Yeah, it’s definitely possible for Databricks to hit Azure Storage through a private endpoint without turning on “allow trusted services.” The key is making sure everything’s using the private network path.
Right now, that 10.0.35.x IP you’re seeing is from the Databricks subnet inside your VNet, but it sounds like the storage account traffic is still resolving to the public endpoint. That’s why it’s getting blocked.
To fix it, make sure:
- The Databricks workspace is VNet-injected (not the managed VNet type).
- You’ve got a Private Endpoint for your storage account (blob/dfs) in the same VNet or a peered one.
- The Private DNS zone (like privatelink.blob.core.windows.net or privatelink.dfs.core.windows.net) is linked to the Databricks VNet, so lookups for the storage account resolve to the private IP.
- NSGs and routes allow traffic between the Databricks and private endpoint subnets.
Once DNS is resolving correctly, Databricks should talk to storage entirely within your VNet, and you can safely keep “trusted services” turned off.
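A quick way to confirm the third point above before flipping any firewall switches is to check, from inside the Databricks VNet, what the storage account hostnames actually resolve to. The script below is an added example and not part of the answer above or of any Azure or Databricks tooling; it assumes a constructed storage account name (`contosolake`), a hypothetical VNet address space of `10.0.0.0/16`, and an injectable resolver so the logic can be exercised offline with sample DNS answers. Run it with the real `socket.gethostbyname` from a notebook on the cluster to see whether blob and dfs lookups land on the private endpoint IP or still escape to the public endpoint.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Storage services a Databricks workspace normally reaches; each has its own
# privatelink.<service>.core.windows.net private DNS zone.
STORAGE_SERVICES = ("blob", "dfs")


def storage_fqdns(account: str, services: Iterable[str] = STORAGE_SERVICES) -> List[str]:
    """Public hostnames for a storage account. With a linked private DNS zone,
    these names resolve to the private endpoint's NIC address instead."""
    return [f"{account}.{svc}.core.windows.net" for svc in services]


def resolves_privately(ip: str, vnet_cidrs: Iterable[str]) -> bool:
    """True when the resolved address lies inside one of the VNet address ranges,
    i.e. traffic will take the private endpoint path rather than the public one."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in vnet_cidrs)


def check_storage_path(
    account: str,
    vnet_cidrs: Iterable[str],
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, dict]:
    """Resolve every storage hostname and classify the answer as private or public."""
    vnet_cidrs = list(vnet_cidrs)
    results: Dict[str, dict] = {}
    for fqdn in storage_fqdns(account):
        try:
            ip = resolver(fqdn)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            results[fqdn] = {"ip": None, "private": False, "error": str(exc)}
            continue
        results[fqdn] = {"ip": ip, "private": resolves_privately(ip, vnet_cidrs), "error": None}
    return results


def all_private(results: Dict[str, dict]) -> bool:
    """Only when every hostname resolves inside the VNet is it safe to rely on the
    private path alone (and keep 'allow trusted services' off)."""
    return bool(results) and all(r["private"] for r in results.values())


# Constructed sample DNS answers standing in for the cluster's resolver: the blob
# zone is linked to the VNet, the dfs zone is not, so dfs still resolves publicly.
SAMPLE_DNS = {
    "contosolake.blob.core.windows.net": "10.0.36.4",   # private endpoint NIC (hypothetical)
    "contosolake.dfs.core.windows.net": "20.60.12.34",  # public storage IP (hypothetical)
}


def sample_resolver(name: str) -> str:
    try:
        return SAMPLE_DNS[name]
    except KeyError:
        raise socket.gaierror(-2, f"Name or service not known: {name}")


if __name__ == "__main__":
    report = check_storage_path("contosolake", ["10.0.0.0/16"], sample_resolver)
    for fqdn, r in report.items():
        state = "PRIVATE" if r["private"] else "PUBLIC/UNRESOLVED"
        print(f"{fqdn:45} -> {r['ip']!s:16} {state}")
    print("all private:", all_private(report))
```

On a real cluster, replace `sample_resolver` with the default `socket.gethostbyname` and pass your VNet's actual address space; any hostname reported as PUBLIC points at a private DNS zone that is missing, not linked to the Databricks VNet, or lacking the A record for the private endpoint.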