![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 64%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENC%3C/text%3E%3C/svg%3E)
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 13%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPV%3C/text%3E%3C/svg%3E)
Hello Nassim Cherifi,
Thank you for posting your question on Microsoft Q&A!
You're encountering an issue where Azure Databricks clusters in a VNet-injected workspace aren’t able to access a storage account through a Microsoft.Storage service endpoint, even though the delegated subnet has the service endpoint enabled and the storage firewall permits the subnet.
Official Microsoft documentation confirms that VNet service endpoints are supported for connecting Azure Databricks to Azure Storage when using VNet injection. However, in practice, some users have observed that Databricks cluster traffic may not always originate from the delegated subnet as expected, especially in public preview or legacy workspace configurations, which can result in firewall blocks.
One key detail to verify: for service endpoints to work reliably with Databricks, your workspace must be deployed as a VNet-injected workspace with public access disabled (i.e., no reliance on public IPs for cluster-to-storage communication). Additionally, ensure the storage account’s “Allow trusted Microsoft services” option is not solely relied upon—explicit VNet rules must include the exact delegated subnet.
If you’re still blocked despite correct configuration, it’s worth confirming whether your clusters are actually using the workspace’s managed VNet route. A common troubleshooting step is to inspect the effective routes or outbound IPs from a running cluster node.
To help narrow this down further:
- Is your Databricks workspace deployed with public access disabled (i.e., “EnableNoPublicIP = true”)?
- Are you using a standard Databricks workspace or a secure workspace with additional isolation features?
For reference, Microsoft’s guidance on securely connecting Databricks to storage explicitly lists both service endpoints and private endpoints as valid options, though private endpoints are increasingly recommended for stricter network controls.
Reference documentation: https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject
Let me know the answers to the probing questions above, I’m happy to refine the recommendation based on your exact setup.
Please "Accept as Answer" or click 'Thumbs Up YES' if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
Thanks
Pratyush
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 73%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)