Allowing the VNet Subnet IDs

This topic describes how an Azure administrator in your organization can explicitly grant Snowflake access to your Microsoft Azure storage account (i.e. your containers and the objects in those containers). The process involves allowing the Azure Virtual Network (VNet) subnet IDs for your Snowflake account.

Completing these instructions is required only if Azure storage firewall is configured to block all unauthorized traffic to your Azure storage account.

Important

This security feature currently requires that your storage account is located in the same Azure region as your Snowflake account.

To allow the Snowflake VNet subnet IDs:

  1. Log into your Snowflake account using any supported client.

  2. Execute USE ROLE to set ACCOUNTADMIN as the active role for the user session.

    USE ROLE ACCOUNTADMIN;
    
  3. Query the SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO function to retrieve the IDs of the VNet subnet in which your Snowflake account is located:

    SELECT SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO();
    

    Record the VNet subnet IDs returned by the query.

  4. Log into your preferred Azure command line interface.

  5. Execute the following command to allow each of the Snowflake VNet subnet IDs to access your storage account:

    $ az storage account network-rule add --account-name <account_name> --resource-group myRG --subnet "<snowflake_vnet_subnet_id>"
    

    Where:

    • account_name is the name of the Azure storage account you are granting access to Snowflake.

    • snowflake_vnet_subnet_id is the first of the VNet subnet IDs returned by the SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO function. Execute the command once for each VNet subnet ID.

    For example:

    $ az storage account network-rule add --account-name my_storage_account --resource-group myRG --subnet "/subscriptions/abcd1234-0123-456e-78f9-1a2bcde3ef4g5/resourceGroups/otherRG/providers/Microsoft.Network/virtualNetworks/otherVNET/subnets/default"
    

    Note

    The Azure client may return an error similar to the following:

    Unable retrieve endpoint status for one or more subnets. Status 'insufficent permissions' indicates lack of subnet read permissions ('Microsoft.Network/virtualNetworks/subnets/read').
    

    The error indicates that your Azure storage account may not initiate connections to Snowflake because those permissions are not granted. You can ignore this error. It will not block the allow feature.

For additional options for managing your virtual network rules, see the Azure documentation.

For help with this configuration process or any of the other Azure configuration steps, please contact the Azure administrator for your organization.

Next: Configuring an Azure Container for Loading Data