Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Secure Cluster Connectivity

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Databricks-004

Ensure that secure cluster connectivity (also known as No Public IP Configuration) is enabled for your Microsoft Azure Databricks workspaces. This configuration ensures that clusters are provisioned without public IP addresses and communicate with the control plane exclusively over a secure, private network connection.

Security

To enable secure cluster connectivity, Microsoft Azure Databricks workspaces should run within a customer-managed Virtual Network (VNet). If your Databricks workspace was not deployed to a customer-managed VNet, refer to Check for Virtual Network (VNet) Injection for VNet integration.

Audit

To determine if secure cluster connectivity is enabled for your Azure Databricks workspaces, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

  5. Click on the name (link) of the Azure Databricks workspace that you want to examine.

  6. In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

  7. Select the Network access tab and check the state of the Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) setting to determine the Secure Cluster Connectivity feature status. If Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) is set to Disabled, Secure Cluster Connectivity (No Public IP) is not enabled for the selected Azure Databricks workspace.

  8. Repeat steps no. 5 - 7 for each Azure Databricks workspace available within the selected subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:

    az databricks workspace list
	--query '[*].id'

  5. The command output should return the requested Databricks workspace IDs:

    [
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace"
]

  6. Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to determine the Secure Cluster Connectivity feature status for the selected workspace:

    az databricks workspace show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--query 'parameters.enableNoPublicIp.value'

  7. The command output should return the requested feature status (true for enabled, false for disabled):

    false

    If the databricks workspace show command output returns false, as shown in the example above, Secure Cluster Connectivity (No Public IP) is not enabled for the selected Azure Databricks workspace.

  8. Repeat steps no. 6 and 7 for each Azure Databricks workspace available in the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

With Secure Cluster Connectivity, customer-managed Virtual Network (VNet) have no open ports and Databricks Runtime cluster nodes have no public IP addresses. To enable Secure Cluster Connectivity for your Azure Databricks workspaces, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

  5. Click on the name (link) of the Azure Databricks workspace that you want to configure.

  6. In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

  7. Select the Network access tab and set the Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) setting to Enabled to enable the Secure Cluster Connectivity feature for the selected Databricks workspace. Choose Save to apply the changes.

  8. Repeat steps no. 5 - 7 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run databricks workspace update command (OSX/Linux/UNIX) to enable the Secure Cluster Connectivity (No Public IP) feature for the selected Databricks workspace:

    az databricks workspace update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--enable-no-public-ip true

  5. The command output should return the configuration information available for the updated Databricks workspace:

    {
	"authorizations": [
		{
			"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
			"roleDefinitionId": "abcd1234-abcd-1234-abcd-abcd1234abcd"
		}
	],
	"createdBy": {
		"applicationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"oid": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"puid": "ABCDABCDABCDABCD"
	},
	"createdDateTime": "2025-10-09T08:51:19.9701424Z",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"isUcEnabled": false,
	"location": "westeurope",
	"managedResourceGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/databricks-rg-cc-project9-data-workspace-abcdabcdabcd",
	"name": "cc-project9-data-workspace",
	"parameters": {
		"customPrivateSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-002"
		},
		"customPublicSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-001"
		},
		"customVirtualNetworkId": {
			"type": "String",
			"value": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet"
		},
		"enableNoPublicIp": {
			"type": "Bool",
			"value": true
		},
		"prepareEncryption": {
			"type": "Bool",
			"value": false
		},
		"requireInfrastructureEncryption": {
			"type": "Bool",
			"value": false
		},
		"resourceTags": {
			"type": "Object",
			"value": {
				"application": "databricks",
				"databricks-environment": "true"
			}
		},
		"storageAccountName": {
			"type": "String",
			"value": "abcdabcdabcdabcdabcdabcd"
		},
		"storageAccountSkuName": {
			"type": "String",
			"value": "Standard_GRS"
		}
	},
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "premium"
	},
	"tags": {},
	"type": "Microsoft.Databricks/workspaces",
	"workspaceId": "123456789012",
	"workspaceUrl": "adb-123456789012.5.azuredatabricks.net"
}

  6. Repeat steps no. 4 and 5 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

  7. Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date Nov 7, 2025

Related Databricks rules