Azure Databricks workspaces should disable public network access

March 21, 2025

SYNOPSIS

Azure Databricks workspaces should disable public network access.

DESCRIPTION

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.

RECOMMENDATION

Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.

EXAMPLES

Configure with Azure template

To deploy workspaces that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

{
  "type": "Microsoft.Databricks/workspaces",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
    "publicNetworkAccess": "Disabled",
    "parameters": {
      "enableNoPublicIp": {
        "value": true
      }
    }
  }
}

Configure with Bicep

To deploy workspaces that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    managedResourceGroupId: managedRg.id
    publicNetworkAccess: 'Disabled'
    parameters: {
      enableNoPublicIp: {
        value: true
      }
    }
  }
}
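
Checking a compiled template before deployment

The following is an added example, not part of the original page and not the rule's own implementation: a Python check that walks an ARM template (including child resources and nested deployments) and reports each Databricks workspace whose properties.publicNetworkAccess is not Disabled. The function names and the sample template are constructed for illustration; treating an absent property as a failure is an assumption based on the rule requiring an explicit Disabled value.

```python
WORKSPACE_TYPE = "microsoft.databricks/workspaces"

def _props(res):
    """Return the resource's properties object, or {} if missing or not an object."""
    props = res.get("properties")
    return props if isinstance(props, dict) else {}

def find_workspaces(resources):
    """Yield workspaces, descending into child resources and nested deployments."""
    if isinstance(resources, dict):      # symbolic-name templates use an object here
        resources = list(resources.values())
    for res in resources or []:
        if not isinstance(res, dict):
            continue
        if str(res.get("type", "")).lower() == WORKSPACE_TYPE:
            yield res
        yield from find_workspaces(res.get("resources"))
        nested = _props(res).get("template")
        if isinstance(nested, dict):
            yield from find_workspaces(nested.get("resources"))

def check_template(template):
    """Return [(name, status)] where status is 'pass', 'fail' or 'unresolved'."""
    results = []
    for ws in find_workspaces(template.get("resources")):
        value = _props(ws).get("publicNetworkAccess")
        if isinstance(value, str) and value.startswith("[") and not value.startswith("[["):
            status = "unresolved"        # template expression: re-check after expansion
        elif isinstance(value, str) and value.lower() == "disabled":
            status = "pass"
        else:
            status = "fail"              # Enabled, or absent (assumed to fail the rule)
        results.append((ws.get("name"), status))
    return results

# Constructed sample template, not taken from a real deployment.
SAMPLE = {"resources": [
    {"type": "Microsoft.Databricks/workspaces", "name": "ws-private",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Databricks/workspaces", "name": "ws-default", "properties": {}},
    {"type": "Microsoft.Databricks/workspaces", "name": "ws-param",
     "properties": {"publicNetworkAccess": "[parameters('access')]"}},
    {"type": "Microsoft.Resources/deployments", "name": "nested",
     "properties": {"template": {"resources": [
         {"type": "microsoft.databricks/workspaces", "name": "ws-nested",
          "properties": {"publicNetworkAccess": "Enabled"}}]}}},
]}

if __name__ == "__main__":
    for name, status in check_template(SAMPLE):
        print(f"{status:10} {name}")
```

An "unresolved" result means the value is a template expression, so the effective setting depends on the parameters supplied at deployment time.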