turbot/steampipe-mod-azure-compliance

Control: 2.1.9 Ensure 'No Public IP' is set to 'Enabled'

Description

Enable secure cluster connectivity (also known as no public IP) on Azure Databricks workspaces to ensure that clusters do not have public IP addresses and communicate with the control plane over a secure connection.

Enabling secure cluster connectivity limits exposure to the public internet, improving security and reducing the risk of external attacks.

Remediation

Remediate from Azure Portal

  1. Go to Azure Databricks.
  2. Click the name of a workspace.
  3. Under Settings, click Networking.
  4. Under Network access, next to Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP), click the radio button next to Enabled.
  5. Click Save.
  6. Repeat steps 1-5 for each workspace requiring remediation.

Remediate from Azure CLI

For each workspace requiring remediation, run the following command to set enableNoPublicIp to true:

az databricks workspace update --resource-group <resource-group> --name <workspace> --enable-no-public-ip true

Remediate from PowerShell

For each workspace requiring remediation, run the following command to set EnableNoPublicIP to True:

Update-AzDatabricksWorkspace -ResourceGroupName <resource-group> -Name <workspace> -EnableNoPublicIP

Default Value

No Public IP is set to Enabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_2_1_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_2_1_9 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when (parameters -> 'enableNoPublicIp' -> 'value')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (parameters -> 'enableNoPublicIp' -> 'value')::bool then a.name || ' no public IP enabled.'
    else a.name || ' no public IP disabled.'
  end as reason
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_databricks_workspace as a
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;
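The same evaluation, carried out offline in Python as an added example (not part of the mod or of the Steampipe plugin): it walks the `parameters -> 'enableNoPublicIp' -> 'value'` path the query reads and shows how a missing or non-boolean value lands in the `alarm` branch, exactly as the SQL's NULL cast does. The workspace records are constructed samples shaped like the `parameters` column.

```python
"""Offline replica of the cis_v500_2_1_9 check over Databricks workspace records."""

# Constructed sample records shaped like the `parameters` column of
# azure_databricks_workspace (the ARM `properties.parameters` object).
# These are made-up workspaces, not real resources.
SAMPLE_WORKSPACES = [
    {"name": "dbw-prod", "resource_group": "rg-prod",
     "parameters": {"enableNoPublicIp": {"type": "Bool", "value": True}}},
    {"name": "dbw-legacy", "resource_group": "rg-legacy",
     "parameters": {"enableNoPublicIp": {"type": "Bool", "value": False}}},
    # Parameter block absent entirely: the SQL cast yields NULL, so the
    # CASE falls through to 'alarm' rather than silently passing.
    {"name": "dbw-unknown", "resource_group": "rg-misc", "parameters": None},
]


def no_public_ip_enabled(parameters):
    """Mirror `(parameters -> 'enableNoPublicIp' -> 'value')::bool`.

    Returns True only for a literal JSON boolean true. A missing key, a
    missing block or a non-boolean value is treated as not enabled, which
    matches the SQL: NULL (or a failed cast) never reaches the 'ok' branch.
    """
    if not isinstance(parameters, dict):
        return False
    param = parameters.get("enableNoPublicIp")
    if not isinstance(param, dict):
        return False
    return param.get("value") is True


def evaluate_workspace(ws):
    """Return the (status, reason) pair the control emits for one workspace."""
    enabled = no_public_ip_enabled(ws.get("parameters"))
    status = "ok" if enabled else "alarm"
    reason = f"{ws['name']} no public IP {'enabled' if enabled else 'disabled'}."
    return status, reason


def evaluate_all(workspaces):
    """Evaluate every workspace; returns a list of (name, status, reason)."""
    return [(ws["name"], *evaluate_workspace(ws)) for ws in workspaces]


if __name__ == "__main__":
    for name, status, reason in evaluate_all(SAMPLE_WORKSPACES):
        print(f"{status:5}  {reason}")
```

Assumption: the same `parameters` shape appears in the JSON that `az databricks workspace list -o json` returns, so the records can be swapped for real output when auditing outside Steampipe.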

Tags