---
title: Databricks workspaces should have NSGs configured on their subnets
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Databricks workspaces should have NSGs
  configured on their subnets
---

# Databricks workspaces should have NSGs configured on their subnets
 
## Description{% #description %}

Ensure that Network Security Groups (NSGs) are configured on the private and public subnets used by Azure Databricks workspaces deployed in a custom virtual network. NSGs provide network-level filtering of inbound and outbound traffic to control access to Databricks compute resources.

This rule only applies to workspaces deployed in a custom virtual network (VNet injection) and checks the two subnets identified by `customPrivateSubnetName` and `customPublicSubnetName`. Workspaces using the default managed VNet are skipped.

## Remediation{% #remediation %}

Assign a Network Security Group to each Databricks subnet. See [Azure network security groups overview](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview) and [Deploy Azure Databricks in your Azure virtual network (VNet injection)](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject).