
Use Private Endpoints for Azure Databricks Workspaces

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

To reduce the risk of exposure to external threats and strengthen the overall security of your Azure Databricks interactions, ensure that your Azure Databricks workspaces are accessed exclusively through private endpoint connections.

Security

Using private endpoints for Azure Databricks workspaces enables secure access to the workspace over Azure Private Link. The private endpoint is assigned an IP address from a subnet in your virtual network, so traffic between your clients and the workspace stays on the Microsoft Azure backbone network and is never exposed to the public Internet. Combined with disabled public network access, this setup ensures that the workspace can only be reached from within the virtual network, reduces the risk of data exfiltration, and supports secure on-premises connectivity through Azure VPN Gateway or ExpressRoute with private peering. It also helps maintain compliance with regulatory requirements and organizational policies by enforcing strict network access controls and minimizing the attack surface available to an adversary.

The following conditions must be satisfied prior to configuring a private endpoint for your Azure Databricks workspace:

  1. The Databricks workspace should run within a customer-managed Virtual Network (VNet). If your Databricks workspace was not deployed to a customer-managed VNet, refer to Check for Virtual Network (VNet) Injection for VNet integration.
  2. Secure cluster connectivity must be enabled for your Azure Databricks workspaces. To enable the security feature refer to the Enable Secure Cluster Connectivity page.
  3. Public network access to the Databricks workspace must be disabled. To block public network access to your Databricks workspace, refer to the Disable Public Network Access page.
  4. Your Databricks workspaces must be on the Premium pricing tier.

Audit

To determine if your Azure Databricks workspaces are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

05 Click on the name (link) of the Azure Databricks workspace that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

07 Select the Private endpoint connections tab and check for any private endpoints configured for your workspace. If there are no private endpoints listed on this page, or none of the listed connections is approved (i.e., Connection state is not set to Approved), the selected Azure Databricks workspace is not configured to allow network access via private endpoints only. An approved private endpoint is only half of the control: also confirm on the same Networking page that Public network access is set to Disabled, otherwise the workspace remains reachable over its public URL.

08 Repeat steps no. 5 - 7 for each Azure Databricks workspace available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run databricks workspace list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Databricks workspace available in the selected Azure subscription:

az databricks workspace list
	--query '[*].id'

05 The command output should return the requested Databricks workspace IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-prod-databricks-workspace"
]

06 Run databricks workspace show command (Windows/macOS/Linux) with the ID of the Azure Databricks workspace that you want to examine as the identifier parameter and custom output filters to describe the private endpoint connections configured for the selected Databricks workspace:

az databricks workspace show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--query '{"privateEndpointConnections":privateEndpointConnections}'

07 The command output should return the information available for the configured private endpoints:

{
	"privateEndpointConnections": null
}

If the databricks workspace show command output returns null for the "privateEndpointConnections" configuration attribute, as shown in the example above, or lists only connections whose "status" is not "Approved", the selected Azure Databricks workspace is not configured to allow network access via private endpoints only. Because an approved private endpoint does not by itself block access over the public URL, also confirm that the "publicNetworkAccess" attribute returned by the same command is set to "Disabled".

08 Repeat steps no. 6 and 7 for each Azure Databricks workspace available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
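The CLI audit above can be scripted end to end. The following Python helper is an added example, not code from this page, from Trend Micro, or from Microsoft: it evaluates the JSON that the databricks workspace show command returns and reports a workspace as compliant only when it has at least one private endpoint connection in the Approved state and public network access is disabled (the prerequisite from the Security section), since an approved endpoint alone still leaves the public workspace URL reachable. The sample workspace documents are constructed to mirror the shape of the command output, using the placeholder subscription and workspace names from this page; the function names, and the assumption that the CLI flattens the workspace properties so that publicNetworkAccess and privateEndpointConnections appear at the top level while each connection may still nest its state under a properties key, are assumptions of this example.

```python
"""Audit Azure Databricks workspaces for private-endpoint-only access.

Added example, not code from the Trend Vision One / Conformity page or
from Microsoft. It evaluates the JSON that `az databricks workspace show`
returns. Assumption: the CLI flattens the workspace `properties` bag, so
`publicNetworkAccess` and `privateEndpointConnections` sit at the top
level, while each connection may still carry its state under a nested
`properties` key (both shapes are handled).
"""
from __future__ import annotations

import json
import subprocess
from typing import Any

# Constructed samples mirroring the shape of the CLI output; the
# subscription and workspace names are the placeholders used on this page.
_RG = "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
_WS = _RG + "/providers/Microsoft.Databricks/workspaces/"

SAMPLE_NONCOMPLIANT = {
    "name": "cc-project9-data-workspace",
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": None,  # no endpoint was ever attached
}

SAMPLE_PENDING = {  # endpoint attached but never approved: carries no traffic
    "name": "cc-staging-databricks-workspace",
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{
        "id": _WS + "cc-staging-databricks-workspace/privateEndpointConnections/pe-staging",
        "properties": {
            "groupIds": ["databricks_ui_api"],
            "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval", "actionsRequired": "None"},
        },
    }],
}

SAMPLE_COMPLIANT = {
    "name": "cc-prod-databricks-workspace",
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{
        "id": _WS + "cc-prod-databricks-workspace/privateEndpointConnections/cc-databricks-private-connection",
        "properties": {
            "groupIds": ["databricks_ui_api"],
            "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved", "actionsRequired": "None"},
        },
    }],
}


def approved_private_endpoints(workspace: dict[str, Any]) -> list[str]:
    """Return the IDs of private endpoint connections in the Approved state.

    `privateEndpointConnections` is null when nothing was ever attached, so
    null is treated as an empty list. Pending or Rejected connections are
    ignored because they do not carry traffic.
    """
    approved: list[str] = []
    for conn in workspace.get("privateEndpointConnections") or []:
        props = conn.get("properties") or conn  # nested or flattened shape
        state = props.get("privateLinkServiceConnectionState") or {}
        if str(state.get("status", "")).lower() == "approved":
            approved.append(conn.get("id", "<unknown>"))
    return approved


def evaluate(workspace: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means access is private-endpoint only.

    An approved endpoint on its own is not enough: with public network
    access still enabled the workspace URL also answers from the Internet.
    A missing publicNetworkAccess attribute is treated as Enabled.
    """
    findings: list[str] = []
    if not approved_private_endpoints(workspace):
        findings.append("no approved private endpoint connection")
    if str(workspace.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        findings.append("publicNetworkAccess is not Disabled")
    return findings


def audit(workspaces: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each workspace name to its findings."""
    return {ws.get("name", "<unnamed>"): evaluate(ws) for ws in workspaces}


def _az(*args: str) -> str:
    """Run one Azure CLI command and return its JSON output as text."""
    cmd = ["az", *args, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def list_workspaces_via_cli() -> list[dict[str, Any]]:
    """Fetch every workspace in the active subscription, mirroring the
    list / show commands from the audit steps. Needs a logged-in `az`
    with the databricks extension; not exercised offline."""
    ids = json.loads(_az("databricks", "workspace", "list", "--query", "[*].id"))
    return [json.loads(_az("databricks", "workspace", "show", "--ids", wid)) for wid in ids]


if __name__ == "__main__":
    for name, findings in audit(list_workspaces_via_cli()).items():
        print(f"{name}: " + ("OK" if not findings else "FAIL: " + "; ".join(findings)))
```

Run it once per subscription after selecting the subscription with the account set command; a workspace is reported OK only when both conditions hold, so a Pending connection or a still-enabled public endpoint shows up as a finding rather than passing silently.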

Remediation / Resolution

To ensure that your Azure Databricks workspaces are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Azure Databricks Service for Value, and select Apply to list only the Azure Databricks service workspaces available in the selected subscription.

05 Click on the name (link) of the Azure Databricks workspace that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected workspace.

07 Select the Private endpoint connections tab, choose Private endpoint, and perform the following actions to deploy a new private endpoint for your Databricks workspace:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    5. Choose Next : Resource > to continue the setup process.
  2. For Resource, select databricks_ui_api from the Target sub-resource dropdown list. Choose Next : Virtual Network > to continue the setup.
  3. For Virtual Network, perform the following actions:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping virtual machines and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone (for Azure Databricks the zone is privatelink.azuredatabricks.net), so that the workspace URL resolves to the private IP address from inside the virtual network. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create to create a new private endpoint for your Azure Databricks workspace. The connection is auto-approved when your account has the required permissions on the workspace; otherwise it remains in the Pending state until the workspace owner approves it on the Private endpoint connections tab.

08 Repeat steps no. 5 - 7 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach an auto-approved private endpoint to your Microsoft Azure Databricks workspace. Use the --private-connection-resource-id command parameter to specify the resource ID of your Databricks workspace and the --group-id parameter to select the databricks_ui_api sub-resource. Note that this command does not configure DNS: for the workspace URL to resolve to the private endpoint address from inside the virtual network, link the endpoint to the privatelink.azuredatabricks.net private DNS zone afterwards (for example with the network private-endpoint dns-zone-group create command) or publish the record in your own DNS:

az network private-endpoint create
	--name cc-databricks-private-endpoint
	--resource-group cloud-shell-storage-westeurope
	--vnet-name cc-project9-vnet
	--subnet cc-project9-subnet-001
	--private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace"
	--connection-name cc-databricks-private-connection
	--group-id databricks_ui_api
	--location westeurope

05 The command output should return the new private endpoint configuration information:

{
	"customDnsConfigs": [
		{
			"fqdn": "adb-123456789012.5.azuredatabricks.net",
			"ipAddresses": [
				"10.0.2.4"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-databricks-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "cc-databricks-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-databricks-private-endpoint.nic.abcd1234-abcd-1234-abcd-1234abcd1234",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"databricks_ui_api"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-databricks-private-endpoint/privateLinkServiceConnections/cc-databricks-private-connection",
			"name": "cc-databricks-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Databricks/workspaces/cc-project9-data-workspace",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-subnet-001",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

06 Repeat steps no. 4 and 5 for each Azure Databricks workspace that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.

Publication date Nov 7, 2025