Share via

Block public access to Azure databricks

Gil Shinar 0 Reputation points
2023-10-22T11:13:43.5266667+00:00

Hi,

I have created a Databricks workspace of standard tier. In the public/not public access I have chosen public and in the vnet injection I have chosen true and used my vnet/subnets/NSGs.
In the NSGs there's a default rule to block all access. In a higher priority I have opened access to 443 to some IPs but haven't added mine. While testing, I can access the databricks workspace no problems at all. To be on the safe side, I sent the URL to one of my colleagues who's not part of this project and he could telenet to port 443 no problem.

During some trial and error, I realized some interesting things. One of them is that whatever databricks workspace I have created (in useast), they all resolve to the same DNS address of: eastus-c3.azuredatabricks.net

I read a lot. Tried whatever I have found while reading. telnet to 443 works always!! Created firewall rule (didn't work).

I created a databricks workspace of premium tier and chose to not use public IP. Created a private endpoint but, still, could telnet to 443. I still haven't tried to access the databricks other than telnet while using premium tier and private endpoint.

Today, someone told me that the firewall rule is not enough because I'm connecting to eastus-c3.azuredatabricks.net and not directly to my vnet so he helped me to create a route from my vnet to the public IP of the firewall rule and that blocked access but also created critical issues with the compute of the workspace.

My question is as follows, is there a way to block all access to the workspace (standard tier) except a few single IPs? If there is, I'll be glad to know how? In case I have to use premium tier, I'll not be using public access and add an endpoint. Should that solve this issue or will I require a VPN to access the databricks?

Thanks!
Gil

Azure Databricks
Azure Databricks

An Apache Spark-based analytics platform optimized for Azure.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VasimTamboli 5,550 Reputation points MVP
    2023-10-22T22:00:55.0766667+00:00

    You can refer below KB article -

    https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject

    Steps to block public access to Azure Databricks Standard tier:

    1. Create a network security group (NSG) with rules to deny all inbound and outbound traffic.
    2. Associate the NSG to the subnets used by your Azure Databricks workspace.
    3. Create a network interface (NIC) in the same subnet as your Azure Databricks workspace.
    4. Assign a public IP address to the NIC.
    5. Create a route table in your virtual network (VNet).
    6. Add a route to the route table that directs traffic for the Azure Databricks DNS name (eastus-c3.azuredatabricks.net) to the public IP address of the NIC.

    This will allow you to access your Azure Databricks workspace from the allowed IP addresses. All other traffic will be blocked.

    Was this answer helpful?

    2 people found this answer helpful.
    0 comments
  2. Gil Shinar 0 Reputation points
    2023-10-23T12:45:06.7+00:00

    Hi

    First thanks for replying!
    The above procedure wasn't fully obvious to me and on top of that, no matter what I have tried, it didn't work.
    First I'll elaborate on what wasn't clear to me:

    1. I'm creating the setup using TF and while doing that I'm also creating two NSGs. These NSGs are being created with a 3 default inbound and outbound rules. The least prioritiesed is the deny all access. Do I still need to create another NSG?
    2. The above are associated
    3. Which subnet? The private one or public one?
    4. No problem with this
    5. Which of the subnets should be associated with this route table?
    6. Couldn't find a way to create route from a DNS. I can only use IP address or service tag

    Now for what I have tried:

    1. At first I tried to create a NIC from the portal and attach it to one of the subnets. It didn't work because of the databricks rules that had been added to the subnet using the databricks delegation. What I did to solve this issue is to destroy and recreate all using terraform. That way I was able to attach the NIC with the public IP to the subnet
    2. At first I tried to add the NIC to the public subnet and associate the route table to the public subnet. That caused issues with the cluster. The cluster failed to be created/start. No matter what I've tried with the route rule, it failed to create/start.
    3. I tried to attach the NIC on the private subnet and whatever I tried with the route rule, I could reach the databricks from my laptop although my IP address is not part of any NSG.
    4. I created a new NSG with one rule fir inbound and one rule to outbound to deny all traffic but failed to associate this NSG with any of the subnets due to intent policy conflicts (rules that had been added by databricks using the delegation)

    Is there anything that I'm missing?

    Thanks

    Gil

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.