Set up Openflow - Snowflake Deployment: Configure allowed domains for Openflow connectors¶
Openflow - Snowflake Deployments access external domain resources. Snowflake controls access to external domains using a network policy to either grant or deny access to specific domains.
This topic describes the process of creating a network policy to grant access to a specific domain. In addition, the known domains used by Openflow connectors are provided.
Two possible workflows exist for managing access to external domains:
Create a new network policy: Create a new network policy that defines the list of allowed domain/port combinations.
Alter an existing network policy: Alter an existing network policy to add a list of allowed domain/port combinations.
Create a network policy granting access to one or more domains¶
To create a new network policy that grants access to one or more domain/port combinations, execute a SQL statement similar to:
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY ALLOW_LIST_NETWORK_POLICY
ALLOWED_IP_LIST = ('<domain:port>', '<domain:port>');
For example, to allow Snowflake to access googleads.googleapis.com on port 443, execute the following:
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY GADS_ALLOW_LIST_NETWORK_POLICY
ALLOWED_IP_LIST = ('googleads.googleapis.com:443');
For more information, see CREATE NETWORK POLICY.
Alter an existing network policy granting access to one or more domains¶
To alter an existing network policy to grant access to one or more domain/port combinations, execute a SQL statement similar to the following. The list you provide replaces the policy's current list, so include every existing domain/port entry that should remain allowed:
USE ROLE SECURITYADMIN;
ALTER NETWORK POLICY GADS_ALLOW_LIST_NETWORK_POLICY SET
ALLOWED_IP_LIST = ('<existing domain:port>', '<existing domain:port>',
'googleads.googleapis.com:443');
Note
Use SHOW NETWORK POLICIES to list the existing network policies. Use DESCRIBE NETWORK POLICY to describe the properties of a specific network policy.
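The create, verify and extend workflow end to end, as an added example that is not part of the original page. It uses only domains from the connector list below; the policy name OPENFLOW_ADS_POLICY is a constructed placeholder.

```sql
-- Added example (not from the Snowflake docs page). Policy name is constructed.
USE ROLE SECURITYADMIN;

-- 1. Create one policy covering the Google Ads and Google Sheets connector domains.
CREATE NETWORK POLICY OPENFLOW_ADS_POLICY
  ALLOWED_IP_LIST = (
    'googleads.googleapis.com:443',
    'sheets.googleapis.com:443'
  );

-- 2. Confirm the policy exists and record its current allow list before changing it.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY OPENFLOW_ADS_POLICY;

-- 3. ALTER ... SET replaces the whole list: repeat every existing entry next to
--    the new LinkedIn Ads domains, otherwise the omitted entries are silently revoked.
ALTER NETWORK POLICY OPENFLOW_ADS_POLICY SET
  ALLOWED_IP_LIST = (
    'googleads.googleapis.com:443',
    'sheets.googleapis.com:443',
    'www.linkedin.com:443',
    'api.linkedin.com:443'
  );

-- 4. Re-check: the ALLOWED_IP_LIST property should now show all four entries.
DESCRIBE NETWORK POLICY OPENFLOW_ADS_POLICY;
```

Comparing the two DESCRIBE outputs is the quickest way to catch an entry that was dropped by mistake in step 3.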
Next step¶
Deploy a connector in a runtime. For a list of connectors available in Openflow, see Openflow connectors.
Domains used by Openflow connectors¶
The following domains are used by Openflow connectors and must be granted access through a network policy.
Amazon Ads¶
The following domains are used by the Amazon Ads connector.
advertising-api.amazon.com
advertising-api-eu.amazon.com
advertising-api-fe.amazon.com
api.amazon.com
api.amazon.co.uk
api.amazon.co.jp
Report location. For example, offline-report-storage-eu-west-1-prod.s3.eu-west-1.amazonaws.com is used to download reports.
The exact report URL location is not always known before creating a report. Snowflake recommends allow-listing all S3 regions:
*.s3.eu-west-[1-3].amazonaws.com
*.s3.eu-central-[1-2].amazonaws.com
*.s3.eu-north-1.amazonaws.com
*.s3.eu-south-[1-2].amazonaws.com
*.s3.il-central-1.amazonaws.com
For advertising-api-fe.amazon.com (Far East / APAC):
*.s3.ap-northeast-[1-3].amazonaws.com
*.s3.ap-south-[1-2].amazonaws.com
*.s3.ap-southeast-[1-7].amazonaws.com
*.s3.ap-east-[1-2].amazonaws.com
*.s3.me-south-1.amazonaws.com
*.s3.me-central-1.amazonaws.com
*.s3.af-south-1.amazonaws.com
The last domain is obtained from the report URL, which is returned after the report is ready to fetch. This is the Amazon S3 bucket where the report is stored. Customers need to specify their own AWS region, for example us-east-1 or eu-west-1, and a specific bucket. Because it may not be possible to know the exact region and bucket in advance, Snowflake suggests using wildcards and listing all possible regions for a given location.
AWS Secret Manager¶
The following domains are used by the AWS Secret Manager connector.
secretsmanager.us-west-2.amazonaws.com
sts.us-west-2.amazonaws.com
aws.amazon.com
amazonaws.com
Box¶
The following domains are used by the Box connector.
api.box.com
box.com
Confluence¶
The following domains are used by the Confluence connector.
Customer-specific domain name, such as https://company-name.atlassian.net/
For OAuth, https://atlassian.company-name.com/
Microsoft Dataverse¶
The following domains are used by the Dataverse connector.
Customer-specific domain name, such as org12345467.crm.dynamics.com
For OAuth, login.microsoftonline.com
Google Ads¶
The following domains are used by the Google Ads connector.
googleads.googleapis.com:443
Google Drive¶
The following domains are used by the Google Drive connector:
drive.google.com
www.googleapis.com
oauth2.googleapis.com
Google Sheets¶
The following domains are used by the Google Sheets connector.
sheets.googleapis.com:443
Hubspot¶
The following domains are used by the HubSpot connector.
api.hubapi.com
Jira Cloud¶
The following domains are used by the Jira Cloud connector.
Customer-specific domain name, for example company-name.atlassian.net
api.atlassian.com
Kafka¶
The following domains are used by the Kafka connector.
Customer Kafka bootstrap servers and all Kafka brokers
Kinesis¶
The following domains are used by the Kinesis connector.
AWS region dependent. For example, for us-west-2:
kinesis.us-west-2.amazonaws.com
kinesis-fips.us-west-2.api.aws
kinesis-fips.us-west-2.amazonaws.com
kinesis.us-west-2.api.aws
*.control-kinesis.us-west-2.amazonaws.com
*.control-kinesis.us-west-2.api.aws
*.data-kinesis.us-west-2.amazonaws.com
*.data-kinesis.us-west-2.api.aws
dynamodb.us-west-2.amazonaws.com
monitoring.us-west-2.amazonaws.com:80
monitoring.us-west-2.amazonaws.com:443
monitoring-fips.us-west-2.amazonaws.com:80
monitoring-fips.us-west-2.amazonaws.com:443
monitoring.us-west-2.api.aws:80
monitoring.us-west-2.api.aws:443
LinkedIn Ads¶
The following domains are used by the LinkedIn Ads connector.
www.linkedin.com:443
api.linkedin.com:443
Meta Ads¶
The following domains are used by the Meta Ads connector.
graph.facebook.com
MySQL¶
The following domains are used by the MySQL connector.
Customer-specific domain and port combination.
PostgreSQL¶
The following domains are used by the PostgreSQL connector.
Customer-specific domain and port combination.
Slack¶
The following domains are used by the Slack connector.
slack.com
api.slack.com
SQL Server¶
The following domains are used by the SQL Server connector.
Customer-specific domain and port combination.
Workday¶
The following domains are used by the Workday connector.
Customer-specific domain and port combination. For example, company-domain.tenant.myworkday.com:443.
To obtain the domain, you can use the report URL (the base URL is always the same).