Use Network Security Groups
Ensure that your Microsoft Azure Databricks workspaces deployed into your own Virtual Network (VNet injection) are configured to use Network Security Groups (NSGs). An NSG attached to the workspace subnets filters inbound and outbound traffic at the subnet boundary, so that only the flows the workspace actually needs (traffic between cluster nodes, and traffic to the Databricks control plane and metastore) are allowed and everything else is denied.
Using Network Security Groups (NSGs) to control traffic to and from Azure Databricks workspaces is important for the following reasons:
- Traffic Filtering: an NSG is a stateful packet filter that allows or denies inbound and outbound traffic based on rules you define. Restricting each rule to the sources, destinations and ports a cluster actually needs reduces the attack surface of the cluster nodes.
- Isolation and Segmentation: NSGs let you segment the Databricks subnets from other resources in the VNet, so that only authorized traffic can reach the cluster nodes and only approved destinations can be reached from them.
- Compliance and Security Policies: NSG rules are a concrete, auditable enforcement point for organizational network policies and for regulatory requirements that call for controlling data flows and limiting unauthorized access.
- Mitigating Threats: an NSG limits exposure to port scanning and unauthorized connection attempts from other networks, and a restrictive outbound rule set limits where a compromised cluster node can connect. NSGs are not a DDoS mitigation control: they filter traffic, they do not absorb it.
Overall, an NSG is the baseline network control for a VNet-injected Azure Databricks workspace: without one, nothing filters traffic at the subnet boundary.
Audit
To determine if your Azure Databricks workspaces are configured to use Network Security Groups (NSGs), perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.
05 Click on the name (link) of the Azure Databricks workspace that you want to examine.
06 In the resource navigation panel, under Settings, select Properties to access the configuration properties available for the selected workspace.
07 In the Parameters section, check the Custom public subnet name and Custom private subnet name parameter values to identify the names of the two VNet subnets (the host and container subnets) associated with your Databricks workspace. If these parameters have no value, Virtual Network (VNet) integration is not enabled for the selected Azure Databricks workspace and this check does not apply. If they are configured, copy both subnet names.
08 Navigate to Virtual networks blade available at https://portal.azure.com/#view/HubsExtension/AssetMenuBlade/~/virtualnetworks/assetName/NetworkFoundation/extensionName/Microsoft_Azure_Network.
09 Click on the name (link) of the Virtual Network (VNet) associated with your Databricks workspace.
10 In the resource navigation panel, under Settings, select Subnets to access the subnets configured for the selected VNet.
11 Paste one of the subnet names copied in step no. 7 in the Search subnets box and click on the name (link) of the matching VNet subnet.
12 In the Security section, check the Network security group setting to identify the name of the Network Security Group configured for the selected subnet. If Network security group is set to None, the subnet has no NSG attached and the selected Microsoft Azure Databricks workspace is not configured to use Network Security Groups (NSGs). Repeat steps no. 11 and 12 for the second subnet; both the public (host) and the private (container) subnet must have an NSG attached.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:
az databricks workspace list --query '[*].id'
05 The command output should return the requested Databricks workspace IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace" ]
06 Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to describe the Virtual Network (VNet) and the two VNet subnets associated with the selected Databricks workspace:
az databricks workspace show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace" \
  --query '{"customVirtualNetworkId":parameters.customVirtualNetworkId.value,"customPublicSubnetName":parameters.customPublicSubnetName.value,"customPrivateSubnetName":parameters.customPrivateSubnetName.value}'
07 The command output should return the resource ID of the VNet and the names of the two subnets associated with your workspace. If the command output returns null for these attributes, Virtual Network (VNet) integration is not enabled for the selected Databricks workspace and this check does not apply. Otherwise, it should return the VNet ID and the subnet names, as shown in the example below:
{
"customVirtualNetworkId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet",
"customPublicSubnetName": "cc-project9-vnet-subnet-001",
"customPrivateSubnetName": "cc-project9-vnet-subnet-002"
}
08 Run resource show command (Windows/macOS/Linux) to describe the ID of the Network Security Group (NSG) configured for a VNet subnet associated with your Databricks workspace. Use the VNet name and resource group from the customVirtualNetworkId value and a subnet name returned in the previous step:
az resource show \
  --name "cc-project9-vnet-subnet-001" \
  --resource-group "cloud-shell-storage-westeurope" \
  --namespace "Microsoft.Network" \
  --parent "virtualnetworks/cc-project9-vnet" \
  --resource-type "subnets" \
  --query '{"NetworkSecurityGroupId":properties.networkSecurityGroup.id}'
09 The command output should return the ID of the NSG attached to the subnet, or null if the subnet has no NSG:
{
"NetworkSecurityGroupId": null
}
If the resource show command output returns null for the "NetworkSecurityGroupId" attribute, as shown in the example above, the subnet has no NSG attached and the selected Microsoft Azure Databricks workspace is not configured to use Network Security Groups (NSGs). Repeat steps no. 8 and 9 for the private subnet (the customPrivateSubnetName value); the workspace is compliant only if both subnets return an NSG ID.
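The audit above resolves one workspace by hand. The following Python script, added here as an example and not code from the original page or from Microsoft, applies the same checks to every Databricks workspace in the active subscription: it reads the customVirtualNetworkId, customPublicSubnetName and customPrivateSubnetName parameters from az databricks workspace show, resolves each subnet's NSG with az network vnet subnet show, and reports a workspace as non-compliant if either subnet has no NSG. It assumes a signed-in az CLI for its --live mode; the SAMPLE_* inputs (workspace, VNet, subnet and NSG names) are constructed so that the evaluation logic runs offline.

```python
"""Audit every Azure Databricks workspace in the active subscription for an NSG
on each of its VNet-injected subnets.

Added example, not code from the original page or from Microsoft. Assumes a
signed-in az CLI (az login / az account set) for --live mode; the SAMPLE_*
data at the bottom is constructed so the evaluation logic runs offline.
"""
from __future__ import annotations

import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    workspace: str
    subnet_id: Optional[str]
    nsg_id: Optional[str]
    status: str  # COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE (no VNet injection)


def az(*args: str):
    """Run an az CLI command and parse its JSON output (live mode only)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def param(workspace: dict, name: str) -> Optional[str]:
    """parameters.<name>.value from `az databricks workspace show` output;
    None when the parameter is absent or null (managed-VNet workspace)."""
    return ((workspace.get("parameters") or {}).get(name) or {}).get("value")


def subnet_ids(workspace: dict) -> list:
    """Resource IDs of the host (public) and container (private) subnets."""
    vnet_id = param(workspace, "customVirtualNetworkId")
    if not vnet_id:
        return []
    names = (param(workspace, "customPublicSubnetName"),
             param(workspace, "customPrivateSubnetName"))
    return [f"{vnet_id}/subnets/{n}" for n in names if n]


def evaluate(workspace: dict, subnet_nsg: dict) -> list:
    """Classify a workspace given a map of subnet ID -> NSG ID (None = no NSG).
    One subnet without an NSG is enough to make the workspace non-compliant."""
    name = workspace["name"]
    ids = subnet_ids(workspace)
    if not ids:
        return [Finding(name, None, None, "NOT_APPLICABLE")]
    findings = []
    for sid in ids:
        nsg = subnet_nsg.get(sid)
        findings.append(Finding(name, sid, nsg, "COMPLIANT" if nsg else "NON_COMPLIANT"))
    return findings


def audit_active_subscription() -> list:
    """Live audit: list workspaces, then resolve each subnet's NSG via az."""
    findings = []
    for ws in az("databricks", "workspace", "list"):
        lookup = {}
        for sid in subnet_ids(ws):
            subnet = az("network", "vnet", "subnet", "show", "--ids", sid)
            lookup[sid] = (subnet.get("networkSecurityGroup") or {}).get("id")
        findings.extend(evaluate(ws, lookup))
    return findings


# ---- Constructed sample data (not real Azure output) ----
_VNET = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
         "cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet")
SAMPLE_INJECTED_WS = {
    "name": "cc-project9-data-workspace",
    "parameters": {
        "customVirtualNetworkId": {"type": "String", "value": _VNET},
        "customPublicSubnetName": {"type": "String", "value": "cc-project9-vnet-subnet-001"},
        "customPrivateSubnetName": {"type": "String", "value": "cc-project9-vnet-subnet-002"},
    },
}
SAMPLE_MANAGED_WS = {  # no VNet injection: the check does not apply
    "name": "cc-prod-databricks-workspace",
    "parameters": {"enableNoPublicIp": {"type": "Bool", "value": True}},
}
# Public subnet has no NSG, private subnet has one: the workspace is non-compliant.
SAMPLE_SUBNET_NSG = {
    f"{_VNET}/subnets/cc-project9-vnet-subnet-001": None,
    f"{_VNET}/subnets/cc-project9-vnet-subnet-002": _VNET.replace(
        "virtualNetworks/cc-project9-vnet", "networkSecurityGroups/cc-databricks-workspace-nsg"),
}


def main(live: bool = False) -> list:
    findings = audit_active_subscription() if live else (
        evaluate(SAMPLE_INJECTED_WS, SAMPLE_SUBNET_NSG) + evaluate(SAMPLE_MANAGED_WS, {}))
    for f in findings:
        print(f"{f.status:<14} {f.workspace:<32} {f.subnet_id or '-'}")
    return findings


if __name__ == "__main__":
    main(live="--live" in sys.argv)
```

Run it without arguments to see the constructed sample evaluated, or with --live to audit the subscription selected with az account set. The subnet IDs are built from the VNet ID, so the script needs no separate lookup of the VNet name.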
Remediation / Resolution
To configure Network Security Groups (NSGs) for your Microsoft Azure Databricks workspaces, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Network security groups blade available at https://portal.azure.com/#view/HubsExtension/AssetMenuBlade/~/NSGs/assetName/NetworkFoundation/extensionName/Microsoft_Azure_Network.
03 Choose Create and perform the following actions to create a new Network Security Group (NSG) for your Databricks workspace:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the Network Security Group in the Name box.
- For Region, select the Azure cloud region where the NSG instance will be deployed.
- Choose Next : Tags > to continue the setup.
- For Tags, use the Name and Value fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the NSG setup.
- For Review + create, review the resource configuration details, then choose Create to create your new Network Security Group (NSG).
04 Once your new Network Security Group (NSG) is available, select Go to resource to access your new NSG resource.
05 In the left navigation panel, under Settings, choose Inbound security rules, select Add, and perform the following actions to create a new inbound rule. The inbound rules that Azure Databricks requires are documented in "Deploy Azure Databricks in your Azure virtual network (VNet injection)" (see References); when the workspace subnets are delegated to Microsoft.Databricks/workspaces, Azure Databricks adds the rules it needs to the attached NSG itself, so limit the rules you add here to the additional access your own workloads need:
- For Source choose IP Addresses to allow inbound traffic from specified IP addresses only.
- For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses, or IP address ranges that will be allowed to access the resource associated with the selected Network Security Group. You can also provide a comma-separated list of IP addresses or address ranges.
- For Destination port ranges, provide a single port, such as 5557, or a comma-separated list of single ports. This specifies on which port(s) the inbound traffic will be allowed by the selected NSG rule.
- For Protocol, select the appropriate network protocol (e.g., TCP).
- Make sure that Action is set to Allow.
- For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
- Provide a unique name for the inbound rule in the Name box.
- Choose Add to create your new NSG inbound rule.
06 In the navigation panel, under Settings, choose Outbound security rules, select Add, and perform the following operations to create a new outbound rule. The outbound rules that Azure Databricks requires are documented in "Deploy Azure Databricks in your Azure virtual network (VNet injection)" (see References); as with inbound rules, Azure Databricks adds its own required outbound rules to the attached NSG, so the rules you add here should only cover the destinations your workloads need:
- For Destination choose IP Addresses to allow outbound traffic to specified IP addresses only.
- For Destination IP addresses/CIDR ranges, provide the IP address, IP addresses, or IP address ranges for the outgoing traffic, allowed by this rule.
- For Destination port ranges, provide a single port, such as 443, or a comma-separated list of single ports. This specifies on which port(s) the outbound traffic will be allowed by the selected NSG rule.
- For Protocol, select the appropriate network protocol (e.g., TCP).
- Make sure that Action is set to Allow.
- For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
- Provide a unique name for the outbound rule in the Name box.
- Choose Add to create your new NSG outbound rule.
07 Navigate to Virtual networks blade available at https://portal.azure.com/#view/HubsExtension/AssetMenuBlade/~/virtualnetworks/assetName/NetworkFoundation/extensionName/Microsoft_Azure_Network.
08 Click on the name (link) of the Virtual Network (VNet) associated with your Azure Databricks workspace.
09 In the resource navigation panel, under Settings, select Subnets to access the subnets configured for the selected VNet.
10 Click on the name (link) of the associated Virtual Network (VNet) subnet.
11 In the Security section, select the name of your new Network Security Group (NSG) from the Network security group dropdown list, and choose Save to apply the configuration changes.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Microsoft Azure Databricks workspace:
az network nsg create --name cc-databricks-workspace-nsg --resource-group cloud-shell-storage-westeurope --location westeurope --query 'NewNSG.provisioningState'
05 The command output should return the NSG provisioning status:
"Succeeded"
06 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to create the inbound rules that your workspace requires (see "Deploy Azure Databricks in your Azure virtual network (VNet injection)" in References). The following example creates the worker-to-worker rule, which allows cluster nodes to reach each other inside the virtual network. Scope the source to the VirtualNetwork service tag rather than "*", otherwise the rule admits traffic from any address on every port:
az network nsg rule create --name databricks-worker-to-worker-inbound --nsg-name cc-databricks-workspace-nsg --resource-group cloud-shell-storage-westeurope --direction Inbound --access Allow --protocol Tcp --priority 100 --source-address-prefixes "VirtualNetwork" --destination-port-ranges "*" --destination-address-prefixes "VirtualNetwork" --description "Required for worker nodes communication within a cluster"
07 The command output should return the information available for the new NSG rule:
{
"access": "Allow",
"description": "Required for worker nodes communication within a cluster",
"destinationAddressPrefix": "VirtualNetwork",
"destinationAddressPrefixes": [],
"destinationPortRange": "*",
"destinationPortRanges": [],
"direction": "Inbound",
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-databricks-workspace-nsg/securityRules/databricks-worker-to-worker-inbound",
"name": "databricks-worker-to-worker-inbound",
"priority": 100,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "VirtualNetwork",
"sourceAddressPrefixes": [],
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
08 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to create the outbound rules that your workspace requires. The following example creates the worker-to-sql rule, which allows cluster nodes to reach the Sql service tag on TCP port 3306 (MySQL, used by the workspace metastore):
az network nsg rule create --name databricks-worker-to-sql --nsg-name cc-databricks-workspace-nsg --resource-group cloud-shell-storage-westeurope --direction Outbound --access Allow --protocol Tcp --priority 150 --source-address-prefixes "VirtualNetwork" --destination-port-ranges 3306 --destination-address-prefixes "Sql" --description "Required for workers communication with Azure SQL services"
09 The command output should return the information available for the new NSG rule:
{
"access": "Allow",
"description": "Required for workers communication with Azure SQL services",
"destinationAddressPrefix": "Sql",
"destinationAddressPrefixes": [],
"destinationPortRange": "3306",
"destinationPortRanges": [],
"direction": "Outbound",
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-databricks-workspace-nsg/securityRules/databricks-worker-to-sql",
"name": "databricks-worker-to-sql",
"priority": 150,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "VirtualNetwork",
"sourceAddressPrefixes": [],
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
10 Run network vnet subnet update command (Windows/macOS/Linux) to associate the Network Security Group (NSG) created earlier in the Remediation process with a VNet subnet configured for your Azure Databricks workspace. Run the command once for the public (host) subnet and once for the private (container) subnet; both must have an NSG attached:
az network vnet subnet update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001" \
  --network-security-group cc-databricks-workspace-nsg
11 The command output should return the information available for the configured VNet subnet, including the NSG that is now attached to it. A subnet used for VNet injection is delegated to Microsoft.Databricks/workspaces, as shown in the example below:
{
"addressPrefix": "10.0.2.0/24",
"delegations": [
{
"actions": [
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action"
],
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001/delegations/delegation",
"name": "delegation",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"serviceName": "Microsoft.Databricks/workspaces",
"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
}
],
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001",
"name": "cc-project9-vnet-subnet-001",
"networkSecurityGroup": {
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-databricks-workspace-nsg",
"resourceGroup": "cloud-shell-storage-westeurope"
},
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"type": "Microsoft.Network/virtualNetworks/subnets"
}
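Attaching an NSG is only useful if its rules are tighter than the defaults: an inbound Allow rule with source "*" and destination port "*" admits the same traffic as no NSG at all, while the same rule scoped to the VirtualNetwork service tag admits only intra-VNet traffic. The Python check below, added here as an example and not code from the original page or from Microsoft, evaluates an NSG's inbound rules the way Azure does (ascending priority, first match wins, then the built-in AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound rules) and reports which probe ports the Internet service tag can reach. Rule objects follow the shape of az network nsg rule list output; load_rules fetches them live, while the SAMPLE_* rule sets, the probe ports (22, and 5557 from the console example above) and the literal string matching of source prefixes are assumptions made for this example (CIDR prefixes are not expanded).

```python
"""Evaluate an NSG's inbound rules in Azure priority order and report which
probe ports the Internet service tag can reach.

Added example, not code from the original page or from Microsoft. Rule dicts
have the shape of `az network nsg rule list` output; the SAMPLE_* rule sets
are constructed. Simplification: a rule's source prefix matches a probe when
it is "*" or the same service-tag string; CIDR prefixes are not expanded.
"""
from __future__ import annotations

import json
import subprocess

# Azure's built-in inbound rules, always present below any custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def _values(rule: dict, single: str, plural: str) -> list:
    """az fills either the singular field or the plural list; merge both."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is "*", a single port, or an inclusive range "lo-hi"."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule: dict, source: str, port: int, protocol: str = "Tcp") -> bool:
    """Does this inbound rule apply to traffic from `source` to `port`?"""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*") not in ("*", protocol):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(s == "*" or s == source for s in sources):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return any(_port_matches(p, port) for p in ports)


def effective_action(rules: list, source: str, port: int, protocol: str = "Tcp") -> tuple:
    """(access, rule name) of the first matching rule by ascending priority."""
    for rule in sorted([*rules, *DEFAULT_INBOUND], key=lambda r: r["priority"]):
        if rule_matches(rule, source, port, protocol):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # unreachable with the defaults present


def internet_exposed_ports(rules: list, ports=(22, 5557)) -> list:
    """Probe ports the Internet tag can reach, with the rule that allows each."""
    hits = []
    for port in ports:
        access, name = effective_action(rules, "Internet", port)
        if access == "Allow":
            hits.append((port, name))
    return hits


def load_rules(nsg_name: str, resource_group: str) -> list:
    """Live mode: fetch the NSG's custom rules through the az CLI."""
    proc = subprocess.run(["az", "network", "nsg", "rule", "list", "--nsg-name", nsg_name,
                           "--resource-group", resource_group, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# ---- Constructed samples: the same worker-to-worker rule, scoped two ways ----
def _worker_rule(source: str) -> dict:
    return {"name": "databricks-worker-to-worker-inbound", "priority": 100,
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": source, "sourceAddressPrefixes": [],
            "destinationAddressPrefix": "VirtualNetwork",
            "destinationPortRange": "*", "destinationPortRanges": []}


SAMPLE_OPEN_RULES = [_worker_rule("*")]                 # any source, any port
SAMPLE_SCOPED_RULES = [_worker_rule("VirtualNetwork")]  # intra-VNet only

if __name__ == "__main__":
    for label, rules in (("open", SAMPLE_OPEN_RULES), ("scoped", SAMPLE_SCOPED_RULES)):
        print(f"{label}: Internet-reachable probe ports: {internet_exposed_ports(rules)}")
```

With the "*" source, the Internet reaches both probe ports through the custom rule at priority 100; with the VirtualNetwork source, the probes fall through to DenyAllInBound while intra-VNet traffic is still allowed. Pass load_rules("cc-databricks-workspace-nsg", "cloud-shell-storage-westeurope") to internet_exposed_ports to run the same check against a real NSG.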
References
- Azure Official Documentation
- Networking
- Deploy Azure Databricks in your Azure virtual network (VNet injection)
- Azure network security groups overview
- Create, change, or delete a network security group
- Azure best practices for network security
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az databricks workspace list
- az databricks workspace show
- az resource show
- az network nsg create
- az network nsg rule create
- az network vnet subnet update