Disable 'Allow trusted Microsoft services to bypass this firewall' for Azure Key Vault
01-21-2025 04:42 AM
Currently, even when using a VNet-injected Databricks workspace, we are unable to fetch the secrets from AKV if 'Allow trusted Microsoft services to bypass this firewall' is disabled.
The secret is used in an AKV-backed secret scope and the key vault is private (public access disabled).
Our security requirement is to disable this and use private endpoints only. We have tried a few things like:
1. NCC configuration to create a private endpoint from Databricks to the key vault
2. Verifying the DNS entries; nslookup from the notebook gives the correct private IP of the KV
Is this a limitation? We could not find any documentation that would help us disable this without breaking things.
The official troubleshooting doc also asks to keep this enabled:
Troubleshooting 403
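For anyone checking the same posture, here is an added audit script (not from the original post, and not Databricks or Microsoft code). It reads the JSON that `az keyvault show --name <vault> -o json` returns and reports which of the settings discussed above are off: public network access, the firewall default action, the "trusted Microsoft services" bypass (`networkAcls.bypass` is `AzureServices` when the exception is on and `None` when it is off), and whether an approved private endpoint connection exists. The sample vault document, its IDs and the IP address are constructed for the example; the field names follow the Microsoft.KeyVault/vaults resource schema.

```python
"""Audit an Azure Key Vault's network configuration for the posture the thread
describes: public access disabled, trusted-services bypass off, and at least
one approved private endpoint. Added example, not the thread's own code."""
import ipaddress
import json


def make_vault_json(bypass="AzureServices", public_access="Disabled",
                    default_action="Deny", pe_status="Approved") -> str:
    """Build a constructed `az keyvault show` style document (IDs are placeholders)."""
    return json.dumps({
        "name": "kv-example",
        "properties": {
            "publicNetworkAccess": public_access,
            "networkAcls": {
                "bypass": bypass,
                "defaultAction": default_action,
                "ipRules": [],
                "virtualNetworkRules": [],
            },
            "privateEndpointConnections": [
                {"id": "/subscriptions/PLACEHOLDER/.../privateEndpointConnections/pe-kv-example",
                 "privateLinkServiceConnectionState": {"status": pe_status}}
            ],
        },
    })


# Constructed sample: public access off, private endpoint approved, but the
# 'Allow trusted Microsoft services to bypass this firewall' exception still on.
SAMPLE_VAULT_JSON = make_vault_json()


def audit_vault(vault_json: str) -> dict:
    """Map each named check to True (passes) or False (needs attention)."""
    props = json.loads(vault_json).get("properties", {})
    acls = props.get("networkAcls") or {}
    pecs = props.get("privateEndpointConnections") or []
    return {
        "public_access_disabled": props.get("publicNetworkAccess") == "Disabled",
        "default_action_deny": acls.get("defaultAction") == "Deny",
        # 'AzureServices' means the trusted-services bypass is enabled.
        "trusted_services_bypass_off": acls.get("bypass") == "None",
        "approved_private_endpoint": any(
            (pec.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
            for pec in pecs
        ),
    }


def failing_checks(vault_json: str) -> list:
    """Names of the checks that do not pass, in a stable order."""
    return [name for name, ok in audit_vault(vault_json).items() if not ok]


def resolves_to_private_ip(address: str) -> bool:
    """True when the address nslookup returned for <vault>.vault.azure.net is a
    private (RFC 1918 / ULA) address, i.e. the private-endpoint DNS record won."""
    return ipaddress.ip_address(address).is_private


if __name__ == "__main__":
    for name in failing_checks(SAMPLE_VAULT_JSON):
        print(f"FAIL {name}")
    # Constructed nslookup answer, as in the original poster's check.
    print("DNS resolves to private IP:", resolves_to_private_ip("10.1.2.4"))
```

On a real vault, pipe `az keyvault show --name <vault> -o json` into `audit_vault`; the bypass itself is switched off with `az keyvault update --name <vault> --bypass None`, which is the change the thread is asking whether Databricks can tolerate.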
01-21-2025 04:58 AM
Hi @rdadhichi,
Have you set "Allow access from" to "Private endpoint and selected networks" on the firewall?
01-21-2025 06:16 AM
There are no such settings.
We have disabled public access.
We have private endpoints created for the KV in the same VNet and can do a successful nslookup from a notebook in our workspace.
Our requirement is to disable the exception: 'Allow trusted services...'
Please let me know if this is possible or not.