ALTER NETWORK POLICY

Modifies the properties for an existing network policy. Currently, the only supported actions are changing the IP addresses that are allowed or denied access to the account and adding/overwriting/removing a comment for a network policy.

Note

Only users with the SECURITYADMIN role (or higher) can alter network policies.

Syntax

ALTER NETWORK POLICY [ IF EXISTS ] <name> SET { [ ALLOWED_IP_LIST = ( '<ip_address>' [ , '<ip_address>' ... ] ) ]
[ BLOCKED_IP_LIST = ( '<ip_address>' [ , '<ip_address>' ... ] ) ]
[ COMMENT = '<string_literal>' ] }

ALTER NETWORK POLICY [ IF EXISTS ] <name> UNSET COMMENT


Parameters

name

Specifies the identifier for the network policy to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

SET ...

ALLOWED_IP_LIST = ( ip_address [ , ip_address , ... ] )

Specifies one or more IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list. Snowflake automatically blocks all IP addresses not included in the allowed list.

BLOCKED_IP_LIST = ( ip_address [ , ip_address , ... ] )

Set this parameter only when you are allowing access to a range of IP addresses (specified in ALLOWED_IP_LIST), but want to deny access to one or more IP addresses within the range.

COMMENT = 'string_literal'

Adds a comment or overwrites an existing comment for the network policy.

UNSET ...

Specifies the properties to unset for the network policy, which resets them to the defaults.

Currently, the only property you can unset is COMMENT, which removes the comment, if one exists, for the network policy.

Usage Notes

• The SET action for the allowed/blocked lists is not additive (i.e. it removes all IP addresses in the existing lists for the network policy and replaces them with the specified lists).

As a result, to make additions to the existing lists, you must specify the new IP addresses and replicate the existing lists.

• Each ip_address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation:

ip_address[/optional_prefix_length]

For example:

192.168.1.0/24

• When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first.

• Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.
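The evaluation order and the non-additive SET described in these notes, as an added example that is not part of the Snowflake documentation: a small Python model that checks an address against a policy (blocked list first, then allowed list, default deny), flags a blocked list that would lock everyone out, and builds the ALTER statement needed to add an address while replicating the existing lists. The functions, the sample policy values and the evaluation model itself are this example's own reading of the notes, not Snowflake's implementation.

```python
import ipaddress
from typing import Iterable, List


def _networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # Each entry is a bare address or CIDR range; strict=False tolerates host bits.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(ip: str, allowed: Iterable[str], blocked: Iterable[str] = ()) -> bool:
    """Model of the usage notes: blocked list wins, then allowed list, else denied."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _networks(blocked)):
        return False
    return any(addr in net for net in _networks(allowed))


def lint_blocked_list(blocked: Iterable[str]) -> List[str]:
    """Warn about blocked entries that cover every address (e.g. 0.0.0.0/0)."""
    return [f"{net} blocks every address, including your own"
            for net in _networks(blocked) if net.prefixlen == 0]


def alter_statement(name: str, current_allowed: Iterable[str], current_blocked: Iterable[str],
                    add_allowed: Iterable[str] = (), add_blocked: Iterable[str] = ()) -> str:
    """SET replaces both lists, so the existing entries must be repeated alongside additions."""
    allowed = list(dict.fromkeys([*current_allowed, *add_allowed]))  # dedupe, keep order
    blocked = list(dict.fromkeys([*current_blocked, *add_blocked]))

    def quoted(values: List[str]) -> str:
        return "(" + ",".join(f"'{v}'" for v in values) + ")"

    stmt = f"ALTER NETWORK POLICY {name} SET ALLOWED_IP_LIST={quoted(allowed)}"
    if blocked:
        stmt += f" BLOCKED_IP_LIST={quoted(blocked)}"
    return stmt + ";"


if __name__ == "__main__":
    # Constructed policy values matching the page's example.
    allowed, blocked = ["192.168.1.0/24"], ["192.168.1.99"]
    print(is_allowed("192.168.1.50", allowed, blocked))        # True
    print(is_allowed("192.168.1.99", allowed, blocked))        # False: blocked list applied first
    print(is_allowed("192.168.255.100", allowed, blocked))     # False: not in allowed list
    print(lint_blocked_list(["0.0.0.0/0"]))
    print(alter_statement("mypolicy1", allowed, blocked, add_allowed=["192.168.255.100"]))
```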

Example

Alter a network policy named mypolicy1 as follows:

• Retain the existing allowed list (all IP addresses in the range of 192.168.1.0/24) and blocked list (192.168.1.99) for the policy, as defined in the CREATE NETWORK POLICY examples.

• Add IP address 192.168.255.100 to the allowed list.

• Deny all other IP addresses.

DESC NETWORK POLICY mypolicy1;

+-----------------+----------------+
| name            | value          |
|-----------------+----------------|
| ALLOWED_IP_LIST | 192.168.1.0/24 |
| BLOCKED_IP_LIST | 192.168.1.99   |
+-----------------+----------------+

ALTER NETWORK POLICY mypolicy1 SET ALLOWED_IP_LIST=('192.168.1.0/24','192.168.255.100')
BLOCKED_IP_LIST=('192.168.1.99');

DESC NETWORK POLICY mypolicy1;

+-----------------+--------------------------------+
| name            | value                          |
|-----------------+--------------------------------|
| ALLOWED_IP_LIST | 192.168.1.0/24,192.168.255.100 |
| BLOCKED_IP_LIST | 192.168.1.99                   |
+-----------------+--------------------------------+


Note

To retain the existing allowed and blocked lists, you must include all the IP addresses from the previous lists.