Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Disable Public Network Access

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Databricks-003

Ensure that public network access to Microsoft Azure Databricks workspaces via public endpoints is disabled in order to enhance security by preventing unauthorized access.

Security

You can connect to your Databricks workspaces either publicly through public service endpoints or privately using private endpoints. When an Azure Databricks workspace is open to public access, it can be reached by all hosts and networks, including the Internet. This raises the likelihood of unauthorized access, security breaches, and potential compliance violations. However, if public network access is disabled, the public endpoint for your Databricks workspace will be disabled, allowing access only through private endpoint connections.

To enable secure cluster connectivity, Microsoft Azure Databricks workspaces should run within a customer-managed Virtual Network (VNet). If your Databricks workspace was not deployed to a customer-managed VNet, refer to Check for Virtual Network (VNet) Injection for VNet integration.

Audit

To determine whether public network access to your Azure Databricks workspaces is disabled, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

  5. Click on the name (link) of the Azure Databricks workspace that you want to examine.

  6. In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

  7. Select the Network access tab and check the state of the Allow Public Network Access setting to determine the level of network access configured for the selected workspace. If Allow Public Network Access is set to Enabled, the selected Azure Databricks workspace can be accessed through public endpoints. As a result, all networks, including the Internet, will have access to your Databricks workspace.

  8. Repeat steps no. 5 - 7 for each Azure Databricks workspace available within the selected subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:

    az databricks workspace list
	--query '[*].id'

  5. The command output should return the requested Databricks workspace IDs:

    [
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace"
]

  6. Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Databricks workspace is disabled:

    az databricks workspace show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--query 'publicNetworkAccess'

  7. The command output should return the status of the "publicNetworkAccess" configuration setting:

    "Enabled"

    If the databricks workspace show command output returns "Enabled", as shown in the example above, the selected Azure Databricks workspace can be accessed through public endpoints. As a result, all networks, including the Internet, will have access to your Databricks workspace.

  8. Repeat steps no. 6 and 7 for each Azure Databricks workspace available in the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public network access to your Microsoft Azure Databricks workspaces, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

  5. Click on the name (link) of the Azure Databricks workspace that you want to configure.

  6. In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

  7. Select the Network access tab and perform the following actions:

    1. Set Allow Public Network Access to Disabled to disable public network access to the selected Databricks workspace.
    2. Set Required NSG Rules to No Azure Databricks Rules to disable the associated NSG rules. Because your workspace data plane does not need Network Security Group rules to connect to the Azure Databricks control plane, NSG rules are not necessary.
    3. Choose Save to apply the changes.
    4. (Optional) Once the new network configuration is applied, no public networks can access your Databricks workspace. To allow secure access via private endpoints, follow the steps outlined on this page.

  8. Repeat steps no. 5 - 7 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run databricks workspace update command (OSX/Linux/UNIX) to disable public network access to the selected Azure Databricks workspace. Because your workspace data plane does not need Network Security Group rules to connect to the Azure Databricks control plane anymore, NSG rules are not necessary. Set the --required-nsg-rules parameter to NoAzureDatabricksRules to disable the associated NSG rules:

    az databricks workspace update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--public-network-access Disabled
	--required-nsg-rules NoAzureDatabricksRules

  5. The command output should return the configuration information available for the modified Databricks workspace:

    {
	"authorizations": [
		{
			"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
			"roleDefinitionId": "abcd1234-abcd-1234-abcd-abcd1234abcd"
		}
	],
	"createdBy": {
		"applicationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"oid": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"puid": "ABCDABCDABCDABCD"
	},
	"createdDateTime": "2025-10-09T08:51:19.9701424Z",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"isUcEnabled": false,
	"location": "westeurope",
	"managedResourceGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/databricks-rg-cc-project9-data-workspace-abcdabcdabcd",
	"name": "cc-project9-data-workspace",
	"parameters": {
		"customPrivateSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-002"
		},
		"customPublicSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-001"
		},
		"customVirtualNetworkId": {
			"type": "String",
			"value": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet"
		},
		"enableNoPublicIp": {
			"type": "Bool",
			"value": true
		},
		"prepareEncryption": {
			"type": "Bool",
			"value": false
		},
		"requireInfrastructureEncryption": {
			"type": "Bool",
			"value": false
		},
		"resourceTags": {
			"type": "Object",
			"value": {
				"application": "databricks",
				"databricks-environment": "true"
			}
		},
		"storageAccountName": {
			"type": "String",
			"value": "abcdabcdabcdabcdabcdabcd"
		},
		"storageAccountSkuName": {
			"type": "String",
			"value": "Standard_GRS"
		}
	},
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "premium"
	},
	"tags": {},
	"type": "Microsoft.Databricks/workspaces",
	"workspaceId": "123456789012",
	"workspaceUrl": "adb-123456789012.5.azuredatabricks.net"
}

  6. (Optional) Once the new network configuration is applied, no public networks can access your Databricks workspace. To allow secure access via private endpoints, follow the steps outlined on this page.

  7. Repeat steps no. 4 - 6 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

  8. Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date Nov 7, 2025

Related Databricks rules