Categories:: System functions (System Control)

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT¶

Provisions a private connectivity endpoint in the Snowflake VPC or VNet to enable Snowflake to connect to an external service by using private connectivity. The endpoint can be a service endpoint or a resource endpoint depending on the cloud platform that hosts your Snowflake account.

Note

If the Snowflake account is in an Azure government region, the provider resource ID must be the ID of a resource in a government subscription. For more information about government regions for Snowflake customers, see U.S. SnowGov Regions.

Syntax¶

AWS:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_service_name>',
  '<host_name>'
)

Copy

Azure:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_resource_id>',
  '<host_name>',
  [, '<subresource>' ]
)

Copy

Google Cloud:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
 '<target_service_id>',
 '<host_name>'
);

Copy

Arguments¶

AWS:

'provider_service_name'

Specifies the external service or resource to connect to. For example, com.amazonaws.us-west-2.execute-api for the Amazon API Gateway or com.amazonaws.us-west-2.s3 for Amazon S3.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

'host_name'

Specifies the fully-qualified hostname to access the resource in your VPC or VNet.

This value doesn’t contain any port numbers and must match what you specified in the Snowflake object that lets you to connect to the external service.

Examples include bedrock-runtime.us-west-2.amazonaws.com and *.s3.us-west-2.amazonaws.com.

When using private connectivity for external stages and external volumes, the host_name must use a wildcard instead of specifying a specific AWS S3 bucket.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

Azure:

'provider_resource_id'

Specifies the fully qualified identifier for the resource in your VPC or VNet.

'subresource'

Specifies the name of the subresource of the Azure resource.

This argument isn’t required for Azure Private Link Service and Azure API Management Service.

For all supported values, see the Sub-resource table.

'host_name'

Specifies the fully qualified hostname to access the resource in your VPC or VNet.

For examples of the hostname for outbound private connectivity for external functions, see the following topics:

Azure Portal

Azure ARM template.

Google Cloud:

'target_service_id': Specifies the service attachment ID (to a custom service), or regional Google API endpoint to connect to.
'host_name': Specifies the fully qualified hostname to access the resource.

Returns¶

Returns a status message that the endpoint was provisioned successfully or details and instructions about why the endpoint was not provisioned successfully.

Usage notes¶

Only account administrators (users with the ACCOUNTADMIN role) can call this function.
You cannot modify an existing private connectivity endpoint; you must deprovision the endpoint, then provision a new one. To deprovision the endpoint, call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function.
This function can take approximately 5 minutes to execute because it depends on the process to provision the private connectivity endpoint in the cloud platform (outside of Snowflake).
For details about private endpoint limits, see Scaling considerations.

Examples¶

AWS:

Set up outbound private connectivity to an external S3 service:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

Copy

For more AWS examples, see the following guides:

Microsoft Azure:

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to the Microsoft Azure API Management service in your Microsoft Azure VNet:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );

Copy

Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to an external service using external network access:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver',
  'testdb.database.windows.net',
  'sqlServer'
  );

Copy

"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Provision a private endpoint to allow Snowflake to connect to an external stage for Microsoft Azure:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
  'storagedemo.blob.core.windows.net',
  'blob'
);

Copy

"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Google Cloud:

Connect to a published service:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'projects/my-project/regions/us-west2/serviceAttachments/my-http-server',
  'my-http-server.com'
);

Copy

After creating the endpoint, the connection must be accepted on Google Cloud by the resource provider.

Provision a private endpoint to allow Snowflake on Google Cloud to connect to a service attachment in your Google Cloud VPC Network:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'projects/my-project/regions/us-east4/serviceAttachments/my-service-attachment',
  'my-service.com'
  );

Copy

Private endpoint with ID "abcd0000000000000001" to resource "projects/my-project/regions/us-east4/serviceAttachments/my-service-attachment"
was provisioned successfully. Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.

Provision a private endpoint to allow Snowflake on Google Cloud to connect to the regional Cloud Key Management Service (Cloud KMS) endpoint:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'cloudkms.us-east4.rep.googleapis.com',
  'cloudkms.us-east4.rep.googleapis.com'
  );

Copy

Private endpoint with ID "abcd0000000000000001" to resource "cloudkms.us-east4.rep.googleapis.com" was provisioned successfully.
Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.

Provision a private endpoint to allow Snowflake to connect to an external stage for Google Cloud:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'storage.us-east4.rep.googleapis.com',
  'storage.us-east4.rep.googleapis.com'
);

Copy

Private endpoint with ID "abcd0000000000000001" to resource "storage.us-east4.rep.googleapis.com" was provisioned successfully.
Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.