| reviewed | severity | pillar | category | resource | online version |
|---|---|---|---|---|---|
2023-07-26 |
Critical |
Security |
SE:06 Network controls |
Databricks |
Use Databricks workspaces configured for secure cluster connectivity.
An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.
When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.
With secure cluster connectivity enabled:
- An outbound connection over HTTPS from the runtime cluster is used to communicate to the control plane.
- No open ports or IP public addressing is required.
Consider configuring Databricks workspaces to use secure cluster connectivity.
To deploy workspaces that pass this rule:
- Set the
properties.parameters.enableNoPublicIp.valueproperty totrue.
For example:
{
"type": "Microsoft.Databricks/workspaces",
"apiVersion": "2023-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "standard"
},
"properties": {
"managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
"publicNetworkAccess": "Disabled",
"parameters": {
"enableNoPublicIp": {
"value": true
}
}
}
}To deploy workspaces that pass this rule:
- Set the
properties.parameters.enableNoPublicIp.valueproperty totrue.
For example:
resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
name: name
location: location
sku: {
name: 'standard'
}
properties: {
managedResourceGroupId: managedRg.id
publicNetworkAccess: 'Disabled'
parameters: {
enableNoPublicIp: {
value: true
}
}
}
}