Private connectivity with external functions: Azure Portal¶
This topic provides configuration details to set up outbound private connectivity to an external service by calling an external function for Snowflake accounts on Microsoft Azure as follows:
Use the Azure Portal user interface to configure resources in Microsoft Azure.
Create an API integration and external function in Snowflake.
Call the external function in Snowflake to validate private connectivity to the external service.
Billing and pricing¶
This feature is available for Snowflake accounts that are Business Critical Edition (or higher).
You pay for private endpoint and data processed charges, which are aggregated and appear as Outbound Privatelink
in your bill.
Process overview¶
The following is a general overview of the configuration process. Steps in Snowflake must be done by a user with the ACCOUNTADMIN role. Steps in the Azure Portal are done by a user with rights to use the corresponding resources unless otherwise specified.
The following steps are the same as using external functions with the public Internet:
Complete the prerequisite steps for external functions on Microsoft Azure.
In the Azure Portal, create the remote service.
In the Azure Portal, create the proxy service.
However, you might want to create new resources to fully differentiate your private connectivity needs from your public Internet needs. Consult with your internal security administrators to determine the best approach for your needs.
These steps are unique to external functions that use private connectivity for an external service:
In Snowflake, create a private endpoint.
Snowflake stores the private IP address for the private endpoint internally.
In the Azure Portal, approve the private endpoint.
This action is done by the owner of the Azure API Management resource (external service).
In Snowflake, create a new API integration.
You need a dedicated API integration to support private connectivity to the external service.
In Snowflake, create an external function. The private connectivity URL is the value for the invocation URL in the external function.
In Snowflake, call the external function to enable Snowflake to connect to the external service using private connectivity.
Deprovision any private connectivity endpoints that are not necessary.
Configuration¶
Complete these steps in the Azure Portal:
If you already have the Azure API Management resource set up and you want to reuse the remote service and proxy service, skip to the private connectivity steps. Otherwise, complete these steps:
Complete the prerequisites for external functions on Microsoft Azure.
In the Azure Portal, create the remote service.
In the Azure Portal, create the proxy service.
Complete these steps to configure private connectivity:
In Snowflake, run the CREATE API INTEGRATION command to create a new API integration to support private connectivity to the external service. Update the property values to align with your Microsoft Azure subscription:
CREATE API INTEGRATION external_api_integration_azure_private API_PROVIDER = azure_private_api_management AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9' AZURE_AD_APPLICATION_ID = 'dv3421nq-1g4s-4ap4-x89c-xrf28hna7m2o' API_ALLOWED_PREFIXES = ('https://aztest1-external-function-api.azure.net') ENABLED = TRUE COMMENT = 'API integration for private connectivity to an external service with external functions on Azure.';
In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create the private endpoint. Update the argument values to align with your Microsoft Azure subscription:
USE ROLE ACCOUNTADMIN; SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT( '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api', 'aztest1-external-function-api.azure.net', 'Gateway' );
In the Azure Portal and as the owner of the Azure API Management resource, approve the private endpoint. For details, see the approval process.
Link the API Integration for Azure to the proxy service to enable Snowflake to send API requests to the Azure API Management service.
You can choose to block public access to the Azure API Management resource. For more information, see Secure access to the Azure API Management resource (in this topic).
In Snowflake, if you already have a database and schema to store the external function and want to use these objects, be sure these objects are in use or select them in Snowsight. Otherwise, create a database and schema to store the external the external function for use with private connectivity to an external service:
CREATE DATABASE private_external_service_db; CREATE SCHEMA private_ext_functions;
In Snowflake, run the CREATE EXTERNAL FUNCTION command to create the external function to use with private connectivity to the external service. Be sure to update the invocation URL with the external service private connectivity URL:
CREATE OR REPLACE SECURE EXTERNAL FUNCTION private_ext_function_azure_portal( a INTEGER , b VARCHAR) RETURNS VARIANT API_INTEGRATION = external_api_integration_azure_private AS 'https://aztest1-external-function-api.azure.net/my-api-url-suffix/http-function-name';
The URL format depends on whether you are creating an external function using the Azure Portal or the Azure ARM template. For details, see invocation URL format.
In Snowflake, call the external function to test private connectivity to the external service:
SELECT private_ext_function_azure(66, 'Mario');
[0, 66, 'Mario']
If the output of the function returns the result that matches the configuration of the remote service at the beginning of the procedure, then you confirmed that private connectivity to the external service is working as expected.
Secure access to the Azure API Management resource¶
You can secure the access to the Azure API Management resource that is associated with the private endpoint for use with external functions. From the perspective of the Azure API Management resource, Snowflake is an inbound connection. By securing the access, you reduce the likelihood of attacks that might compromise your use of external functions.
For example, you might want to run this Azure CLI apim command to block public access:
az apim update --name <api-name> --resource-group <resource group name> --public-network-access false
Update the placeholder values with the values that correspond to the name of the API Management resource and the name of the resource group.
For details and options, see these topics: