Bicep
This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint.
@description('Specifies whether to deploy Azure Databricks workspace with secure cluster connectivity (SCC) enabled or not (No Public IP).')
param disablePublicIp bool = true
@description('Location for all resources.')
param location string = resourceGroup().location
@description('The name of the network security group to create.')
param nsgName string = 'databricks-nsg'
@description('The pricing tier of workspace.')
@allowed([
'trial'
'standard'
'premium'
])
param pricingTier string = 'premium'
@description('CIDR range for the private subnet.')
param privateSubnetCidr string = '10.179.0.0/18'
@description('The name of the private subnet to create.')
param privateSubnetName string = 'private-subnet'
@description('Indicates whether public network access is allowed to the workspace with private endpoint - possible values are Enabled or Disabled.')
@allowed([
'Enabled'
'Disabled'
])
param publicNetworkAccess string = 'Disabled'
@description('CIDR range for the public subnet.')
param publicSubnetCidr string = '10.179.64.0/18'
@description('CIDR range for the private endpoint subnet..')
param privateEndpointSubnetCidr string = '10.179.128.0/24'
@description('The name of the public subnet to create.')
param publicSubnetName string = 'public-subnet'
@description('Indicates whether to retain or remove the AzureDatabricks outbound NSG rule - possible values are AllRules or NoAzureDatabricksRules.')
@allowed([
'AllRules'
'NoAzureDatabricksRules'
])
param requiredNsgRules string = 'NoAzureDatabricksRules'
@description('CIDR range for the vnet.')
param vnetCidr string = '10.179.0.0/16'
@description('The name of the virtual network to create.')
param vnetName string = 'databricks-vnet'
@description('The name of the subnet to create the private endpoint in.')
param PrivateEndpointSubnetName string = 'default'
@description('The name of the Azure Databricks workspace to create.')
param workspaceName string = 'default'
var managedResourceGroupName = 'databricks-rg-${workspaceName}-${uniqueString(workspaceName, resourceGroup().id)}'
var trimmedMRGName = substring(managedResourceGroupName, 0, min(length(managedResourceGroupName), 90))
var managedResourceGroupId = '${subscription().id}/resourceGroups/${trimmedMRGName}'
var privateEndpointName = '${workspaceName}-pvtEndpoint'
var privateDnsZoneName = 'privatelink.azuredatabricks.net'
var pvtEndpointDnsGroupName = '${privateEndpointName}/mydnsgroupname'
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
name: nsgName
location: location
properties: {
securityRules: [
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound'
properties: {
description: 'Required for worker nodes communication within a cluster.'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'VirtualNetwork'
access: 'Allow'
priority: 100
direction: 'Inbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp'
properties: {
description: 'Required for workers communication with Databricks Webapp.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'AzureDatabricks'
access: 'Allow'
priority: 100
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql'
properties: {
description: 'Required for workers communication with Azure SQL services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '3306'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'Sql'
access: 'Allow'
priority: 101
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage'
properties: {
description: 'Required for workers communication with Azure Storage services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'Storage'
access: 'Allow'
priority: 102
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound'
properties: {
description: 'Required for worker nodes communication within a cluster.'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'VirtualNetwork'
access: 'Allow'
priority: 103
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub'
properties: {
description: 'Required for worker communication with Azure Eventhub services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '9093'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'EventHub'
access: 'Allow'
priority: 104
direction: 'Outbound'
}
}
]
}
}
resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
name: vnetName
location: location
properties: {
addressSpace: {
addressPrefixes: [
vnetCidr
]
}
subnets: [
{
name: publicSubnetName
properties: {
addressPrefix: publicSubnetCidr
networkSecurityGroup: {
id: nsg.id
}
delegations: [
{
name: 'databricks-del-public'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
}
}
{
name: privateSubnetName
properties: {
addressPrefix: privateSubnetCidr
networkSecurityGroup: {
id: nsg.id
}
delegations: [
{
name: 'databricks-del-private'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
}
}
{
name: PrivateEndpointSubnetName
properties: {
addressPrefix: privateEndpointSubnetCidr
privateEndpointNetworkPolicies: 'Disabled'
}
}
]
}
}
resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = {
name: workspaceName
location: location
sku: {
name: pricingTier
}
properties: {
managedResourceGroupId: managedResourceGroupId
parameters: {
customVirtualNetworkId: {
value: vnet.id
}
customPublicSubnetName: {
value: publicSubnetName
}
customPrivateSubnetName: {
value: privateSubnetName
}
enableNoPublicIp: {
value: disablePublicIp
}
}
publicNetworkAccess: publicNetworkAccess
requiredNsgRules: requiredNsgRules
}
}
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' = {
name: privateEndpointName
location: location
properties: {
subnet: {
id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, PrivateEndpointSubnetName)
}
privateLinkServiceConnections: [
{
name: privateEndpointName
properties: {
privateLinkServiceId: workspace.id
groupIds: [
'databricks_ui_api'
]
}
}
]
}
}
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
name: privateDnsZoneName
location: 'global'
dependsOn: [
privateEndpoint
]
}
resource privateDnsZoneName_privateDnsZoneName_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
parent: privateDnsZone
name: '${privateDnsZoneName}-link'
location: 'global'
properties: {
registrationEnabled: false
virtualNetwork: {
id: vnet.id
}
}
}
resource pvtEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-12-01' = {
name: pvtEndpointDnsGroupName
properties: {
privateDnsZoneConfigs: [
{
name: 'config1'
properties: {
privateDnsZoneId: privateDnsZone.id
}
}
]
}
dependsOn: [
privateEndpoint
]
}Last updated