Databricks Community

sintsan · ‎04-20-2023

For an Azure Databricks with vnet injection, we would like to change the networking on the default managed Azure Databricks storage account (dbstorage) from Enabled from all networks to Enabled from selected virtual networks and IP addresses.

Can this be done and if not can you point to some docs describing how the managed storage account is secured?

Thanks!

karthik_p · ‎04-20-2023

@Sander Sintjorissen As far as i know storage config for azure is different from aws. but it looks in azure during workspace configuration encryption is enabled by default for your storage, if you want to have more security you can go with "Double Encryption for DBFS Root"

https://learn.microsoft.com/en-us/azure/databricks/security/keys/double-encryption

sintsan · ‎04-20-2023

@karthik p Thank you for your answer, although it does not really answer my question. Reading this post https://community.databricks.com/s/question/0D53f00001mFBAkCAO/network-security-for-dbfs-storage-acc... I understand the current workaround is to create another Azure SA and then redirect logs, etc to that account.

Is there any descriptive documentation on Azure Databricks as to what the impact of having Allow All in networking on DBFS Root actually is?

Thanks!

karthik_p · ‎04-24-2023

@Sander Sintjorissen usually root storage bucket has below directories present in article

https://learn.microsoft.com/en-us/azure/databricks/dbfs/root-locations

to store logs related to auditing you can create another storage and add that. hope this helps

Databricks Community

Azure Databricks DBFS Root, Storage Account Networking

Connect with Databricks Users in Your Area

Insights from a global survey of 1,100 technologists and interviews with 28 CIOs

Data + AI Summit: Call for Presentations

Season's Speedings: Databricks SQL Delivers 4x Performance Boost Over Two Years

Now Hiring: Databricks Community Technical Moderator

Become Our Next Monthly Community Champion!