Detections
Analytics

3.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)

Information

Networking for Azure Databricks can be set up in a few different ways. Using a customer-managed Virtual Network (VNet) (also known as VNet Injection) ensures that compute clusters and control planes are securely isolated within the organization's network boundary. By default, Databricks creates a managed VNet, which provides limited control over network security policies, firewall configurations, and routing.

Using a customer-managed VNet ensures better control over network security and aligns with zero-trust architecture principles. It allows for:

 - Restricted outbound internet access to prevent unauthorized data exfiltration.
 - Integration with on-premises networks via VPN or ExpressRoute for hybrid connectivity.
 - Fine-grained NSG policies to restrict access at the subnet level.
 - Private Link for secure API access, avoiding public internet exposure.

Solution

Remediate from Azure Portal

 - Delete the existing Databricks workspace (migration required).
 - Create a new Databricks workspace with VNet Injection:
 - Go to Azure Portal -> Create Databricks Workspace.
 - Select Advanced Networking.
 - Choose Deploy into your own Virtual Network.
 - Specify a customer-managed VNet and associated subnets.
 - Enable Private Link for secure API access.

Remediate from Azure CLI

Deploy a new Databricks workspace in a custom VNet:

az databricks workspace create --name <databricks-workspace-name> \\
 --resource-group <resource-group-name> \\
 --location <region> \\
 --managed-resource-group <managed-rg-name> \\
 --enable-no-public-ip true \\
 --network-security-group-rule "NoAzureServices" \\
 --public-network-access Disabled \\
 --custom-virtual-network-id /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>

Ensure NSG Rules are correctly configured:

az network nsg rule create --resource-group <resource-group-name> \\
 --nsg-name <nsg-name> \\
 --name "DenyAllOutbound" \\
 --direction Outbound \\
 --access Deny \\
 --priority 4096

Remediate from PowerShell

New-AzDatabricksWorkspace -ResourceGroupName <resource-group-name> -Name <databricks-workspace-name> -Location <region> -ManagedResourceGroupName <managed-rg-name> -CustomVirtualNetworkId "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"

Impact:

 - Requires additional configuration during Databricks workspace deployment.
 - Might increase operational overhead for network maintenance.
 - May impact connectivity if misconfigured (e.g., restrictive NSG rules or missing routes).

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|14.1

Plugin: microsoft_azure

Control ID: d21cd368f901779f2439dfd4fe556cb82c78dcd60321cfa274a91b9727647795