Databricks: Insufficient Permission to Add Public IP Address and NAT Gateway

Question

Hello everyone,

I have a Azure Databricks resource group that pre-dates the configuration of a NAT Gateway and Standard Public IP address by default.

I have tried to create a Public IP/Nat Gateway in my databricks resource group, but DENY permissions are set by the system which do not allow any changes to the databricks resource group.

How do I get access to do this or do I need to contact Azure support? I received an e-mail that they are retiring default outbound access by September 30, 2025.

Can someone please point me in the right direction?

Answer 1

Hello , Welcome to MS Q&A

Your issue is due to Azure Databricks-managed resource groups being locked by the system, preventing users from making direct modifications. This is why you are encountering DENY permissions when trying to create a Public IP/NAT Gateway within the Databricks resource group.

✅ Recommended Approach: Attach NAT Gateway to a Custom-Managed V-Net

1. Check if Your Databricks Workspace Uses a Managed or Custom VNet
   • If your workspace was deployed without a custom VNet, Azure automatically manages the networking, and you cannot modify the Databricks resource group.
   • You need to recreate the workspace using a VNet-injected (custom VNet) deployment.
2. Deploy Databricks with a Custom VNet
   • Create a new Databricks workspace with the VNet injection option.
   • In this setup, Databricks deploys its cluster nodes into a custom V-Net that you control.
   • Attach a NAT Gateway and Standard Public IP to the custom V-Net’s outbound subnet .
3. Move Workloads to the New Workspace
   • Since you cannot modify the existing Databricks-managed resource group, you must migrate your notebooks, clusters, and jobs to the new Databricks workspace.

Please let me know if any further ques

Kindly accept answer if it helps

Thanks
Deepanshu