Locking down a port on Azure Databricks (managed resoruce)

Daniel Widdis 21 Reputation points
2020-10-20T00:21:22.12+00:00

I am trying to lock down a high risk port on a managed azure databricks workspace.

My problem is the exact opposite of the request on the question "Opening up port 443 on Azure Databricks (managed resource)". Instead of wanting to open up a port, like in that question, I want to restrict access to a port.

Similar to the asker of that other question, I attempted to edit the inbound rules in the security group worker-sg. Also similar to the asker of that other question, I was prevented from doing so by a system deny assignment put in place by Databricks itself.

My justification for wanting to lock down this port is to comply with Microsoft security policies.

How can I lock down ports on the Databricks resource?

Azure Databricks
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
2,175 questions
0 comments
Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 89,466 Reputation points Microsoft Employee
    2020-10-20T11:43:07.47+00:00

    Hello @Daniel Widdis ,

    Welcome to microsoft Q&A platform.

    Unfortunately, you are not allowed to configure network security group (NSG) rules in the managed resource group because the managed resource group is locked.

    To resolve this issue, there are couple of options to restricts access to a port in the NSG rules.

    Option1: Deploy Azure Databricks in your Azure Virtual Network (VNet injection).

    The default deployment of Azure Databricks is a fully managed service on Azure: all data plane resources, including a virtual network (VNet) that all clusters will be associated with, are deployed to a locked resource group. If you require network customization, however, you can deploy Azure Databricks data plane resources in your own virtual network (sometimes called VNet injection), enabling you to:

    • Connect Azure Databricks to other Azure services (such as Azure Storage) in a more secure manner using service endpoints.
    • Connect to on-premises data sources for use with Azure Databricks, taking advantage of user-defined routes.
    • Connect Azure Databricks to a network virtual appliance to inspect all outbound traffic and take actions according to allow and deny rules.
    • Configure Azure Databricks to use custom DNS.
    • Configure network security group (NSG) rules to specify egress traffic restrictions.
    • Deploy Azure Databricks clusters in your existing virtual network.

    Option2: Please do raise a support request, so that databricks team helps to remove System deny assignment for your managed resource group.

    Hope this helps. Do let us know if you any further queries.

    ------------

    • Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification.
    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.