cancel
Showing results for 
Search instead for 
Did you mean: 
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 

Networking configuration of Azure Databricks managed storage account

AlbertWang
Contributor III

Hi all,

I created an Azure Databricks Workspace, and the workspace creates an Azure Databricks managed storage account.

The networking configuration of the storage account is "Enabled from all networks".

Shall I change it to "Enabled from selected virtual networks and IP addresses" for better security?

I clicked the checkbox "Enabled from selected virtual networks and IP addresses" and there are 10 virtual networks appear in the section "Virtual networks" section. The "Endpoint Status" all show "Insufficient permissions".

Is that OK to:

  1. Change the networking configuration to "Enabled from selected virtual networks and IP addresses"
  2. Disable the "Allow storage account key access".
  3. Enable the "Default to Microsoft Entra authorization in the Azure portal"

Thank you.

Regards,

Albert

3 REPLIES 3

Walter_C
Databricks Employee
Databricks Employee

Changing the networking configuration of your Azure Databricks managed storage account to "Enabled from selected virtual networks and IP addresses" is a good step for enhancing security. However, the "Insufficient permissions" status you are seeing for the virtual networks indicates that you do not have the necessary permissions to view or modify the network rules for those subnets. This does not necessarily mean that the configuration will not work, but it does mean you need to ensure that the appropriate permissions are granted.

Here are the steps you should follow:

  1. Change the Networking Configuration:

    • It is indeed advisable to change the networking configuration to "Enabled from selected virtual networks and IP addresses" for better security.
  2. Permissions:

    • Ensure you have the necessary permissions to manage network rules for the virtual networks. You might need to work with your Azure administrator to get these permissions.
  3. Disable Storage Account Key Access:

    • Disabling "Allow storage account key access" is a good practice as it enhances security by ensuring that access to the storage account is managed through Azure Active Directory (AAD) rather than storage account keys.
  4. Enable Microsoft Entra Authorization:

    • Enabling "Default to Microsoft Entra authorization in the Azure portal" is also recommended as it ensures that access to the storage account is managed through AAD, providing better security and manageability.

Thank you, @Walter_C.

The 10 networks, I believe, are Azure Databricks networks in this region. Therefore, I do not have the necessary permissions to view or modify the network rules for those subnets. Do I need the permissions to view or modify them? I guess not because this Storage Account is only used by Azure Databricks, but would want to confirm.

I know disabling "Allow storage account key access" is a good practice. However, I don't know how Databricks accesses this Storage Account. If Databricks access via storage account key, then disabling it will cause issue.

The same for Enabling "Default to Microsoft Entra authorization in the Azure portal".

This storage account is not mine storage account for my computes to access, so I don't know how Databrickss use them.

Walter_C
Databricks Employee
Databricks Employee

You dont need view on the subnets itself.

In regards the Disabling key access you could use any of the other authentication methods listed here: https://learn.microsoft.com/en-us/azure/databricks/connect/storage/azure-storage#connect-to-azure-da... 

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group