Mode 3: Bring-your-own Hub and Spoke Network
Description
You provide both the existing hub and the existing spoke network infrastructure. SRA creates only the spoke workspace and its related resources.
What Gets Created
| Resource | Component | Created by SRA |
|---|---|---|
| Hub Resource Group | Hub VNET + Azure Firewall | ✗ (You provide) |
| Hub Resource Group | Webauth Workspace | ✗ (You provide) |
| Hub Resource Group | CMK KeyVault | ✗ (You provide) |
| Hub Resource Group | Route Table | ✗ (You provide) |
| Spoke Resource Group | Workspace | ✓ |
| Spoke Resource Group | Spoke VNET | ✗ (You provide) |
| Spoke Resource Group | Back-end Private Endpoint | ✓ |
| Spoke Resource Group | UC Storage Account | ✓ |
| Account Console | NCC (Network Connectivity Config) | ✗ (You provide) |
| Account Console | Network Policy | ✗ (You provide) |
| Account Console | Metastore | ✗ (You provide) |
Configuration
create_hub = false # You provide hub
create_workspace_vnet = false # You provide spoke network
Required Variables
Additional Requirements
When bringing your own hub and spoke, you must provide all hub and spoke infrastructure details. This combines all requirements from Mode 2 with spoke network details.
# Disable hub and spoke creation
create_hub = false
create_workspace_vnet = false
# Basic configuration
databricks_account_id = "00000000-0000-0000-0000-000000000000"
location = "westus2"
subscription_id = "ffffffff-ffff-ffff-ffff-ffffffffffff"
resource_suffix = "spoke"
# REQUIRED: Existing metastore from your hub
databricks_metastore_id = "00000000-0000-0000-0000-000000000000"
# REQUIRED: Existing hub VNET details (for spoke network peering)
existing_hub_vnet = {
  route_table_id = "/subscriptions/.../providers/Microsoft.Network/routeTables/rt-hub"
  vnet_id        = "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/vnet-hub"
}
# REQUIRED: Existing NCC and network policy
existing_ncc_id = "your-ncc-id"
existing_network_policy_id = "your-network-policy-id"
# REQUIRED if cmk_enabled = true (default)
existing_cmk_ids = {
  key_vault_id            = "/subscriptions/.../providers/Microsoft.KeyVault/vaults/kv-hub"
  managed_disk_key_id     = "https://kv-hub.vault.azure.net/keys/cmk-disk/version"
  managed_services_key_id = "https://kv-hub.vault.azure.net/keys/cmk-services/version"
}
# REQUIRED: BYO workspace network configuration
existing_workspace_vnet = {
  network_configuration = {
    virtual_network_id         = "/subscriptions/.../virtualNetworks/vnet-spoke"
    private_subnet_id          = "/subscriptions/.../subnets/container"
    public_subnet_id           = "/subscriptions/.../subnets/host"
    private_endpoint_subnet_id = "/subscriptions/.../subnets/private-endpoints"
    private_subnet_network_security_group_association_id = "/subscriptions/.../subnets/container"
    public_subnet_network_security_group_association_id  = "/subscriptions/.../subnets/host"
  }
  dns_zone_ids = {
    backend = "/subscriptions/.../privateDnsZones/privatelink.azuredatabricks.net"
    dfs     = "/subscriptions/.../privateDnsZones/privatelink.dfs.core.windows.net"
    blob    = "/subscriptions/.../privateDnsZones/privatelink.blob.core.windows.net"
  }
}
# Network egress
allowed_fqdns = []
hub_allowed_urls = []
tags = {
  Owner = "user@example.com"
}
Required Variable Summary
- databricks_account_id
- location
- subscription_id
- resource_suffix
- databricks_metastore_id
- existing_ncc_id
- existing_network_policy_id
- existing_hub_vnet
- existing_cmk_ids (if cmk_enabled = true)
- existing_workspace_vnet
Template File
Use template_byo_spoke_network.example.tfvars as your starting point.
Validation Rules
When create_hub = false:
- Must provide databricks_metastore_id
- Must provide existing_ncc_id
- Must provide existing_network_policy_id
- Must provide existing_hub_vnet
- Must provide existing_cmk_ids if cmk_enabled = true
- Must NOT provide existing_cmk_ids if cmk_enabled = false
When create_workspace_vnet = false:
- Must provide existing_workspace_vnet
- Must NOT provide workspace_vnet
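The rules above can be checked before `terraform plan` runs, for instance in CI. The following is an added example, not part of the SRA project's code: it assumes the variables are supplied in Terraform's JSON form (terraform.tfvars.json), applies a rule only when its flag is explicitly false, and also flags values still carrying this page's template placeholders. The names check_byo_mode, HUB_REQUIRED, PLACEHOLDERS and SAMPLE are hypothetical.

```python
import json

# Variables the page lists as mandatory when create_hub = false.
HUB_REQUIRED = ("databricks_metastore_id", "existing_ncc_id",
                "existing_network_policy_id", "existing_hub_vnet")
# Placeholder fragments that appear in this page's sample tfvars.
PLACEHOLDERS = ("/.../", "your-", "00000000-0000-0000-0000-000000000000")

def _provided(tfvars, name):
    """True when the variable is present and not null or empty."""
    return tfvars.get(name) not in (None, "", {}, [])

def _leaves(value, path=""):
    """Yield (dotted path, leaf value) pairs from nested objects."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaves(child, f"{path}.{key}" if path else key)
    else:
        yield path, value

def check_byo_mode(tfvars):
    """Return rule violations for a parsed terraform.tfvars.json document."""
    errors = []
    cmk_enabled = bool(tfvars.get("cmk_enabled", True))  # page: true is the default
    if tfvars.get("create_hub") is False:
        errors += [f"{name} is required when create_hub = false"
                   for name in HUB_REQUIRED if not _provided(tfvars, name)]
        if _provided(tfvars, "existing_cmk_ids") != cmk_enabled:
            errors.append("existing_cmk_ids does not match cmk_enabled")
    if tfvars.get("create_workspace_vnet") is False:
        if not _provided(tfvars, "existing_workspace_vnet"):
            errors.append("existing_workspace_vnet is required")
        if _provided(tfvars, "workspace_vnet"):
            errors.append("workspace_vnet must not be set")
    for path, leaf in _leaves(tfvars):
        if isinstance(leaf, str) and any(p in leaf for p in PLACEHOLDERS):
            errors.append(f"{path} still holds a template placeholder")
    return errors

# Constructed sample, not a real deployment; it contains three deliberate mistakes.
SAMPLE = json.loads("""{
  "create_hub": false, "create_workspace_vnet": false, "cmk_enabled": false,
  "databricks_metastore_id": "11111111-2222-3333-4444-555555555555",
  "existing_network_policy_id": "np-constructed",
  "existing_hub_vnet": {"route_table_id": "/subscriptions/.../routeTables/rt-hub",
                        "vnet_id": "/subscriptions/sub1/virtualNetworks/vnet-hub"},
  "existing_cmk_ids": {"key_vault_id": "/subscriptions/sub1/vaults/kv-hub"},
  "existing_workspace_vnet": {"network_configuration": {"virtual_network_id": "/subscriptions/sub1/vnet-spoke"}}
}""")
print("\n".join(check_byo_mode(SAMPLE)))
```

An empty list from check_byo_mode means the file satisfies the rules listed above; it does not confirm that the referenced Azure resources exist.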
Next Steps
- Copy template_byo_spoke_network.example.tfvars to terraform.tfvars
- Fill in required variables from your existing infrastructure
- Review Configuration Reference for optional features
- Follow Getting Started deployment steps