Bicep
This template creates a network security group, a virtual network, an Azure Databricks workspace deployed into that virtual network, and a private endpoint for the workspace.
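```bicep
// Deployment parameters.
// The defaults are the locked-down configuration: cluster nodes get no public
// IPs (disablePublicIp) and public network access to the workspace is disabled,
// so the workspace front end is reachable only through the private endpoint
// declared further down in this template.
// Quotes were normalised to Bicep's straight single quotes (the page rendered
// them as typographic quotes, which do not parse).
@description('Specifies whether to deploy Azure Databricks workspace with secure cluster connectivity (SCC) enabled or not (No Public IP).')
param disablePublicIp bool = true

@description('Location for all resources.')
param location string = resourceGroup().location

@description('The name of the network security group to create.')
param nsgName string = 'databricks-nsg'

@description('The pricing tier of workspace.')
@allowed([
  'trial'
  'standard'
  'premium'
])
param pricingTier string = 'premium'

@description('CIDR range for the private subnet.')
param privateSubnetCidr string = '10.179.0.0/18'

@description('The name of the private subnet to create.')
param privateSubnetName string = 'private-subnet'

// 'Disabled' forces all front-end (UI/API) access through the private
// endpoint; set to 'Enabled' only if the public front end must stay reachable.
@description('Indicates whether public network access is allowed to the workspace with private endpoint - possible values are Enabled or Disabled.')
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = 'Disabled'

@description('CIDR range for the public subnet.')
param publicSubnetCidr string = '10.179.64.0/18'

@description('CIDR range for the private endpoint subnet.')
param privateEndpointSubnetCidr string = '10.179.128.0/24'

@description('The name of the public subnet to create.')
param publicSubnetName string = 'public-subnet'

// Controls whether the workspace requires the outbound NSG rule to the
// AzureDatabricks service tag; the default drops that requirement, which is
// the expected pairing with publicNetworkAccess = 'Disabled'.
@description('Indicates whether to retain or remove the AzureDatabricks outbound NSG rule - possible values are AllRules or NoAzureDatabricksRules.')
@allowed([
  'AllRules'
  'NoAzureDatabricksRules'
])
param requiredNsgRules string = 'NoAzureDatabricksRules'

@description('CIDR range for the vnet.')
param vnetCidr string = '10.179.0.0/16'

@description('The name of the virtual network to create.')
param vnetName string = 'databricks-vnet'

// NOTE(review): PascalCase name is inconsistent with the other parameters;
// kept unchanged because renaming it would break callers passing it by name.
@description('The name of the subnet to create the private endpoint in.')
param PrivateEndpointSubnetName string = 'default'

@description('The name of the Azure Databricks workspace to create.')
param workspaceName string = 'default'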
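// Derived names (quotes normalised to straight single quotes so the file parses).
// The managed resource group is created by the Databricks service; its name is
// made unique per workspace and resource group, then trimmed to 90 characters,
// the maximum length Azure accepts for a resource group name.
var managedResourceGroupName = 'databricks-rg-${workspaceName}-${uniqueString(workspaceName, resourceGroup().id)}'
var trimmedMRGName = substring(managedResourceGroupName, 0, min(length(managedResourceGroupName), 90))
var managedResourceGroupId = '${subscription().id}/resourceGroups/${trimmedMRGName}'

var privateEndpointName = '${workspaceName}-pvtEndpoint'
// Private DNS zone used for the Databricks private link; once linked to the
// VNet, its records take precedence over public resolution of the workspace
// FQDN for clients inside the VNet.
var privateDnsZoneName = 'privatelink.azuredatabricks.net'
// Child-resource name of the form '<privateEndpoint>/<dnsZoneGroup>'.
var pvtEndpointDnsGroupName = '${privateEndpointName}/mydnsgroupname'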
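// Network security group attached to both Databricks subnets.
// Rule names carry the 'Microsoft.Databricks-workspaces_UseOnly_' prefix that
// the Databricks service expects for the rules it manages.
// The page rendered the wildcard protocol/port values as empty strings
// (the '*' was eaten by markdown); an empty string is not a valid value for
// these properties, so '*' is restored here - verify against the source template.
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        // Any protocol/port, but only between addresses inside the VNet
        // (VirtualNetwork tag on both ends) - intra-cluster traffic only.
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound'
        properties: {
          description: 'Required for worker nodes communication within a cluster.'
          protocol: '*'
          sourcePortRange: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'VirtualNetwork'
          access: 'Allow'
          priority: 100
          direction: 'Inbound'
        }
      }
      {
        // Outbound to the Databricks control plane by service tag. With
        // requiredNsgRules = 'NoAzureDatabricksRules' (the default) the
        // workspace no longer mandates this rule; whether it is still needed
        // depends on the deployment - review before removing.
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp'
        properties: {
          description: 'Required for workers communication with Databricks Webapp.'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '443'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'AzureDatabricks'
          access: 'Allow'
          priority: 100
          direction: 'Outbound'
        }
      }
      {
        // Outbound rules below are scoped to Azure service tags rather than
        // 'Internet', which limits egress to the named Azure services.
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql'
        properties: {
          description: 'Required for workers communication with Azure SQL services.'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '3306'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'Sql'
          access: 'Allow'
          priority: 101
          direction: 'Outbound'
        }
      }
      {
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage'
        properties: {
          description: 'Required for workers communication with Azure Storage services.'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '443'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'Storage'
          access: 'Allow'
          priority: 102
          direction: 'Outbound'
        }
      }
      {
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound'
        properties: {
          description: 'Required for worker nodes communication within a cluster.'
          protocol: '*'
          sourcePortRange: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'VirtualNetwork'
          access: 'Allow'
          priority: 103
          direction: 'Outbound'
        }
      }
      {
        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub'
        properties: {
          description: 'Required for worker communication with Azure Eventhub services.'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '9093'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'EventHub'
          access: 'Allow'
          priority: 104
          direction: 'Outbound'
        }
      }
    ]
  }
}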
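// Virtual network with the two Databricks-delegated subnets (public/private,
// both guarded by the NSG above) and a third subnet that hosts the private
// endpoint. Quotes normalised to straight single quotes.
resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetCidr
      ]
    }
    subnets: [
      {
        name: publicSubnetName
        properties: {
          addressPrefix: publicSubnetCidr
          networkSecurityGroup: {
            id: nsg.id
          }
          // Delegation hands subnet management to the Databricks service.
          delegations: [
            {
              name: 'databricks-del-public'
              properties: {
                serviceName: 'Microsoft.Databricks/workspaces'
              }
            }
          ]
        }
      }
      {
        name: privateSubnetName
        properties: {
          addressPrefix: privateSubnetCidr
          networkSecurityGroup: {
            id: nsg.id
          }
          delegations: [
            {
              name: 'databricks-del-private'
              properties: {
                serviceName: 'Microsoft.Databricks/workspaces'
              }
            }
          ]
        }
      }
      {
        // Private endpoint subnet. No NSG is attached, and network policies are
        // disabled, which this API version requires before a private endpoint
        // can be placed in the subnet; NSG filtering of private-endpoint
        // traffic is therefore not in effect here - presumably acceptable for
        // this quickstart, confirm for production use.
        name: PrivateEndpointSubnetName
        properties: {
          addressPrefix: privateEndpointSubnetCidr
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}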
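// Databricks workspace injected into the VNet above (customVirtualNetworkId).
// enableNoPublicIp removes public IPs from cluster nodes; publicNetworkAccess
// and requiredNsgRules come straight from the parameters, whose defaults
// disable the public front end and drop the AzureDatabricks NSG requirement.
// Quotes normalised to straight single quotes.
resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: workspaceName
  location: location
  sku: {
    name: pricingTier
  }
  properties: {
    managedResourceGroupId: managedResourceGroupId
    parameters: {
      customVirtualNetworkId: {
        value: vnet.id
      }
      customPublicSubnetName: {
        value: publicSubnetName
      }
      customPrivateSubnetName: {
        value: privateSubnetName
      }
      enableNoPublicIp: {
        value: disablePublicIp
      }
    }
    publicNetworkAccess: publicNetworkAccess
    requiredNsgRules: requiredNsgRules
  }
}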
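// Private endpoint for the workspace front end (groupId 'databricks_ui_api'),
// placed in the dedicated private-endpoint subnet. Quotes normalised to
// straight single quotes.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: {
      // Built with resourceId() rather than a symbolic reference, so this line
      // alone creates no dependency on the vnet resource; ordering still holds
      // because workspace.id below depends on vnet.id.
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, PrivateEndpointSubnetName)
    }
    privateLinkServiceConnections: [
      {
        name: privateEndpointName
        properties: {
          privateLinkServiceId: workspace.id
          groupIds: [
            'databricks_ui_api'
          ]
        }
      }
    ]
  }
}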
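// Private DNS zone for the Databricks private link. Private DNS zones are
// global resources, hence location 'global'. Quotes normalised.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
  // Explicit ordering after the endpoint; nothing in this resource references
  // it, so the dependency is presumably there to sequence the DNS setup.
  dependsOn: [
    privateEndpoint
  ]
}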
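// Links the private DNS zone to the VNet so resolvers inside it get the
// private-endpoint address for the workspace FQDN. registrationEnabled is
// false: the zone only serves the private-link records and does not
// auto-register VM hostnames. Quotes normalised.
resource privateDnsZoneName_privateDnsZoneName_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${privateDnsZoneName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}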
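// DNS zone group on the private endpoint: writes the endpoint's A record into
// the private DNS zone so the workspace name resolves privately.
// Named via the '<endpoint>/<group>' variable rather than 'parent:', so the
// dependency on the endpoint has to be stated explicitly. Quotes normalised and
// the stray 'plaintext' info string dropped from the closing fence.
resource pvtEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-12-01' = {
  name: pvtEndpointDnsGroupName
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'config1'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
  dependsOn: [
    privateEndpoint
  ]
}
```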