External network access limitations

This topic describes limitations for accessing external network locations from user-defined functions and procedures.


  • Currently, handlers written only in Java or Python may access network locations external to Snowflake.

  • External network locations not on the public internet are not supported for external access. For example, locations behind a virtual private network (VPN) or virtual network (VNet) can’t be reached from a UDF or procedure.

  • Wildcards are not supported for VALUE_LIST values in network rules.

  • Within handler code, you must access the secret API from the main thread of the procedure or UDF. If your handler code forks a new thread and attempts to use a secrets API from it, you will see an error such as the following:

    Secrets can only be accessed from the main thread.

    For example, the following Python code will generate an error:

    with ThreadPoolExecutor(max_workers=1) as executor:
      futures = [executor.submit(function, get_generic_secret)]
  • This feature is currently available to accounts on all AWS and Azure regions except Gov.

    For more information, see Supported Cloud Regions.

  • External access is not supported for trial accounts.