AWS PrivateLink and Streamlit in Snowflake
This topic describes using AWS PrivateLink and Streamlit in Snowflake.
Note
Azure Private Link and Google Cloud Private Service Connect are currently not supported for use with Streamlit in Snowflake.
Prerequisites
To access Streamlit in Snowflake with AWS PrivateLink:
Set up private connectivity for your Snowflake account.
Set up private connectivity for Snowsight.
Configuring access to Streamlit in Snowflake
To determine the hostname, call SYSTEM$GET_PRIVATELINK_CONFIG in your Snowflake account.
The Streamlit hostname is displayed under the app-service-privatelink-url key, which is the wildcard URL required for routing Streamlit application traffic through AWS PrivateLink.
Note
You can set up a new VPC endpoint for Streamlit, or create a DNS record to the same VPC endpoint of your Snowflake account, as shown in the following example:
Record name: *.abcd.privatelink.snowflake.app
Type: CNAME
Route traffic to: same VPC as your Snowflake traffic.
Hostname routing at an account level is currently not supported.
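The configuration steps above, as an added example that is not part of Snowflake's documentation: it reads the app-service-privatelink-url key from the SYSTEM$GET_PRIVATELINK_CONFIG output, builds the wildcard CNAME as a Route 53 change batch, and checks whether a given app hostname falls under that record. The sample JSON, the VPC endpoint DNS name, the app hostnames, and the suffix check are constructed assumptions.

```python
import json

# Constructed sample: SYSTEM$GET_PRIVATELINK_CONFIG output trimmed to the one key
# used here, with the placeholder hostname from the example record above.
SAMPLE_CONFIG = '{"app-service-privatelink-url": "*.abcd.privatelink.snowflake.app"}'
# Hypothetical placeholder: DNS name of the VPC endpoint your Snowflake traffic uses.
VPCE_DNS_NAME = "vpce-EXAMPLE.vpce-svc-EXAMPLE.us-west-2.vpce.amazonaws.com"
# Assumption: suffix taken from the example record name on this page.
EXPECTED_SUFFIX = ".privatelink.snowflake.app"


def streamlit_wildcard(config_json):
    """Return the wildcard Streamlit hostname from the PrivateLink config JSON."""
    host = json.loads(config_json).get("app-service-privatelink-url", "")
    host = host.strip().rstrip(".").lower()
    if not host.startswith("*.") or "*" in host[2:]:
        raise ValueError(f"not a single leading-wildcard hostname: {host!r}")
    if not host.endswith(EXPECTED_SUFFIX):
        raise ValueError(f"unexpected domain for a PrivateLink hostname: {host!r}")
    return host


def cname_change_batch(wildcard, target, ttl=300):
    """Build a Route 53 ChangeResourceRecordSets batch for the wildcard CNAME."""
    record = {"Name": wildcard, "Type": "CNAME", "TTL": ttl,
              "ResourceRecords": [{"Value": target}]}
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": record}]}


def routed_privately(wildcard, app_host):
    """True if app_host falls under the wildcard record, so it resolves to the endpoint."""
    suffix = wildcard[1:]  # "*.abcd..." -> ".abcd..."
    app_host = app_host.strip().rstrip(".").lower()
    return app_host.endswith(suffix) and len(app_host) > len(suffix)


if __name__ == "__main__":
    wildcard = streamlit_wildcard(SAMPLE_CONFIG)
    print(json.dumps(cname_change_batch(wildcard, VPCE_DNS_NAME), indent=2))
    # Constructed app hostnames: the second lacks the privatelink label.
    for h in ("myapp.abcd.privatelink.snowflake.app", "myapp.abcd.snowflake.app"):
        print(h, "->", "private" if routed_privately(wildcard, h) else "NOT covered")
```

The printed batch has the shape the Route 53 `change-resource-record-sets` call takes as its change batch, applied to a hosted zone you control.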
Security considerations
Streamlit in Snowflake apps serve both HTTPS traffic and encrypted WebSocket traffic. The Streamlit browser client application is mounted in a third-party, cross-origin iframe within Snowsight. This enables strict cross-site browser isolation control.
Streamlit in Snowflake uses a separate URL scheme for specific security requirements. Streamlit URLs have their own top-level domain, with no shared elements with Snowsight. Each Streamlit app has a unique origin.
Note
When using AWS PrivateLink, you control the DNS resolution; there are no PrivateLink DNS records controlled by Snowflake.