Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

Disable Public Network Access on Databricks Managed Storage Account - Deny Assignment

MyProfile
New Contributor

Issue Description:
I am attempting to disable public network access on the Azure Databricks managed storage account. However, I am encountering the following error:

Failed to save resource settings — access is denied due to a deny assignment created by Azure Databricks on the managed resource group.

Although the client has Microsoft.Storage/storageAccounts/write permission, the operation is blocked by a system deny assignment associated with the Databricks workspace.

The goal is to block all public access to the Databricks managed storage account while ensuring secure connectivity for:

-- Control Plane → Storage Account
-- Compute Plane (Databricks clusters) → Storage Account
-- External Sources → Storage Account (via Private Endpoint or other secure mechanisms only)


Context / Query:
Based on the Microsoft documentation on Databricks storage firewall support, it mentions:

"Enable firewall support for your workspace storage account - Azure Databricks | Microsoft Learn"

“Contact your Azure Databricks account team to update the managed resource group configuration before proceeding.”

I would like to understand:

1) Whether the firewall support approach allows disabling public network access for the managed storage account
2) If not directly, what is the recommended architecture/configuration to:
    a) Restrict public access
    b) Ensure Control Plane and Compute Plane connectivity
    c) Enable secure external access (Private Endpoint / VNet-based access)


Ask:
--> Whether disabling public access on the managed storage account is supported in this setup
--> If yes, the exact steps/configuration required
--> If not, the alternative secure approach to meet the above requirements

0 REPLIES 0