
Set Up a Secure Azure Databricks Workspace (Azure Platform Compare Series Part 3)

Hello fellow Data Enthusiasts and welcome to my Blog,

If you’ve missed my blog post about the Azure Basics, please read the Hub and Spoke part of it before going on with this post. Make sure you have a managed identity that has access to the encryption key vault in the Azure Landing Zone.

Networking

If you want to set up a new Databricks environment, I highly recommend doing so in a new Spoke VNet of at least /24 that is peered to the Hub VNet. Split the VNet into at least two /26 subnets. This allows you to create 59 cluster nodes (a /26 has 64 addresses, of which Azure reserves 5). In case you need more nodes, check this page for the networking requirements. Here is an example of a subnet configuration:

Delegate the two /26 subnets to Databricks:

Create an NSG and associate it with the two /26 subnets.

Add these rules to the NSG:
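The networking described above, written out as a Bicep template. This is an added example, not code from the original post: a /24 Spoke VNet split into two /26 subnets, both delegated to Microsoft.Databricks/workspaces and associated with one NSG, plus the Spoke-to-Hub peering. All names, address ranges and the Hub VNet id are assumptions. The post’s own NSG rule set (its screenshot) is not reproduced here; Azure adds the Databricks-managed `Microsoft.Databricks-workspaces.UseOnly_*` rules to the NSG of a delegated subnet itself, and any further rules go into `securityRules`.

```bicep
// Added example: Spoke VNet for a VNet-injected Azure Databricks workspace.
// Names, address ranges and the Hub VNet id are assumptions, not values from the post.
param location string = resourceGroup().location
param vnetName string = 'vnet-spoke-dbw-dev'        // assumed name
param hubVnetId string                              // resource id of the existing Hub VNet (assumed)
param addressSpace string = '10.10.0.0/24'          // a /24, as the post recommends
param publicSubnetPrefix string = '10.10.0.0/26'    // first /26: Databricks "public" (host) subnet
param privateSubnetPrefix string = '10.10.0.64/26'  // second /26: Databricks "private" (container) subnet

// One NSG, associated with both delegated subnets. Azure adds the
// Microsoft.Databricks-workspaces.UseOnly_* rules to it once the subnets are
// delegated; additional rules (the post's screenshot) belong in securityRules.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-${vnetName}'
  location: location
  properties: {
    securityRules: []
  }
}

// Both subnets carry the same delegation.
var databricksDelegation = [
  {
    name: 'databricks-delegation'
    properties: { serviceName: 'Microsoft.Databricks/workspaces' }
  }
]

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ addressSpace ] }
    subnets: [
      {
        name: 'snet-dbw-public'
        properties: {
          addressPrefix: publicSubnetPrefix        // /26 = 64 addresses, 5 reserved by Azure -> 59 nodes
          networkSecurityGroup: { id: nsg.id }
          delegations: databricksDelegation
        }
      }
      {
        name: 'snet-dbw-private'
        properties: {
          addressPrefix: privateSubnetPrefix
          networkSecurityGroup: { id: nsg.id }
          delegations: databricksDelegation
        }
      }
    ]
  }
}

// Spoke -> Hub peering. The Hub -> Spoke half is created in the Hub's resource group.
resource peeringToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnet
  name: 'peer-${vnetName}-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

// Values the workspace template needs for VNet injection.
output vnetId string = vnet.id
output publicSubnetName string = vnet.properties.subnets[0].name
output privateSubnetName string = vnet.properties.subnets[1].name
```

Deploy it into the Spoke resource group with `az deployment group create`, passing `hubVnetId`; the two outputs are the values the Databricks workspace later asks for in its Networking tab.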

Storage Account

Create the storage account with private access only. Don’t create private endpoints here, since Microsoft will then append random values to the private endpoint name.

Instead, create the private endpoints afterwards. I recommend the naming pattern pe0<storage account name>0<endpoint> and putting them into a separate resource group.

Set the storage account to use the encryption key from the key vault of the Azure Landing Zone.
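The storage setup above as a Bicep template, added here as an example and not taken from the original post: public network access disabled, encryption with a customer-managed key from the Landing Zone key vault via the managed identity mentioned at the top of the post, and the private endpoints created in a second step with the `pe0<storage account name>0<endpoint>` pattern. The account name, key vault, key, identity and subnet are assumptions.

```bicep
// Added example: storage account with private access only, a customer-managed key from
// the Landing Zone key vault, and private endpoints named pe0<storage account name>0<endpoint>.
// Resource names, the key vault, the identity and the subnet are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'stlakedev001'   // assumed; 3-24 lowercase letters/digits
param keyVaultUri string                           // Landing Zone vault, e.g. 'https://<vault>.vault.azure.net/'
param keyName string                               // encryption key in that vault
param userAssignedIdentityId string                // managed identity with get/wrapKey/unwrapKey on the key
param peSubnetId string                            // Spoke subnet that hosts the private endpoints

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_ZRS' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${userAssignedIdentityId}': {} }
  }
  properties: {
    isHnsEnabled: true                    // ADLS Gen2 namespace for the lake
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    publicNetworkAccess: 'Disabled'       // "private access only": reachable through private endpoints only
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
    encryption: {
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: userAssignedIdentityId }
      keyvaultproperties: {
        keyvaulturi: keyVaultUri
        keyname: keyName                  // no keyversion: the account follows the newest key version
      }
      services: {
        blob: { enabled: true, keyType: 'Account' }
        file: { enabled: true, keyType: 'Account' }
      }
    }
  }
}

// Private endpoints created as a second step rather than in the portal wizard, so the
// endpoint and its NIC both get deterministic names instead of a random suffix.
var endpointGroups = [ 'blob', 'dfs' ]

resource storagePe 'Microsoft.Network/privateEndpoints@2023-05-01' = [for groupId in endpointGroups: {
  name: 'pe0${storageAccountName}0${groupId}'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    customNetworkInterfaceName: 'nic-pe0${storageAccountName}0${groupId}'
    privateLinkServiceConnections: [
      {
        name: 'pe0${storageAccountName}0${groupId}'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ groupId ]
        }
      }
    ]
  }
}]

output storageAccountId string = storage.id
```

To put the endpoints into the separate resource group the post suggests, move the loop into its own module, pass `storage.id` in as a parameter, and deploy that module with `scope: resourceGroup('<pe resource group>')`.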

Databricks

For all security features, you’ll need a Premium workspace. For the managed resource group I suggest using mrg0<databricks workspace name>.

In the Networking tab, you define the address spaces and names for Spoke VNet 1 & 2. I again suggest refraining from creating private endpoints within the initial setup, because here too you’ll get a random string at the end of the name.

The encryption of Databricks works a bit differently than that of the storage account. Here the setup asks you to enter a key identifier. Someone with access to your encryption key vault can provide this string, which can be found within the key.

So this encryption tab should look like this (you could enable automatic key rotation).

Note: Make sure the ‘AzureDatabricks’ service principal has access to the key vault keys. You’ll find this service principal only in Key Vault resources.

Now create the private endpoints for the Databricks workspace with your naming pattern.

Note: You only need one browser_authentication endpoint for the whole network. So make sure this private endpoint is either in the Hub or in your production environment.

Now set up the private DNS zones in your Hub, and then everything is done.
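The Databricks steps above collected into one Bicep template, added as an example and not taken from the original post: Premium SKU, a managed resource group named `mrg0<workspace name>`, VNet injection into the two delegated subnets, the customer-managed key, and the `databricks_ui_api` private endpoint registered in the Hub’s `privatelink.azuredatabricks.net` zone. The one point the portal hides is that the key identifier you paste in the Encryption tab is a single URL, while the resource provider wants vault URI, key name and key version separately, so the template splits it. Workspace name, resource ids and the key identifier are assumptions; granting the ‘AzureDatabricks’ service principal access to the Landing Zone key vault (the note above) happens on the vault, outside this template.

```bicep
// Added example: Premium Databricks workspace with VNet injection, customer-managed key,
// no public access, and a private endpoint following the post's naming pattern.
// Names, resource ids and the key identifier are assumptions.
param location string = resourceGroup().location
param workspaceName string = 'dbw-analytics-dev'     // assumed
param vnetId string                                  // Spoke VNet with the two delegated /26 subnets
param publicSubnetName string = 'snet-dbw-public'
param privateSubnetName string = 'snet-dbw-private'
param keyIdentifier string                           // as copied from the key in the Landing Zone vault:
                                                     // https://<vault>.vault.azure.net/keys/<key name>/<version>
param peSubnetId string                              // subnet for the private endpoints
param hubPrivateDnsZoneId string                     // privatelink.azuredatabricks.net zone in the Hub

// The portal takes the key identifier as one string; the ARM API wants vault URI,
// key name and version separately, so split the URL on '/'.
var keyParts = split(keyIdentifier, '/')             // ['https:', '', host, 'keys', name, version]
var keyVaultProperties = {
  keyVaultUri: 'https://${keyParts[2]}/'
  keyName: keyParts[4]
  keyVersion: keyParts[5]
}

resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: workspaceName
  location: location
  sku: { name: 'premium' }                           // CMK, Private Link and no-public-IP need Premium
  properties: {
    // managed resource group named mrg0<workspace name>, as suggested in the post
    managedResourceGroupId: subscriptionResourceId('Microsoft.Resources/resourceGroups', 'mrg0${workspaceName}')
    publicNetworkAccess: 'Disabled'                  // front end reachable via private endpoint only
    requiredNsgRules: 'NoAzureDatabricksRules'       // back-end Private Link; required when public access is disabled
    parameters: {
      customVirtualNetworkId: { value: vnetId }
      customPublicSubnetName: { value: publicSubnetName }
      customPrivateSubnetName: { value: privateSubnetName }
      enableNoPublicIp: { value: true }              // secure cluster connectivity, no public IPs on nodes
    }
    encryption: {
      entities: {
        // Managed services (notebooks, secrets, queries): the 'AzureDatabricks' service
        // principal needs get/wrapKey/unwrapKey on this key (the post's note).
        managedServices: {
          keySource: 'Microsoft.Keyvault'
          keyVaultProperties: keyVaultProperties
        }
        // Managed disks of the cluster VMs: the workspace's own managed disk identity
        // (output below) must be granted access to the key after deployment.
        managedDisk: {
          keySource: 'Microsoft.Keyvault'
          keyVaultProperties: keyVaultProperties
          rotationToLatestKeyVersionEnabled: true    // the "automatically rotate the key" option
        }
      }
    }
  }
}

// Front-end endpoint for the workspace UI and REST API, named per the post's pattern.
resource peUiApi 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe0${workspaceName}0databricks_ui_api'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    customNetworkInterfaceName: 'nic-pe0${workspaceName}0databricks_ui_api'
    privateLinkServiceConnections: [
      {
        name: 'pe0${workspaceName}0databricks_ui_api'
        properties: {
          privateLinkServiceId: workspace.id
          groupIds: [ 'databricks_ui_api' ]
        }
      }
    ]
  }
}

// Register the endpoint's address in the Hub's privatelink.azuredatabricks.net zone.
resource peUiApiDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: peUiApi
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'privatelink-azuredatabricks-net', properties: { privateDnsZoneId: hubPrivateDnsZoneId } }
    ]
  }
}

// Principal to grant key access to for managed-disk encryption (see comment above).
output managedDiskIdentityPrincipalId string = workspace.properties.managedDiskIdentity.principalId
```

The single `browser_authentication` endpoint per network is deliberately left out of this per-workspace template: it is created the same way with `groupIds: [ 'browser_authentication' ]`, once, in the Hub or the production environment, as the note above says.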

I hope this little guide helps you in your further projects.

Set Up Secure Azure Synapse (Azure Platform Compare Series Part 2)

Hello fellow Data Enthusiasts and welcome to my Blog,

If you’ve missed my blog post about the Azure Basics, please read the Hub and Spoke part of it before going on with this post. Make sure you have a managed identity that has access to the encryption key vault in the Azure Landing Zone.

Networking

To create an Azure Synapse workspace you won’t need a big VNet. I recommend creating a new Spoke VNet of at least /26, so you have enough room for potentially multiple workspaces. Since the Synapse components don’t need a subnet delegation, there is no need to create one.

For Azure Synapse to work, you won’t need any NSGs.

Storage Account

Create the storage account with private access only. Don’t create private endpoints here, since Microsoft will then append random values to the private endpoint name.

Instead, create the private endpoints afterwards. I recommend the naming pattern pe0<storage account name>0<endpoint> and putting them into a separate resource group.

Set the storage account to use the encryption key from the key vault of the Azure Landing Zone.

Azure Synapse Workspace

When you create a Synapse workspace you’ll need to define a managed resource group. For this I recommend prefixing the actual Synapse workspace name with mrg0.

I would suggest using only Entra ID for authentication, since this is much easier to maintain.

To activate double encryption for the dedicated and serverless SQL pools you’ll need an encryption key. You can manage this within a key vault. If you use a key vault, you’ll need a user-assigned managed identity, or you can grant the permissions to the system-assigned managed identity after the workspace creation.

To connect to the different systems you’ll need to activate the managed virtual network. You should also disable public access to the workspace.

Now create the private endpoints for the Synapse workspace with your naming pattern.

Note: You only need one web endpoint for the whole network. So make sure this private endpoint is either in the Hub or in your production environment.

Now set up the private DNS zones in your Hub, and then everything is done.
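The Synapse steps above as one Bicep template, added here as an example and not taken from the original post: the `mrg0<workspace name>` managed resource group, Entra ID-only authentication with a group as administrator, double encryption with a key from the Landing Zone vault through a user-assigned managed identity (which is why no activation step is needed after creation), the managed virtual network, public access disabled, and the per-workspace private endpoints with the `pe0<workspace name>0<endpoint>` pattern. Workspace name, storage account, identity, key and admin group are assumptions.

```bicep
// Added example: Synapse workspace with mrg0<name> managed resource group, Entra ID-only
// authentication, double encryption with a key from the Landing Zone vault, managed VNet,
// no public access, and private endpoints following the post's naming pattern.
// Names, resource ids and the admin group are assumptions.
param location string = resourceGroup().location
param workspaceName string = 'syn-analytics-dev'      // assumed
param dataLakeAccountName string                      // ADLS Gen2 account from the Storage section
param dataLakeFilesystem string = 'synapse'           // assumed container name
param userAssignedIdentityId string                   // identity with get/wrapKey/unwrapKey on the key
param keyVaultUri string                              // 'https://<vault>.vault.azure.net/'
param keyName string
param peSubnetId string                               // subnet for the private endpoints
param adminGroupName string                           // Entra ID group that administers the workspace (assumed)
param adminGroupObjectId string

resource synapse 'Microsoft.Synapse/workspaces@2021-06-01' = {
  name: workspaceName
  location: location
  identity: {
    type: 'SystemAssigned,UserAssigned'
    userAssignedIdentities: { '${userAssignedIdentityId}': {} }
  }
  properties: {
    managedResourceGroupName: 'mrg0${workspaceName}'  // the post's naming convention
    defaultDataLakeStorage: {
      accountUrl: 'https://${dataLakeAccountName}.dfs.${environment().suffixes.storage}'
      filesystem: dataLakeFilesystem
    }
    azureADOnlyAuthentication: true                   // Entra ID only; no SQL logins to maintain
    managedVirtualNetwork: 'default'                  // managed VNet for Spark and the integration runtime
    managedVirtualNetworkSettings: { preventDataExfiltration: true }
    publicNetworkAccess: 'Disabled'
    encryption: {
      cmk: {
        key: { name: 'default', keyVaultUrl: '${keyVaultUri}keys/${keyName}' }
        // With a user-assigned identity the key is usable right away. With the system-
        // assigned identity instead, grant it key access and activate the key after creation.
        kekIdentity: { userAssignedIdentity: userAssignedIdentityId, useSystemAssignedIdentity: false }
      }
    }
  }
}

// Entra ID administrator: a group, so membership is managed in Entra ID, not in Synapse.
resource synapseAdmin 'Microsoft.Synapse/workspaces/administrators@2021-06-01' = {
  parent: synapse
  name: 'activeDirectory'
  properties: {
    administratorType: 'ActiveDirectory'
    login: adminGroupName
    sid: adminGroupObjectId
    tenantId: tenant().tenantId
  }
}

// Per-workspace private endpoints: dedicated SQL, serverless SQL and the Dev (Studio API) endpoint.
var endpointGroups = [ 'Sql', 'SqlOnDemand', 'Dev' ]

resource synapsePe 'Microsoft.Network/privateEndpoints@2023-05-01' = [for groupId in endpointGroups: {
  name: 'pe0${workspaceName}0${toLower(groupId)}'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    customNetworkInterfaceName: 'nic-pe0${workspaceName}0${toLower(groupId)}'
    privateLinkServiceConnections: [
      {
        name: 'pe0${workspaceName}0${toLower(groupId)}'
        properties: {
          privateLinkServiceId: synapse.id
          groupIds: [ groupId ]
        }
      }
    ]
  }
}]

output workspaceId string = synapse.id
```

The single web endpoint per network (the note above) is not part of this template on purpose: it targets a `Microsoft.Synapse/privateLinkHubs` resource with `groupIds: [ 'Web' ]` rather than an individual workspace, and lives once in the Hub or the production environment.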

I hope this little guide helps you in your further projects.

Set Up Microsoft Fabric (Azure Platform Compare Series Part 1)

Hello fellow Data Enthusiasts and welcome to my Blog,

Today we’re looking into the setup of Microsoft Fabric and how to do it as well as possible. This post is probably for you if you don’t have any Power BI Premium capacity, or if your tenant is in a region where Fabric currently isn’t available. Please check this page for a list of all available regions.

To create a Fabric capacity, log into the Azure Portal and search for ‘Microsoft Fabric’.

If you click on Create you’ll be presented with a very short setup. Currently Microsoft doesn’t provide a naming abbreviation for a Fabric capacity, so I took ‘fc’.

Please note that your data will be stored in another region if your tenant’s region isn’t available.

That’s already it for the Azure Portal.

Then move to the Fabric portal and create a new workspace if you don’t want to affect any of your existing Power BI workspaces. Otherwise this will also work on an existing workspace.

In the workspace, click on ‘Workspace Setting’.

Then go to the ‘Premium’ tab, select ‘Fabric capacity’ and choose the correct capacity in the dropdown.

Unfortunately, Microsoft currently doesn’t support any networking resources such as private endpoints or private DNS zones for Fabric.

I hope this little guide helps you in your further projects.

© 2024 Geckert Consulting
