|
| 1 | +--- |
| 2 | +title: Attach a secured Azure Databricks compute |
| 3 | +titleSuffix: Azure Machine Learning |
| 4 | +description: Use a private endpoint to attach an Azure Databricks compute to an Azure Machine Learning workspace configured for network isolation. |
| 5 | +services: machine-learning |
| 6 | +ms.service: machine-learning |
| 7 | +ms.subservice: enterprise-readiness |
| 8 | +ms.reviewer: larryfr |
| 9 | +ms.author: jhirono |
| 10 | +author: jhirono |
| 11 | +ms.date: 01/19/2023 |
| 12 | +ms.topic: how-to |
| 13 | +ms.custom: security |
| 14 | +monikerRange: 'azureml-api-2 || azureml-api-1' |
| 15 | +--- |
| 16 | + |
| 17 | +# Attach an Azure Databricks compute that is secured in a virtual network (VNet) |
| 18 | + |
| 19 | +Both Azure Machine Learning and Azure Databricks can be secured by using a VNet to restrict incoming and outgoing network communication. When both services are configured to use a VNet, you can use a private endpoint to allow Azure Machine Learning to attach Azure Databricks as a compute resource. |
| 20 | + |
| 21 | +The information in this article assumes that your Azure Machine Learning workspace and Azure Databricks are configured for two separate Azure Virtual Networks. To enable communication between the two services, Azure Private Link is used. A private endpoint for each service is created in the VNet for the other service. A private endpoint for Azure Machine Learning is added to communicate with the VNet used by Azure Databricks. A private endpoint for Azure Databricks is added to communicate with the VNet used by Azure Machine Learning. |
| 22 | + |
| 23 | +:::image type="content" source="./media/how-to-securely-attach-databricks/secure-azure-machine-learning-to-azure-databricks.svg" alt-text="Diagram of the private endpoint connections between services and virtual networks."::: |
| 24 | + |
| 25 | +## Prerequisites |
| 26 | + |
| 27 | +* An Azure Machine Learning workspace that is configured for network isolation. |
| 28 | + |
| 29 | +* An [Azure Databricks deployment that is configured in a virtual network (VNet injection)](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). |
| 30 | + |
| 31 | + > [!IMPORTANT] |
| 32 | + > Azure Databricks requires two subnets (sometimes called the private and public subnet). Both of these subnets are delegated, and cannot be used by the Azure Machine Learning workspace when creating a private endpoint. We recommend adding a third subnet to the VNet used by Azure Databricks and using this subnet for the private endpoint. |
| 33 | +
|
| 34 | +* The VNets used by Azure Machine Learning and Azure Databricks must use a different set of IP address ranges. |
| 35 | + |
| 36 | +## Limitations |
| 37 | + |
| 38 | +Scenarios where the Azure Machine Learning control plane needs to communicate with the Azure Databricks control plane are not supported. Currently the only scenario we have identified where this is a problem is when using the [DatabrickStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.databricks_step.databricksstep) in a machine learning pipeline. To work around this limitation, allows public access to your workspace. This can be either using a workspace that isn't configured with a private link or a workspace with a private link that is [configured to allow public access](how-to-configure-private-link.md#enable-public-access). |
| 39 | + |
| 40 | +## Create a private endpoint for Azure Machine Learning |
| 41 | + |
| 42 | +To allow the Azure Machine Learning workspace to communicate with the VNet that Azure Databricks is using, use the following steps: |
| 43 | + |
| 44 | +1. From the [Azure portal](https://portal.azure.com), select your __Azure Machine Learning workspace__. |
| 45 | + |
| 46 | +1. From the sidebar, select __Networking__, __Private endpoint connections__, and then __+ Private endpoint__. |
| 47 | + |
| 48 | + :::image type="content" source="./media/how-to-securely-attach-databricks/add-private-endpoint.png" alt-text="Screenshot of the private endpoints connection page."::: |
| 49 | + |
| 50 | +1. From the __Create a private endpoint__ form, enter a name for the new private endpoint. Adjust the other values as needed by your scenario. |
| 51 | + |
| 52 | + :::image type="content" source="./media/how-to-securely-attach-databricks/private-endpoint-basics.png" alt-text="Screenshot of the basics section of the private endpoint wizard."::: |
| 53 | + |
| 54 | +1. Select __Next__ until you arrive at the __Virtual Network__ tab. Select the __Virtual network__ that is used by __Azure Databricks__, and the __Subnet__ to connect to using the private endpoint. |
| 55 | + |
| 56 | + :::image type="content" source="./media/how-to-securely-attach-databricks/private-endpoint-virtual-network.png" alt-text="Screenshot of the virtual network section of the private endpoint wizard."::: |
| 57 | + |
| 58 | +1. Select __Next__ until you can select __Create__ to create the resource. |
| 59 | + |
| 60 | +## Create a private endpoint for Azure Databricks |
| 61 | + |
| 62 | +To allow Azure Databricks to communicate with the VNet that the Azure Machine Learning workspace is using, use the following steps: |
| 63 | + |
| 64 | +1. From the [Azure portal](https://portal.azure.com), select your __Azure Databricks instance__. |
| 65 | + |
| 66 | +1. From the sidebar, select __Networking__, __Private endpoint connections__, and then __+ Private endpoint__. |
| 67 | + |
| 68 | + :::image type="content" source="./media/how-to-securely-attach-databricks/databricks-add-private-endpoint.png" alt-text="Screenshot of the private endpoints connection page for Azure Databricks."::: |
| 69 | + |
| 70 | +1. From the __Create a private endpoint__ form, enter a name for the new private endpoint. Adjust the other values as needed by your scenario. |
| 71 | + |
| 72 | +1. Select __Next__ until you arrive at the __Virtual Network__ tab. Select the __Virtual network__ that is used by __Azure Machine Learning__, and the __Subnet__ to connect to using the private endpoint. |
| 73 | + |
| 74 | +## Attach the Azure Databricks compute |
| 75 | + |
| 76 | +1. From [Azure Machine Learning studio](https://ml.azure.com), select your workspace and then select __Compute__ from the sidebar. Select __Attached computes__, __+ New__, and then __Azure Databricks__. |
| 77 | + |
| 78 | + :::image type="content" source="./media/how-to-securely-attach-databricks/add-attached-compute.png" alt-text="Screenshot of the add a compute page."::: |
| 79 | + |
| 80 | +1. From the __Attach Databricks compute__ form, provide the following information: |
| 81 | + |
| 82 | + * __Compute name__: The name of the compute you're adding. This value can be different than the name of your Azure Databricks workspace. |
| 83 | + * __Subscription__: The subscription that contains the Azure Databricks workspace. |
| 84 | + * __Databricks workspace__: The Azure Databricks workspace that you're attaching. |
| 85 | + * __Databricks access token__: For information on generating a token, see [Azure Databricks personal access tokens](/azure/databricks/dev-tools/auth#pat). |
| 86 | + |
| 87 | + Select __Attach__ to complete the process. |
| 88 | + |
| 89 | + :::image type="content" source="./media/how-to-securely-attach-databricks/attach-databricks.png" alt-text="Screenshot of the attach Databricks compute page."::: |
| 90 | + |
| 91 | +## Next steps |
| 92 | + |
| 93 | +* [Manage compute resources for training and deployment](how-to-create-attach-compute-studio.md) |
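Review bot: The "Create a private endpoint for Azure Databricks" procedure (new file lines 64-72) stops at the __Virtual Network__ tab and never tells the reader to create the resource, while the matching Azure Machine Learning procedure ends with "Select __Next__ until you can select __Create__ to create the resource." Add the same final step after line 72 so both procedures end with the endpoint being created. In the Limitations paragraph (line 38), "allows public access to your workspace" should read "allow public access to your workspace", and the link text "DatabrickStep" does not match the class name in its own URL (`databricksstep`); it should be "DatabricksStep". That workaround also enables public access on a workspace the article otherwise assumes is network isolated, so the paragraph should state that trade-off explicitly.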