Databricks workspaces should have NSGs configured on their subnets

Description

Ensure that Network Security Groups (NSGs) are configured on the private and public subnets used by Azure Databricks workspaces deployed in a custom virtual network. NSGs provide network-level filtering of inbound and outbound traffic to control access to Databricks compute resources.

This rule only applies to workspaces deployed in a custom virtual network (VNet injection) and checks the two subnets identified by customPrivateSubnetName and customPublicSubnetName. Workspaces using the default managed VNet are skipped.
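The check described above, sketched as an added example (not the rule's own implementation) that evaluates ARM-style resource dictionaries. The sample resources and the function names are constructed for illustration; customVirtualNetworkId and networkSecurityGroup.id are the ARM properties assumed to identify VNet injection and the subnet's NSG association.

```python
# Added example, not the rule's own code. Sample resources below are constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
VNET_ID = SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-example"
NSG_ID = SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-example"


def evaluate_workspace(workspace, vnets_by_id):
    """Return (status, findings); status is 'skipped', 'pass' or 'fail'."""
    params = workspace.get("properties", {}).get("parameters") or {}

    def param(name):
        # Workspace parameters are wrapped as {"value": ...} in the ARM resource.
        return (params.get(name) or {}).get("value")

    vnet_id = param("customVirtualNetworkId")
    if not vnet_id:
        return "skipped", []  # default managed VNet: the rule does not apply

    # Azure resource IDs and names are case-insensitive, so compare lowercased.
    vnet = vnets_by_id.get(vnet_id.lower(), {})
    subnets = {s["name"].lower(): s
               for s in vnet.get("properties", {}).get("subnets", [])}
    findings = []
    for key in ("customPrivateSubnetName", "customPublicSubnetName"):
        name = param(key)
        subnet = subnets.get((name or "").lower())
        if subnet is None:
            findings.append(f"{key}={name!r}: subnet not found in VNet")
        elif not (subnet.get("properties", {}).get("networkSecurityGroup") or {}).get("id"):
            findings.append(f"{key}={name!r}: no NSG associated")
    return ("fail" if findings else "pass"), findings


def sample_workspace(vnet_id=None, private=None, public=None):
    """Build a constructed workspace resource with only the fields the rule reads."""
    values = {"customVirtualNetworkId": vnet_id,
              "customPrivateSubnetName": private,
              "customPublicSubnetName": public}
    params = {k: {"value": v} for k, v in values.items() if v}
    return {"type": "Microsoft.Databricks/workspaces",
            "properties": {"parameters": params}}


# Constructed VNet: the private subnet has an NSG, the public subnet does not.
SAMPLE_VNETS = {VNET_ID.lower(): {"properties": {"subnets": [
    {"name": "snet-private", "properties": {"networkSecurityGroup": {"id": NSG_ID}}},
    {"name": "snet-public", "properties": {}},
]}}}

if __name__ == "__main__":
    ws = sample_workspace(VNET_ID, "snet-private", "snet-public")
    print(evaluate_workspace(ws, SAMPLE_VNETS))
```

A subnet name that does not resolve in the referenced VNet is reported as a failure here; that choice is an assumption of this example, not something the rule description states.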

Remediation

Assign a Network Security Group to each Databricks subnet. See "Azure network security groups overview" and "Deploy Azure Databricks in your Azure virtual network (VNet injection)".