CREATE NETWORK POLICY¶
Creates a network policy or replaces an existing network policy.
Note
Only security administrators (i.e. users with the SECURITYADMIN role) or higher or a role with the global CREATE NETWORK POLICY privilege can create network policies.
- See also:
ALTER NETWORK POLICY , DROP NETWORK POLICY , SHOW NETWORK POLICIES , DESCRIBE NETWORK POLICY
Syntax¶
CREATE [ OR REPLACE ] NETWORK POLICY <name>
[ ALLOWED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
[ BLOCKED_NETWORK_RULE_LIST = ( '<network_rule>' [ , '<network_rule>' , ... ] ) ]
[ ALLOWED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
[ BLOCKED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
[ COMMENT = '<string_literal>' ]
Required parameters¶
name
Identifier for the network policy; must be unique for your account.
The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g.
"My object"
), Identifiers enclosed in double quotes are also case-sensitive.For more details, see Identifier requirements.
Optional parameters¶
ALLOWED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are allowed access to Snowflake. There is no limit on the number of network rules in the list.
BLOCKED_NETWORK_RULE_LIST = ( 'network_rule' [ , 'network_rule' , ... ] )
Specifies a list of network rules that contain the network identifiers that are denied access to Snowflake. There is no limit on the number of network rules in the list.
ALLOWED_IP_LIST = ( [ ip_address ] [ , ip_address , ... ] )
Specifies a list of IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list.
Snowflake recommends using network rules in conjunction with network policies rather than using this property. Use the
ALLOWED_NETWORK_RULE_LIST
property to specify network rules that contain IPv4 addresses.If you are not yet using network rules, specify at least one IPv4 address or CIDR block range to allow access to your Snowflake account. Additionally, if you are not using network rules and this property is specified with an empty list, no IPv4 addresses are allowed to access your Snowflake account.
BLOCKED_IP_LIST = ( [ ip_address ] [ , ip_address , ... ] )
Specifies a list of IPv4 addresses that are denied access to your Snowflake account. This is referred to as the blocked list. To unset this parameter, specify a different CIDR block range, a series of IPv4 addresses, or a single IPv4 address.
Snowflake recommends using network rules in conjunction with network policies rather than using this parameter. Use the
BLOCKED_NETWORK_RULE_LIST
property to specify network rules that contain IPv4 addresses.To block public access, use a network rule and add the network rule to the
BLOCKED_NETWORK_RULE_LIST
property. The result is that only IP addresses that use private connectivity, such as AWS PrivateLink, can access your Snowflake account.Default: No value; no IP addresses in
ALLOWED_IP_LIST
property are blocked.
COMMENT = 'string_literal'
Specifies a comment for the network policy.
Default: No value
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
CREATE NETWORK POLICY |
Account |
Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
Use network rules in conjunction with the network policy to manage access to your Snowflake account.
You cannot execute a CREATE OR REPLACE NETWORK POLICY command to replace an existing network policy if that policy is currently assigned to an account, security integration, or user.
Each
ip_address
can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation:ip_address[/optional_prefix_length]
For example:
192.168.1.0/24
When a network policy includes values for both
ALLOWED_IP_LIST
andBLOCKED_IP_LIST
, Snowflake applies the blocked list first.The maximum number of characters for the
ALLOWED_IP_LIST
list is 100,000. Snowflake returns an error message when this character limit is exceeded.After creating a network policy, you must associate it with your account before Snowflake enforces the policy. You can associate a policy with your account through the ALTER ACCOUNT command, which must be run by a user with the SECURITYADMIN role (or higher).
For example:
USE ROLE SECURITYADMIN; ALTER ACCOUNT SET NETWORK_POLICY = <policy_name>;
For more details, see Parameter management. Note that NETWORK_POLICY is currently the only account parameter that can be set by users with the SECURITYADMIN role.
Before associating a network policy with your account, your current IP address must be included in
ALLOWED_IP_LIST
; otherwise, the ALTER ACCOUNT command returns an error. In addition, your current IP address cannot be included inBLOCKED_IP_LIST
.Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Examples¶
Create a network policy named mypolicy1
with the following properties:
Allow all IP addresses in the range of
192.168.1.0
to192.168.1.255
(via CIDR notation192.168.1.0/24
), except192.168.1.99
, which is explicitly blocked.Deny all other IP addresses.
CREATE NETWORK POLICY mypolicy1 ALLOWED_IP_LIST=('192.168.1.0/24') BLOCKED_IP_LIST=('192.168.1.99'); DESC NETWORK POLICY mypolicy1;+-----------------+----------------+ | name | value | |-----------------+----------------| | ALLOWED_IP_LIST | 192.168.1.0/24 | | BLOCKED_IP_LIST | 192.168.1.99 | +-----------------+----------------+
Create a network policy named mypolicy2
that allows only the IP addresses 192.168.1.0
and 192.168.1.100
to
access your account:
CREATE NETWORK POLICY mypolicy2 ALLOWED_IP_LIST=('192.168.1.0','192.168.1.100'); DESC NETWORK POLICY mypolicy2;+-----------------+---------------------------+ | name | value | |-----------------+---------------------------| | ALLOWED_IP_LIST | 192.168.1.0,192.168.1.100 | +-----------------+---------------------------+