Issue Description:
I am attempting to disable public network access on the Azure Databricks managed storage account. However, I am encountering the following error:
Failed to save resource settings - access is denied due to a deny assignment created by Azure Databricks on the managed resource group.
Although the client has Microsoft.Storage/storageAccounts/write permission, the operation is blocked by a system deny assignment associated with the Databricks workspace.
The goal is to block all public access to the Databricks managed storage account while ensuring secure connectivity for:
-- Control Plane → Storage Account
-- Compute Plane (Databricks clusters) → Storage Account
-- External Sources → Storage Account (via Private Endpoint or other secure mechanisms only)
Context / Query:
Based on the Microsoft documentation on Databricks storage firewall support, it mentions:
"Enable firewall support for your workspace storage account - Azure Databricks | Microsoft Learn"
"Contact your Azure Databricks account team to update the managed resource group configuration before proceeding."
I would like to understand:
1) Whether the firewall support approach allows disabling public network access for the managed storage account
2) If not directly, what is the recommended architecture/configuration to:
a) Restrict public access
b) Ensure Control Plane and Compute Plane connectivity
c) Enable secure external access (Private Endpoint / VNet-based access)
Ask:
--> Whether disabling public access on the managed storage account is supported in this setup
--> If yes, the exact steps/configuration required
--> If not, the alternative secure approach to meet the above requirements