Network Security: Private Connectivity and Customer-Managed VPCs

    Who this is for:

    Architecture / Concept Overview: Network Security: Private Connectivity and Customer-Managed VPCs

```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
  classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  Internet[Public Internet] -.->|"Blocked"| Workspace
  Corporate[Corporate Network] --> PrivateLink[Private Link Endpoint]
  PrivateLink --> ControlPlane[Databricks Control Plane]
  ControlPlane --> |"Secure Channel"| DataPlane[Customer VPC Data Plane]
  DataPlane --> Storage[Cloud Storage]
  DataPlane --> Services[Internal Services]
  Internet:::source
  Corporate:::ingestion
  PrivateLink:::processing
  ControlPlane:::governance
  DataPlane:::storage
  Storage:::serving
  Services:::serving
  Workspace:::source
```

    *Private connectivity architecture: corporate traffic reaches Databricks exclusively via Private Link, with public internet access disabled.*

```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
  classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  VPC[Customer VPC] --> Subnet1[Private Subnet A]
  VPC --> Subnet2[Private Subnet B]
  Subnet1 --> NAT[NAT Gateway]
  Subnet2 --> NAT
  NAT --> Egress[Controlled Egress]
  VPC --> SG[Security Groups]
  SG --> NSG[Network ACLs]
  VPC:::storage
  Subnet1:::processing
  Subnet2:::processing
  NAT:::ingestion
  Egress:::source
  SG:::governance
  NSG:::governance
```

    *Customer-managed VPC layout: private subnets host Databricks clusters, NAT gateways control egress, and security groups enforce micro-segmentation.*

```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
  classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
  FrontEnd[Front-End Private Link] --> |"Web UI / API"| WebApp[Databricks Web App]
  BackEnd[Back-End Private Link] --> |"Cluster Comms"| SCC[Secure Cluster Connectivity]
  SCC --> Relay[Control Plane Relay]
  Relay --> Cluster[Cluster Nodes]
  WebApp --> API[REST APIs]
  FrontEnd:::ingestion
  BackEnd:::processing
  WebApp:::serving
  SCC:::storage
  Relay:::governance
  Cluster:::source
  API:::serving
```

    *Dual Private Link connections: front-end for user access to UI/API, back-end for cluster-to-control-plane communication.*

    Key Terms

    Prerequisites and Setup

    • Databricks Enterprise tier (Private Link requires Enterprise)
    • Cloud provider admin access for VPC, subnet, and endpoint creation
    • Dedicated CIDR ranges for Databricks subnets (minimum /26 per subnet)
    • DNS infrastructure for Private Link endpoint resolution
    • Network team collaboration for firewall and routing changes

    Step-by-Step Implementation

      Configuration Reference

      Network Security: Private Connectivity and Customer-Managed VPCs configuration options

      | Setting                     | Cloud         | Required          | Notes                            |
      |-----------------------------|---------------|-------------------|----------------------------------|
      | Customer-Managed VPC        | AWS/Azure/GCP | Enterprise        | Min 2 subnets in different AZs   |
      | Front-End Private Link      | AWS/Azure     | Enterprise        | For UI and REST API access       |
      | Back-End Private Link       | AWS/Azure     | Enterprise        | For cluster relay communication  |
      | Secure Cluster Connectivity | All           | Premium+          | No public IPs on cluster nodes   |
      | NAT Gateway                 | All           | When SCC enabled  | Required for package downloads   |
      | VPC Peering                 | All           | Optional          | For connecting to other VPCs     |
      | IP Access Lists             | All           | Premium+          | Restrict source IPs for API/UI   |
      | DNS Private Zones           | All           | With Private Link | Resolve workspace URLs privately |
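An added configuration check (example code, not Databricks' own tooling) that applies the rules from the prerequisites list and the table above to a VPC description: subnets of at least /26 that do not overlap, two subnets in different AZs, no public IPs on cluster nodes when Secure Cluster Connectivity is on, a NAT gateway when SCC is enabled, and a workspace URL that resolves to a private address. The input dictionary shape and the two sample layouts are assumptions constructed for this example.

```python
"""Offline sanity checks for a customer-managed Databricks VPC layout.

Added example, not Databricks' own code. The input shape (subnets, scc_enabled,
nat_gateway, workspace_ip) is an assumption; the rules come from the page's
prerequisites and configuration table.
"""
from __future__ import annotations
import ipaddress

MIN_PREFIX = 26   # page: minimum /26 per Databricks subnet
MIN_SUBNETS = 2   # page: at least 2 subnets in different AZs

def check_vpc(cfg: dict) -> list[str]:
    """Return findings; an empty list means the layout passes every check."""
    findings, seen, subnets = [], [], cfg.get("subnets", [])
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"], strict=True)
        if net.prefixlen > MIN_PREFIX:   # /27, /28 ... are too small
            findings.append(f"{s['name']}: {s['cidr']} is smaller than /{MIN_PREFIX}")
        if s.get("map_public_ip") and cfg.get("scc_enabled"):
            findings.append(f"{s['name']}: assigns public IPs but SCC is enabled")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{s['name']} overlaps {other_name}")
        seen.append((s["name"], net))
    if len(subnets) < MIN_SUBNETS:
        findings.append(f"need at least {MIN_SUBNETS} subnets, found {len(subnets)}")
    azs = {s["az"] for s in subnets}
    if len(azs) < MIN_SUBNETS:
        findings.append(f"subnets must span {MIN_SUBNETS} AZs, found {sorted(azs)}")
    if cfg.get("scc_enabled") and not cfg.get("nat_gateway"):
        findings.append("SCC enabled but no NAT gateway for package downloads")
    ws_ip = cfg.get("workspace_ip")   # what the workspace URL resolves to
    if ws_ip and not ipaddress.ip_address(ws_ip).is_private:
        findings.append(f"workspace URL resolves to public {ws_ip}: private DNS zone missing?")
    return findings

# Constructed sample layouts (not real deployments).
GOOD_VPC = {"scc_enabled": True, "nat_gateway": True, "workspace_ip": "10.0.5.10",
            "subnets": [{"name": "a", "cidr": "10.0.0.0/26", "az": "us-east-1a"},
                        {"name": "b", "cidr": "10.0.0.64/26", "az": "us-east-1b"}]}
BAD_VPC = {"scc_enabled": True, "nat_gateway": False, "workspace_ip": "52.0.0.1",
           "subnets": [{"name": "a", "cidr": "10.0.0.0/28", "az": "us-east-1a", "map_public_ip": True},
                       {"name": "b", "cidr": "10.0.0.0/24", "az": "us-east-1a"}]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_VPC), ("bad", BAD_VPC)):
        print(name, check_vpc(cfg) or "OK")
```

Feed it the subnet CIDRs, AZs and flags from your own deployment plan before the network team opens firewall and routing changes; each finding maps back to one row of the table.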

      Monitoring, Cost, and Security Considerations

      Common Pitfalls and Recommended Patterns

        Frequently Asked Questions