Announcing the General Availability of Azure Private Link and Azure Storage firewall support for Databricks SQL Serverless

An overview of Azure Databricks’ new enhanced serverless networking features and security best practices

We are excited to announce the upcoming general availability of Azure Private Link support for Databricks SQL (DBSQL) Serverless, planned in April 2024, with no additional charges for use. We are also thrilled to announce that Azure Storage firewall support with stable VNet subnet IDs is now generally available for DBSQL Serverless. This blog will give an overview of the two features and associated best practices for securely accessing data in your Azure Storage account from Databricks serverless.

Maximize performance and secure workspaces using Azure Databricks serverless network connectivity features

The Databricks Data Intelligence Platform offers robust security through strong multi-layered isolation and built-in best practices, as detailed in our Trust Center, while continuing to leverage data stored in your existing Azure Storage accounts. We build on this foundation and offer two options to connect your DBSQL Serverless workloads to your Azure Storage accounts securely:

  1. Configure Azure Storage firewall to allow access based on stable VNet subnet IDs
  2. Configure Private Endpoints to use Private Link to your Storage account

The diagram below shows the high-level connections into and out of your Azure Databricks account for serverless. In this blog, we will focus on securing your connection between DBSQL Serverless workloads and your Azure Storage.

Figure: DBSQL Serverless workloads

Azure Private Link for serverless will soon become GA and is included at no additional cost

Like many customers, you may have compliance or governance requirements to keep traffic to your resources on your virtual network via private endpoints. For such scenarios, you can now create and maintain private endpoints for your Storage accounts and grant access to those private endpoints from serverless workloads in specified Workspaces.

As part of our upcoming general availability of Private Link on Azure Databricks for serverless, we are excited to announce that Private Link connections from Databricks SQL Serverless workloads will be available at no additional charge to you! As a result, your TCO for DBSQL Serverless on Azure Databricks gets a huge boost. It also means that Private Link connections will carry no additional charge as we add support for additional Azure Databricks serverless products and Azure resource types.

"Azure Databricks' advanced networking features offer security and simplicity in managing serverless data transformations and analytics at scale."
— Jonas Kardell, Data Science Lead, SJ AB

Azure Storage firewall support with stable VNet subnet IDs

For those not looking to use Private Link, you likely still have a requirement to lock down access to your data in Azure Storage accounts to only authorized workloads running on authorized networks. Azure Storage firewall enables you to restrict access to only clients that access your Storage account from authorized VNet subnet IDs. With this GA launch, you can configure Databricks to use a stable list of subnets within our Azure VNets to reach out to your Storage. You can obtain this list of subnet IDs directly in the product and manage access by adding them to your Azure Storage firewall rules. Combining this feature with Unity Catalog provides layered protection to ensure that only authorized workloads that also have access to the right Managed Identity can access data in your Storage.
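As an added example (not Databricks or Microsoft code), the Python check below compares a storage account's firewall rules with the subnet list obtained from the product, reporting whether the default action is Deny and which serverless subnets are missing. It assumes the rules are supplied in the ARM `properties.networkAcls` shape; every subscription, subnet ID and rule set shown is a constructed sample value.

```python
"""Audit Azure Storage network rules against the serverless subnet list."""

def _norm(resource_id):
    # Azure resource IDs compare case-insensitively.
    return resource_id.strip().rstrip("/").lower()

def audit_storage_firewall(network_acls, serverless_subnet_ids):
    """network_acls: a storage account's `properties.networkAcls` object (ARM shape).
    serverless_subnet_ids: the stable subnet IDs copied from the product."""
    # A missing defaultAction means Allow, i.e. the firewall is not restricting.
    default_deny = str(network_acls.get("defaultAction", "Allow")).lower() == "deny"
    allowed = {
        _norm(rule["id"])
        for rule in network_acls.get("virtualNetworkRules", [])
        if str(rule.get("action", "Allow")).lower() == "allow"
    }
    expected = {_norm(s) for s in serverless_subnet_ids}
    return {
        "default_deny": default_deny,
        # Serverless subnets with no allow rule: queries from them are blocked.
        "missing": sorted(expected - allowed),
        # Other allowed subnets (for example your own VNets): review, not an error.
        "unexpected": sorted(allowed - expected),
    }

def is_locked_down(report):
    # Restricted by default and every serverless subnet is allowed through.
    return report["default_deny"] and not report["missing"]

# Constructed sample data (placeholder subscription, resource group and VNet).
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/")
SERVERLESS = [SUB + "serverless-1", SUB + "serverless-2"]

WEAK = {  # firewall effectively off, and one serverless subnet not listed
    "defaultAction": "Allow",
    "virtualNetworkRules": [{"id": SUB + "serverless-1", "action": "Allow"}],
}
HARDENED = {  # default deny, both serverless subnets allowed, one extra subnet
    "defaultAction": "Deny",
    "virtualNetworkRules": [
        {"id": SUB.upper() + "SERVERLESS-1", "action": "Allow"},
        {"id": SUB + "serverless-2", "action": "Allow"},
        {"id": SUB + "legacy-app", "action": "Allow"},
    ],
}

if __name__ == "__main__":
    for name, acls in (("weak", WEAK), ("hardened", HARDENED)):
        report = audit_storage_firewall(acls, SERVERLESS)
        print(name, is_locked_down(report), report)
```
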

Manage serverless network connectivity easily across a number of Workspaces

With the Network Connectivity Configuration (NCC), you can easily and centrally manage network connectivity. Using NCC enables mapping connectivity configurations to multiple Workspaces, simplifying administration by reducing the number of private endpoints you need to manage. As we continue to broaden our serverless offerings, the NCC will continue to be the single point of managing connectivity across all our serverless products.

Figure: Network Connectivity Configuration

Getting Started with Serverless Network Connectivity on Azure Databricks

Azure Storage firewall support and Azure Private Link are available on the Premium Tier version of Azure Databricks. Refer to our documentation for step-by-step instructions on configuring NCC and Azure Storage firewall support for your Databricks workspaces. While Azure Private Link is in gated public preview, contact your Azure Databricks account team for more information on how to enroll. We are planning to make Azure Private Link support for Azure Databricks serverless generally available in April 2024.

Please visit our Security and Trust Center for more information about Databricks' security best practices and features available to customers.
