Databricks workspace URL needs to be blocked outside the corporate network?

a1990 11 Reputation points
2022-05-12T21:25:02.84+00:00

As per a security concern, we need to restrict/block the Databricks workspace URL outside the corporate network. I tried the IP access list below; it is able to restrict only user login access from outside the corporate network, but the workspace ID URL is still live outside the corporate network.

https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/ip_access_list

Can anybody advise how to block the workspace URL outside the network? Another requirement is to block the Databricks Spark UI.


2 answers
  1. Ma, Sean 1 Reputation point
    2022-05-16T14:26:47.367+00:00

    You can reference this doc: https://learn.microsoft.com/en-us/azure/databricks/security/network/ip-access-list

    To check if your workspace has the IP access list feature enabled, call the get feature status API (GET /workspace-conf). Pass keys=enableIpAccessLists as arguments to the request.

    In the response, the enableIpAccessLists field specifies either true or false.

    For example:

    curl -X GET -n https://<databricks-instance>/api/2.0/workspace-conf?keys=enableIpAccessLists

    Example response:

    {"enableIpAccessLists": "true"}

    Enable or disable the IP access list feature for a workspace

    To enable or disable the IP access list feature for a workspace, call the enable or disable the IP access list API (PATCH /workspace-conf).

    In a JSON request body, specify enableIpAccessLists as true (enabled) or false (disabled).

    For example, to enable the feature:

    curl -X PATCH -n https://<databricks-instance>/api/2.0/workspace-conf -d '{"enableIpAccessLists": "true"}'

    Example response:

    {
    "enableIpAccessLists": "true"
    }

    Add an IP access list

    To add an IP access list, call the add an IP access list API (POST /ip-access-lists).

    In the JSON request body, specify:

    label: Label for this list.
    list_type: Either ALLOW (allow list) or BLOCK (a block list, which means exclude even if in allow list).
    ip_addresses: A JSON array of IP addresses and CIDR ranges, as String values.
    The response is a copy of the object that you passed in, but with some additional fields, most importantly the list_id field. You may want to save that value so you can update or delete the list later. If you do not save it, you are still able to get the ID later by querying the full set of IP access lists with a GET request to the /ip-access-lists endpoint.

    For example, to add an allow list:

    curl -X POST -n \
      https://<databricks-instance>/api/2.0/ip-access-lists \
      -d '{
        "label": "office",
        "list_type": "ALLOW",
        "ip_addresses": [
          "1.1.1.1",
          "2.2.2.2/21"
        ]
      }'

    Example response:

    {
      "ip_access_list": {
        "list_id": "<list-id>",
        "label": "office",
        "ip_addresses": [
          "1.1.1.1",
          "2.2.2.2/21"
        ],
        "address_count": 2,
        "list_type": "ALLOW",
        "created_at": 1578423494457,
        "created_by": 6476783916686816,
        "updated_at": 1578423494457,
        "updated_by": 6476783916686816,
        "enabled": true
      }
    }

    To add a block list, do the same thing but with list_type set to BLOCK.

    Update an IP access list

    To update an IP access list:

    1. Call the list all IP access lists API (GET /ip-access-lists), and find the ID of the list you want to update.
    2. Call the update an IP access list API (PATCH /ip-access-lists/<list-id>).
    3. In the JSON request body, specify at least one of the following values to update:

    label: Label for this list.
    list_type: Either ALLOW (allow list) or BLOCK (block list, which means exclude even if in allow list).
    ip_addresses: A JSON array of IP addresses and CIDR ranges, as String values.
    enabled: Specifies whether this list is enabled. Pass true or false.
    The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

    For example, to update a list to disable it:

    curl -X PATCH -n \
      https://<databricks-instance>/api/2.0/ip-access-lists/<list-id> \
      -d '{ "enabled": "false" }'

    Replace an IP access list

    To replace an IP access list:

    1. Call the list all IP access lists API (GET /ip-access-lists), and find the ID of the list you want to replace.
    2. Call the replace an IP access list API (PUT /ip-access-lists/<list-id>).
    3. In the JSON request body, specify:

    label: Label for this list.
    list_type: Either ALLOW (allow list) or BLOCK (block list, which means exclude even if in allow list).
    ip_addresses: A JSON array of IP addresses and CIDR ranges, as String values.
    enabled: Specifies whether this list is enabled. Pass true or false.
    The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

    For example, to replace the contents of the specified list with the following values:

    curl -X PUT -n \
      https://<databricks-instance>/api/2.0/ip-access-lists/<list-id> \
      -d '{
        "label": "office",
        "list_type": "ALLOW",
        "ip_addresses": [
          "1.1.1.1",
          "2.2.2.2/21"
        ],
        "enabled": "false"
      }'

    Delete an IP access list

    To delete an IP access list:

    1. Call the list all IP access lists API (GET /ip-access-lists), and find the ID of the list you want to delete.
    2. Call the delete an IP access list API (DELETE /ip-access-lists/<list-id>). There is no request body.

    curl -X DELETE -n https://<databricks-instance>/api/2.0/ip-access-lists/<list-id>

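As an added example (not code from the answer above or from Databricks' own tooling), the following Python reproduces the ALLOW/BLOCK evaluation the answer describes, audits a proposed configuration for entries broad enough to defeat the corporate-network restriction, and builds the same /api/2.0 requests the curl calls make. It assumes bearer token authentication with a personal access token (the answer uses -n/.netrc instead); the sample lists are constructed from the placeholder addresses in the answer.

```python
import ipaddress
import json
import urllib.request

# Added example: offline check of Databricks-style IP access lists (BLOCK excludes even if an
# ALLOW list matches) plus a request builder for the /api/2.0 calls shown in the answer.
# Assumption: the workspace API accepts a bearer personal access token.

# Constructed sample in the shape of GET /api/2.0/ip-access-lists; the BLOCK entry is a /24 inside the allowed /21.
SAMPLE_LISTS = {"ip_access_lists": [
    {"list_id": "list-office", "label": "office", "list_type": "ALLOW", "enabled": True,
     "ip_addresses": ["1.1.1.1", "2.2.2.2/21"]},
    {"list_id": "list-guest", "label": "guest-vlan", "list_type": "BLOCK", "enabled": True,
     "ip_addresses": ["2.2.3.0/24"]},
]}


def _matches(acl, ip):
    # strict=False so host-style entries like "2.2.2.2/21" are read as their network (2.2.0.0/21)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in acl["ip_addresses"])


def would_allow(lists, client_ip):
    """True if client_ip would pass the workspace's enabled IP access lists."""
    ip = ipaddress.ip_address(client_ip)
    enabled = [a for a in lists["ip_access_lists"] if a.get("enabled")]
    if any(a["list_type"] == "BLOCK" and _matches(a, ip) for a in enabled):
        return False  # a BLOCK match wins even when an ALLOW list also matches
    allows = [a for a in enabled if a["list_type"] == "ALLOW"]
    if not allows:
        return True  # assumption: with no enabled ALLOW list nothing is restricted
    return any(_matches(a, ip) for a in allows)


def audit_lists(lists, max_prefix_size=16):
    """Flag ALLOW entries broader than /max_prefix_size; such entries let in far more than the office."""
    findings = []
    for a in lists["ip_access_lists"]:
        for entry in a["ip_addresses"]:
            net = ipaddress.ip_network(entry, strict=False)
            if a["list_type"] == "ALLOW" and net.prefixlen < max_prefix_size:
                findings.append(f"{a['label']}: ALLOW entry {entry} is broader than /{max_prefix_size}")
    return findings


def build_request(instance, method, path, token, body=None):
    """Build e.g. PATCH /workspace-conf or POST /ip-access-lists exactly as the curl calls do."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"https://{instance}/api/2.0{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req  # send with urllib.request.urlopen(req) against a real workspace
```

Run audit_lists over the output of GET /ip-access-lists before enabling the feature, and would_allow with a known outside address to confirm the allow list really excludes it.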

  2. ShaikMaheer-MSFT 37,896 Reputation points Microsoft Employee
    2022-05-19T15:25:58.167+00:00

    Hi @a1990,

    The article below describes how an Azure Databricks workspace can be secured behind an Azure VNet:
    Deploy Azure Databricks in your Azure virtual network (VNet injection) - Azure Databricks | Microsoft Learn

    Azure Databricks Private Link is in Private Preview (and will go to full Public Preview in the next 2 or 3 months). But even with Private Link, the URL is available publicly but fails when not connecting through the Private Endpoint (screenshot below). This is very similar behavior to IP Access List.

    Hope this helps. Please let us know if any further queries.

    ----------

    Please consider hitting the Accept Answer button. Accepted answers help the community as well.
