Read Before Deploying

Key Considerations

The Security Reference Architecture (SRA) is a purpose-built, simplified deployment pattern designed for highly secure and regulated customers.

This architecture includes specific functionalities that may affect certain use cases, as outlined below.

  • Azure Firewall: Azure Firewall is deployed to securely manage and control outbound traffic from the classic compute plane. It provides centralized logging, monitoring, and policy enforcement while maintaining compliance with organizational security standards.

    • To add packages (such as from PyPI or CRAN) to classic compute or serverless compute, set up a private repository for scanned packages or update firewall rules/network policies to allow the specific domains required. See Network Egress Configuration for more information on configuring SRA for package installation.
  • Hub-and-Spoke Network Topology: The architecture employs a hub-and-spoke model:

    • The hub VNet contains shared infrastructure and services.
    • The spoke VNet houses the Azure Databricks workspace deployed by SRA. SRA can be deployed more than once to create new workspaces for different business units or teams.

    This topology enhances security by isolating workloads and controlling traffic flow between VNets.

  • Private Connectivity: Azure Databricks workspaces are deployed with VNet injection and Private Link, ensuring that all traffic between the workspace and Azure services remains within the Azure backbone network. Private endpoints are configured for services like Azure Storage, Event Hubs, and SQL Databases to prevent data exfiltration.

  • Isolated Unity Catalog Securables: Unity Catalog securables like catalogs, Storage Credentials, and External Locations are isolated to individual workspaces.

    • To share securables between workspaces, update the resources using the databricks_workspace_binding resource.
  • Security Analysis Tool (SAT): The Security Analysis Tool (SAT) is disabled by default to support highly restricted no-egress deployments.

    • When enabled, SAT is installed in the hub (webauth) workspace by default.
    • SAT can be enabled by setting sat_configuration.enabled = true in your configuration.
    • Requires specific network egress rules (see SAT URL Requirements).
    • See the Components page for detailed configuration options.
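The following Terraform snippet is an added example, not code from the SRA repository, showing the two post-deployment customizations the list above calls out: an FQDN-scoped Azure Firewall application rule that lets classic compute reach PyPI for package installation, and a databricks_workspace_binding that shares an isolated catalog with a second workspace. The resource names, the hub firewall policy reference, the source CIDRs, the catalog name, and the analytics_workspace_id variable are all assumptions; substitute your own deployment's values.

```hcl
# Added example (not part of the SRA repository). Names, CIDRs, and IDs
# below are placeholders; the hub firewall policy is assumed to exist.

# --- 1. Azure Firewall egress for package installation -------------------
# Permits HTTPS to the PyPI FQDNs only, from the compute subnets only.
# Everything else stays denied by the firewall's default behaviour, so the
# egress surface grows by exactly two hostnames.
resource "azurerm_firewall_policy_rule_collection_group" "package_egress" {
  name               = "sra-package-egress"            # assumed name
  firewall_policy_id = azurerm_firewall_policy.hub.id  # assumed hub policy
  priority           = 500

  application_rule_collection {
    name     = "allow-pypi"
    priority = 500
    action   = "Allow"

    rule {
      name = "pypi-https"
      protocols {
        type = "Https"
        port = 443
      }
      # Assumed CIDRs of the Databricks host/container subnets in the spoke.
      source_addresses  = ["10.1.0.0/24", "10.1.1.0/24"]
      destination_fqdns = ["pypi.org", "files.pythonhosted.org"]
    }
  }
}

# --- 2. Sharing an isolated Unity Catalog securable -----------------------
# SRA isolates catalogs to the workspace that created them. Keep the
# catalog ISOLATED and add an explicit binding for the second workspace,
# granting read-only access unless writes are genuinely required.
variable "analytics_workspace_id" {
  type        = string
  description = "Workspace ID of the second SRA workspace (placeholder)."
}

resource "databricks_catalog" "finance" {
  name           = "finance"   # assumed catalog name
  isolation_mode = "ISOLATED"
}

resource "databricks_workspace_binding" "finance_to_analytics" {
  securable_name = databricks_catalog.finance.name
  securable_type = "catalog"
  workspace_id   = var.analytics_workspace_id
  binding_type   = "BINDING_TYPE_READ_ONLY"
}
```

The binding is created through the provider configured for the workspace that owns the catalog; external locations and storage credentials are shared the same way by changing securable_type to external_location or storage_credential.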

Prerequisites

Required Permissions

The principal deploying SRA needs:

Azure Permissions:

  • Contributor role on the subscription. Alternatively, see this doc on creating a custom role.
  • If SRA is creating a service principal for SAT during deployment, you will need the permissions documented here.

Databricks Permissions:

  • Account admin permissions in the Databricks account

Authentication Setup

To configure authentication for the Databricks provider, see the provider documentation here.