Administration & Architecture
Reaching out to Azure Storage with IP from Private VNET pool

zaicnupagadi
New Contributor II

Hey All,

Is there a way for Databricks to reach out to Azure Storage using private endpoint?

We would like to omit enabling access by "all trusted services".

All resources are in the same VNET. However, when Databricks tries to reach out to Storage, instead of our 179.x.x.x network we see in the logs that access is blocked, and that might be because the IP with which Databricks reaches out to Storage is from the 10.0.35.x pool.

Kindest regards,

Pawel Jarosz



nayan_wylde
Esteemed Contributor

Yeah, it’s definitely possible for Databricks to hit Azure Storage through a private endpoint without turning on “allow trusted services.” The key is making sure everything’s using the private network path.

Right now, that 10.0.35.x IP you’re seeing is from the Databricks subnet inside your VNet, but it sounds like the storage account traffic is still resolving to the public endpoint. That’s why it’s getting blocked.

To fix it, make sure:

  • The Databricks workspace is VNet-injected (not the managed VNet type).
  • You’ve got a Private Endpoint for your storage account (blob/dfs) in the same VNet or a peered one.
  • The Private DNS zone (like privatelink.blob.core.windows.net or privatelink.dfs.core.windows.net) is linked to the Databricks VNet, so lookups for the storage account resolve to the private IP.
  • NSGs and routes allow traffic between the Databricks and private endpoint subnets.

Once DNS is resolving correctly, Databricks should talk to storage entirely within your VNet, and you can safely keep “trusted services” turned off.

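A quick way to verify the DNS point from the answer above is to resolve the storage hostnames from a notebook on the cluster and check whether the answers land inside the VNet. This is an added example, not code from the poster or from Databricks; the VNet range and the "mystorageacct" account name are placeholders you would replace with your own.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed example: a VNet range covering the 10.0.35.x Databricks subnet
# from the question and the private endpoint subnet. Replace with your own.
VNET_CIDRS = ["10.0.0.0/16"]


def storage_hostnames(account: str) -> list[str]:
    """Hostnames Databricks connects to for ADLS Gen2 (dfs) and blob."""
    return [f"{account}.dfs.core.windows.net", f"{account}.blob.core.windows.net"]


def classify(ip: str, vnet_cidrs: Iterable[str]) -> str:
    """'private-endpoint' if the answer is inside the VNet, else 'public'.
    A public answer means the privatelink DNS zone is not linked to this
    VNet (or lacks the A record), so traffic leaves the VNet and is blocked
    by the storage firewall unless 'trusted services' is enabled."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(cidr) for cidr in vnet_cidrs):
        return "private-endpoint"
    return "public"


def resolve_all(hostname: str) -> list[str]:
    """Resolve hostname to IPv4 addresses using the cluster's own resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_account(account: str, vnet_cidrs: Iterable[str],
                  resolver: Callable[[str], list[str]] = resolve_all) -> dict:
    """Map each storage hostname to {ip: verdict}, or an 'unresolvable' note."""
    results = {}
    for host in storage_hostnames(account):
        try:
            ips = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            results[host] = f"unresolvable ({exc})"
            continue
        results[host] = {ip: classify(ip, vnet_cidrs) for ip in ips}
    return results


if __name__ == "__main__":
    # Run in a notebook cell on the cluster; "mystorageacct" is a placeholder.
    for host, verdict in check_account("mystorageacct", VNET_CIDRS).items():
        print(host, verdict)
```

If either hostname comes back as "public", the private DNS zone link is the first thing to check; a private answer for dfs but public for blob means only one of the two zones is linked.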

zaicnupagadi
New Contributor II

Sorry for the late reply - thank you for your help, Nayan!