Azure Databricks DBFS Root, Storage Account Networking

sintsan
New Contributor II

‎04-20-2023 06:00 AM

For an Azure Databricks with vnet injection, we would like to change the networking on the default managed Azure Databricks storage account (dbstorage) from Enabled from all networks to Enabled from selected virtual networks and IP addresses.

Can this be done and if not can you point to some docs describing how the managed storage account is secured?

Thanks!

Labels:
0 Kudos

karthik_p
Databricks Partner

‎04-20-2023 09:54 AM

@Sander Sintjorissen​ As far as i know storage config for azure is different from aws. but it looks in azure during workspace configuration encryption is enabled by default for your storage, if you want to have more security you can go with "Double Encryption for DBFS Root"

https://learn.microsoft.com/en-us/azure/databricks/security/keys/double-encryption

karthik.p
0 Kudos

sintsan
New Contributor II
In response to karthik_p

‎04-20-2023 09:03 PM

@karthik p​  Thank you for your answer, although it does not really answer my question. Reading this post https://community.databricks.com/s/question/0D53f00001mFBAkCAO/network-security-for-dbfs-storage-acc... I understand the current workaround is to create another Azure SA and then redirect logs, etc to that account.

Is there any descriptive documentation on Azure Databricks as to what the impact of having Allow All in networking on DBFS Root actually is?

Thanks!

0 Kudos

karthik_p
Databricks Partner

‎04-24-2023 07:35 PM

@Sander Sintjorissen​ usually root storage bucket has below directories present in article

https://learn.microsoft.com/en-us/azure/databricks/dbfs/root-locations

to store logs related to auditing you can create another storage and add that. hope this helps

karthik.p
0 Kudos