cancel
Showing results for 
Search instead for 
Did you mean: 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Connect Workspace EnableNoPublicIP=No and VnetInject=No to storage account with Private Endpoint.

jx1226
New Contributor II

We know that Databricks with VNET injection (our own VNET) allows is to connect to blob storage/ ADLS Gen2 over private endpoints and peering. This is what we typically do.

  • We have a client who created Databricks with EnableNoPublicIP=No (secure cluster connectivity) and VnetInjection=No. So it’s using a managed VNET in the Databricks managed resource group and expose with public IP. We’re wondering if we still can make it connect to blob storage/ ADLS Gen2 over private endpoints. Or do we need to delete and recreate the Databricks workspace with VNET injection?
  • We want use Oauth2 with Service Principal with Storage Blob Data Contributor as role set on the blob storage/ ADLS Gen2.
  • We want to mount in Workspace with Service Principal credentials
  • In customer Workspace, UC is not activated, no possibility via UC access connector.
  • So basically my question is can we use this workspace setup EnableNoPublicIP=No and VnetInjection=No to access storage with private endpoint use mounting?
2 REPLIES 2

User16539034020
Contributor II
Contributor II

Hello, 

Thanks for contacting Databricks Support.
You need to enable EnableNoPublicIP,  otherwise, you will get the error message "cannot be deployed on subnet containing Basic SKU Public IP addresses or Basic SKU Load Balancer. NIC", it was usually thrown when the the Deploy Azure Databricks.

With secure cluster connectivity enabled, customer virtual networks have no inbound open ports from external networks and Databricks cluster nodes have no public IP addresses. Databricks recommends this configuration for all Azure Databricks workspaces because it significantly reduces the attack surface and hardens the security posture.
Reference:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/p...

Here is the doc of adding secure cluster connectivity (NPIP) to an existing workspace:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity workspace with Secure Cluster Connectivity (No Public IP) is false.

VNet injection is an optional feature that allows you to provide your own VNet to host new Azure Databricks clusters. So you can set it to "NO". 

Regards,

Hi May I know what might be the impact if we enable 'enableNoPublicIP' for existing databrick service from disabled to enabled.

Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!