
AWS PrivateLink and Snowflake

Business Critical Feature

This feature requires Business Critical (or higher).

This topic describes how to configure AWS PrivateLink to directly connect your Snowflake account to one or more AWS VPCs.

Note that AWS PrivateLink is not a service provided by Snowflake. It is an AWS service that Snowflake supports for use with your Snowflake account.

What is AWS PrivateLink?

AWS PrivateLink is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public Internet. The connectivity is for AWS VPCs in the same AWS region.

For writing external functions, you can also use AWS PrivateLink with private endpoints.

In addition, if you have an on-premises environment (e.g. a non-hosted data center), you can choose to use AWS Direct Connect, in conjunction with AWS PrivateLink, to connect all your virtual and physical environments in a single, private network.

Note

AWS Direct Connect is a separate AWS service that must be implemented independently from AWS PrivateLink and is outside the scope of this topic. To inquire about implementing AWS Direct Connect, please contact Amazon.

Enabling AWS PrivateLink

Note

Currently, the self-service enablement process in this section does not support authorizing an AWS account identifier from a managed cloud service or a third-party vendor.

To authorize an AWS account identifier for this use case, please retrieve the AWS account identifier from the vendor and contact Snowflake Support.

To enable AWS PrivateLink for your Snowflake account, complete the following steps:

1. In your command line environment, run the following AWS CLI STS command and save the output. The output will be used as the value for the federated_token argument in the next step.

    aws sts get-federation-token --name sam

  Note that get-federation-token requires either an identity and access management user in AWS or the AWS account root user. For details, refer to the AWS documentation.

  Extract the 12-digit number in the "FederatedUserId" value (truncated). For example, if your token contains:

    {
       ...
       "FederatedUser": {
           "FederatedUserId": "185...:sam",
           "Arn": "arn:aws:sts::185...:federated-user/sam"
       },
       "PackedPolicySize": 0
    }

  Extract 185.... This 12-digit number will be the value for the aws_id in the next step.

2. As a Snowflake account administrator (i.e. a user with the ACCOUNTADMIN system role), call the SYSTEM$AUTHORIZE_PRIVATELINK function to authorize (i.e. enable) AWS PrivateLink for your Snowflake account:

    select SYSTEM$AUTHORIZE_PRIVATELINK ( '<aws_id>' , '<federated_token>' );

  Where:

  • 'aws_id'

    The 12-digit identifier that uniquely identifies your Amazon Web Services (AWS) account, as a string.

  • 'federated_token'

    The federated token value that contains access credentials for a federated user, as a string.

  For example:

    use role accountadmin;

    select SYSTEM$AUTHORIZE_PRIVATELINK (
        '185...',
        '{
           "Credentials": {
               "AccessKeyId": "ASI...",
               "SecretAccessKey": "enw...",
               "SessionToken": "Fwo...",
               "Expiration": "2021-01-07T19:06:23+00:00"
           },
           "FederatedUser": {
               "FederatedUserId": "185...:sam",
               "Arn": "arn:aws:sts::185...:federated-user/sam"
           },
           "PackedPolicySize": 0
        }'
      );

To verify your authorized configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on AWS. This function uses the same argument values for 'aws_id' and 'federated_token' that were used to authorize your Snowflake account.

Snowflake returns Account is authorized for PrivateLink. for a successful authorization.

If it is necessary to disable AWS PrivateLink in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function, using the same argument values for 'aws_id' and 'federated_token'.

Important

The federated_token expires after 12 hours.

If you're calling any of the system functions to authorize, verify, or disable your Snowflake account to use AWS PrivateLink and the token is not valid, regenerate the token using the AWS CLI STS command shown at the beginning of the procedure in this section.

To further harden your security posture, Snowflake recommends pinning private connectivity endpoints for inbound traffic for your Snowflake account.
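The two-step procedure above, worked as a shell script that is an added example and not part of the Snowflake documentation: it extracts the 12-digit account id from the get-federation-token output, quotes the token as a SQL string literal, builds the SYSTEM$AUTHORIZE_PRIVATELINK call (or the GET/REVOKE variant, which take the same arguments), and refuses to emit SQL once the 12-hour expiry noted above has passed. The token JSON, account id and credentials are constructed samples; in real use the JSON is the saved output of `aws sts get-federation-token --name sam`.

```shell
#!/bin/sh
# Added example, not from the Snowflake docs. Turns the output of
# `aws sts get-federation-token` into the arguments of SYSTEM$AUTHORIZE_PRIVATELINK.
# The JSON below is a constructed stand-in for that output (made-up account id,
# fake credentials); in real use: TOKEN=$(aws sts get-federation-token --name sam)
SAMPLE_TOKEN='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLE-SECRET-NOT-REAL",
    "SessionToken": "EXAMPLE-SESSION-TOKEN-NOT-REAL",
    "Expiration": "2021-01-07T19:06:23+00:00"
  },
  "FederatedUser": {
    "FederatedUserId": "123456789012:sam",
    "Arn": "arn:aws:sts::123456789012:federated-user/sam"
  },
  "PackedPolicySize": 0
}'

# Step 1: the aws_id is the 12 digits before ":<name>" in FederatedUserId.
# Prints the id; returns 1 (prints nothing) if the field is absent or malformed.
extract_aws_id() {
  id=$(printf '%s\n' "$1" \
       | sed -n 's/.*"FederatedUserId": *"\([0-9]\{12\}\):[^"]*".*/\1/p' \
       | head -n 1)
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Double any single quote so the token cannot break out of the SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Step 2: build the statement to run as ACCOUNTADMIN. The third argument selects
# the function: SYSTEM$AUTHORIZE_PRIVATELINK (default), SYSTEM$GET_PRIVATELINK to
# verify, or SYSTEM$REVOKE_PRIVATELINK to disable; all three take the same arguments.
build_privatelink_sql() {
  func=$3
  [ -n "$func" ] || func='SYSTEM$AUTHORIZE_PRIVATELINK'
  printf "select %s('%s', '%s');\n" "$func" "$1" "$(sql_quote "$2")"
}

# The token is only valid for 12 hours: returns 0 (true) when its Expiration is
# missing or already in the past. Assumes the "+00:00" UTC offset shown in the
# sample, so the ISO 8601 strings compare as text against the current UTC time.
token_expired() {
  exp=$(printf '%s\n' "$1" | sed -n 's/.*"Expiration": *"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$exp" ] || return 0
  now=$(date -u +%Y-%m-%dT%H:%M:%S+00:00)
  expr "$exp" \< "$now" > /dev/null
}

# Stand-alone run: refuse to emit SQL from a stale token, otherwise print it.
if token_expired "$SAMPLE_TOKEN"; then
  echo "federated token has expired; rerun: aws sts get-federation-token --name sam" >&2
else
  aws_id=$(extract_aws_id "$SAMPLE_TOKEN") || { echo "no FederatedUserId in token" >&2; exit 1; }
  build_privatelink_sql "$aws_id" "$SAMPLE_TOKEN"
fi
```

With the sample token (dated 2021) the stand-alone run takes the expired branch; replace SAMPLE_TOKEN with fresh STS output to get the statement for step 2.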

Configuring your AWS VPC environment

Attention

This section only covers the Snowflake-specific details for configuring your VPC environment.

Also, note that Snowflake is not responsible for the actual configuration of the required AWS VPC endpoints, security group rules, and DNS records. If you encounter issues with any of these configuration tasks, please contact AWS Support directly.

Create and configure a VPC endpoint (VPCE)

Complete the following steps to create and configure a VPC endpoint in your AWS VPC environment:

1. As a Snowflake account administrator (i.e. a user with the ACCOUNTADMIN system role), call the SYSTEM$GET_PRIVATELINK_CONFIG function and record the privatelink-vpce-id value.

2. In your AWS environment, create a VPC endpoint using the privatelink-vpce-id value from the previous step.

3. In your AWS environment, configure a security group that allows the services connecting to Snowflake to send their outgoing connections to ports 443 and 80 of the VPCE CIDR (Classless Inter-Domain Routing) range.

For details, see the AWS documentation:

• Working with VPCs and subnets

• VPC endpoints

• VPC endpoint services (AWS PrivateLink)

• Security groups for your VPC

Configure your VPC network

To access Snowflake via an AWS PrivateLink endpoint, it is necessary to create CNAME records in your DNS to resolve the appropriate endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function to the DNS name of your VPC endpoint.

The values to obtain from the output of SYSTEM$GET_PRIVATELINK_CONFIG depend on which Snowflake features you are accessing via private connectivity. For a description of the possible values, see Return values.

Note that the values for regionless-snowsight-privatelink-url and snowsight-privatelink-url allow access to Snowsight and the Snowflake Marketplace using private connectivity. However, additional configuration is needed if you want to enable URL redirects. For information, see Snowsight & Private Connectivity.

For additional help with DNS configuration, please contact your internal AWS administrator.

Important

The structure of the OCSP cache server hostname depends on the version of your installed clients, as described in Step 1 of Configuring Your Snowflake Clients (in this topic):

• If you are using the listed versions (or higher), use the form described above, which allows for better DNS resolution when you have multiple Snowflake accounts (e.g. dev, test, and production) in the same region. When updating client drivers and using OCSP with PrivateLink, update the firewall rules to allow the OCSP hostname.

• If you are using older client versions, then the OCSP cache server hostname takes the form ocsp.<region_id>.privatelink.snowflakecomputing.com (i.e. no account identifier).

• Note that your DNS record must resolve to private IP addresses within your VPC. If it resolves to public IP addresses, the record is not configured correctly.
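A check for the DNS requirement in the note above, added here as an example that is not part of the Snowflake documentation: it validates that every IPv4 address a privatelink CNAME resolves to lies in the RFC 1918 ranges a VPC uses, and fails on a public or malformed address. The hostname in the usage line is a placeholder, resolution relies on getent (assumed available), and the addresses checked by the tests are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Snowflake docs: verify that a privatelink hostname
# resolves only to private IPv4 addresses inside the VPC, as the note above requires.

# Return 0 if $1 is a dotted-quad address in 10/8, 172.16/12 or 192.168/16,
# 1 for a public address or anything that is not four octets of 0-255.
is_private_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  case "$1" in
    10) return 0 ;;
    172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
    192) if [ "$2" -eq 168 ]; then return 0; fi ;;
  esac
  return 1
}

# Return 0 only if at least one address was given and all of them are private;
# the first offending address is reported on stderr.
all_private() {
  [ $# -gt 0 ] || { echo "no addresses to check" >&2; return 1; }
  for addr in "$@"; do
    is_private_ipv4 "$addr" || { echo "not a private VPC address: $addr" >&2; return 1; }
  done
  return 0
}

# Resolve a hostname with getent (glibc; assumed available) and check the result.
# A CNAME to the VPC endpoint's DNS name yields only addresses from the VPC's CIDR;
# public addresses mean the record still points at the public Snowflake endpoint.
check_privatelink_dns() {
  host=$1
  addrs=$(getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u)
  [ -n "$addrs" ] || { echo "$host did not resolve" >&2; return 1; }
  # Word-splitting the newline-separated address list into arguments is intended.
  all_private $addrs
}

# Usage with a placeholder hostname (substitute a value from SYSTEM$GET_PRIVATELINK_CONFIG):
#   check_privatelink_dns "<account>.<region>.privatelink.snowflakecomputing.com"
```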

                                                                                                                  Create AWS VPC interface endpoints for Amazon S3¶

                                                                                                                  This step is required for Amazon S3 traffic from Snowflake clients to stay on the AWS backbone. The Snowflake clients (e.g. SnowSQL, JDBC driver) require access to Amazon S3 to perform various runtime operations.

                                                                                                                  If your AWS VPC network does not allow access to the public internet, you can configure private connectivity to internal stages or more gateway endpoints to the Amazon S3 hostnames required by the Snowflake clients.

                                                                                                                  Overall, there are three options to configure access to Amazon S3. The first two options avoid the public Internet and the third option does not:

                                                                                                                  1. Configure an AWS VPC interface endpoint for internal stages. This option is recommended.

                                                                                                                  2. Configure an Amazon S3 gateway endpoint. For more information, see the note below.

                                                                                                                  3. Do not configure an interface endpoint or a gateway endpoint. This results in access using the public Internet.

                                                                                                                  Attention

                                                                                                                  To prevent communications between an Amazon S3 bucket and an AWS VPC with Snowflake from using the public Internet, you can set up an Amazon S3 gateway endpoint in the same AWS region as the Amazon S3 bucket. The reason for this is AWS PrivateLink only allows communications between VPCs, and the Amazon S3 bucket is not included in the VPC.

                                                                                                                  You can configure the Amazon S3 gateway endpoint to limit access to specific users, S3 resources, routes, and subnets; however, Snowflake does not require this configuration. For more details, see Endpoints for Amazon S3.

To restrict the Amazon S3 gateway endpoint policies to only the Amazon S3 resources that Snowflake uses, choose one of the following options:

                                                                                                                  • Use the specific Amazon S3 hostname addresses used by your Snowflake account. For the complete list of hostnames used by your account, see SYSTEM$ALLOWLIST.

                                                                                                                  • Use an Amazon S3 hostname pattern that matches the Snowflake S3 hostnames. In this scenario, there are two possible types of connections to Snowflake, VPC-to-VPC or On-Premises-to-VPC.

                                                                                                                    Based on your connection type, note the following:

                                                                                                                    VPC-to-VPC:

                                                                                                                    Ensure the Amazon S3 gateway endpoint exists. Optionally modify the S3 gateway endpoint policy to match the specific hostname patterns shown in the Amazon S3 Hostnames table.

                                                                                                                    On-Premises-to-VPC:

If Amazon S3 traffic is not permitted through the public gateway, you must add the S3 hostname patterns to the firewall or proxy configuration.

                                                                                                                  The following table lists the Amazon S3 hostname patterns for which you may create gateway endpoints if you do not require them to be specific to your account’s Snowflake-managed S3 buckets:

Amazon S3 Hostnames                             Notes
----------------------------------------------  ---------------------------------------------------
All regions
  sfc-*-stage.s3.amazonaws.com:443
All regions other than US East
  sfc-*-stage.s3-<region_id>.amazonaws.com:443  The pattern uses a hyphen (-) before the region ID.
  sfc-*-stage.s3.<region_id>.amazonaws.com:443  The pattern uses a period (.) before the region ID.

                                                                                                                  For details about creating gateway endpoints, see Gateway VPC endpoints.
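The following is an added example, not Snowflake's or AWS's own code, showing how the two options above fit together: it takes the SYSTEM$ALLOWLIST output, keeps only the STAGE hosts that match the three hostname patterns in the table (no region, hyphen before the region ID, period before the region ID), recovers the S3 bucket name from each, and renders a gateway endpoint policy whose Resource list is limited to those buckets. It assumes SYSTEM$ALLOWLIST returns a JSON array of objects with "type", "host" and "port" keys; the sample allowlist embedded below is constructed, and the bucket names in it are invented.

```python
"""Restrict an S3 gateway endpoint policy to the Snowflake stage buckets
listed by SYSTEM$ALLOWLIST (added example; assumptions noted inline)."""
import json
import re

# The three hostname patterns from the table. The bucket name is the first
# label; the region, when present, is preceded by either "-" or ".".
STAGE_HOST = re.compile(
    r"^(?P<bucket>sfc-[a-z0-9-]+-stage)"
    r"\.s3(?:(?P<sep>[.-])(?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?"
    r"\.amazonaws\.com$"
)

# Constructed sample of SYSTEM$ALLOWLIST output (assumed shape; hosts invented).
SAMPLE_ALLOWLIST = json.dumps([
    {"type": "SNOWFLAKE_DEPLOYMENT", "host": "xy12345.us-west-2.snowflakecomputing.com", "port": 443},
    {"type": "STAGE", "host": "sfc-uw2-ds1-customer-stage.s3.amazonaws.com", "port": 443},
    {"type": "STAGE", "host": "sfc-uw2-ds1-customer-stage.s3.us-west-2.amazonaws.com", "port": 443},
    {"type": "STAGE", "host": "sfc-uw2-ds1-customer-stage.s3-us-west-2.amazonaws.com", "port": 443},
    {"type": "STAGE", "host": "sfc-uw2-ds1-lookup-stage.s3.us-west-2.amazonaws.com", "port": 443},
    {"type": "OCSP_CACHE", "host": "ocsp.snowflakecomputing.com", "port": 80},
])


def parse_stage_host(host):
    """Return (bucket, separator, region) for a Snowflake S3 stage hostname,
    or None if the host does not match any of the three patterns.
    A trailing :port (as in the table) is ignored."""
    host = re.sub(r":\d+$", "", host.strip().lower())
    m = STAGE_HOST.match(host)
    if not m:
        return None
    return m.group("bucket"), m.group("sep"), m.group("region")


def stage_buckets(allowlist_json):
    """Distinct S3 bucket names behind the STAGE entries of SYSTEM$ALLOWLIST.
    Hosts that are not S3 stage hosts are skipped rather than guessed at."""
    buckets = set()
    for entry in json.loads(allowlist_json):
        if entry.get("type") != "STAGE":
            continue
        parsed = parse_stage_host(entry["host"])
        if parsed is not None:
            buckets.add(parsed[0])
    return sorted(buckets)


def gateway_endpoint_policy(buckets):
    """Gateway endpoint policy allowing access only to the given buckets
    (bucket ARN plus its objects). The page only calls for restricting the
    resources, so the Action list is left unrestricted here."""
    resources = []
    for bucket in buckets:
        resources.append(f"arn:aws:s3:::{bucket}")
        resources.append(f"arn:aws:s3:::{bucket}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": resources,
        }],
    }


if __name__ == "__main__":
    policy = gateway_endpoint_policy(stage_buckets(SAMPLE_ALLOWLIST))
    print(json.dumps(policy, indent=2))
```

Feed the script the real SYSTEM$ALLOWLIST output from your account instead of the constructed sample; the resulting policy is the account-specific variant of the first option, while the `sfc-*-stage` wildcard form in the table is the pattern-based second option.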

                                                                                                                  Connect to Snowflake¶

Before connecting to Snowflake, you can optionally use SnowCD (Snowflake Connectivity Diagnostic tool) to evaluate the network connection to Snowflake over AWS PrivateLink.

                                                                                                                  For more information, see SnowCD and SYSTEM$ALLOWLIST_PRIVATELINK.

                                                                                                                  Otherwise, connect to Snowflake with your private connectivity account URL.

                                                                                                                  Note that if you want to connect to Snowsight via AWS PrivateLink, follow the instructions in the Snowsight documentation.

                                                                                                                  Blocking public access — Recommended¶

                                                                                                                  After testing private connectivity to Snowflake using AWS PrivateLink, you can optionally block public access to Snowflake. This means that users can access Snowflake only if their connection request originates from an IP address within a particular CIDR block range specified in a Snowflake network policy.

                                                                                                                  To block public access using a network policy:

                                                                                                                  1. Create a new network policy or edit an existing network policy. Add the CIDR block range for your organization.

                                                                                                                  2. Activate the network policy for your account.

                                                                                                                  For details, see Controlling network traffic with network policies.
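The following is an added example, not Snowflake's own code, covering the checks worth running before the two steps above and the SQL they amount to. It parses the CIDR ranges strictly, flags ranges so wide that the policy would not block public access at all, lists the client source addresses that the policy would reject (activating a policy that rejects your own connection locks you out), and renders the CREATE NETWORK POLICY and ALTER ACCOUNT statements. It assumes ALLOWED_IP_LIST and BLOCKED_IP_LIST are the policy's CIDR parameters and treats the blocked list as taking precedence; confirm that ordering against the network policy documentation linked above. All ranges and addresses below are constructed.

```python
"""Pre-flight checks and SQL for a network policy that blocks public access
(added example; ranges and addresses are constructed)."""
import ipaddress


def validate_cidrs(cidrs):
    """Parse each CIDR strictly so a typo such as 10.20.5.7/16 (host bits set)
    fails here instead of ending up in the policy."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_permitted(client_ip, allowed, blocked=()):
    """A client address passes when it lies in some allowed range and in no
    blocked range. Assumption: a blocked entry wins over an allowed one."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in validate_cidrs(blocked)):
        return False
    return any(ip in net for net in validate_cidrs(allowed))


def too_broad(allowed, min_prefix=16):
    """Allowed ranges wider than /min_prefix. An entry such as 0.0.0.0/0
    admits every address and defeats the purpose of the policy."""
    return [str(net) for net in validate_cidrs(allowed) if net.prefixlen < min_prefix]


def lockout_risk(source_ips, allowed, blocked=()):
    """The client source addresses that the policy would reject. Check this
    against the addresses your own sessions present before activating."""
    return [ip for ip in source_ips if not is_permitted(ip, allowed, blocked)]


def network_policy_sql(name, allowed, blocked=()):
    """Steps 1 and 2 from the page as SQL: create the policy with the
    organization's CIDR ranges, then activate it for the account."""
    def quoted(items):
        return ", ".join(f"'{item}'" for item in items)

    create = f"CREATE OR REPLACE NETWORK POLICY {name}\n  ALLOWED_IP_LIST = ({quoted(allowed)})"
    if blocked:
        create += f"\n  BLOCKED_IP_LIST = ({quoted(blocked)})"
    create += ";"
    activate = f"ALTER ACCOUNT SET NETWORK_POLICY = {name};"
    return [create, activate]


if __name__ == "__main__":
    allowed = ["10.20.0.0/16", "192.0.2.0/24"]           # constructed org ranges
    blocked = ["10.20.99.0/24"]                           # constructed exclusion
    sources = ["10.20.1.10", "10.20.99.5", "198.51.100.9"]  # constructed client IPs
    print("too broad:", too_broad(allowed))
    print("would be rejected:", lockout_risk(sources, allowed, blocked))
    print("\n".join(network_policy_sql("block_public_access", allowed, blocked)))
```

Run the checks with the ranges you intend to put in the policy and the source addresses your own sessions actually present to Snowflake; only once `lockout_risk` comes back empty for the administrator's address should the ALTER ACCOUNT statement be executed.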

                                                                                                                  Configuring your Snowflake clients¶

                                                                                                                  Ensure Snowflake clients support OCSP cache server¶

                                                                                                                  The Snowflake OCSP cache server mitigates connectivity issues between Snowflake clients and the server. To enable your installed Snowflake clients to take advantage of the OCSP server cache, ensure you are using the following client versions:

                                                                                                                  • SnowSQL 1.1.57 (or higher)

                                                                                                                  • Python Connector 1.8.2 (or higher)

                                                                                                                  • JDBC Driver 3.8.3 (or higher)

                                                                                                                  • ODBC Driver 2.19.3 (or higher)

                                                                                                                  Note

                                                                                                                  The Snowflake OCSP cache server listens on port 80, which is why you were instructed in Create and configure a VPC endpoint (VPCE) to configure your AWS PrivateLink VPCE security group to accept this port, along with port 443 (required for all other Snowflake traffic).

                                                                                                                  Specify hostname for Snowflake clients¶

                                                                                                                  Each Snowflake client requires a hostname to connect to your Snowflake account.

                                                                                                                  The hostname is the same as the hostname you specified in the CNAME record(s) in Configure your VPC network.

This step does not apply to accessing the Snowflake Marketplace.

                                                                                                                  For example, for an account named xy12345:

                                                                                                                  • If the account is in US West, the hostname is xy12345.us-west-2.privatelink.snowflakecomputing.com.

                                                                                                                  • If the account is in EU (Frankfurt), the hostname is xy12345.eu-central-1.privatelink.snowflakecomputing.com.

                                                                                                                  Important

                                                                                                                  The method for specifying the hostname differs depending on the client:

                                                                                                                  • For the Spark connector and the ODBC and JDBC drivers, specify the entire hostname.

                                                                                                                  • For all the other clients, do not specify the entire hostname.

                                                                                                                    Instead, specify the account identifier with the privatelink segment (i.e. <account_identifier>.privatelink), which Snowflake concatenates with snowflakecomputing.com to dynamically construct the hostname.

                                                                                                                  For more details about specifying the account name or hostname for a Snowflake client, see the documentation for each client.
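The following is an added example, not Snowflake's own code or any client's API, that encodes the rule in the Important note: for the Spark connector and the ODBC and JDBC drivers it derives the entire hostname, and for every other client it derives the account identifier with the privatelink segment. It also checks a value destined for a client's account parameter, catching the two mistakes that matter for private connectivity: a full hostname pasted where the identifier is expected, and an identifier without the privatelink segment, which would make the client resolve the public hostname instead of the PrivateLink one. The account name xy12345 and the two regions come from the page; the client names and helper functions are this example's own.

```python
"""Derive what each Snowflake client needs for a PrivateLink connection and
validate account-parameter values (added example; helper names are its own)."""

DOMAIN = "snowflakecomputing.com"
# Clients that, per the page, take the entire hostname.
FULL_HOSTNAME_CLIENTS = {"spark", "odbc", "jdbc"}


def privatelink_hostname(account, region):
    """<account>.<region>.privatelink.snowflakecomputing.com"""
    return f"{account}.{region}.privatelink.{DOMAIN}"


def privatelink_account_identifier(account, region):
    """<account>.<region>.privatelink; the client appends snowflakecomputing.com."""
    return f"{account}.{region}.privatelink"


def connection_target(account, region, client):
    """The value to configure for the given client: the entire hostname for
    Spark/ODBC/JDBC, the privatelink account identifier for everything else."""
    if client.lower() in FULL_HOSTNAME_CLIENTS:
        return privatelink_hostname(account, region)
    return privatelink_account_identifier(account, region)


def check_account_parameter(value):
    """Problems with a value meant for a client's account parameter; an empty
    list means it is acceptable."""
    problems = []
    if value.endswith("." + DOMAIN):
        problems.append("entire hostname given; drop the ." + DOMAIN + " suffix")
    if ".privatelink" not in value:
        problems.append("privatelink segment missing; client would resolve the public hostname")
    return problems


def check_hostname(value):
    """Problems with a value meant for a client that takes the entire hostname."""
    problems = []
    if not value.endswith(".privatelink." + DOMAIN):
        problems.append("hostname must end with .privatelink." + DOMAIN)
    return problems


if __name__ == "__main__":
    for region in ("us-west-2", "eu-central-1"):
        for client in ("jdbc", "python"):
            print(f"{client:6} {region:13} -> {connection_target('xy12345', region, client)}")
    print(check_account_parameter("xy12345.us-west-2"))
```

A useful place for `check_account_parameter` is wherever connection settings are assembled from configuration, so that a client silently falling back to the public endpoint is caught before the public-access block in the previous section turns it into a connection failure.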

                                                                                                                  Using SSO with AWS PrivateLink¶

                                                                                                                  Snowflake supports using SSO with AWS PrivateLink. For more information, see:

                                                                                                                  • SSO with private connectivity

                                                                                                                  • Partner applications

                                                                                                                  Using Client Redirect with AWS PrivateLink¶

                                                                                                                  Snowflake supports using Client Redirect with AWS PrivateLink.

                                                                                                                  For more information, see Redirecting client connections.

                                                                                                                  Using replication and Tri-Secret Secure with private connectivity¶

Snowflake supports replicating your data from the source account to the target account, regardless of whether Tri-Secret Secure or private connectivity is enabled in the target account.

                                                                                                                  Troubleshooting¶

                                                                                                                  Note the following Snowflake Community articles:

                                                                                                                  • How to retrieve a Federation Token from AWS for PrivateLink Self-Service

                                                                                                                  • FAQ: PrivateLink Self-Service with AWS

                                                                                                                  • Troubleshooting: Snowflake self-service functions for AWS PrivateLink
