Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 2.1.11 Ensure private endpoints are used to access Azure Databricks workspaces

Description

Use private endpoints for Azure Databricks workspaces to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.

Using private endpoints for Azure Databricks workspaces ensures that all communication between clients, services, and data sources occurs over a secure, private IP space within an Azure Virtual Network (VNet). This approach eliminates exposure to the public internet, significantly reducing the attack surface and aligning with Zero Trust principles. Additionally, integrating Databricks with a VNet enables network segmentation, fine-grained access control, and hybrid connectivity through VNet peering or VPN/ExpressRoute.

Remediation

Remediate from Azure Portal

  1. Go to Azure Databricks.
  2. Click the name of a workspace.
  3. Under Settings, click Networking.
  4. Click Private endpoint connections.
  5. Click + Private endpoint.
  6. Under Project details, select a Subscription and a Resource group.
  7. Under Instance details, provide a Name, Network Interface Name, and select a Region.
  8. Click Next : Resource >.
  9. Select a Target sub-resource.
  10. Click Next : Virtual Network >.
  11. Under Networking, select a Virtual network and a Subnet.
  12. Optionally, configure Private IP configuration and Application security group.
  13. Click Next : DNS >.
  14. Optionally, configure Private DNS integration.
  15. Click Next : Tags >.
  16. Optionally, configure tags.
  17. Click Next : Review + create >.
  18. Click Create.
  19. Repeat steps 1-18 for each workspace requiring remediation

Remediate from Azure CLI

For each workspace requiring remediation, run the following command to create a private endpoint connection:

az network private-endpoint create --resource-group <resource-group> --name <private-endpoint> --location <location> --vnet-name <virtual-network> --subnet <subnet> --private-connection-resource-id <workspace> --connectionname <private-endpoint-connection> --group-id <browser_authentication|databricks_ui_api>

Default Value:

Private endpoints are not configured for Azure Databricks workspaces by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_2_1_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_2_1_11 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;

Tags

category = Compliance
cis = true
cis_item_id = 2.1.11
cis_level = 2
cis_section_id = 2.1
cis_type = automated
cis_version = v5.0.0
plugin = azure
service = Azure