- Check for Virtual Network (VNet) Injection
To ensure the secure isolation of Databricks compute resources and control planes within your organization's network boundary, deploy your Azure Databricks workspaces to a customer-managed Virtual Network, a process known as VNet injection.
By default, Azure Databricks creates a managed Virtual Network (VNet), which offers limited control over network security policies, firewall configurations, and routing. Deploying Databricks workspaces within a customer-managed VNet (i.e., VNet injection) provides enhanced control over network security and supports the principles of a zero-trust architecture. This approach enables restricted outbound Internet access to mitigate unauthorized data exfiltration, seamless integration with on-premises networks through VPN or ExpressRoute for hybrid connectivity, fine-grained Network Security Group (NSG) policies to restrict access at the subnet level, and the use of Private Link to ensure secure API access while avoiding exposure to the public Internet.
Audit
To determine if your Azure Databricks workspaces were deployed to a customer-managed Virtual Network (VNet), perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.
05 Click on the name (link) of the Azure Databricks workspace that you want to examine.
06 In the resource navigation panel, under Settings, select Properties to access the configuration properties available for the selected workspace.
07 In the Parameters section, check the Custom virtual network Id parameter value to identify the ID of the customer-managed Virtual Network (VNet) associated with your Databricks workspace. If the Custom virtual network Id parameter does not have a value (i.e., View value as JSON is not available), the selected Azure Databricks workspace was not deployed to a customer-managed Virtual Network (VNet). As a result, the workspace networking configuration is not compliant.
08 Repeat steps no. 5 - 7 for each Azure Databricks workspace available within the selected subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:
az databricks workspace list --query '[*].id'
05 The command output should return the requested Databricks workspace IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace" ]
06 Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to describe the ID of the customer-managed Virtual Network (VNet) associated with the selected Databricks workspace:
az databricks workspace show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace" --query '{"customVirtualNetworkId":parameters.customVirtualNetworkId.value}'
07 The command output should return the ID of the customer-managed VNet associated with your workspace:
{ "customVirtualNetworkId": null }
If the databricks workspace show command output returns null for the "customVirtualNetworkId" attribute value, as shown in the example above, the selected Azure Databricks workspace was not deployed to a customer-managed Virtual Network (VNet). As a result, the workspace networking configuration is not compliant.
08 Repeat steps no. 6 and 7 for each Azure Databricks workspace available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
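The script below is an added example, not part of the original knowledge base page, that automates the CLI audit above: it walks every subscription (steps 01 to 03), lists the workspaces in each (steps 04 and 05), and reads parameters.customVirtualNetworkId.value for each one (steps 06 and 07). It assumes the Azure CLI is installed with the databricks extension available and that you are already signed in. It relies on the fact that az prints a null attribute as an empty string under -o tsv, so an empty value and a literal null are both treated as "no customer-managed VNet"; the classification logic is kept in its own function so it can be tested without Azure access.

```shell
#!/bin/sh
# Added example (not the original page's code): audit Azure Databricks
# workspaces for VNet injection using the same az commands as the steps above.
# Assumes: Azure CLI installed, "az login" done, databricks extension available.
set -eu

# Classify the value of parameters.customVirtualNetworkId.value as returned by
# "az databricks workspace show". With "-o tsv" a null attribute is printed as
# an empty string, so both "" and "null" mean the workspace uses the managed VNet.
classify_vnet_value() {
  case "$1" in
    ""|null)
      echo "NON_COMPLIANT" ;;   # managed VNet: workspace was not VNet-injected
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*)
      echo "COMPLIANT" ;;       # a customer-managed VNet resource ID
    *)
      echo "UNKNOWN" ;;         # unexpected value: review manually
  esac
}

# Short workspace name = last segment of the workspace resource ID,
# so the report is readable without a second API call.
workspace_name_from_id() {
  printf '%s\n' "${1##*/}"
}

# Audit one workspace (steps 06/07) and print one tab-separated report line:
#   <status>  <subscription id>  <workspace name>  <vnet id or ->
audit_workspace() {
  sub_id=$1
  ws_id=$2
  vnet_id=$(az databricks workspace show --ids "$ws_id" \
              --query 'parameters.customVirtualNetworkId.value' -o tsv)
  status=$(classify_vnet_value "$vnet_id")
  printf '%s\t%s\t%s\t%s\n' "$status" "$sub_id" \
    "$(workspace_name_from_id "$ws_id")" "${vnet_id:--}"
}

# Walk every subscription (steps 01-03) and every workspace in it (steps 04/05).
audit_all() {
  az account list --query '[*].id' -o tsv | while IFS= read -r sub_id; do
    az account set --subscription "$sub_id"
    az databricks workspace list --query '[*].id' -o tsv | while IFS= read -r ws_id; do
      audit_workspace "$sub_id" "$ws_id"
    done
  done
}

# Run the live audit only when invoked with --run, so the functions above can
# also be sourced and reused (for example, to classify saved az output).
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

Run it as `sh audit_databricks_vnet.sh --run` and filter the report for NON_COMPLIANT or UNKNOWN lines; any workspace in those rows is a candidate for the redeployment described under Remediation / Resolution.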
Remediation / Resolution
To deploy your Azure Databricks workspace to a customer-managed Virtual Network (VNet), you must re-create your workspace with the appropriate networking configuration. To redeploy your Azure Databricks workspace, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Azure Databricks blade available at https://portal.azure.com/#browse/Microsoft.Databricks%2Fworkspaces.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 Click on the name (link) of the Azure Databricks workspace that you want to re-create and copy any relevant configuration information.
05 Navigate back to the Azure Databricks blade, choose Create, and perform the following actions to create a new Azure Databricks workspace:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the new Databricks workspace in the Workspace name box.
- For Region, select the Azure cloud region where the workspace instance will be deployed.
- For Pricing Tier, choose the appropriate pricing tier (must match the source workspace configuration).
- Choose Next : Networking > to continue the setup process.
- For Networking, provide the following information:
- For Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP), choose whether to enable secure cluster connectivity for the new workspace.
- For Deploy Azure Databricks workspace in your own Virtual Network (VNet), choose Yes to deploy the workspace instance to a customer-managed Virtual Network (VNet).
- For Virtual network, choose the name of the customer-managed Virtual Network (VNet) that you want to use for your Databricks workspace. Two new subnets (one public and one private) will be created in the selected Virtual Network, and both subnets will be implicitly delegated to the Azure Databricks service on your behalf.
- For Public Subnet Name, provide a unique name for the new public subnet.
- For Public Subnet CIDR Range, enter the CIDR range for the public subnet. The subnet's CIDR range should be less than or equal to /28.
- For Private Subnet Name, provide a unique name for the new private subnet.
- For Private Subnet CIDR Range, enter the CIDR range for the private subnet. The subnet's CIDR range should be less than or equal to /28.
- (Optional) If you selected Yes for Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP), you can provide a name for the NAT gateway that Azure Databricks will deploy on your behalf in the Nat Gateway Name box.
- Choose Next : Encryption > to continue the setup.
- For Encryption, perform the following actions:
- For Managed Disks, check the Use your own key setting checkbox.
- Enter the identifier of the Customer-Managed Key (CMK) that you want to use for CMK-based encryption in the Key Identifier box (must match the source workspace configuration).
- Select the appropriate Azure subscription from the Subscription dropdown menu.
- Check the Enable Auto Rotation of Key setting checkbox to enable automatic key rotation.
- For Managed Services, repeat the three Managed Disks actions above (Use your own key, Key Identifier, and Enable Auto Rotation of Key) to enable CMK-based encryption for supported managed services.
- Choose whether to enable double encryption for DBFS root.
- Choose Next : Security & compliance > to continue the setup.
- For Security & compliance, configure the Enhanced Security and Compliance add-on provided by Azure Databricks (must match the source workspace configuration). Choose Next : Tags > to continue.
- For Tags, use the Name and Value fields to create tags that help identify and organize the new resource. Choose Review + create to validate the workspace instance setup.
- For Review + create, review the resource configuration details, then choose Create to deploy your new Azure Databricks workspace instance.
06 Repeat steps no. 4 and 5 for each Azure Databricks workspace that you want to redeploy, available in the selected subscription.
07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to re-create as the identifier parameter, to describe the configuration information available for the selected workspace:
az databricks workspace show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
05 The command output should return the requested configuration information. This information can be useful for your Databricks workspace redeployment:
{ "createdDateTime": "2025-04-07T08:48:47.6044025Z", "defaultCatalog": { "initialName": "", "initialType": "UnityCatalog" }, "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace", "isUcEnabled": true, "location": "westeurope", "managedResourceGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/databricks-rg-cc-project9-data-workspace-abcd1234abcd1234", "name": "cc-project9-data-workspace", "parameters": { "enableNoPublicIp": { "type": "Bool", "value": true }, "natGatewayName": { "type": "String", "value": "nat-gateway" }, "prepareEncryption": { "type": "Bool", "value": false }, "publicIpName": { "type": "String", "value": "nat-gw-public-ip" }, "requireInfrastructureEncryption": { "type": "Bool", "value": false }, "resourceTags": { "type": "Object", "value": { "application": "databricks", "databricks-environment": "true" } }, "storageAccountName": { "type": "String", "value": "abcd1234abcd1234abcd" }, "storageAccountSkuName": { "type": "String", "value": "Standard_GRS" }, "vnetAddressPrefix": { "type": "String", "value": "10.139" } }, "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "sku": { "name": "premium" }, "tags": {}, "type": "Microsoft.Databricks/workspaces", "workspaceId": "1234567890123456", "workspaceUrl": "adb-1234567890123456.0.azuredatabricks.net" }
06 Run databricks workspace create command (Windows/macOS/Linux) to create a new Azure Databricks workspace instance and deploy it to a customer-managed Virtual Network (VNet). Use the --vnet, --public-subnet, and --private-subnet parameters to specify the Virtual Network to deploy the workspace to, and the required public and private subnets:
az databricks workspace create --name cc-project9-vnet-workspace --resource-group cloud-shell-storage-westeurope --managed-resource-group cc-databricks-managed-group --location westeurope --sku premium --enable-no-public-ip true --required-nsg-rules NoAzureDatabricksRules --public-network-access Disabled --vnet "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet" --public-subnet cc-project9-vnet-subnet-001 --private-subnet cc-project9-vnet-subnet-002
07 The command output should return the configuration information available for the new Databricks workspace:
{ "authorizations": [ { "principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd", "roleDefinitionId": "abcdabcd-1234-abcd-1234-abcdabcdabcd" } ], "createdBy": { "applicationId": "abcdabcd-1234-abcd-1234-abcdabcdabcd", "oid": "abcdabcd-1234-abcd-1234-abcdabcdabcd", "puid": "ABCD1234ABCD1234" }, "createdDateTime": "2025-04-08T10:41:05.9506678Z", "defaultCatalog": { "initialName": "", "initialType": "UnityCatalog" }, "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-vnet-workspace", "isUcEnabled": true, "location": "westeurope", "managedResourceGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/databricks-rg-cc-project9-vnet-workspace-abcd1234abcd1234", "name": "cc-project9-vnet-workspace", "parameters": { "customPrivateSubnetName": { "type": "String", "value": "cc-project9-vnet-subnet-002" }, "customPublicSubnetName": { "type": "String", "value": "cc-project9-vnet-subnet-001" }, "customVirtualNetworkId": { "type": "String", "value": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cc-project9-resource-group/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet" }, "enableNoPublicIp": { "type": "Bool", "value": true }, "prepareEncryption": { "type": "Bool", "value": false }, "requireInfrastructureEncryption": { "type": "Bool", "value": false }, "resourceTags": { "type": "Object", "value": { "application": "databricks", "databricks-environment": "true" } }, "storageAccountName": { "type": "String", "value": "abcd1234abcd1234abcd" }, "storageAccountSkuName": { "type": "String", "value": "Standard_GRS" } }, "provisioningState": "Succeeded", "publicNetworkAccess": "Disabled", "requiredNsgRules": "NoAzureDatabricksRules", "resourceGroup": "cloud-shell-storage-westeurope", "sku": { "name": "premium" }, "tags": {}, "type": "Microsoft.Databricks/workspaces", "workspaceId": "1234567890123456", "workspaceUrl": "adb-1234567890123456.16.azuredatabricks.net" }
08 Repeat steps no. 4 - 7 for each Azure Databricks workspace that you want to redeploy, available in the selected subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
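The script below is an added example, not part of the original page, that ties steps 04 to 06 of the CLI remediation together: it reads the location, SKU and enableNoPublicIp setting of the source workspace with a single --query (so they are carried over rather than retyped) and renders the databricks workspace create command from step 06 for review before you run it. It assumes the Azure CLI is installed and signed in; the new workspace name, the new managed resource group name, the customer-managed VNet resource ID and the two subnet names are inputs you supply. One detail it handles: under -o tsv, az prints booleans as True/False, while --enable-no-public-ip expects lowercase true/false.

```shell
#!/bin/sh
# Added example (not the original page's code): build the step-06 create
# command from the source workspace's settings (steps 04/05).
# Assumes: Azure CLI installed and signed in; VNet and subnets already exist.
set -eu

# "az ... -o tsv" prints booleans as True/False; --enable-no-public-ip wants
# lowercase true/false, so normalize before reuse.
normalize_bool() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# Print (do not execute) the create command for review. Arguments:
#   1 new workspace name   2 resource group      3 new managed resource group
#   4 location             5 sku                 6 enableNoPublicIp (True/False)
#   7 VNet resource ID     8 public subnet name  9 private subnet name
# --required-nsg-rules and --public-network-access match the step-06 command.
render_create_command() {
  printf 'az databricks workspace create --name %s --resource-group %s --managed-resource-group %s --location %s --sku %s --enable-no-public-ip %s --required-nsg-rules NoAzureDatabricksRules --public-network-access Disabled --vnet "%s" --public-subnet %s --private-subnet %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$(normalize_bool "$6")" "$7" "$8" "$9"
}

# Read the three settings worth carrying over from the source workspace as
# one tab-separated row (a JMESPath multiselect list under -o tsv).
read_source_settings() {
  az databricks workspace show --ids "$1" \
    --query '[location, sku.name, parameters.enableNoPublicIp.value]' -o tsv
}

# Usage: sh redeploy_plan.sh <source workspace ID> <new name> <resource group> \
#          <new managed resource group> <vnet ID> <public subnet> <private subnet>
if [ $# -eq 7 ]; then
  read_source_settings "$1" | while IFS="$(printf '\t')" read -r location sku no_public_ip; do
    render_create_command "$2" "$3" "$4" "$location" "$sku" "$no_public_ip" "$5" "$6" "$7"
  done
fi
```

The printed command is meant to be reviewed (for example, to add the encryption or tag settings from step 05 that it does not carry over) and then executed by hand, which keeps the destructive part of the redeployment an explicit decision.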
References
- Azure Official Documentation
- Networking
- Deploy Azure Databricks in your Azure virtual network (VNet injection)
- Quickstart: Create an Azure Databricks workspace in your own Virtual Network
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az databricks workspace list
- az databricks workspace show
- az databricks workspace create