
Connect Workspace EnableNoPublicIP=No and VnetInject=No to storage account with Private Endpoint.

jx1226
New Contributor II

We know that Databricks with VNET injection (our own VNET) allows us to connect to blob storage/ADLS Gen2 over private endpoints and peering. This is what we typically do.

  • We have a client who created Databricks with EnableNoPublicIP=No (secure cluster connectivity) and VnetInjection=No. So it's using a managed VNET in the Databricks managed resource group and is exposed with a public IP. We're wondering if we can still make it connect to blob storage/ADLS Gen2 over private endpoints. Or do we need to delete and recreate the Databricks workspace with VNET injection?
  • We want to use OAuth2 with a Service Principal with Storage Blob Data Contributor as the role set on the blob storage/ADLS Gen2.
  • We want to mount in the Workspace with Service Principal credentials.
  • In the customer Workspace, UC is not activated, so there is no possibility via the UC access connector.
  • So basically my question is: can we use this workspace setup (EnableNoPublicIP=No and VnetInjection=No) to access storage with a private endpoint using mounting?
2 REPLIES

User16539034020
Databricks Employee

Hello, 

Thanks for contacting Databricks Support.
You need to enable EnableNoPublicIP, otherwise you will get the error message "cannot be deployed on subnet containing Basic SKU Public IP addresses or Basic SKU Load Balancer. NIC". It is usually thrown when deploying Azure Databricks.

With secure cluster connectivity enabled, customer virtual networks have no inbound open ports from external networks and Databricks cluster nodes have no public IP addresses. Databricks recommends this configuration for all Azure Databricks workspaces because it significantly reduces the attack surface and hardens the security posture.
Reference:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/p...

Here is the doc of adding secure cluster connectivity (NPIP) to an existing workspace:
https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity workspace with Secure Cluster Connectivity (No Public IP) is false.

VNet injection is an optional feature that allows you to provide your own VNet to host new Azure Databricks clusters. So you can set it to "NO". 

Regards,
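
The two settings discussed in this thread can be checked from a workspace's exported resource JSON. This is an added example, not part of the original posts and not Databricks' own code; it assumes the ARM resource shape in which the settings appear as `properties.parameters.enableNoPublicIp.value` and `properties.parameters.customVirtualNetworkId.value`, and the sample workspaces and helper names are constructed for illustration.

```python
import json

# Constructed sample (not real resources): trimmed workspace JSON in the ARM
# shape, where settings live under properties.parameters.<name>.value.
SAMPLE = json.loads("""[
 {"name": "ws-managed-public",
  "properties": {"parameters": {"enableNoPublicIp": {"value": false}}}},
 {"name": "ws-injected-npip",
  "properties": {"parameters": {
    "enableNoPublicIp": {"value": true},
    "customVirtualNetworkId": {"value": "/subscriptions/<sub-id>/placeholder-vnet"}}}},
 {"name": "ws-no-params", "properties": {}}
]""")


def _param(ws, key):
    """Return parameters.<key>.value, or None if the workspace omits it."""
    params = (ws.get("properties") or {}).get("parameters") or {}
    return (params.get(key) or {}).get("value")


def classify(ws):
    """Report secure cluster connectivity and VNet injection for one workspace."""
    npip = _param(ws, "enableNoPublicIp")
    vnet = _param(ws, "customVirtualNetworkId")
    findings = []
    if npip is True:
        scc = "enabled"
    elif npip is False:
        scc = "disabled"
        findings.append("cluster nodes are deployed with public IP addresses")
    else:
        # Do not guess a default: a missing value needs a manual check.
        scc = "unknown"
        findings.append("enableNoPublicIp not reported; verify in the portal")
    if vnet:
        network = "vnet-injected"
    else:
        network = "managed-vnet"
        findings.append("clusters run in the Databricks-managed VNet")
    return {"name": ws.get("name"), "scc": scc, "network": network,
            "findings": findings}


def audit(workspaces):
    """Classify every workspace and return the results keyed by name."""
    return {r["name"]: r for r in map(classify, workspaces)}


if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result["scc"], result["network"], result["findings"])
```

The first sample workspace matches the setup in the question (EnableNoPublicIP=No, VnetInjection=No) and is the only one that produces both findings.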

Hi, may I know what the impact might be if we change 'enableNoPublicIP' for an existing Databricks service from disabled to enabled?
