Control: Ensure private endpoints are used to access Azure Databricks workspaces
Description
Use private endpoints for Azure Databricks workspaces to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.databricks_workspace_uses_private_endpointSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.databricks_workspace_uses_private_endpoint --shareSQL
This control uses a named query:
with databricks_workspace_connection as ( select distinct a.id from azure_databricks_workspace as a, jsonb_array_elements(private_endpoint_connections) as connection where connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved')select a.id as resource, case when c.id is null then 'alarm' else 'ok' end as status, case when c.id is null then a.title || ' does not use private endpoint.' else a.title || ' uses private endpoint.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_databricks_workspace as a left join databricks_workspace_connection as c on c.id = a.id left join azure_subscription sub on a.subscription_id = sub.subscription_id;