Update- AWS modular private link repo - Multiple PL/Non-PL WSP

[Siddharth-Ponugoti]

Update:
I’ve enhanced the AWS modular PrivateLink Terraform module to support the creation of both PrivateLink-enabled and non-PrivateLink workspaces within the same VPC.

⸻

Hi all,

I’m Sai from the SSA team in the London Databricks office.

Previously, the module only supported the creation of multiple Databricks workspaces with PrivateLink enabled by default. However, I had a customer requirement to provision both PrivateLink and non-PrivateLink workspaces from the same VPC. To support this use case, I’ve modified the module to add conditional logic based on a boolean flag: enable_private_link.

If enable_private_link is set to true, the workspace is created with PrivateLink enabled. If set to false, the workspace is created without PrivateLink. I’ve tested this updated logic and confirmed that it works as expected.

Let me know if you have any questions or feedback!

[hwang-db]

thanks Sai for updating! may I know the reasoning of having a mixture of PL and non-PL (backend) workspaces in the same VPC? In a VPC where the vpce are already created, the vpce can be shared by multiple workspaces; and not sure what use case it can address by putting non-backend-PL workspaces compute plane into the same VPC.

[Siddharth-Ponugoti]

Hi Hwang,
I had 2 customer scenarios where they wanted to create a PL enabled workspace and another non-PL workspace, with the current setup PL is assigned by default and we can not disable it once enabled.

By doing this change we have an option to deploy multiple PL workspaces or multi non PL workspaces or a mixture of PL and Non-Pl enabled workspaces by simply changing the code from true to false.

Multiple workspaces still use the same the Vpce, and the private access settings are enabled followed be attaching that vpce to the workspace. if the trigger is set to true, if it is set to false then none of the above take place.

I already got 2 customer requests this past month and I belive updating this code would make things easier without changing the underlying logic.

[hwang-db]

hi Sai, there's still no actual benefit demonstrated for the "mixture" design; using backend PL will:

1. Gives lower cost: egress via NGW is more expensive than VPCE.
2. Keeps all traffic with private IP.

Thus I still don't get the benefit of putting a mixture of pl/non-pl workspaces together.

[Siddharth-Ponugoti]

Hi wang,

In my opinion Supporting a mixture of PL and non-PL workspaces in the same VPC:
• Enables hybrid adoption without duplicating infra.
• Simplifies customer operations and deployment.
• Allows for faster provisioning and testing of new features.
• Supports real-world customer use cases already observed.

I believe this approach could also address potential future customer scenarios. That said, I’m happy to close the PR if you feel it doesn’t add sufficient value.

[hwang-db]

hi Sai, yes you can close this PR first, there's also overhaul changes in progress to make this particular example (multiple workspaces deployment) leaner. Thank you