3.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)

Information

Networking for Azure Databricks can be set up in a few different ways. Using a customer-managed Virtual Network (VNet) (also known as VNet Injection) deploys the workspace's compute (data plane) resources, the cluster VMs, into two subnets of a VNet the organization owns and controls. The Databricks control plane stays in a Microsoft-managed subscription; what VNet injection gives you is control over how the data plane reaches the control plane, Azure services, on-premises networks and the internet. By default, Databricks creates a locked VNet inside the workspace's managed resource group, which leaves the organization with little control over network security policies, firewall placement, and routing.

Using a customer-managed VNet puts the data plane's traffic under the organization's own network controls and aligns with zero-trust architecture principles. It allows for:

- Restricted outbound internet access (for example, a user-defined route that forces cluster egress through an Azure Firewall) to limit unauthorized data exfiltration.
- Integration with on-premises networks via VPN or ExpressRoute for hybrid connectivity.
- Fine-grained NSG rules on the Databricks subnets to restrict traffic at the subnet level.
- Azure Private Link for both front-end (users and REST API clients to the workspace) and back-end (cluster nodes to the control plane) connectivity, keeping that traffic off the public internet.

Solution

Remediate from Azure Portal

- An existing workspace cannot be switched to VNet injection in place, so plan a migration: create the new workspace first, move notebooks, jobs, cluster configurations and permissions across, then delete the old workspace.
- Create the new Databricks workspace with VNet Injection:
- Go to Azure Portal -> Create a resource -> Azure Databricks.
- On the Networking tab, set Deploy Azure Databricks workspace in your own Virtual Network (VNet) to Yes.
- Select the customer-managed VNet and specify the public and private subnet names (and their CIDR ranges) the workspace will use.
- Set Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) to Yes so that cluster nodes receive no public IP addresses.
- Configure Private Link (Premium tier) for front-end and back-end connectivity, and disable public network access once the front-end private endpoint is in place.

Remediate from Azure CLI

Deploy a new Databricks workspace into a customer-managed VNet. The --vnet parameter takes the VNet name or resource ID and must be accompanied by the names of the public and private subnets; --required-nsg-rules accepts AllRules (default), NoAzureDatabricksRules (back-end Private Link in use) or NoAzureServiceRules (service endpoints or private endpoints carry the Azure service traffic), so only set it to something other than AllRules when that configuration exists. Private Link and --public-network-access Disabled require the premium SKU, and disabling public network access before a front-end private endpoint exists makes the workspace UI and REST API unreachable:

az databricks workspace create --name <databricks-workspace-name> \
--resource-group <resource-group-name> \
--location <region> \
--sku premium \
--managed-resource-group <managed-rg-name> \
--vnet /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name> \
--public-subnet <public-subnet-name> \
--private-subnet <private-subnet-name> \
--enable-no-public-ip true \
--required-nsg-rules NoAzureServiceRules \
--public-network-access Disabled

Ensure NSG rules are correctly configured. The NSG must be associated with both the public and the private Databricks subnet, and both subnets must be delegated to Microsoft.Databricks/workspaces so that Databricks can add the rules it needs (worker-to-worker traffic and, depending on --required-nsg-rules, outbound to its control plane and to Azure Storage, SQL and Event Hubs) at low priority numbers. A catch-all deny at priority 4096 (the lowest priority an NSG rule can have) then blocks every other outbound flow, including the default AllowVnetOutBound and AllowInternetOutBound rules, so any egress the workloads legitimately need (to on-premises networks over VPN/ExpressRoute, to a customer firewall via a user-defined route, to package repositories) must be allowed explicitly at a lower priority number before this rule is added:

az network nsg rule create --resource-group <resource-group-name> \
--nsg-name <nsg-name> \
--name "DenyAllOutbound" \
--direction Outbound \
--access Deny \
--protocol "*" \
--priority 4096

Remediate from PowerShell

Using the Az.Databricks module, the equivalent of the CLI deployment above (the same Premium-tier and front-end Private Link caveats apply to -PublicNetworkAccess Disabled):

New-AzDatabricksWorkspace -ResourceGroupName <resource-group-name> -Name <databricks-workspace-name> -Location <region> -Sku premium -ManagedResourceGroupName <managed-rg-name> -VirtualNetworkId "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>" -PublicSubnetName <public-subnet-name> -PrivateSubnetName <private-subnet-name> -EnableNoPublicIP -PublicNetworkAccess Disabled
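To verify the result, and to audit workspaces that already exist, the settings above can be read back with az databricks workspace show -g <resource-group-name> -n <databricks-workspace-name> -o json. The script below is an added example, not part of this benchmark and not Databricks or Microsoft tooling, that evaluates that JSON against this control. It assumes the resource exposes parameters.customVirtualNetworkId, parameters.customPublicSubnetName, parameters.customPrivateSubnetName and parameters.enableNoPublicIp (each carrying its setting under "value") plus the top-level publicNetworkAccess and sku.name fields; the three workspace documents embedded in it are constructed samples and describe no real deployment.

```python
"""Audit helper (added example, not part of the benchmark or of Azure tooling):
parse the JSON printed by `az databricks workspace show -o json` and list
which of this control's network settings are missing.

Assumed field layout (from the Microsoft.Databricks/workspaces resource):
  parameters.customVirtualNetworkId.value   -> VNet resource ID (unset = managed VNet)
  parameters.customPublicSubnetName.value   -> public subnet name
  parameters.customPrivateSubnetName.value  -> private subnet name
  parameters.enableNoPublicIp.value         -> secure cluster connectivity
  publicNetworkAccess                       -> "Enabled" / "Disabled"
  sku.name                                  -> "standard" / "premium" / "trial"
"""
import json
from typing import Any, Dict, List


def _param(ws: Dict[str, Any], name: str) -> Any:
    """Return parameters.<name>.value, or None if the deployment never set it."""
    return ((ws.get("parameters") or {}).get(name) or {}).get("value")


def audit_workspace(ws: Dict[str, Any]) -> List[str]:
    """Evaluate one workspace document; an empty list means it passes."""
    findings: List[str] = []

    # 1. VNet injection: the custom VNet ID is only present on injected workspaces.
    if not _param(ws, "customVirtualNetworkId"):
        findings.append("not VNet-injected: parameters.customVirtualNetworkId is unset "
                        "(Databricks-managed VNet in use; this cannot be changed in place)")
    else:
        for sub in ("customPublicSubnetName", "customPrivateSubnetName"):
            if not _param(ws, sub):
                findings.append(f"VNet injection without parameters.{sub}")

    # 2. Secure cluster connectivity: cluster nodes must not get public IPs.
    if _param(ws, "enableNoPublicIp") is not True:
        findings.append("secure cluster connectivity off: parameters.enableNoPublicIp is not true")

    # 3. Front end: public network access off, which in turn needs Premium + Private Link.
    if ws.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: workspace UI/API reachable from the internet")
    elif (ws.get("sku") or {}).get("name", "").lower() != "premium":
        findings.append("publicNetworkAccess Disabled requires the premium SKU for Private Link")
    return findings


def audit_workspace_json(doc: str) -> List[str]:
    """Same check, taking the raw CLI output string."""
    return audit_workspace(json.loads(doc))


# Constructed sample documents (not real workspaces; subscription ID is all zeros).
_VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
         "/providers/Microsoft.Network/virtualNetworks/vnet-dbw")
SAMPLES: Dict[str, str] = {
    # What a default portal deployment looks like: managed VNet, public IPs, public front end.
    "dbw-default": json.dumps({
        "name": "dbw-default", "sku": {"name": "standard"},
        "publicNetworkAccess": "Enabled",
        "parameters": {"enableNoPublicIp": {"type": "Bool", "value": False}},
    }),
    # VNet-injected with secure cluster connectivity, but the front end is still public.
    "dbw-injected-public": json.dumps({
        "name": "dbw-injected-public", "sku": {"name": "standard"},
        "publicNetworkAccess": "Enabled",
        "parameters": {
            "customVirtualNetworkId": {"type": "String", "value": _VNET},
            "customPublicSubnetName": {"type": "String", "value": "snet-dbw-public"},
            "customPrivateSubnetName": {"type": "String", "value": "snet-dbw-private"},
            "enableNoPublicIp": {"type": "Bool", "value": True},
        },
    }),
    # Satisfies the control: injected, no public IPs, Private Link front end on Premium.
    "dbw-injected-private": json.dumps({
        "name": "dbw-injected-private", "sku": {"name": "premium"},
        "publicNetworkAccess": "Disabled", "requiredNsgRules": "NoAzureDatabricksRules",
        "parameters": {
            "customVirtualNetworkId": {"type": "String", "value": _VNET},
            "customPublicSubnetName": {"type": "String", "value": "snet-dbw-public"},
            "customPrivateSubnetName": {"type": "String", "value": "snet-dbw-private"},
            "enableNoPublicIp": {"type": "Bool", "value": True},
        },
    }),
}


def audit_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Map each workspace name to its findings."""
    return {name: audit_workspace_json(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(("PASS " if not findings else "FAIL ") + name)
        for f in findings:
            print("  - " + f)
```

In practice, replace SAMPLES with the output of az databricks workspace list -o json (one document per workspace) and fail the pipeline on any non-empty findings list; the NSG and route-table checks from the CLI section are separate resources and are not covered by this script.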

Impact:

- Requires additional configuration during Databricks workspace deployment.
- Might increase operational overhead for network maintenance.
- May impact connectivity if misconfigured (e.g., restrictive NSG rules or missing routes).

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|14.1

Plugin: microsoft_azure

Control ID: d21cd368f901779f2439dfd4fe556cb82c78dcd60321cfa274a91b9727647795