{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "Environment": { "type": "object" }, "KeyvaultName": { "type": "String" }, "kvUserObjectId": { "type": "String" }, "EnableKeyvaultSoftDelete": { "type": "String" }, "DatafactoryName": { "type": "String" }, "IRSelfhost": { "type": "object" }, "PhiStorageAccount": { "type": "object" }, "WorkspaceName": { "type": "object" }, "vnet": { "type": "object" } }, "variables": { "vNetId": "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]", "selfhostNsgName": "[concat('nsg-', parameters('IRSelfhost').name)]", "selfhostNsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('selfhostNsgName'))]", "workspaceNsgName": "[concat('nsg-', parameters('WorkspaceName').name)]", "workspaceNsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" }, "resources": [ { "apiVersion": "2018-02-14", "name": "[parameters('KeyvaultName')]", "location": "[resourceGroup().location]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]" ], "type": "Microsoft.KeyVault/vaults", "properties": { "sku": { "name": "Premium", "family": "A" }, "tenantId": "[subscription().tenantId]", "accessPolicies": [ { "objectId": "[parameters('kvUserObjectId')]", "tenantId": "[subscription().tenantId]", "permissions": { "keys": [ "all" ], "secrets": [ "all" ], "certificates": [ "all" ], "storage": [ "all" ] } } ], "enabledForDeployment": "true", "enabledForDiskEncryption": "true", "enabledForTemplateDeployment": "true", "enableRbacAuthorization": "false", "enableSoftDelete": "[parameters('EnableKeyvaultSoftDelete')]", "networkAcls": { "bypass": "AzureServices", "defaultAction": "deny", "ipRules": [], "virtualNetworkRules": [ { "id": "[concat(resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name), '/subnets/', parameters('vnet').subnets.irselfhost.name)]" } ] } }, "tags": { "Environment": "[parameters('Environment').Type]", "EmbassyZone": "[parameters('Environment').Name]", "Purpose": "ePhi zone KeyStore" } }, { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2020-05-01", "name": "[parameters('vnet').name]", "location": "[resourceGroup().location]", "dependsOn": [ "[concat('Microsoft.Network/networkSecurityGroups/', variables('selfhostNsgName'))]", "[concat('Microsoft.Network/networkSecurityGroups/', variables('workspaceNsgName'))]" ], "properties": { "addressSpace": { "addressPrefixes": "[parameters('vnet').addressPrefixes]" }, "subnets": [ { "name": "[parameters('vnet').subnets.default.name]", "properties": { "addressPrefix": "[parameters('vnet').subnets.default.properties.addressPrefix]", "serviceEndpoints": "[parameters('vnet').subnets.default.properties.serviceEndpoints]", "delegations": [], "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[parameters('vnet').subnets.irselfhost.name]", "properties": { "addressPrefix": "[parameters('vnet').subnets.irselfhost.properties.addressPrefix]", "serviceEndpoints": "[parameters('vnet').subnets.irselfhost.properties.serviceEndpoints]", "networkSecurityGroup": { "id": "[variables('selfhostNsgId')]" }, "delegations": [], "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[parameters('vnet').subnets.privateEndpoints.name]", "properties": { "addressPrefix": "[parameters('vnet').subnets.privateEndpoints.properties.addressPrefix]", "serviceEndpoints": "[parameters('vnet').subnets.privateEndpoints.properties.serviceEndpoints]", "delegations": [], "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[parameters('vnet').subnets.databricksPrivate.name]", "properties": { "addressPrefix": "[parameters('vnet').subnets.databricksPrivate.properties.addressPrefix]", "networkSecurityGroup": { "id": "[variables('workspaceNsgId')]" }, "delegations": [ { "name": "[concat('databricks-del-', uniqueString(parameters('vnet').subnets.databricksPrivate.name))]", "properties": { "serviceName": "Microsoft.Databricks/workspaces" } } ], "serviceEndpoints": "[parameters('vnet').subnets.databricksPrivate.properties.serviceEndpoints]", "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[parameters('vnet').subnets.databricksPublic.name]", "properties": { "addressPrefix": "[parameters('vnet').subnets.databricksPublic.properties.addressPrefix]", "networkSecurityGroup": { "id": "[variables('workspaceNsgId')]" }, "delegations": [ { "name": "[concat('databricks-del-', uniqueString(parameters('vnet').subnets.databricksPublic.name))]", "properties": { "serviceName": "Microsoft.Databricks/workspaces" } } ], "serviceEndpoints": "[parameters('vnet').subnets.databricksPublic.properties.serviceEndpoints]", "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } } ], "virtualNetworkPeerings": [], "enableDdosProtection": false, "enableVmProtection": false }, "tags": { "Environment": "[parameters('Environment').Type]", "EmbassyZone": "[parameters('Environment').Name]", "Purpose": "VirtualNetwork" } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2020-05-01", "name": "[concat(parameters('vnet').name, '/', parameters('vnet').subnets.default.name)]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]" ], "properties": { "addressPrefix": "[parameters('vnet').subnets.default.properties.addressPrefix]", "serviceEndpoints": "[parameters('vnet').subnets.default.properties.serviceEndpoints]", "delegations": [], "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2020-05-01", "name": "[concat(parameters('vnet').name, '/', parameters('vnet').subnets.irselfhost.name)]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]" ], "properties": { "addressPrefix": "[parameters('vnet').subnets.irselfhost.properties.addressPrefix]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('selfhostNsgName'))]" }, "serviceEndpoints": "[parameters('vnet').subnets.irselfhost.properties.serviceEndpoints]", "delegations": [], "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2020-05-01", "name": "[concat(parameters('vnet').name, '/', parameters('vnet').subnets.privateEndpoints.name)]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]" ], "properties": { "addressPrefix": "[parameters('vnet').subnets.privateEndpoints.properties.addressPrefix]", "serviceEndpoints": "[parameters('vnet').subnets.privateEndpoints.properties.serviceEndpoints]", "delegations": [], "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2020-05-01", "name": "[concat(parameters('vnet').name, '/', parameters('vnet').subnets.databricksPublic.name)]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]" ], "properties": { "addressPrefix": "[parameters('vnet').subnets.databricksPublic.properties.addressPrefix]", "networkSecurityGroup": { "id": "[variables('workspaceNsgId')]" }, "delegations": [ { "name": "[concat('databricks-del-', uniqueString(parameters('vnet').subnets.databricksPublic.name))]", "properties": { "serviceName": "Microsoft.Databricks/workspaces" } } ], "serviceEndpoints": "[parameters('vnet').subnets.databricksPublic.properties.serviceEndpoints]", "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2020-05-01", "name": "[concat(parameters('vnet').name, '/', parameters('vnet').subnets.databricksPrivate.name)]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnet').name)]", "[concat(variables('vNetId'), '/subnets/', parameters('vnet').subnets.databricksPublic.name)]" ], "properties": { "addressPrefix": "[parameters('vnet').subnets.databricksPrivate.properties.addressPrefix]", "networkSecurityGroup": { "id": "[variables('workspaceNsgId')]" }, "delegations": [ { "name": "[concat('databricks-del-', uniqueString(parameters('vnet').subnets.databricksPrivate.name))]", "properties": { "serviceName": "Microsoft.Databricks/workspaces" } } ], "serviceEndpoints": "[parameters('vnet').subnets.databricksPrivate.properties.serviceEndpoints]", "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[variables('selfhostNsgName')]", "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-09-01", "location": "[resourceGroup().location]", "properties": { "securityRules": [ { "name": "default-allow-rdp", "properties": { "priority": 1000, "sourceAddressPrefix": "*", "protocol": "Tcp", "destinationPortRange": "3389", "access": "Deny", "direction": "Inbound", "sourcePortRange": "*", "destinationAddressPrefix": "*" } } ] } }, { "apiVersion": "2019-06-01", "type": "Microsoft.Network/networkSecurityGroups", "location": "[resourceGroup().location]", "name": "[variables('workspaceNsgName')]", "properties": { "securityRules": [ { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound", "properties": { "description": "Required for worker nodes communication within a cluster.", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 100, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh", "properties": { "description": "Required for Databricks control plane management of worker nodes.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "22", "sourceAddressPrefix": "AzureDatabricks", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 101, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy", "properties": { "description": "Required for Databricks control plane communication with worker nodes.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "5557", "sourceAddressPrefix": "AzureDatabricks", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 102, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp", "properties": { "description": "Required for workers communication with Databricks Webapp.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "AzureDatabricks", "access": "Allow", "priority": 100, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql", "properties": { "description": "Required for workers communication with Azure SQL services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "3306", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Sql", "access": "Allow", "priority": 101, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage", "properties": { "description": "Required for workers communication with Azure Storage services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Storage", "access": "Allow", "priority": 102, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound", "properties": { "description": "Required for worker nodes communication within a cluster.", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 103, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub", "properties": { "description": "Required for worker communication with Azure Eventhub services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "9093", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "EventHub", "access": "Allow", "priority": 104, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } } ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for Databricks control plane communication with worker nodes.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "5557", "sourceAddressPrefix": "AzureDatabricks", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 102, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for Databricks control plane management of worker nodes.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "22", "sourceAddressPrefix": "AzureDatabricks", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 101, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for workers communication with Databricks Webapp.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "AzureDatabricks", "access": "Allow", "priority": 100, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for worker communication with Azure Eventhub services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "9093", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "EventHub", "access": "Allow", "priority": 104, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for workers communication with Azure SQL services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "3306", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Sql", "access": "Allow", "priority": 101, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for workers communication with Azure Storage services.", "protocol": "tcp", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Storage", "access": "Allow", "priority": 102, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for worker nodes communication within a cluster.", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 100, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2020-05-01", "name": "[concat(variables('workspaceNsgName'), '/Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('workspaceNsgName'))]" ], "properties": { "description": "Required for worker nodes communication within a cluster.", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 103, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } } ] }