databricks

01 - Architecture & Deployment Flow

Visual Guide: Understand the complete deployment architecture through modular diagrams.

Quick Reference

📦 7 Terraform Modules → 65-70 AWS/Databricks Resources
⏱️ 15-20 minutes deployment time
🔒 Private Link + Unity Catalog + CMK Encryption

Table of Contents

  1. High-Level Architecture
  2. Module Dependency Flow
  3. VPC & Network Layout
  4. Deployment Sequence
  5. Resource Breakdown
  6. Configuration Options

1. High-Level Architecture

1.1 Complete System Overview

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
%%{init: {'flowchart': {'htmlLabels': false}}}%%
graph TB
    subgraph "AWS Account"
        subgraph "VPC 10.0.0.0/22"
            subgraph "Public Subnets /26"
                NAT["NAT Gateways<br/>2 AZs<br/>High Availability"]
                IGW["Internet<br/>Gateway"]
            end

            subgraph "Private Subnets /24 - Databricks Clusters"
                CLUSTER["Cluster Nodes<br/>Spark Workers<br/>502 IPs total"]
            end

            subgraph "PrivateLink Subnets /26 - VPC Endpoints"
                VPCE["VPC Endpoints<br/>• Workspace 8443-8451<br/>• Relay SCC 6666<br/>• AWS Services"]
            end

            subgraph "Storage Layer"
                S3["S3 Buckets<br/>• DBFS Root<br/>• UC Metastore<br/>• UC External<br/>KMS Encrypted"]
            end
        end

        subgraph "IAM Layer"
            ROLES["IAM Roles<br/>• Cross-Account<br/>• UC Metastore<br/>• UC External<br/>• Instance Profile"]
        end

        subgraph "Encryption Layer"
            KMS["KMS Keys<br/>• S3 Buckets<br/>• Workspace CMK<br/> DBFS/EBS/MS"]
        end
    end

    subgraph "Databricks Control Plane"
        CONTROL["Databricks SaaS<br/>accounts.cloud.databricks.com"]
    end

    subgraph "Unity Catalog"
        UC["Metastore<br/>Catalogs<br/>External Locations"]
    end

    CLUSTER -->|Private Link| VPCE
    VPCE -.->|Backend Private| CONTROL
    CLUSTER -->|NAT| NAT
    NAT --> IGW
    CLUSTER -->|Gateway Endpoint| S3
    ROLES -->|Permissions| S3
    ROLES -->|Permissions| KMS
    KMS -->|Encrypts| S3
    CONTROL -->|Provisions| UC
    UC -->|Stores Metadata| S3

    style CONTROL fill:#FF3621
    style S3 fill:#569A31
    style VPCE fill:#FF9900
    style UC fill:#1B72E8

Key Components:


2. Module Dependency Flow

2.1 Terraform Module Execution Order

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
flowchart TD
    START["terraform apply"] --> NET["1. Networking Module<br/>VPC, Subnets, Security Groups<br/>VPC Endpoints"]
    NET --> IAM["2. IAM Module<br/>Cross-Account Role<br/>UC Metastore Role<br/>Instance Profile"]
    IAM --> KMS["3. KMS Module Optional<br/>S3 Encryption Key<br/>Workspace CMK<br/>+ UC Role KMS Policy"]
    KMS --> STORAGE["4. Storage Module<br/>S3 Buckets<br/>DBFS Root<br/>UC Buckets"]
    STORAGE --> WORKSPACE["5. Databricks Workspace<br/>MWS Resources<br/>Private Access Settings<br/>Workspace Creation"]
    WORKSPACE --> UC["6. Unity Catalog Module<br/>Metastore Assignment<br/>External Location<br/>Workspace Catalog<br/>+ External Role KMS Policy"]
    UC --> USER["7. User Assignment<br/>Workspace Admin<br/>Permissions"]
    USER --> END["Deployment Complete"]

    style START fill:#569A31
    style END fill:#1B72E8
    style KMS fill:#FF9900
    style UC fill:#FF3621

Critical Dependencies:

Docs: Databricks Terraform Provider


3. VPC & Network Layout

3.1 Subnet Architecture

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
graph TB
    subgraph "VPC 10.0.0.0/22 1024 IPs"
        subgraph "AZ-1 us-west-1a"
            PUB1["Public Subnet<br/>10.0.0.0/26<br/>62 IPs<br/>NAT GW"]
            PRIV1["Private Subnet<br/>10.0.1.0/24<br/>251 IPs<br/>Clusters"]
            PL1["PrivateLink Subnet<br/>10.0.3.0/26<br/>62 IPs<br/>VPC Endpoints"]
        end

        subgraph "AZ-2 us-west-1c"
            PUB2["Public Subnet<br/>10.0.0.64/26<br/>62 IPs<br/>NAT GW"]
            PRIV2["Private Subnet<br/>10.0.2.0/24<br/>251 IPs<br/>Clusters"]
            PL2["PrivateLink Subnet<br/>10.0.3.64/26<br/>62 IPs<br/>VPC Endpoints"]
        end
    end

    PUB1 -.->|Internet| IGW[Internet Gateway]
    PUB2 -.->|Internet| IGW
    PRIV1 -->|via| PUB1
    PRIV2 -->|via| PUB2

    style PRIV1 fill:#569A31
    style PRIV2 fill:#569A31
    style PL1 fill:#FF9900
    style PL2 fill:#FF9900

IP Allocation:

Docs: VPC and Subnets

3.2 Route Table Logic

Private Subnet Route Table:
┌─────────────────┬───────────────────┬──────────────────────┐
│   Destination   │      Target       │      Description     │
├─────────────────┼───────────────────┼──────────────────────┤
│  10.0.0.0/22    │      local        │  VPC-internal traffic│
│  0.0.0.0/0      │   nat-gateway     │  Internet via NAT    │
└─────────────────┴───────────────────┴──────────────────────┘

PrivateLink Subnet Route Table:
┌─────────────────┬───────────────────┬──────────────────────┐
│   Destination   │      Target       │      Description     │
├─────────────────┼───────────────────┼──────────────────────┤
│  10.0.0.0/22    │      local        │  VPC-internal only   │
└─────────────────┴───────────────────┴──────────────────────┘
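A consistency check over the subnet layout in 3.1 and the route tables in 3.2, added here as an example (not part of the Terraform modules). It takes the CIDRs, AZs and route targets from the diagrams, flags overlapping or out-of-VPC subnets, single-AZ roles, a default route on the PrivateLink subnets, and counts usable hosts after the five addresses AWS reserves per subnet (so a /26 yields 59).

```python
import ipaddress

# Added example, not part of the Terraform modules: a consistency check over
# the subnet layout and route tables above. CIDRs, AZs and targets are taken
# from the diagrams; AWS reserves five addresses in every subnet.
VPC = ipaddress.ip_network("10.0.0.0/22")
SUBNETS = {  # name: (cidr, availability zone, role)
    "public-a": ("10.0.0.0/26", "us-west-1a", "public"),
    "public-c": ("10.0.0.64/26", "us-west-1c", "public"),
    "private-a": ("10.0.1.0/24", "us-west-1a", "private"),
    "private-c": ("10.0.2.0/24", "us-west-1c", "private"),
    "privatelink-a": ("10.0.3.0/26", "us-west-1a", "privatelink"),
    "privatelink-c": ("10.0.3.64/26", "us-west-1c", "privatelink"),
}
ROUTES = {  # role: [(destination, target)], as in the route tables above
    "public": [("10.0.0.0/22", "local"), ("0.0.0.0/0", "internet-gateway")],
    "private": [("10.0.0.0/22", "local"), ("0.0.0.0/0", "nat-gateway")],
    "privatelink": [("10.0.0.0/22", "local")],
}
AWS_RESERVED_PER_SUBNET = 5  # first four addresses and the broadcast address

def usable_ips(cidr: str) -> int:
    """Host addresses left in a subnet after AWS's reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def validate_plan(vpc=VPC, subnets=SUBNETS, routes=ROUTES) -> list[str]:
    """Return findings; an empty list means the plan is consistent."""
    findings = []
    nets = {n: ipaddress.ip_network(c) for n, (c, _, _) in subnets.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vpc):
            findings.append(f"{a}: {nets[a]} lies outside VPC {vpc}")
        for b in names[i + 1:]:  # every pair of subnets must be disjoint
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap")
    for role in ("public", "private", "privatelink"):
        azs = {az for _, az, r in subnets.values() if r == role}
        if len(azs) < 2:  # NAT gateways and clusters need two AZs for HA
            findings.append(f"{role} subnets do not span two AZs")
    for role, table in routes.items():
        targets = dict(table)  # destination -> target
        if targets.get(vpc.with_prefixlen) != "local":
            findings.append(f"{role} route table lacks the VPC-local route")
        default = targets.get("0.0.0.0/0")
        if role == "privatelink" and default is not None:
            findings.append("privatelink route table has a default route")
        if role == "private" and default != "nat-gateway":
            findings.append("private subnets must egress via the NAT gateway")
    return findings
```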

4. Deployment Sequence

4.1 End-to-End Flow (Cluster Launch)

%%{init: {'theme': 'base'}}%%
sequenceDiagram
    autonumber
    actor User as User/Admin
    participant WS as Databricks<br/>Workspace UI
    participant CP as Control Plane<br/>via Private Link
    participant VPC as Customer VPC
    participant CLUSTER as Spark Cluster
    participant S3 as S3 DBFS/UC
    participant UC as Unity Catalog

    User->>WS: Create Cluster
    WS->>CP: API Call dbc-*.cloud.databricks.com:8443
    Note over WS,CP: DNS returns private IP 10.0.3.x
    CP->>VPC: Launch EC2 Instances
    VPC->>CLUSTER: Provision nodes in private subnets
    CLUSTER->>CP: Register via Relay VPCE:6666
    Note over CLUSTER,CP: Secure Cluster Connectivity
    CLUSTER->>S3: Mount DBFS via Gateway Endpoint
    CLUSTER->>UC: Query catalog metadata
    UC-->>CLUSTER: Return table locations
    CLUSTER->>S3: Read/Write data with UC permissions
    CLUSTER-->>User: Cluster Ready

Timeline:

  1. User action → API call (instant)
  2. Control plane → VPC provisioning (30-60s)
  3. Cluster startup → registration (2-5 min)
  4. Unity Catalog → data access (instant)

Docs: Cluster Creation

4.2 Traffic Path Decision Tree

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
flowchart TD
    START["Cluster Node<br/>Initiates Traffic"] --> DNS{DNS Query<br/>What is destination?}

    DNS -->|S3 bucket| S3PATH["S3 Gateway Endpoint<br/>FREE, VPC-internal"]
    DNS -->|dbc-*.cloud.databricks.com| DBDNS{Private Link<br/>Enabled?}
    DNS -->|Public internet| NATPATH["NAT Gateway<br/>→ Internet Gateway"]

    DBDNS -->|Yes| PRIV["Private IP 10.0.3.x<br/>→ VPC Endpoint<br/>→ Private Link"]
    DBDNS -->|No| NATPATH

    S3PATH --> S3["S3 Buckets<br/>DBFS, Unity Catalog"]
    PRIV --> CONTROL["Databricks<br/>Control Plane"]
    NATPATH --> INTERNET["Public Internet<br/>Maven, PyPI, etc"]

    style S3PATH fill:#569A31
    style PRIV fill:#FF9900
    style NATPATH fill:#FF3621

Key Decision Points:

  1. S3 traffic: Always uses Gateway Endpoint (free)
  2. Databricks API: Private Link if enabled, else NAT
  3. Public internet: Always via NAT Gateway
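The decision tree turns on what DNS answers for a destination, so the practical check after deployment is whether dbc-*.cloud.databricks.com really resolves into the PrivateLink subnets. The checker below is an added example (not project code); it uses the PrivateLink CIDRs from 3.1, a placeholder workspace name and constructed DNS answers with documentation-range IPs.

```python
import ipaddress

# Added example, not part of the project: checks that a name resolved from a
# cluster node will actually take the path the decision tree above predicts.
# PrivateLink subnet CIDRs are the ones from the subnet layout.
PRIVATELINK_SUBNETS = [ipaddress.ip_network("10.0.3.0/26"),
                       ipaddress.ip_network("10.0.3.64/26")]

def expected_path(destination: str, enable_private_link: bool) -> str:
    """Path the decision tree assigns to a destination hostname."""
    if destination.endswith(".amazonaws.com") and (
            destination.startswith("s3.") or ".s3." in destination):
        return "s3-gateway-endpoint"  # chosen by the route table, not DNS
    if destination.endswith(".cloud.databricks.com"):
        return "private-link" if enable_private_link else "nat"
    return "nat"  # Maven, PyPI and other public hosts

def check_resolution(destination: str, resolved_ip: str,
                     enable_private_link: bool) -> str:
    """Return 'ok', or a finding when the DNS answer contradicts the path."""
    path = expected_path(destination, enable_private_link)
    ip = ipaddress.ip_address(resolved_ip)
    in_privatelink = any(ip in net for net in PRIVATELINK_SUBNETS)
    if path == "private-link" and not in_privatelink:
        return (f"{destination} -> {ip}: not a PrivateLink subnet address, "
                "control-plane traffic would egress through the NAT gateway")
    if path == "nat" and in_privatelink:
        return (f"{destination} -> {ip}: private answer although "
                "enable_private_link=false; check for a stale hosted zone")
    return "ok"

# Constructed DNS answers: placeholder workspace name, documentation IPs.
SAMPLE_ANSWERS = [
    ("dbc-example.cloud.databricks.com", "10.0.3.17"),
    ("dbc-example.cloud.databricks.com", "203.0.113.10"),
    ("pypi.org", "198.51.100.7"),
]

def audit(answers=SAMPLE_ANSWERS, enable_private_link=True) -> list[str]:
    """Findings for every answer that does not match the expected path."""
    return [r for dest, ip in answers
            if (r := check_resolution(dest, ip, enable_private_link)) != "ok"]

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```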

5. Resource Breakdown

5.1 Resources by Category

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
pie title "Resource Distribution 70 Total"
    "Networking 30" : 30
    "IAM/Security 12" : 12
    "Storage 4" : 4
    "Databricks 15" : 15
    "Unity Catalog 6" : 6
    "Optional CMK 3" : 3

5.2 Detailed Resource List

Networking Module (30 resources)

VPC & Subnets (9):
├── 1 VPC
├── 2 Public subnets
├── 2 Private subnets (Databricks clusters)
├── 2 PrivateLink subnets (VPC endpoints)
└── 2 NAT Gateways

Routing (7):
├── 3 Route tables (public, private, privatelink)
└── 6 Route table associations

VPC Endpoints (6):
├── Databricks Workspace VPCE (8443-8451) [Conditional: Private Link]
├── Databricks Relay VPCE (6666) [Conditional: Private Link]
├── S3 Gateway Endpoint (FREE, regional) [Always]
├── STS Interface Endpoint (regional) [Always]
├── Kinesis Interface Endpoint (regional) [Always]
└── RDS Endpoint: NOT CONFIGURED (Unity Catalog deployment)

Regional Endpoint Benefits:
├── Lower latency (direct regional connections)
├── Reduced cost (no cross-region data transfer)
└── Better security (traffic stays in region) ✅

Security Groups (8):
├── Workspace SG + 6 rules
└── VPCE SG + 1 rule

Docs: VPC Requirements

IAM Module (12 resources)

Cross-Account Role (3):
├── IAM role
├── IAM policy (inline, Databricks-generated)
└── Policy attachment

Unity Catalog Metastore Role (3):
├── IAM role
├── IAM policy
└── Policy attachment

Instance Profile (3):
├── IAM role
├── IAM policy
└── IAM instance profile

UC External Location Role (3):
├── Created in Unity Catalog module
├── Workspace-specific
└── Includes workspace ID in name

Docs: IAM Roles

KMS Module (3 resources - optional)

S3 Bucket Encryption:
├── KMS key
├── KMS alias
└── Key policy

Workspace CMK (optional):
├── KMS key (DBFS/EBS/Managed Services)
├── KMS alias
└── Key policy

IAM Policies:
├── UC Metastore role KMS policy
└── UC External role KMS policy

Docs: Customer-Managed Keys

Storage Module (4 resources)

S3 Buckets:
├── DBFS Root bucket
├── Unity Catalog metastore bucket
├── Unity Catalog external location bucket
└── Unity Catalog root storage bucket (conditional)

Docs: S3 Bucket Configuration

Databricks Workspace Module (15 resources)

MWS Resources:
├── Credentials configuration
├── Storage configuration
├── Network configuration
├── Customer-managed keys (optional)
└── Workspace

Private Access Settings:
├── PAS object (can be reused)
└── Public access control

Docs: Workspace Configuration

Unity Catalog Module (6+ resources)

Metastore:
├── Metastore (or use existing)
├── Workspace assignment
└── Admin grants

External Storage:
├── Storage credential
├── External location
├── IAM role (workspace-specific)
├── IAM policy
└── Location grants

Workspace Catalog:
├── Catalog
├── Default namespace setting
└── Catalog admin grants

Docs: Unity Catalog Setup

5.3 Optional vs Required Resources

Always Created (55):
├── Networking: VPC, Subnets, NAT, AWS Service Endpoints
├── IAM: All roles
├── Storage: All S3 buckets
├── Workspace: MWS resources
└── Unity Catalog: Metastore assignment, catalog

Optional based on enable_private_link=true (2):
├── Databricks Workspace VPCE
└── Databricks Relay VPCE

Optional based on enable_encryption=true (3):
├── S3 encryption KMS key
└── 2x IAM policies for UC roles

Optional based on enable_workspace_cmk=true (2):
├── Workspace CMK key
└── Key policy

Optional, created only when existing_private_access_settings_id is not set (1):
└── Private Access Settings (PAS)

6. Configuration Options

6.1 Deployment Scenarios

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e1e1e1'}}}%%
flowchart LR
    START["Configuration<br/>Choice"] --> PL{enable_private_link}

    PL -->|true| FULL["Full Private Link<br/>All Databricks traffic<br/>via VPC Endpoints"]
    PL -->|false| PUBLIC["Public Internet<br/>via NAT Gateway<br/>Lowest Cost"]

    FULL --> ENC{enable_encryption}
    PUBLIC --> ENC

    ENC -->|true| CMK["+ S3 KMS Encryption<br/>Customer-Managed Keys"]
    ENC -->|false| NOCMK["AWS-Managed<br/>Encryption"]

    CMK --> WCMK{enable_workspace_cmk}
    NOCMK --> WCMK

    WCMK -->|true| FULLCMK["+ Workspace CMK<br/>DBFS/EBS/MS Encryption"]
    WCMK -->|false| NOWCMK["Standard Encryption"]

    style FULL fill:#569A31
    style PUBLIC fill:#FF9900
    style FULLCMK fill:#1B72E8

Configuration Matrix:

┌───────────────────┬─────────────────────┬───────────────────┬──────────────────────┬──────┐
│ Scenario          │ enable_private_link │ enable_encryption │ enable_workspace_cmk │ Cost │
├───────────────────┼─────────────────────┼───────────────────┼──────────────────────┼──────┤
│ Development       │ false               │ false             │ false                │ $    │
│ Production Basic  │ true                │ false             │ false                │ $$   │
│ Production Secure │ true                │ true              │ false                │ $$$  │
│ Maximum Security  │ true                │ true              │ true                 │ $$$$ │
└───────────────────┴─────────────────────┴───────────────────┴──────────────────────┴──────┘

Next Steps

✅ Architecture understood → 02-IAM-SECURITY.md - IAM roles and policies

✅ Ready to deploy → 04-QUICK-START.md - 5-minute deployment

Docs: Databricks AWS Architecture