AWS Multi-Account Databricks Private Architecture
About This Architecture
This multi-account AWS architecture isolates the Databricks compute plane in a customer-managed VPC and reaches AWS Glue, Lake Formation and the Databricks control plane (including Unity Catalog) over PrivateLink rather than the public internet. Account A hosts the analytics services (Athena, EMR, Redshift, SageMaker) that read the Glue Data Catalog; Account B hosts the Databricks classic compute plane in private subnets of a customer-managed VPC, connected to the Databricks-managed control plane through back-end PrivateLink endpoints; Account C stores customer data in S3, shared through a cross-account IAM role that Account B assumes, and governed by both Lake Formation (for the Account A consumers) and Unity Catalog (for Databricks). The design removes the public-internet path only if the compute subnets have no internet or NAT gateway route and S3 and STS are reached through VPC endpoints; with two governance layers, grants in Lake Formation and Unity Catalog must be kept consistent, since each consumer is authorized by only one of them. Metadata is federated between the Glue Data Catalog and the Unity Catalog metastore through the Iceberg REST catalog API. Fork this diagram on Diagrams.so to customize VPC CIDR ranges, add transit gateway peering, or model your organization's account structure with drag-and-drop AWS and Databricks components.
People also ask
How do I architect a secure multi-account Databricks deployment on AWS with PrivateLink and Unity Catalog integration?
Deploy the Databricks compute plane in a customer-managed VPC (Account B) with private subnets and no internet or NAT gateway route, connect it to the Databricks control plane and to AWS Glue and the analytics services (Account A) through PrivateLink VPC endpoints, store customer data in a separate account (Account C) behind a cross-account IAM role with an ExternalId condition and a bucket policy that only accepts requests from the expected VPC endpoint, and federate Unity Catalog with the Glue Data Catalog through the Iceberg REST catalog API, so that no request crosses the public internet.
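As an added worked example, not code from the Diagrams.so page or from Databricks: the two policy documents Account C needs for the cross-account trust and endpoint-only bucket access described above, plus a small audit that flags the usual weakenings (a trust policy without sts:ExternalId, an Allow to any principal, a bucket with no endpoint Deny). The account IDs, bucket name, role names, VPC endpoint ID and ExternalId are placeholders.

```python
"""Build and audit the Account C policies implied by the diagram.

Added example; all identifiers below are constructed placeholders.
"""
import json

COMPUTE_ACCOUNT = "222222222222"           # Account B: Databricks compute-plane VPC
DATA_ACCOUNT = "333333333333"              # Account C: customer data
BUCKET = "example-customer-data"
S3_VPCE = "vpce-0a1b2c3d4e5f67890"         # S3 endpoint inside Account B's VPC
EXTERNAL_ID = "example-external-id-0000"   # agreed out of band; not a secret
DATA_ROLE_ARN = f"arn:aws:iam::{DATA_ACCOUNT}:role/databricks-data-access"
ADMIN_ROLE_ARN = f"arn:aws:iam::{DATA_ACCOUNT}:role/bucket-admin"


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for the data-access role in Account C.

    Only the compute account may assume the role, and only when it presents
    the ExternalId, which blocks the confused-deputy case where a third party
    gets a service in Account B to assume the role on its behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def bucket_policy(bucket: str, vpce_id: str, data_role: str, admin_role: str) -> dict:
    """Bucket policy: grant the data role, then deny every request that does
    not arrive through the expected S3 VPC endpoint. The admin role is exempt
    from the Deny so Account C keeps a break-glass path that does not depend
    on Account B's VPC. A request with no aws:sourceVpce at all (public path)
    matches StringNotEquals and is denied."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowDataRole",
                "Effect": "Allow",
                "Principal": {"AWS": data_role},
                "Action": ["s3:GetObject", "s3:PutObject",
                           "s3:DeleteObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
            },
            {
                "Sid": "DenyOffEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:sourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": admin_role},
                },
            },
        ],
    }


def audit(trust: dict, bucket: dict) -> list:
    """Return the findings a reviewer would raise; an empty list means the
    pair enforces both the confused-deputy and the private-path controls."""
    findings = []
    for s in trust["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*"):
            findings.append("trust: any principal may assume the role")
        if "sts:ExternalId" not in s.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition")
    endpoint_deny = any(
        s.get("Effect") == "Deny"
        and "aws:sourceVpce" in s.get("Condition", {}).get("StringNotEquals", {})
        for s in bucket["Statement"])
    if not endpoint_deny:
        findings.append("bucket: no Deny for requests outside the VPC endpoint")
    for s in bucket["Statement"]:
        if s.get("Effect") == "Allow" and s.get("Principal") == "*":
            findings.append(f"bucket: statement {s.get('Sid')} allows any principal")
    return findings


if __name__ == "__main__":
    trust = trust_policy(COMPUTE_ACCOUNT, EXTERNAL_ID)
    bucket = bucket_policy(BUCKET, S3_VPCE, DATA_ROLE_ARN, ADMIN_ROLE_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(bucket, indent=2))
    print("findings:", audit(trust, bucket))
```

Before deploying the DenyOffEndpoint statement, check how the Unity Catalog storage credential for this bucket reaches S3: if its role is assumed from the Databricks-managed control plane rather than from the compute VPC, those requests carry no aws:sourceVpce and the Deny blocks credential validation, and the Databricks documentation for storage credentials lists what must be allowed in that case. The same Deny also locks out anyone in Account C who is not the exempted admin role, which is intended, so keep that role tightly scoped.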
- Domain: Data Engineering
- Audience: Data platform architects designing secure multi-account Databricks deployments on AWS
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.