cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Connect Workspace EnableNoPublicIP=No and VnetInject=No to storage account with Private Endpoint.

jx1226
New Contributor III

‎11-27-2023 03:54 AM

We know that Databricks with VNET injection (our own VNET) allows is to connect to blob storage/ ADLS Gen2 over private endpoints and peering. This is what we typically do.

  • We have a client who created Databricks with EnableNoPublicIP=No (secure cluster connectivity) and VnetInjection=No. So it’s using a managed VNET in the Databricks managed resource group and expose with public IP. We’re wondering if we still can make it connect to blob storage/ ADLS Gen2 over private endpoints. Or do we need to delete and recreate the Databricks workspace with VNET injection?
  • We want use Oauth2 with Service Principal with Storage Blob Data Contributor as role set on the blob storage/ ADLS Gen2.
  • We want to mount in Workspace with Service Principal credentials
  • In customer Workspace, UC is not activated, no possibility via UC access connector.
  • So basically my question is can we use this workspace setup EnableNoPublicIP=No and VnetInjection=No to access storage with private endpoint use mounting?
0 Kudos
2 REPLIES 2

User16539034020
Databricks Employee
Databricks Employee

‎12-12-2023 12:34 PM

Hello, 

Thanks for contacting Databricks Support.
You need to enable EnableNoPublicIP,  otherwise, you will get the error message "cannot be deployed on subnet containing Basic SKU Public IP addresses or Basic SKU Load Balancer. NIC", it was usually thrown when the the Deploy Azure Databricks.

With secure cluster connectivity enabled, customer virtual networks have no inbound open ports from external networks and Databricks cluster nodes have no public IP addresses. Databricks recommends this configuration for all Azure Databricks workspaces because it significantly reduces the attack surface and hardens the security posture.
Reference:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/p...

Here is the doc of adding secure cluster connectivity (NPIP) to an existing workspace:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity workspace with Secure Cluster Connectivity (No Public IP) is false.

VNet injection is an optional feature that allows you to provide your own VNet to host new Azure Databricks clusters. So you can set it to "NO". 

Regards,

0 Kudos

sirichandana_48
New Contributor II
In response to User16539034020

‎04-08-2024 06:22 AM

Hi May I know what might be the impact if we enable 'enableNoPublicIP' for existing databrick service from disabled to enabled.

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements
Top