How to setup Azure databricks with pubic access disabled and configuring the private DNS for SSO login?

Sunilprasath Elangovan 60 Reputation points

Hi Team,

Good afternoon.

We are trying to setup Azure Databricks with public access disabled, by following this page.

We followed all the steps ( ex dedicative private workspace for browser authentication ), but after setting up this , still we are directed to public ip address to authenticate.

All the private endpoints (front,back,browser authentication), private DNS configuration we have done in our Hub Subscription VNET ,which is connected with our on-premises network via Site-to-Site VPN. Users login to Azure databricks from that on-premises network.

User's image

we followed the similar setup for key vault ,, and we are able to access them from on-prem using the private IP address.

Screenshot 2023-05-02 2205555

Thanks for your answers in advance.



Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,250 questions
Azure Databricks
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
2,032 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
484 questions
{count} votes

Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 83,306 Reputation points Microsoft Employee

    @Sunilprasath Elangovan - Thanks for the question and using MS Q&A platform.

    From your diagram, it seems like frontend and backend private links are in the same vnet, which makes no sense in the same subnet since they will point out to the same resource.

    You can check in the private dns zone if there are the proper A records in there, as per the documentation you refer.


    But I think the problem is related to a more architectural design, in the documentation you refer, there isn't any vnet peering, transit and customer data plane vnets are not peered and have different dns zones.


    Normally in this type of hub & spoke network topologies, with vnet peering, you would have 3 vnets:

    • Transit vnet: Has vpn gateway and private endpoint for web auth, linked with dns zone
    • Hub vnet: Has private endpoint for web app and storage accounts
    • Data Plane vnet: linked with dns zone

    Peering happens between transit and hub, and between hub and data plane.

    Hope this helps. Do let us know if you any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

0 additional answers

Sort by: Most helpful