Ensure public IP addresses are disabled in Azure Databricks Workspaces

MEDIUM

Description

Azure provides a Secure Cluster Connectivity option for Databricks Workspaces at resource creation. Selecting the 'No Public IP' option configures this feature and ensures that even if a public subnet is defined, it cannot be used for routing traffic to or from the public internet. This helps prevent accidental exposure of cluster nodes due to network misconfiguration. For more information, see the Azure documentation for Secure Cluster Connectivity.

Remediation

The Secure Cluster Connectivity (No Public IP) feature can only be enabled upon cluster creation. For more information on custom configurations, see the Azure documentation.

In Azure Console -

  1. Open the Azure Portal and go to Databricks.
  2. Select Create and configure the workspace details as needed.
  3. Under Networking, set the Secure Cluster Connectivity (No Public IP) option to Yes.
  4. When configuration is complete, select Create.

In Terraform -

  1. In the azurerm_databricks_workspace resource, create a custom_parameters block.
  2. Set custom_parameters.no_public_ip to true.
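
The weak and the remediated Terraform configurations side by side, as an added example that is not part of the original policy text or the provider documentation; the resource group, workspace names, region and SKU are assumed values:

```terraform
# Added example (not from the original page). The resource group, names,
# region and SKU below are assumed; only the custom_parameters block matters.

resource "azurerm_resource_group" "example" {
  name     = "rg-databricks-example" # assumed name
  location = "eastus"                # assumed region
}

# Non-compliant: no_public_ip is explicitly false, so cluster nodes in the
# workspace are assigned public IP addresses (the condition AC_AZURE_0252 flags).
resource "azurerm_databricks_workspace" "noncompliant" {
  name                = "dbw-noncompliant-example" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium" # assumed SKU

  custom_parameters {
    no_public_ip = false
  }
}

# Compliant: Secure Cluster Connectivity enabled through
# custom_parameters.no_public_ip, set when the workspace is created.
resource "azurerm_databricks_workspace" "compliant" {
  name                = "dbw-compliant-example" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium" # assumed SKU

  custom_parameters {
    no_public_ip = true
  }
}
```

Because the page states the setting can only be enabled at creation, a workspace already deployed with the non-compliant block is remediated by recreating it with the compliant one rather than by editing the attribute in place.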

References:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace

Policy Details

Rule Reference ID: AC_AZURE_0252
CSP: Azure
Remediation Available: No
Resource Category: Database
Resource Type: Databricks workspace

Frameworks