Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
662 questions
How to make Azure Databricks cluster outbound connectivity consistent with 1 public outgoing IP address?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 74%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
kvdv
0
Reputation points
I've setup an Azure Databricks service that should get outbound connectivity through an Azure Firewall, which in turn makes sure that all outbound traffic is routed through a single public IP address.
As suggested by a Microsoft auto generated solution I have done the following:
- Used a VNet injected workspace, as suggested in this article (referenced by Microsoft):
- And applied this article (referenced by Microsoft):
https://kb.databricks.com/cloud/azure-vnet-single-ip
This works! Also when stopping and starting the Databricks cluster, the same public IP address is used.
However; when stopping and starting the firewall, on occasion the Databricks cluster cannot get outbound connectivity at all. Sometimes it works, sometimes it doesn't and I can't find a possible reason or inconsistency in the way things are invoked.
The method I'm using to stop and start the firewall (and Databricks cluster) is:
- Azure Automation invokes a script (via runbooks) at around 00:00 UTC that starts (allocates) the Azure Firewall (https://video2.skills-academy.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall)
- A Databricks workflow is invoked at 00:15 UTC that starts the Databricks cluster, and runs a notebook taking at most 20 minutes)
- Azure Automation invokes a script (via runbooks) at around 01:00 UTC that stops (deallocates) the Azure Firewall (https://video2.skills-academy.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall)
Yesterday this worked perfectly, today no luck and nothing has changed in the Azure setup.
The output of the start- and stop firewall scripts are 99% the same every time, with the only difference being new e-tags. Sometimes when I manually stop / start the Firewall it suddenly starts working, and a next time it doesn't. So basically: inconsistent behaviour without infra changes.
Things I've tried to fix the problem:
- One method:
- Stopping the firewall "manually" via the automation runbook
- Waiting for x amount of minutes to make sure it's actually stopped
- Starting the firewall manually via the automation runbook
- Starting the Databricks cluster either manually or via the workflow
- Checking for outbound connectivity with a simple http request
- Starting the Databricks cluster either manually or via the workflow
- Starting the firewall manually via the automation runbook
- Waiting for x amount of minutes to make sure it's actually stopped
- Stopping the firewall "manually" via the automation runbook
- Another method:
- Stopping and starting the firewall as described above
- Running a databricks notebook, which invokes the cluster start
- Checking for outbound connectivity with a simple http request
- Running a databricks notebook, which invokes the cluster start
- Stopping and starting the firewall as described above
As said: sometimes it works, sometimes it doesn't. When it doesn't; no outbound connectivity is possible at all.
Any suggestions as to where I could investigate the possible cause of this are much appreciated.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee2023-12-07T03:05:55.8+00:00 Thank you for reaching out.
- In order help diagnose the issue you can enable Flow trace logs for Azure Firewall to check if a packet is dropped, or asymmetric routing has occurred.
- Can you also run the Get-AzFirewall command and check that the firewall's provisioning state is correct when you allocate the firewall with your automation?
Thank you!
-
kvdv 0 Reputation points
2023-12-15T09:01:24.1+00:00 @ChaitanyaNaykodi-MSFT thanks for your response.
I haven't been able to enable flow trace logs yet, but I did check the
Get-AzFirewalloutput from the runbook, which reportsProvisioningState : SucceededI am not considering another option: dropping the Firewall entirely and in stead using a NAT Gateway.
This should be a better and cheaper option considering the use case.However when I try do that through a VNET injected workspace I run into the following error when starting the Databricks cluster:
...[resource-path].../public-subnet has reference to Basic SKU Public IP address or Load BalancerI have setup the public IP with a Standard SKU, not Basic so I am lost as to where this Basic SKU assignment happens. Can you help me debug that in stead?
-
kvdv 0 Reputation points
2023-12-15T09:10:24.56+00:00 One addition; it seems that a new public IP address is auto-generated by AzureDataBricks, when I start the computing cluster on that side. This is undesired behaviour, I have a public IP address already setup that needs to be used.
Any thoughts on how to enforce this consistently @ChaitanyaNaykodi-MSFT?
Thanks in advance!
-
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2023-12-29T01:16:55.1466667+00:00 Thank you for reaching out and apologies for the delay here.
I understand you are trying to deploy an Egress with VNet injection using NAT Gateway. As documented here are you deploying it using ARM template or the via Azure Portal? Can you please hare more details on the configuration steps done or share the ARM template?
Regarding the Public IP, can you please confirm if you have Disabled the public IP for your Databricks resource?
Thank you!
Sign in to comment
Sign in to answer