topic Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN in Administration & Architecture

Azure Databricks Control Plane connectivity issue after migrating to vWAN

nodeb — Mon, 20 Oct 2025 23:13:21 GMT

Hello everyone,

Recently, I received a client request to migrate our Azure Databricks environment from a Hub-and-Spoke architecture to a vWAN Hub architecture with an NVA (Network Virtual Appliance).

Here’s a quick overview of the setup:

The Databricks workspace is VNet-injected.
Private Endpoints are configured for all required services.
Two subnets are in use: Public Host and Private Host.
The routing intent on the vWAN hub is configured to send all traffic through the NVA.
Storage accounts and DNS resolution (Private Link) work correctly — verified through a VM on the same VNet.
The issue affects only the Databricks Control Plane, which cannot communicate with the cluster/compute plane.

Error Message:

Failed to add 1 worker to the compute. Will attempt retry: true.
Reason: Control Plane Request Failure Due To Misconfig

CONTROL_PLANE_REQUEST_FAILURE:
Network health check reported that instance is unable to reach Databricks Control Plane.
Please check that instances have connectivity to the Databricks Control Plane.
Instance bootstrap inferred timeout reason: NetworkHealthCheck_CP_Failed

Failure message (Base64 encoded):
dW5yZWFjaGFibGUgY3VybDogKDI4KSBSZXNvbHZpbmcgdGltZWQgb3V0IGFmdGVyIDEwMDAwIG1pbGxpc2Vjb25kcw==

VM extension code: ProvisioningState/succeeded
InstanceId: 3fc5930e53d94adb80120a420bae2724
WorkerEnv: workerenv-85992446950252
NetworkHealthCheck finished with exit code 125.

Troubleshooting done so far:

Verified NSG rules on both host subnets (allowing outbound 443).
Confirmed Private Endpoints are resolving correctly.
Checked that routing intent is sending outbound traffic via NVA as expected.
Validated that the same setup works in our previous Hub-and-Spoke model.

It seems that when using secured vWAN hubs with routing intent, the control plane traffic might not be reaching Databricks public endpoints.

Has anyone experienced similar issues or found a way to route control plane traffic properly through vWAN (or bypass it when needed)?

Any guidance or best practices for Databricks + vWAN + NVA setups would be appreciated.

Thanks,

Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN

nodeb — Wed, 22 Oct 2025 22:09:13 GMT

The problem is fixed.

Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN

szymon_dybczak — Thu, 23 Oct 2025 07:00:13 GMT

Hi @nodeb ,

Could you share the solution then with community?

Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN

nodeb — Tue, 28 Oct 2025 12:23:42 GMT

Hello.

The issue was related to connectivity between the public/private hosts and the DNS resolver. In the old environment, our firewall policy did not allow communication with the DNS resolver, which caused the traffic to be blocked. In the previous setup, DNS traffic bypassed the firewall and therefore did not require a specific firewall policy.
During this issue, I studied Azure Databricks architecture in depth. If anyone needs assistance or guidance on similar problems, feel free to reach out to me.

Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN

nayan_wylde — Tue, 28 Oct 2025 12:48:09 GMT

@nodeb Can you please mark your reply as solution. It will help other users find the resolution fast.

Re: Azure Databricks Control Plane connectivity issue after migrating to vWAN

hshekhar — Tue, 03 Mar 2026 13:41:09 GMT

HI I am facing this issue since so many days ....can we connect on gneet if you can help me to resolve this isuue ...i do not have any idea how to resolve this and have no idea how or where to connect with you...my email id is hshekhar2009@gmail.com . please help me out with this i can connect any time according to ur availablity...