Inefficient Private Link Routing to Azure Databricks
Benjamin van der Maas
Service Category: Networking
Cloud Provider: Azure
Service Name: Azure Databricks
Inefficiency Type: Misconfiguration

Explanation

In Azure Databricks environments that rely on Private Link for secure networking, it’s common to route traffic through multi-tiered network architectures. This often includes multiple VNets, Private Link endpoints, or peered subscriptions between data sources (e.g., ADLS) and the Databricks compute plane. While these architectures may be designed for isolation or compliance, they frequently introduce redundant routing paths that add cost without improving performance. Each additional hop may result in duplicated Private Link ingress and egress charges. Without regular review, this can create persistent and unrecognized network inefficiencies tied to Databricks usage.

Relevant Billing Model

Azure networking charges are incurred based on:

  • Private Link data processing (per GB)
  • VNet peering ingress/egress (per GB)
  • Regional vs. cross-region data transfer

Unnecessary network hops can compound these charges, even when they serve no functional or security purpose.

Detection

  • Review network costs in the Azure subscription hosting your Databricks environment
  • Identify high Private Link ingress charges or VNet peering transfer fees
  • Trace end-to-end data paths between storage and Databricks compute
  • Count how many Private Link or peering hops exist along the path
  • Assess whether all network segments are functionally required
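
The hop-counting steps above can be scripted once the data path has been traced. The following is an added example, not part of the original entry: the segment names, the topology, the traffic volume and the per-GB rates are all constructed placeholders, and the comparison is against the fewest-hop route, which still has to be checked against isolation and compliance requirements.

```python
from collections import deque

# Placeholder per-GB rates (assumptions, not Azure list prices).
RATE_PER_GB = {"private_link": 0.01, "peering": 0.02}

# Constructed topology: (segment_a, segment_b, hop_type). All names are hypothetical.
LINKS = [
    ("adls", "storage-vnet", "private_link"),
    ("storage-vnet", "hub-vnet", "peering"),
    ("hub-vnet", "transit-vnet", "private_link"),
    ("transit-vnet", "databricks-vnet", "peering"),
    ("storage-vnet", "databricks-vnet", "peering"),  # direct peering option
]

def build_graph(links):
    graph = {}
    for a, b, kind in links:
        graph.setdefault(a, []).append((b, kind))
        graph.setdefault(b, []).append((a, kind))
    return graph

def min_hop_path(links, src, dst):
    """Breadth-first search: fewest billable hops from src to dst."""
    graph = build_graph(links)
    queue, seen = deque([(src, [])]), {src}
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt, kind in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, nxt, kind)]))
    return None  # no route between the two segments

def path_cost(hops, gb):
    """Every hop bills the same bytes again, so cost scales with hop count."""
    return sum(RATE_PER_GB[kind] * gb for _, _, kind in hops)

def audit(traced_hops, links, gb):
    best = min_hop_path(links, traced_hops[0][0], traced_hops[-1][1])
    return {
        "traced_hops": len(traced_hops),
        "min_hops": len(best),
        "redundant_hops": len(traced_hops) - len(best),
        "monthly_excess": round(path_cost(traced_hops, gb) - path_cost(best, gb), 2),
    }

TRACED = LINKS[:4]  # the path traffic currently takes (constructed)
print(audit(TRACED, LINKS, gb=50_000))
```
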

Remediation

  • Simplify routing by colocating Databricks and storage in the same region and VNet when possible
  • Eliminate redundant Private Link endpoints that add no security or compliance value
  • Use direct peering or shared services models to reduce network traversal
  • Continuously audit Databricks data paths to align architecture with minimum-cost, minimum-hop configurations