11-27-2023 04:50 AM
Hi, I need guidance on connecting Databricks (not VNET injected) to a storage account with Private Endpoint.
We have a client who created Databricks with (public IP and not VNET injected). It's using a managed VNET in the Databricks managed resource group and is exposed with a public IP. We're wondering if we can still make it connect to Blob Storage/ADLS Gen2 over private endpoints.
We want to use OAuth2 with a Service Principal with Storage Blob Data Contributor as the role set on the Blob Storage/ADLS Gen2, and want to mount it in the Workspace with Service Principal credentials. In the customer Workspace, UC is not activated, no possibility via UC access connector.
So can we use this workspace setup (public IP and not VNET injected) to access storage with a private endpoint using mounting?
Thanks in advance!
- Labels: Spark
Accepted Solutions
11-27-2023 06:19 AM
No, this is not possible, because the workspace is not part of the virtual network and therefore cannot access the storage over its private endpoint. It is all mentioned in the documentation:
So, if you are not able to integrate the workspace into your VNet, there are some workarounds. You can add a storage account to an application gateway, so it is protected from the internet but still publicly available. BUT, if you don't have an application gateway, it's an expensive solution. My advice is to follow the best practices and integrate Databricks into the virtual network.
11-27-2023 08:13 AM
From our point of view, it is definitely worth following best practice instead of starting workarounds. Also, the infra is not in our hands, hence there is no justification to start a workaround with Application Gateway. Thank you @rudyevers

