databricks · dgokeeffe · Jun 6, 2026
@@ -46,6 +46,7 @@ The folder `examples` contains the following Terraform implementation examples :
 | Azure | ~~adb-external-hive-metastore~~ **REMOVED** | This example was removed in February 2026. External Hive metastore has been superseded by [Unity Catalog](https://docs.databricks.com/en/data-governance/unity-catalog/index.html). Use [adb-unity-catalog-basic-demo](examples/adb-unity-catalog-basic-demo/) instead. |
 | Azure | [adb-kafka](examples/adb-kafka/)                                                   | ADB - single node kafka template                                                                                                                                                                     |
 | Azure | [adb-private-links](examples/adb-private-links/)                                   | Azure Databricks Private Links                                                                                                                                                                       |
+| Azure | [adb-serverless-appgw-tls-transit](examples/adb-serverless-appgw-tls-transit/)     | Serverless → external TLS service (Kafka, etc.) via an Application Gateway v2 TCP/TLS proxy transit + NCC private endpoint                                                                            |
 | Azure | [adb-squid-proxy](examples/adb-squid-proxy/)                                       | ADB clusters with HTTP proxy                                                                                                                                                                         |
 | Azure | [adb-teradata](examples/adb-teradata/)                                             | ADB with single VM Teradata integration                                                                                                                                                              |
 | Azure | [adb-uc](examples/adb-uc/)                                                         | ADB Unity Catalog Process                                                                                                                                                                            |
@@ -77,6 +78,7 @@ The folder `modules` contains the following Terraform modules :
 | Azure | [adb-with-private-link-standard](modules/adb-with-private-link-standard/)                                 | Provisioning Databricks on Azure with Private Link - Standard deployment                                                                                                                  |
 | Azure | [adb-exfiltration-protection](modules/adb-exfiltration-protection/)                                       | A sample implementation of [Data Exfiltration Protection](https://www.databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html)                             |
 | Azure | [adb-with-private-links-exfiltration-protection](modules/adb-with-private-links-exfiltration-protection/) | Provisioning Databricks on Azure with Private Link and [Data Exfiltration Protection](https://www.databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html) |
+| Azure | [adb-serverless-appgw-tls-transit](modules/adb-serverless-appgw-tls-transit/)                             | Serverless → external TLS service (Kafka, etc.) via an Application Gateway v2 TCP/TLS proxy transit + NCC private endpoint                                                                 |
 | Azure | [adb-overwatch-regional-config](modules/adb-overwatch-regional-config/)                                   | Overwatch regional configuration on Azure                                                                                                                                                 |
 | Azure | [adb-overwatch-mws-config](modules/adb-overwatch-mws-config/)                                             | Overwatch multi-workspace deployment on Azure                                                                                                                                             |
 | Azure | [adb-overwatch-main-ws](modules/adb-overwatch-main-ws/)                                                   | Main Overwatch workspace deployment                                                                                                                                                       |

@@ -0,0 +1,7 @@
+.PHONY: docs test_docs
+
+docs:
+	terraform-docs -c ../../.terraform-docs.yml .
+
+test_docs:
+	terraform-docs -c ../../.terraform-docs.yml --output-check .
@@ -0,0 +1,74 @@
+# Example — Serverless → TLS service via App Gateway v2 TCP/TLS transit
+
+Deploys the [`adb-serverless-appgw-tls-transit`](../../modules/adb-serverless-appgw-tls-transit)
+module: a customer-tenant Application Gateway v2 TCP/TLS proxy that lets
+Databricks Serverless reach an external TLS service (Kafka or any TLS-over-TCP
+workload) over Azure Private Link, wired to an NCC private endpoint rule.
+
+## Prerequisites
+
+* Premium-tier Databricks account; you must be an **account admin**.
+* The **`az` CLI authenticated** as that account admin (used for the documented
+  REST NCC rule + private endpoint approval — see the module README).
+* A target TLS service reachable from the transit VNet (set `backend_addresses`),
+  and the FQDNs serverless clients dial (set `serverless_domain_names`).
+
+## How to use
+
+1. Copy `terraform.tfvars` and fill in your values.
+2. `terraform init`
+3. `terraform apply`
+4. The module auto-approves the App Gateway private endpoint connection. Confirm
+   the NCC rule reaches `ESTABLISHED` in the account console, then restart
+   serverless compute and test connectivity to your service.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | 2.0.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=4.31.0 |
+| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >=1.81.1 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >=3.2.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >=0.9.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| <a name="module_adb-serverless-appgw-tls-transit"></a> [adb-serverless-appgw-tls-transit](#module\_adb-serverless-appgw-tls-transit) | ../../modules/adb-serverless-appgw-tls-transit | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_azure_region"></a> [azure\_region](#input\_azure\_region) | Azure region short name (e.g. australiaeast). Must match your workspace/NCC region. | `string` | n/a | yes |
+| <a name="input_azure_subscription_id"></a> [azure\_subscription\_id](#input\_azure\_subscription\_id) | Azure subscription ID to deploy into. | `string` | n/a | yes |
+| <a name="input_backend_addresses"></a> [backend\_addresses](#input\_backend\_addresses) | IPs (or FQDNs) of the target TLS service, reachable from the transit VNet. | `list(string)` | n/a | yes |
+| <a name="input_databricks_account_id"></a> [databricks\_account\_id](#input\_databricks\_account\_id) | Databricks account ID (UUID). | `string` | n/a | yes |
+| <a name="input_databricks_workspace_id"></a> [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace ID to bind the NCC to. | `string` | n/a | yes |
+| <a name="input_serverless_domain_names"></a> [serverless\_domain\_names](#input\_serverless\_domain\_names) | FQDNs serverless clients dial (e.g. Kafka bootstrap + wildcard). Max 10. | `list(string)` | n/a | yes |
+| <a name="input_databricks_host"></a> [databricks\_host](#input\_databricks\_host) | Databricks account console host. | `string` | `"https://accounts.azuredatabricks.net"` | no |
+| <a name="input_listener_port"></a> [listener\_port](#input\_listener\_port) | TCP/TLS port (e.g. 9092/9094 for Kafka). | `number` | `9092` | no |
+| <a name="input_rg_name"></a> [rg\_name](#input\_rg\_name) | Name of the resource group to create for the transit. | `string` | `"rg-appgw-tls-transit"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to created resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_appgw_frontend_config_name"></a> [appgw\_frontend\_config\_name](#output\_appgw\_frontend\_config\_name) | Frontend config name = the NCC rule group\_id. |
+| <a name="output_appgw_id"></a> [appgw\_id](#output\_appgw\_id) | Resource ID of the Application Gateway. |
+| <a name="output_ncc_id"></a> [ncc\_id](#output\_ncc\_id) | Databricks NCC ID. |
+| <a name="output_serverless_domain_names"></a> [serverless\_domain\_names](#output\_serverless\_domain\_names) | FQDNs serverless clients dial (registered in the NCC rule). |
+| <a name="output_transit_vnet_id"></a> [transit\_vnet\_id](#output\_transit\_vnet\_id) | Transit VNet ID — peer your target service network here or place a private endpoint. |
+<!-- END_TF_DOCS -->
@@ -0,0 +1,18 @@
+module "adb-serverless-appgw-tls-transit" {
+  source = "../../modules/adb-serverless-appgw-tls-transit"
+
+  azure_subscription_id   = var.azure_subscription_id
+  azure_region            = var.azure_region
+  rg_name                 = var.rg_name
+  databricks_host         = var.databricks_host
+  databricks_account_id   = var.databricks_account_id
+  databricks_workspace_id = var.databricks_workspace_id
+
+  # Target TLS service (e.g. Kafka brokers) reachable from the transit VNet,
+  # and the FQDNs serverless clients dial.
+  backend_addresses       = var.backend_addresses
+  serverless_domain_names = var.serverless_domain_names
+  listener_port           = var.listener_port
+
+  tags = var.tags
+}
@@ -0,0 +1,24 @@
+output "appgw_id" {
+  description = "Resource ID of the Application Gateway."
+  value       = module.adb-serverless-appgw-tls-transit.appgw_id
+}
+
+output "appgw_frontend_config_name" {
+  description = "Frontend config name = the NCC rule group_id."
+  value       = module.adb-serverless-appgw-tls-transit.appgw_frontend_config_name
+}
+
+output "ncc_id" {
+  description = "Databricks NCC ID."
+  value       = module.adb-serverless-appgw-tls-transit.ncc_id
+}
+
+output "serverless_domain_names" {
+  description = "FQDNs serverless clients dial (registered in the NCC rule)."
+  value       = module.adb-serverless-appgw-tls-transit.serverless_domain_names
+}
+
+output "transit_vnet_id" {
+  description = "Transit VNet ID — peer your target service network here or place a private endpoint."
+  value       = module.adb-serverless-appgw-tls-transit.transit_vnet_id
+}
@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=4.31.0"
+    }
+    databricks = {
+      source  = "databricks/databricks"
+      version = ">=1.81.1"
+    }
+    azapi = {
+      source  = "Azure/azapi"
+      version = "2.0.1"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">=3.2.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">=0.9.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  subscription_id = var.azure_subscription_id
+  features {}
+}
+
+provider "databricks" {
+  alias      = "accounts"
+  host       = var.databricks_host
+  account_id = var.databricks_account_id
+}
+
+provider "azapi" {
+  subscription_id = var.azure_subscription_id
+}
@@ -0,0 +1,24 @@
+azure_subscription_id = "00000000-0000-0000-0000-000000000000"
+azure_region          = "australiaeast"
+rg_name               = "rg-appgw-tls-transit"
+
+databricks_host         = "https://accounts.azuredatabricks.net"
+databricks_account_id   = "00000000-0000-0000-0000-000000000000"
+databricks_workspace_id = "1234567890123456"
+
+# Target TLS service (e.g. Kafka brokers) reachable from the transit VNet.
+backend_addresses = ["10.230.3.10"]
+
+# FQDNs serverless clients dial. For Confluent Cloud this is the cluster
+# bootstrap FQDN + a wildcard for per-broker re-resolution. Max 10.
+serverless_domain_names = [
+  "lkc-xxxxx.<network-id>.australiaeast.azure.confluent.cloud",
+  "*.<network-id>.australiaeast.azure.confluent.cloud",
+]
+
+listener_port = 9092
+
+tags = {
+  Environment = "dev"
+  Workload    = "serverless-kafka-privatelink"
+}
@@ -0,0 +1,53 @@
+variable "azure_subscription_id" {
+  type        = string
+  description = "Azure subscription ID to deploy into."
+}
+
+variable "azure_region" {
+  type        = string
+  description = "Azure region short name (e.g. australiaeast). Must match your workspace/NCC region."
+}
+
+variable "rg_name" {
+  type        = string
+  description = "Name of the resource group to create for the transit."
+  default     = "rg-appgw-tls-transit"
+}
+
+variable "databricks_host" {
+  type        = string
+  description = "Databricks account console host."
+  default     = "https://accounts.azuredatabricks.net"
+}
+
+variable "databricks_account_id" {
+  type        = string
+  description = "Databricks account ID (UUID)."
+}
+
+variable "databricks_workspace_id" {
+  type        = string
+  description = "Databricks workspace ID to bind the NCC to."
+}
+
+variable "backend_addresses" {
+  type        = list(string)
+  description = "IPs (or FQDNs) of the target TLS service, reachable from the transit VNet."
+}
+
+variable "serverless_domain_names" {
+  type        = list(string)
+  description = "FQDNs serverless clients dial (e.g. Kafka bootstrap + wildcard). Max 10."
+}
+
+variable "listener_port" {
+  type        = number
+  description = "TCP/TLS port (e.g. 9092/9094 for Kafka)."
+  default     = 9092
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags applied to created resources."
+  default     = {}
+}
@@ -0,0 +1,7 @@
+.PHONY: docs test_docs
+
+docs:
+	terraform-docs -c ../../.terraform-docs.yml .
+
+test_docs:
+	terraform-docs -c ../../.terraform-docs.yml --output-check .