CREATE NETWORK POLICY¶
Creates a network policy or replaces an existing network policy.
Only security administrators (i.e. users with the SECURITYADMIN role) or higher or a role with the global CREATE NETWORK POLICY privilege can create network policies.
Syntax¶
CREATE [ OR REPLACE ] NETWORK POLICY <name>
   [ ALLOWED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
   [ BLOCKED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
   [ ALLOWED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
   [ BLOCKED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
   [ COMMENT = '<string_literal>' ]
Required Parameters¶
name
Identifier for the network policy; must be unique for your account.
The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.
For more details, see Identifier Requirements.
Optional Parameters¶
ALLOWED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are allowed access to Snowflake.
BLOCKED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are denied access to Snowflake.
ALLOWED_IP_LIST = ( [ 'ip_address' ] [ , 'ip_address' , ... ] )
Specifies a list of IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list. Snowflake automatically blocks all IP addresses not included in the allowed list.
Note that if the parameter is specified with an empty list, the network policy allows no IPv4 addresses to access Snowflake.
BLOCKED_IP_LIST = ( [ 'ip_address' ] [ , 'ip_address' , ... ] )
Specifies a list of IPv4 addresses that are denied access to your Snowflake account. This is referred to as the blocked list.
Set this parameter only when you are allowing access to a range of IP addresses (specified in ALLOWED_IP_LIST), but want to deny access to one or more IP addresses within the range.
Default: No value (i.e. no IP addresses in BLOCKED_IP_LIST)
COMMENT = 'string_literal'
Specifies a comment for the network policy.
Default: No value
Access Control Requirements¶
A role used to execute this command must have at least the following privilege:
Privilege: CREATE NETWORK POLICY (global)
Notes: Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.
For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.
Usage Notes¶
ip_address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation; for example, 192.168.1.0/24 covers the addresses 192.168.1.0 through 192.168.1.255.
When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first.
Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.
The maximum number of characters for the ALLOWED_IP_LIST list is 100,000. Snowflake returns an error message when this character limit is exceeded.
After creating a network policy, you must associate it with your account before Snowflake enforces the policy. You can associate a policy with your account through the ALTER ACCOUNT command, which must be run by a user with the SECURITYADMIN role (or higher):
USE ROLE SECURITYADMIN;
ALTER ACCOUNT SET NETWORK_POLICY = <policy_name>;
Before associating a network policy with your account, your current IP address must be included in ALLOWED_IP_LIST; otherwise, the ALTER ACCOUNT command returns an error. In addition, your current IP address cannot be included in BLOCKED_IP_LIST.
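The order of evaluation described in these notes (blocked list first, then the allowed list, everything else denied) and the pre-activation lockout check are the two places where a drafted policy most often goes wrong. The following Python model is an added example, not Snowflake's own code: it uses the standard-library ipaddress module to apply the documented rules to sample client addresses, to check whether a given current IP would survive ALTER ACCOUNT SET NETWORK_POLICY, and to render the policy as the CREATE statement from the syntax above. The NetworkPolicy class and the evaluate, preflight_check and to_sql functions are names chosen for this example, it models only policies that set ALLOWED_IP_LIST (the form both examples on this page use), and the character-limit check is an approximation of how Snowflake counts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: a minimal model of an IP-based network policy.
# Entries are IPv4 addresses or CIDR ranges, exactly as they would appear in
# ALLOWED_IP_LIST / BLOCKED_IP_LIST. Network-rule lists are not modelled.
@dataclass
class NetworkPolicy:
    allowed_ip_list: List[str]                    # may be empty: then nobody is allowed
    blocked_ip_list: Optional[List[str]] = None   # None = parameter not set

ALLOWED_IP_LIST_MAX_CHARS = 100_000   # limit stated in the usage notes

def _parse(entries: Optional[List[str]]) -> List[ipaddress.IPv4Network]:
    """Turn list entries into IPv4 networks; a bare address becomes a /32.
    Rejects IPv6, since the parameters accept IPv4 addresses only."""
    nets = []
    for entry in entries or []:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"{entry}: only IPv4 addresses are accepted")
        nets.append(net)
    return nets

def _covered(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in net for net in nets)

def evaluate(policy: NetworkPolicy, client_ip: str) -> Tuple[str, str]:
    """Apply the documented order of evaluation to one client address.

    1. The blocked list is applied first; a match is denied.
    2. Otherwise the address must be covered by the allowed list.
    3. Everything not in the allowed list is denied, so an empty
       ALLOWED_IP_LIST denies every address.
    """
    addr = ipaddress.ip_address(client_ip)
    if _covered(addr, _parse(policy.blocked_ip_list)):
        return "DENY", "matched BLOCKED_IP_LIST"
    if _covered(addr, _parse(policy.allowed_ip_list)):
        return "ALLOW", "matched ALLOWED_IP_LIST"
    return "DENY", "not in ALLOWED_IP_LIST"

def preflight_check(policy: NetworkPolicy, current_ip: str) -> List[str]:
    """Problems that would make ALTER ACCOUNT SET NETWORK_POLICY fail or
    lock the administrator out. An empty list means the policy is safe to
    activate from current_ip as far as these rules go."""
    problems = []
    addr = ipaddress.ip_address(current_ip)
    if not _covered(addr, _parse(policy.allowed_ip_list)):
        problems.append(f"{current_ip} is not covered by ALLOWED_IP_LIST")
    if _covered(addr, _parse(policy.blocked_ip_list)):
        problems.append(f"{current_ip} is covered by BLOCKED_IP_LIST")
    for net in _parse(policy.blocked_ip_list):
        if net.prefixlen == 0:   # 0.0.0.0/0 blocks everyone, including you
            problems.append(f"BLOCKED_IP_LIST contains the catch-all range {net}")
    # Approximation (assumed): count the comma-separated entries against the
    # documented 100,000-character limit.
    if len(",".join(policy.allowed_ip_list)) > ALLOWED_IP_LIST_MAX_CHARS:
        problems.append("ALLOWED_IP_LIST exceeds the 100,000-character limit")
    return problems

def to_sql(name: str, policy: NetworkPolicy) -> str:
    """Render the policy as a CREATE OR REPLACE NETWORK POLICY statement."""
    def quoted(entries: List[str]) -> str:
        return "(" + ", ".join(f"'{e}'" for e in entries) + ")"
    lines = [f"CREATE OR REPLACE NETWORK POLICY {name}",
             f"  ALLOWED_IP_LIST = {quoted(policy.allowed_ip_list)}"]
    if policy.blocked_ip_list is not None:
        lines.append(f"  BLOCKED_IP_LIST = {quoted(policy.blocked_ip_list)}")
    return "\n".join(lines) + ";"

# The policy from the first example on this page.
MYPOLICY1 = NetworkPolicy(["192.168.1.0/24"], ["192.168.1.99"])

if __name__ == "__main__":
    print(to_sql("mypolicy1", MYPOLICY1))
    for ip in ("192.168.1.10", "192.168.1.99", "10.0.0.1"):
        print(ip, *evaluate(MYPOLICY1, ip))
    # Constructed lockout scenarios: wrong source address, and a catch-all block.
    print(preflight_check(MYPOLICY1, "203.0.113.7"))
    print(preflight_check(NetworkPolicy(["192.168.1.0/24"], ["0.0.0.0/0"]), "192.168.1.10"))
```

Running preflight_check against the address you are connecting from before issuing ALTER ACCOUNT reproduces, offline, the two conditions the note above states (current IP in ALLOWED_IP_LIST and not in BLOCKED_IP_LIST) and flags a catch-all blocked range, which is the mistake the earlier note warns about.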
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Examples¶
Create a network policy named mypolicy1 with the following properties:
- Allow all IP addresses in the range of 192.168.1.0 to 192.168.1.255 (via CIDR notation 192.168.1.0/24), except 192.168.1.99, which is explicitly blocked.
- Deny all other IP addresses.

CREATE NETWORK POLICY mypolicy1 ALLOWED_IP_LIST=('192.168.1.0/24') BLOCKED_IP_LIST=('192.168.1.99');

DESC NETWORK POLICY mypolicy1;

+-----------------+----------------+
| name            | value          |
|-----------------+----------------|
| ALLOWED_IP_LIST | 192.168.1.0/24 |
| BLOCKED_IP_LIST | 192.168.1.99   |
+-----------------+----------------+
Create a network policy named mypolicy2 that allows only the IP addresses 192.168.1.0 and 192.168.1.100 to access your account:

CREATE NETWORK POLICY mypolicy2 ALLOWED_IP_LIST=('192.168.1.0','192.168.1.100');

DESC NETWORK POLICY mypolicy2;

+-----------------+---------------------------+
| name            | value                     |
|-----------------+---------------------------|
| ALLOWED_IP_LIST | 192.168.1.0,192.168.1.100 |
+-----------------+---------------------------+