ALTER NETWORK POLICY¶
Modifies the properties for an existing network policy. The supported actions are replacing the lists of IP addresses or network rules that are allowed or denied access to the account, adding or removing individual network rules in those lists, renaming the policy, and adding, overwriting, or removing a comment or tags for the policy.
Note
Only the network policy owner (i.e. role with the OWNERSHIP privilege on the network policy) or higher can alter a network policy.
See also: CREATE NETWORK POLICY, DESCRIBE NETWORK POLICY, DROP NETWORK POLICY, SHOW NETWORK POLICIES
Syntax¶
ALTER NETWORK POLICY [ IF EXISTS ] <name> SET {
[ ALLOWED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
[ BLOCKED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
[ ALLOWED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' ... ] ) ]
[ BLOCKED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' ... ] ) ]
[ COMMENT = '<string_literal>' ] }
ALTER NETWORK POLICY [ IF EXISTS ] <name> UNSET COMMENT
ALTER NETWORK POLICY <name> ADD { ALLOWED_NETWORK_RULE_LIST = '<network_rule>' | BLOCKED_NETWORK_RULE_LIST = '<network_rule>' }
ALTER NETWORK POLICY <name> REMOVE { ALLOWED_NETWORK_RULE_LIST = '<network_rule>' | BLOCKED_NETWORK_RULE_LIST = '<network_rule>' }
ALTER NETWORK POLICY <name> RENAME TO <new_name>
ALTER NETWORK POLICY <name> SET TAG <tag_name> = '<tag_value>' [ , <tag_name> = '<tag_value>' ... ]
ALTER NETWORK POLICY <name> UNSET TAG <tag_name> [ , <tag_name> ... ]
Parameters¶
name
Specifies the identifier for the network policy to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.
SET ...
Specifies the parameter to set for the network policy:
ALLOWED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are allowed access to Snowflake.
Replaces the existing network rules in the allowed list. To add network rules without replacing existing ones, use the ALTER NETWORK POLICY ... ADD command.
BLOCKED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are denied access to Snowflake.
Replaces the existing network rules in the blocked list. To add network rules without replacing existing ones, use the ALTER NETWORK POLICY ... ADD command.
ALLOWED_IP_LIST = ( [ ip_address ] [ , ip_address , ... ] )
Specifies a list of IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list. Snowflake automatically blocks all IP addresses not included in the allowed list.
Note that if the parameter is specified with an empty list, the network policy allows no IPv4 addresses to access Snowflake.
BLOCKED_IP_LIST = ( [ ip_address ] [ , ip_address , ... ] )
Specifies a list of IPv4 addresses that are denied access to your Snowflake account. This is referred to as the blocked list.
Set this parameter only when you are allowing access to a range of IP addresses (specified in ALLOWED_IP_LIST) but want to deny access to one or more IP addresses within that range.
To unset this parameter, specify an empty list.
COMMENT = 'string_literal'
Adds a comment or overwrites an existing comment for the network policy.
TAG tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ]
Specifies the tag name and the tag string value.
The tag value is always a string, and the maximum number of characters for the tag value is 256.
For details about specifying tags in a statement, refer to Tag quotas for objects and columns.
UNSET ...
Specifies the properties to unset for the network policy, which resets them to the defaults:
COMMENT, which removes the comment, if one exists, for the network policy.
TAG tag_name [ , tag_name ... ], which removes the specified tag(s) from the network policy.
ADD { ALLOWED_NETWORK_RULE_LIST = 'network_rule' | BLOCKED_NETWORK_RULE_LIST = 'network_rule' }
Adds a network rule to the allowed or blocked list of the network policy without removing existing ones.
REMOVE { ALLOWED_NETWORK_RULE_LIST = 'network_rule' | BLOCKED_NETWORK_RULE_LIST = 'network_rule' }
Removes a network rule from the allowed or blocked list of the network policy.
RENAME TO ...
Specifies a new name for the existing network policy.
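The following added example (it is not from the original page) contrasts SET, which replaces an entire network rule list, with ADD and REMOVE, which change one rule at a time. The network policy rules_policy and the network rules sec_db.policies.corp_vpn_rule, sec_db.policies.partner_rule and sec_db.policies.known_bad_rule are assumed to exist already (network rules are created with CREATE NETWORK RULE, which this page does not cover); none of these names come from the page.

```sql
-- Added example; the policy and rule names are assumed and must exist first.

-- Capture the current lists before changing anything: SET replaces them.
DESC NETWORK POLICY rules_policy;

-- SET replaces the whole allowed list. After this statement only
-- corp_vpn_rule is allowed; any rule previously in the allowed list is gone.
ALTER NETWORK POLICY rules_policy
  SET ALLOWED_NETWORK_RULE_LIST = ('sec_db.policies.corp_vpn_rule');

-- ADD appends one rule and leaves the rules already in the list untouched.
ALTER NETWORK POLICY rules_policy
  ADD ALLOWED_NETWORK_RULE_LIST = 'sec_db.policies.partner_rule';

-- A blocked rule is added the same way.
ALTER NETWORK POLICY rules_policy
  ADD BLOCKED_NETWORK_RULE_LIST = 'sec_db.policies.known_bad_rule';

-- REMOVE drops exactly one rule; corp_vpn_rule stays in the allowed list.
ALTER NETWORK POLICY rules_policy
  REMOVE ALLOWED_NETWORK_RULE_LIST = 'sec_db.policies.partner_rule';

-- Record the reason for the change; the comment is visible in
-- SHOW NETWORK POLICIES output for later review.
ALTER NETWORK POLICY rules_policy
  SET COMMENT = 'Partner access revoked; corporate VPN only';

-- Verify the end state: allowed = corp_vpn_rule, blocked = known_bad_rule.
DESC NETWORK POLICY rules_policy;
```

Run the DESC statements before and after the change and keep both outputs with the change record; the first DESC is what you need if a SET accidentally drops a rule and you have to restore the previous list.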
Usage Notes¶
The SET action for the allowed/blocked lists is not additive: it removes all IP addresses in the existing lists for the network policy and replaces them with the specified lists. As a result, to make additions to the existing lists, you must specify the new IP addresses and replicate the existing lists. Run DESCRIBE NETWORK POLICY first so that you have the current lists to replicate.
Each ip_address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation:
ip_address[/optional_prefix_length]
For example:
192.168.1.0/24
When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first.
Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.
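As an added illustration of the usage notes above (example SQL, not from the original page), the following sequence allows a CIDR range, carves a smaller subnet out of it with the blocked list, and then lifts that block by setting an empty list. The policy name corp_policy and the address ranges are assumed for the example and do not appear on the page.

```sql
-- Added example; corp_policy and the address ranges are assumed.

-- 1. Inspect the current lists first. SET replaces them, so anything you
--    do not repeat in the new statement is lost.
DESC NETWORK POLICY corp_policy;

-- 2. Allow the corporate range and deny one subnet inside it.
--    Snowflake evaluates BLOCKED_IP_LIST first, so a client at 10.20.5.7 is
--    denied even though 10.0.0.0/8 would otherwise admit it. Addresses
--    outside 10.0.0.0/8 are denied implicitly; no "block all" entry is needed.
ALTER NETWORK POLICY corp_policy
  SET ALLOWED_IP_LIST = ('10.0.0.0/8')
      BLOCKED_IP_LIST = ('10.20.5.0/24');

-- 3. Later, lift the subnet block. An empty list unsets BLOCKED_IP_LIST.
--    The allowed list is repeated in full, as the usage notes require.
--    Do not confuse this with ALLOWED_IP_LIST = (), which is not a no-op:
--    it leaves the policy allowing no IPv4 address at all.
ALTER NETWORK POLICY corp_policy
  SET ALLOWED_IP_LIST = ('10.0.0.0/8')
      BLOCKED_IP_LIST = ();

-- 4. Never run this. Because the blocked list is applied first, a catch-all
--    blocked entry denies every client, including the one issuing the statement.
-- ALTER NETWORK POLICY corp_policy SET BLOCKED_IP_LIST = ('0.0.0.0/0');

-- 5. Confirm the result before you end the session that made the change.
DESC NETWORK POLICY corp_policy;
```

Keeping the session that ran the ALTER open until the final DESC confirms the intended lists gives you a live session from which to correct the policy if the new allowed list turns out to exclude your own address.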
Example¶
Alter a network policy named mypolicy1 as follows:
- Retain the existing allowed list (all IP addresses in the range of 192.168.1.0/24) and blocked list (192.168.1.99) for the policy, as defined in the CREATE NETWORK POLICY examples.
- Add IP address 192.168.255.100 to the allowed list.
- Deny all other IP addresses.
DESC NETWORK POLICY mypolicy1;
+-----------------+----------------+
| name | value |
|-----------------+----------------|
| ALLOWED_IP_LIST | 192.168.1.0/24 |
| BLOCKED_IP_LIST | 192.168.1.99 |
+-----------------+----------------+
ALTER NETWORK POLICY mypolicy1 SET ALLOWED_IP_LIST=('192.168.1.0/24','192.168.255.100')
BLOCKED_IP_LIST=('192.168.1.99');
DESC NETWORK POLICY mypolicy1;
+-----------------+--------------------------------+
| name | value |
|-----------------+--------------------------------|
| ALLOWED_IP_LIST | 192.168.1.0/24,192.168.255.100 |
| BLOCKED_IP_LIST | 192.168.1.99 |
+-----------------+--------------------------------+
Note
To retain the existing allowed and blocked lists, you must include all the IP addresses from the previous lists.