Categories:: System functions (System Control)

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT¶

Provisions a private connectivity endpoint in the Snowflake VPC or VNet to enable Snowflake to connect to an external service using private connectivity. The endpoint can be a service endpoint or a resource endpoint depending on the cloud platform that hosts your Snowflake account.

Syntax¶

AWS:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_service_name>',
  '<host_name>'
)

Copy

Azure:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_resource_id>',
  '<host_name>'
  [, '<subresource>' ]
)

Copy

Arguments¶

'provider_service_name'

Specifies the external service or resource to connect to. For example, com.amazonaws.us-west-2.execute-api for the Amazon API Gateway or com.amazonaws.us-west-2.s3 for Amazon S3.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

'host_name'

Specifies the fully-qualified hostname to access the resource in your VPC or VNet.

This value does not contain any port numbers and must match what you specified in the Snowflake object that enables you to connect to the external service.

AWS:

Examples include bedrock-runtime.us-west-2.amazonaws.com and *.s3.us-west-2.amazonaws.com.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

Azure:

For Microsoft Azure API Management, the value must match the API_ALLOWED_PREFIXES property of the API integration. Do not include https://.

For examples of the hostname for outbound private connectivity for external functions, see the following:

Azure Portal

Azure ARM template.

'provider_resource_id'

Specifies the fully-qualified identifier for the resource in your VPC or VNet.

'subresource'

Specifies the name of the subresource of the Azure resource.

This argument is not required for Azure Private Link Service and Azure API Management Service.

For all supported values, see the Sub-resource table.

Returns¶

Returns a status message that the endpoint was provisioned successfully or details and instructions about why the endpoint was not provisioned successfully.

Usage notes¶

Only account administrators (users with the ACCOUNTADMIN role) can call this function.
You cannot modify an existing private connectivity endpoint; you must deprovision the endpoint, then provision a new one. To deprovision the endpoint, call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function.
This function can take approximately 5 minutes to execute because it depends on the process to provision the private connectivity endpoint in the cloud platform (outside of Snowflake).
For details about private endpoint limits, see Scaling considerations.

Examples¶

AWS:

Set up outbound private connectivity to an external S3 service:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

Copy

For more AWS examples, see the following guides:

Microsoft Azure:

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to the Microsoft Azure API Management service in your Microsoft Azure VNet:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );

Copy

Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to an external service using external network access:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'testdb.database.windows.net',
  'sqlServer'
  );

Copy

"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Provision a private endpoint to allow Snowflake to connect to an external stage for Microsoft Azure:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
  'storagedemo.blob.core.windows.net',
  'blob'
);

Copy

"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"