Control: Azure > CIS v5.0 > 2 - Analytics Services > 2.01 - Azure Databricks > 2.01.11 - Ensure private endpoints are used to access Azure Databricks workspaces

Configures auditing against a CIS Benchmark item.

Level: 2

Use private endpoints for Azure Databricks workspaces so that clients and services access data over an encrypted Private Link connection rather than a public endpoint. A private endpoint takes an IP address from your VNet for each service, so traffic between services traverses the VNet encrypted. The VNet can also be linked to other address spaces, extending your network to reach resources on them, or tunnelled across public networks to connect remote infrastructure. This adds security by segmenting network traffic and preventing outside sources from reaching it.

Using private endpoints for Azure Databricks workspaces ensures that all communication between clients, services, and data sources occurs over a secure, private IP space within an Azure Virtual Network (VNet). This approach eliminates exposure to the public internet, significantly reducing the attack surface and aligning with Zero Trust principles. Additionally, integrating Databricks with a VNet enables network segmentation, fine-grained access control, and hybrid connectivity through VNet peering or VPN/ExpressRoute.
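The practical check behind this control is whether a workspace has public network access disabled and at least one approved private endpoint connection; a workspace with a private endpoint attached but public access still enabled is not yet aligned with the rationale above. The evaluator below is an added example, not part of the Turbot mod or the CIS benchmark text. It runs over a constructed JSON sample shaped like `az databricks workspace list -o json` output; the field names `publicNetworkAccess`, `requiredNsgRules` and `privateEndpointConnections` follow the `Microsoft.Databricks/workspaces` resource schema, and the exact nesting (flattened by the CLI or kept under `properties`) is treated as an assumption, so the code accepts both.

```python
"""Evaluate Azure Databricks workspaces against the private-endpoint control.

Added example: feeds constructed sample data through the same logic an auditor
would apply to real `az databricks workspace list -o json` output.
"""
import json
from typing import Any

# Constructed sample (not real subscriptions). Shapes assumed from the
# Microsoft.Databricks/workspaces ARM schema; verify against your own CLI output.
SAMPLE_WORKSPACES_JSON = """
[
  {"name": "dbw-compliant",
   "publicNetworkAccess": "Disabled",
   "requiredNsgRules": "NoAzureDatabricksRules",
   "privateEndpointConnections": [
     {"name": "pe-ui-api",
      "properties": {"groupIds": ["databricks_ui_api"],
                     "privateLinkServiceConnectionState": {"status": "Approved"}}}]},
  {"name": "dbw-public-open",
   "publicNetworkAccess": "Enabled",
   "requiredNsgRules": "AllRules",
   "privateEndpointConnections": [
     {"name": "pe-ui-api",
      "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]},
  {"name": "dbw-no-endpoint",
   "properties": {"publicNetworkAccess": "Disabled",
                  "requiredNsgRules": "NoAzureDatabricksRules",
                  "privateEndpointConnections": []}},
  {"name": "dbw-pending",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [
     {"name": "pe-ui-api",
      "properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}]}
]
"""


def _props(ws: dict[str, Any]) -> dict[str, Any]:
    """Merge flattened top-level keys with any nested 'properties' object."""
    merged = dict(ws.get("properties") or {})
    merged.update({k: v for k, v in ws.items() if k != "properties"})
    return merged


def approved_private_endpoints(ws: dict[str, Any]) -> list[str]:
    """Names of private endpoint connections whose Private Link state is Approved."""
    approved = []
    for conn in _props(ws).get("privateEndpointConnections") or []:
        cprops = conn.get("properties", conn)
        state = (cprops.get("privateLinkServiceConnectionState") or {}).get("status", "")
        if str(state).lower() == "approved":
            approved.append(conn.get("name", "<unnamed>"))
    return approved


def evaluate_workspace(ws: dict[str, Any]) -> dict[str, Any]:
    """Return compliance verdict plus human-readable findings for one workspace."""
    p = _props(ws)
    findings: list[str] = []
    notes: list[str] = []
    # Missing publicNetworkAccess is treated as Enabled, the platform default.
    if str(p.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        findings.append("publicNetworkAccess is not Disabled: workspace remains reachable from the internet")
    if not approved_private_endpoints(ws):
        findings.append("no approved private endpoint connection: clients have no Private Link path")
    # Informational: back-end traffic still allowed to use public service tags.
    if str(p.get("requiredNsgRules", "AllRules")).lower() == "allrules":
        notes.append("requiredNsgRules is AllRules: consider NoAzureDatabricksRules with back-end Private Link")
    return {"name": ws.get("name"), "compliant": not findings, "findings": findings, "notes": notes}


def evaluate_all(workspaces_json: str) -> dict[str, dict[str, Any]]:
    """Parse CLI-style JSON and evaluate every workspace, keyed by name."""
    return {r["name"]: r for r in (evaluate_workspace(ws) for ws in json.loads(workspaces_json))}


if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_WORKSPACES_JSON).items():
        status = "PASS" if result["compliant"] else "FAIL"
        print(f"{status} {name}")
        for f in result["findings"]:
            print(f"    finding: {f}")
        for n in result["notes"]:
            print(f"    note:    {n}")
```

To run it against a real subscription, replace `SAMPLE_WORKSPACES_JSON` with the captured output of `az databricks workspace list -o json` (the `databricks` CLI extension must be installed). The `requiredNsgRules` check is reported as a note rather than a failure because this control concerns client access through private endpoints; the NSG rule setting governs back-end traffic and is a separate hardening step.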

Resource Types

This control targets the following resource types:

Policies

This control type relies on these other policies when running actions:
