End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Enable Secure Cluster Connectivity

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Databricks-004

Ensure that secure cluster connectivity (also known as No Public IP Configuration) is enabled for your Microsoft Azure Databricks workspaces. This configuration ensures that clusters are provisioned without public IP addresses and communicate with the control plane exclusively over a secure, private network connection.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To enable secure cluster connectivity, Microsoft Azure Databricks workspaces should run within a customer-managed Virtual Network (VNet). If your Databricks workspace was not deployed to a customer-managed VNet, refer to Check for Virtual Network (VNet) Injection for VNet integration.


Audit

To determine if secure cluster connectivity is enabled for your Azure Databricks workspaces, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

05 Click on the name (link) of the Azure Databricks workspace that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

07 Select the Network access tab and check the state of the Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) setting to determine the Secure Cluster Connectivity feature status. If Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) is set to Disabled, Secure Cluster Connectivity (No Public IP) is not enabled for the selected Azure Databricks workspace.

08 Repeat steps no. 5 – 7 for each Azure Databricks workspace available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:

az databricks workspace list --query '[*].id'

05 The command output should return the requested Databricks workspace IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace"
]

06 Run the databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to determine the Secure Cluster Connectivity feature status for the selected workspace:

az databricks workspace show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace" --query 'parameters.enableNoPublicIp.value'

07 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the databricks workspace show command output returns false, as shown in the example above, Secure Cluster Connectivity (No Public IP) is not enabled for the selected Azure Databricks workspace.

08 Repeat steps no. 6 and 7 for each Azure Databricks workspace available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
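
The CLI audit steps above, combined into one script as an added example (not part of the original Conformity page): it walks every subscription and workspace and classifies each one by parameters.enableNoPublicIp.value. The function names and the UNKNOWN status for a missing value are assumptions of this example, and it passes the global --subscription argument instead of calling az account set.

```shell
#!/bin/sh
# Added example: audit all Azure Databricks workspaces for Secure Cluster
# Connectivity (No Public IP). Requires az with the databricks extension.

TAB="$(printf '\t')"

# Classify one value of parameters.enableNoPublicIp.value as printed by az.
classify_npip() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true)  echo "COMPLIANT" ;;
    false) echo "NON_COMPLIANT" ;;
    *)     echo "UNKNOWN" ;;  # assumption: value absent, review manually
  esac
}

# Print "<status><TAB><workspace id>" for each workspace in subscription $1.
audit_subscription() {
  az databricks workspace list --subscription "$1" \
      --query '[].[id, parameters.enableNoPublicIp.value]' -o tsv |
  while IFS="$TAB" read -r ws_id ws_value; do
    [ -n "$ws_id" ] || continue
    printf '%s\t%s\n' "$(classify_npip "$ws_value")" "$ws_id"
  done
}

# Audit every subscription; return 1 if any workspace is not COMPLIANT.
audit_all_subscriptions() {
  audit_rc=0
  for sub_id in $(az account list --query '[].id' -o tsv); do
    sub_report="$(audit_subscription "$sub_id")"
    if [ -n "$sub_report" ]; then printf '%s\n' "$sub_report"; fi
    if printf '%s\n' "$sub_report" | grep -Eq '^(NON_COMPLIANT|UNKNOWN)'; then
      audit_rc=1
    fi
  done
  return "$audit_rc"
}

# Run against the live account only when invoked with --run (after az login).
if [ "${1:-}" = "--run" ]; then audit_all_subscriptions; fi
```

The non-zero return from audit_all_subscriptions lets a scheduled job or pipeline step fail when any workspace still has the setting disabled.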

Remediation / Resolution

With Secure Cluster Connectivity, customer-managed Virtual Networks (VNets) have no open ports and Databricks Runtime cluster nodes have no public IP addresses. To enable Secure Cluster Connectivity for your Azure Databricks workspaces, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

05 Click on the name (link) of the Azure Databricks workspace that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

07 Select the Network access tab and set the Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) setting to Enabled to enable the Secure Cluster Connectivity feature for the selected Databricks workspace. Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the databricks workspace update command (OSX/Linux/UNIX) to enable the Secure Cluster Connectivity (No Public IP) feature for the selected Databricks workspace:

az databricks workspace update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace" --enable-no-public-ip true

05 The command output should return the configuration information available for the updated Databricks workspace:

{
	"authorizations": [
		{
			"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
			"roleDefinitionId": "abcd1234-abcd-1234-abcd-abcd1234abcd"
		}
	],
	"createdBy": {
		"applicationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"oid": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"puid": "ABCDABCDABCDABCD"
	},
	"createdDateTime": "2025-10-09T08:51:19.9701424Z",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"isUcEnabled": false,
	"location": "westeurope",
	"managedResourceGroupId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/databricks-rg-cc-project9-data-workspace-abcdabcdabcd",
	"name": "cc-project9-data-workspace",
	"parameters": {
		"customPrivateSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-002"
		},
		"customPublicSubnetName": {
			"type": "String",
			"value": "cc-project9-vnet-subnet-001"
		},
		"customVirtualNetworkId": {
			"type": "String",
			"value": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet"
		},
		"enableNoPublicIp": {
			"type": "Bool",
			"value": true
		},
		"prepareEncryption": {
			"type": "Bool",
			"value": false
		},
		"requireInfrastructureEncryption": {
			"type": "Bool",
			"value": false
		},
		"resourceTags": {
			"type": "Object",
			"value": {
				"application": "databricks",
				"databricks-environment": "true"
			}
		},
		"storageAccountName": {
			"type": "String",
			"value": "abcdabcdabcdabcdabcdabcd"
		},
		"storageAccountSkuName": {
			"type": "String",
			"value": "Standard_GRS"
		}
	},
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "premium"
	},
	"tags": {},
	"type": "Microsoft.Databricks/workspaces",
	"workspaceId": "123456789012",
	"workspaceUrl": "adb-123456789012.5.azuredatabricks.net"
}

06 Repeat steps no. 4 and 5 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.


Publication date Nov 7, 2025