Deploy React.js Apps on Azure Databricks: Full Guide
Time Date
Raj
Manoharan
Connect with
{{name}}
{{name}}
Tracey
Wilson
Summary: Deploying ReactJS Apps on Azure Databricks
Azure Databricks Apps can run Node.js and/or Python web applications directly on Databricks’ serverless compute plane, integrating with Unity Catalog governance and OAuth-based authentication. Most “React-in-Databricks” deployments fail for non-obvious reasons: build/start wiring (package.json detection), incorrect port binding and misunderstanding the app’s OAuth identity model (app vs user).
Failure Modes
Where teams typically break things and why:
Hard-coded ports (works locally, dead in Apps): Apps expose a specific port via DATABRICKS_APP_PORT. If your Node server binds to 3000 or your API binds to 8080 without bridging, health checks and routing fail.
SPA routing 404s after refresh: React client-side routing requires an “index.html fallback” for unknown paths. If you serve only static files without a fallback, /orders/123 refresh becomes a server 404. (It’s not a Databricks issue; it’s a static serving contract issue.)
“It deployed, but it’s running the wrong process” (package.json detection trap): Deployment logic changes when package.json is present at the app root. Databricks runs Node build steps and (unless overridden) executes npm run start. Teams often expect a Python uvicorn entrypoint to run and it never does.
Hybrid frontend+backend launched incorrectly: If you want Node + Python together, you must explicitly orchestrate them (for example, via a start script using a process manager like concurrently). Otherwise only one side starts.
Secrets leaked into the browser: The runtime provides OAuth client credentials to the app environment (DATABRICKS_CLIENT_ID, DATABRICKS_CLIENT_SECRET). If you accidentally embed these into frontend bundles (e.g., Vite env injection), you’ve created an exfil path.
Auth confusion: “My app can read tables, but users can’t (or vice versa)”: Apps use an OAuth 2.0 authorisation model that combines app permissions and user permissions and supports two identity models: app authorisation and user authorisation. If you don’t decide intentionally which identity is used for which operation, you get inconsistent access behaviour and audit gaps.
Network egress surprises: Apps run on the serverless compute plane; ingress/egress can be controlled with IP access lists, Private Link, and network policies. If your React app depends on external APIs, you can break production simply by applying an egress policy without updating allowlists.
Slow deploys / cold starts from heavy Node dependency graphs: Deploy runs npm install (and optionally npm run build) during deployment. Large dependency trees and unpinned lockfiles cause slow, inconsistent deployments.
Resource ceiling assumptions: By default, Apps have a constrained footprint (for example, 2 vCPUs / 6 GB memory by default, configurable). A Node build step, server-side rendering, or PDF processing can easily hit limits if you treat this like an unconstrained VM.
Engineering Deep Dive
Understand the Databricks Apps runtime contract (before you write code)
A Databricks App is not a notebook. It’s a deployed web workload running on a serverless compute plane, with a defined runtime environment (Ubuntu 22.04, Python 3.11 venv, Node.js 22.16) and a fixed network ingress port exposed via DATABRICKS_APP_PORT. The second non-obvious contract: Databricks decides “Node vs Python vs both” based on the presence of package.json at the root and then applies deterministic build/run logic.
Deployment logic: what actually happens
From the Azure Databricks deployment model:
If package.json exists at the root, deployment will:
Run npm install
Run pip install -r requirements.txt (if present)
Run npm run build (if a build script exists)
Run the command from app.yaml, or default to npm run start
If package.json does not exist, deployment will:
Run pip install -r requirements.txt (if present)
Run the command from app.yaml, or default to python <first .py file>
You can deploy the source and let the platform run npm run build, as long as your scripts are correctly defined.
app.yaml: when you need it and how it bites you
app.yaml is optional but becomes necessary when you need:
A custom entrypoint command, or
Environment variables (including references to secrets/external sources).
Two details matter operationally:
The file must be at the project root.
The command is not executed in a shell, so you can’t rely on shell expansion; pass explicit arguments and use the env section for configuration.
Example: Node-only React serving (custom command not strictly required if you use npm run start, but shown for explicitness):
command: ["npm", "run", "start"]
env:
- name: "API_BASE_PATH"
value: "/api"
// server.js
import express from "express";
import path from "path";
import { fileURLToPath } from "url";
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const app = express();
const port = parseInt(process.env.DATABRICKS_APP_PORT ?? "8000", 10);
const dist = path.join(__dirname, "dist"); //Vite default output
app.use(express.static(dist, { maxAge: "1h", etag: true }));
// SPA fallback
app.get("*", (_req, res) => {
res.sendFile(path.join(dist, "index.html"));
});
app.listen(port, "0.0.0.0", () => console.log(`Listening on ${port}`));
Why this matters:
DATABRICKS_APP_PORT is the contract, don’t hardcode.
Apps commonly default to port 8000, but you should still read the env var.
Hybrid pattern: React + Python API in one Databricks App
Databricks Apps explicitly supports Python, Node.js, or a combination, so a Node frontend with a Python backend is a first-class option.But you must explicitly orchestrate processes. The docs are clear: if no command is specified in app.yaml and package.json exists, Databricks runs npm run start even if Python code exists. To run both, define a custom start script using a tool like concurrently.
Example package.json (conceptual):
{
"scripts": {
"build": "vite build",
"start:ui": "node server.js",
"start:api": "python -m uvicorn api.main:app --host 127.0.0.1 --port 8080",
"start": "concurrently \"npm run start:ui\" \"npm run start:api\""
}
}
Key design choice:
Expose one public listener on DATABRICKS_APP_PORT (the UI server).
Keep API on loopback (127.0.0.1) and proxy /api server-side.
This avoids CORS and keeps tokens server-side.
OAuth identity model: how data access really works
This is where most “works on my machine” deployments fail in enterprise environments.
Databricks Apps authorisation is based on OAuth 2.0 and combines the permissions assigned to the app with those of the user accessing it.
Two complementary identity models exist:
App authorisation: each app has a dedicated service principal identity; it’s unique per app instance and you cannot reuse or specify an existing service principal at creation time.
User authorisation: the app can act with the identity/permissions of the interacting user.
Practical implications for a React app:
Never call Databricks APIs from the browser using app credentials. The runtime exposes the app’s OAuth client credentials as environment variables; those belong on the server only.
Decide which operations are “system actions” (app identity) vs “user actions” (user identity) and ensure Unity Catalog / SQL permissions align accordingly. Apps are explicitly positioned to integrate with Unity Catalog for governance and Databricks SQL for querying.
Networking: why “it works in dev” breaks in prod
Networking is not an afterthought in Apps. The documented flow is:
Initial requests trigger OAuth authentication with the control plane
Subsequent requests route directly to the serverless compute plane.
Then ingress/egress controls apply at the serverless plane:
IP access lists, Private Link (front-end private connectivity) and network policies.
Network policies (Premium tier) are explicitly recommended to prevent accidental data exfiltration and restrict outbound domains.
Legacy regional URLs aren’t supported for Apps because OAuth is required.
For React apps that depend on third-party APIs, plan the allowlist and failure behaviour (timeouts, retries, and degraded mode) as part of the app design, not as a post-deploy ticket.
Best Practices & Anti-Patterns
Best practices
Bind to DATABRICKS_APP_PORT and avoid port literals everywhere (Node and Python).
Treat package.json at root as a platform switch; design your repo layout intentionally around deployment logic.
Use the platform build pipeline (npm run build during deployment) instead of uploading pre-built artifacts, unless you have a reproducibility reason to do otherwise.
Use app.yaml primarily for explicit commands and env/secrets injection; keep it minimal and deterministic.
Keep secrets and OAuth client credentials strictly server-side; expose only your own /api/* endpoints to the browser.
Use network policies to constrain outbound traffic for production apps, and treat egress allowlists as part of your release process.
Design for the default resource envelope (2 vCPU / 6 GB) and scale compute size only when you have a measured need.
Anti-patterns
Shipping a React dev server (vite dev, CRA dev server) as “production” behind Apps. (It will be fragile and wasteful.)
Running Python APIs “because it worked in a notebook,” without defining an explicit app entrypoint and startup command.
Assuming user identity == app identity; mixing them randomly leads to inconsistent authorisation and audit trails.
Calling Databricks endpoints directly from the browser using long-lived tokens or injected env vars.
Ignoring ingress/egress controls until production, then discovering the app can’t resolve DNS or reach required domains under policy.
How Cloudaeon Approaches This
This is the discipline that prevents “demo apps” from becoming operational liabilities:
Start from platform contracts, not from framework tutorials: We map repo structure + deployment logic first (Node/Python detection, build steps, default start behaviour). That eliminates 80% of “why is it running the wrong thing?” incidents.
Make identity an architectural decision: We explicitly separate app-identity actions (service principal) from user-identity actions, and we design the backend boundary so React never handles privileged credentials.
Build a deterministic configuration surface: All runtime configuration is through app.yaml env + managed secrets references, not through ad-hoc environment drift.
Treat networking as part of the app spec: We define required outbound domains/endpoints and expected Private Link / IP access list behaviour as release criteria, because Apps traffic and auth routing have a specific control-plane → serverless-plane model.
Operationalise early: We wire structured logging, request correlation, and deploy-time checks (build reproducibility, lockfile policy, minimal dependency set). Apps also provide monitoring surfaces (logs/audit/cost), so we design around what can be observed and alerted on.
Technology Stack
Frontend: React (SPA), Vite/CRA build output, Node.js runtime
Web serving: Express (or equivalent Node server) bound to DATABRICKS_APP_PORT
Backend (optional): FastAPI + Uvicorn / Gunicorn (pre-installed packages available in Apps environment)
Databricks integration: databricks-sdk, databricks-sql-connector (pre-installed), Unity Catalog + Databricks SQL
Security: OAuth 2.0 authorisation model; dedicated app service principal identity
Deployment: Azure Databricks UI or CLI (Databricks sync, Databricks apps deploy)
Network controls: IP access lists, Private Link ingress, network policies / NCC for egress restriction
Conclusion
Deploying ReactJS applications on Azure Databricks Apps requires more than simply packaging a frontend, it demands a clear understanding of the platform’s runtime contracts, identity model, networking controls, and deployment logic. By designing applications around these constraints, correct port binding, intentional repo structure, secure handling of OAuth credentials, and well-defined process orchestration, teams can avoid common pitfalls and build reliable, production-ready data applications that integrate seamlessly with the Databricks ecosystem. If you're planning to deploy or modernise web applications on Azure Databricks, talk to our experts to design a secure and scalable architecture.
