Connect Workspace EnableNoPublicIP=No and VnetInject=No to storage account with Private Endpoint.

jx1226
New Contributor

We know that Databricks with VNET injection (our own VNET) allows us to connect to blob storage/ADLS Gen2 over private endpoints and peering. This is what we typically do.

  • We have a client who created Databricks with EnableNoPublicIP=No (secure cluster connectivity) and VnetInjection=No. So it's using a managed VNET in the Databricks managed resource group and is exposed with a public IP. We're wondering if we can still make it connect to blob storage/ADLS Gen2 over private endpoints. Or do we need to delete and recreate the Databricks workspace with VNET injection?
  • We want to use OAuth2 with a Service Principal with Storage Blob Data Contributor as the role set on the blob storage/ADLS Gen2.
  • We want to mount in Workspace with Service Principal credentials
  • In customer Workspace, UC is not activated, no possibility via UC access connector.
  • So basically my question is: can we use this workspace setup, EnableNoPublicIP=No and VnetInjection=No, to access storage with a private endpoint using mounting?
2 REPLIES

User16539034020
Contributor II

Hello, 

Thanks for contacting Databricks Support.
You need to enable EnableNoPublicIP; otherwise, you will get the error message "cannot be deployed on subnet containing Basic SKU Public IP addresses or Basic SKU Load Balancer. NIC". It is usually thrown when deploying Azure Databricks.

With secure cluster connectivity enabled, customer virtual networks have no inbound open ports from external networks and Databricks cluster nodes have no public IP addresses. Databricks recommends this configuration for all Azure Databricks workspaces because it significantly reduces the attack surface and hardens the security posture.
Reference:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/p...

Here is the doc of adding secure cluster connectivity (NPIP) to an existing workspace:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity workspace with Secure Cluster Connectivity (No Public IP) is false.

VNet injection is an optional feature that allows you to provide your own VNet to host new Azure Databricks clusters. So you can set it to "NO". 

Regards,

Hi, may I know what might be the impact if we enable 'enableNoPublicIP' for an existing Databricks service, from disabled to enabled?
