Azure

Overview

Note

For feedback, questions, and comments — please open a GitHub Issue.

Please review the Project Support section for important information on support and service terms.

The Security Reference Architecture (SRA) with Terraform provides a prescriptive deployment pattern for Databricks on Azure, designed for highly secure and regulated environments. It captures Databricks security best practices in Terraform templates, allowing organizations to programmatically deploy workspaces and supporting infrastructure with hardened, opinionated defaults.

This architecture emphasizes:

  • Secure by Default – Environments are provisioned with restrictive networking, managed identities, and encryption controls.
  • Governance & Compliance – Aligns with industry standards and simplifies audits through consistent, automated configurations.
  • Scalability – Built on a hub-and-spoke model to isolate workloads, enforce least privilege, and simplify cross-environment connectivity.
  • Point-in-Time Design – Each release reflects security best practices at that time; new releases may not be drop-in replacements.

Architecture Diagram

Security Functionality

The Azure implementation of the Security Reference Architecture (SRA) includes:

  • Hub-and-Spoke model for network segmentation, workload isolation, and simplified cross-environment connectivity.
  • Core Azure components such as VNet injection, Private Link endpoints, managed identities, Azure Storage Accounts, and Azure Key Vault.
  • Core Databricks components including Unity Catalog, network connectivity configurations, and network policies for serverless compute.
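
The following Terraform configuration is an added illustration of the hub-and-spoke, VNet-injection and Private Link pieces listed above; it is not taken from the SRA templates themselves. It assumes an azurerm provider (3.x or later) is already configured, and all names, CIDRs and the region are placeholders. It deploys a hub VNet, a spoke VNet peered to it, the two delegated subnets VNet injection requires, a workspace with Secure Cluster Connectivity (no public IPs) and public network access disabled, and a front-end Private Link endpoint in the hub.

```hcl
resource "azurerm_resource_group" "spoke" {
  name     = "rg-dbx-spoke-prod" # placeholder name
  location = "eastus2"           # placeholder region
}

# Hub VNet for shared services (DNS, firewall, private endpoints).
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  address_space       = ["10.0.0.0/16"]
}

# Spoke VNet the workspace is injected into; one spoke per environment.
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-dbx-spoke-prod"
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  address_space       = ["10.1.0.0/16"]
}

# Peering must exist in both directions for traffic to flow.
resource "azurerm_virtual_network_peering" "hub_spoke" {
  for_each = {
    hub_to_spoke = [azurerm_virtual_network.hub, azurerm_virtual_network.spoke]
    spoke_to_hub = [azurerm_virtual_network.spoke, azurerm_virtual_network.hub]
  }
  name                      = "peer-${each.key}"
  resource_group_name       = azurerm_resource_group.spoke.name
  virtual_network_name      = each.value[0].name
  remote_virtual_network_id = each.value[1].id
}

# Host ("public") and container ("private") subnets, delegated to Databricks.
resource "azurerm_subnet" "dbx" {
  for_each             = { host = "10.1.0.0/24", container = "10.1.1.0/24" }
  name                 = "snet-dbx-${each.key}"
  resource_group_name  = azurerm_resource_group.spoke.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = [each.value]

  delegation {
    name = "databricks"
    service_delegation {
      name    = "Microsoft.Databricks/workspaces"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action"]
    }
  }
}

# Hub subnet that hosts the Private Link endpoint to the workspace.
resource "azurerm_subnet" "privatelink" {
  name                 = "snet-privatelink"
  resource_group_name  = azurerm_resource_group.spoke.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.10.0/24"]
}

# NSG attached to both delegated subnets; Azure injects the rules Databricks needs.
resource "azurerm_network_security_group" "dbx" {
  name                = "nsg-dbx-spoke-prod"
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
}

resource "azurerm_subnet_network_security_group_association" "dbx" {
  for_each                  = azurerm_subnet.dbx
  subnet_id                 = each.value.id
  network_security_group_id = azurerm_network_security_group.dbx.id
}

resource "azurerm_databricks_workspace" "this" {
  name                          = "dbw-sra-prod"
  resource_group_name           = azurerm_resource_group.spoke.name
  location                      = azurerm_resource_group.spoke.location
  sku                           = "premium" # needed for Private Link and Unity Catalog features
  public_network_access_enabled = false     # UI/API reachable only through the private endpoint

  custom_parameters {
    no_public_ip                                         = true # Secure Cluster Connectivity: no public IPs on cluster nodes
    virtual_network_id                                   = azurerm_virtual_network.spoke.id
    public_subnet_name                                   = azurerm_subnet.dbx["host"].name
    private_subnet_name                                  = azurerm_subnet.dbx["container"].name
    public_subnet_network_security_group_association_id  = azurerm_subnet_network_security_group_association.dbx["host"].id
    private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.dbx["container"].id
  }
}

# Front-end Private Link endpoint in the hub for user and API access.
resource "azurerm_private_endpoint" "dbx_ui_api" {
  name                = "pe-dbw-sra-prod-ui-api"
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  subnet_id           = azurerm_subnet.privatelink.id

  private_service_connection {
    name                           = "psc-dbw-sra-prod-ui-api"
    private_connection_resource_id = azurerm_databricks_workspace.this.id
    is_manual_connection           = false
    subresource_names              = ["databricks_ui_api"]
  }
}
```

Two things are deliberately left out and must be added before this is usable: a private DNS zone for privatelink.azuredatabricks.net linked to the hub (otherwise the workspace URL still resolves to its public address, which is now blocked), and the back-end Private Link endpoint from the spoke with `network_security_group_rules_required = "NoAzureDatabricksRules"` if control-plane traffic should also stay off the public internet. A quick check after apply: `public_network_access_enabled` must read `false` in `terraform show`, and a browser on a network without a route to the hub should fail to reach the workspace URL.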

Next Steps