Securing ingress of Snowflake requests with egress IP addresses¶

Support for this feature is available only for external access on AWS.

You can securely allow ingress access from Snowflake to your external resources by allowing egress IP address ranges generated from Snowflake through the resource’s network firewall.

You can generate a list of Snowflake egress IP address ranges (as Classless Inter-Domain Routing (CIDR) addresses) that you can use to represent Snowflake in allowing access through your external server’s network firewall.

Supported uses¶

Using egress IP addresses you generate with Snowflake, you can allow ingress access from the following Snowflake features:

External access from UDFs and procedures
Snowpark Container Services external access and Snowflake Openflow on Snowpark Container Services

Generate egress IP address ranges¶

You can generate IP address ranges that Snowflake uses for egress traffic by using the SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES function.

The generated IP addresses expire, so for ongoing needs you should set up a means to automate refreshing your external server’s firewall with fresh egress IP addressess, as described in Automate IP address range refreshes.

To generate and use Snowflake egress IP addresses, follow these steps:

Call SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES to get the current and upcoming IP ranges and their expiration times.

The following code shows example output of the function.

SELECT SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES();

Copy

{
  "ipv4_prefix": "153.45.150.0/24",
  "expires" : "2025-06-30T23:59:59Z"
},
{
  "ipv4_prefix": "153.45.151.0/24",
  "expires" : "2025-06-30T23:59:59Z"
}

Copy

Use the IP ranges you obtain to update firewall rules by using APIs, CLIs, or configuration management tools, as described in Automate IP address range refreshes.

Automate IP address range refreshes¶

Snowflake egress IP addresses expire. To keep access secure, you must update the Snowflake egress IP addresses allowed through your external server’s firewall so that they’re current.

To keep IP addresses fresh, implement a mechanism to trigger these updates to your external server regularly, such as daily or weekly. You might do this, for example, by using your environment’s tools.

To make updates, follow these steps in your script:

Retrieve Snowflake egress IP address ranges by using SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES.
Compare the newly-retrieved ranges with those you’re currently using.

You can avoid unnecessary changes by only making updates if the address ranges are different.
- If they aren’t different, have your script use expiration dates to set a time to check again, such as a few days before the expiration.
- If the newly-retrieved list is different, update your firewall rule programmatically with the new addresses. You can then have the script set a new date to check, such as a few days before the new expiration.
Log changes made by the script and set up alerts on successful updates or failures.

Automate updates using your environment’s tools¶

You can automate the tasks needed to keep Snowflake IP addresses fresh by using scripts and tools. The following describes two examples:

Scripting with APIs and CLIs on cloud providers such as AWS, Azure, and Google Cloud.

For cloud environments, you can write scripts by using tools such as Python, PowerShell, and Bash. Your tools can perform the following tasks:
1. Call SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES to retrieve the latest IP address ranges and expiration dates.
2. Use the cloud provider’s API or CLI to update security group rules, network ACLs, or firewall policies.
3. Schedule scripts that perform these actions to run periodically (such as daily or weekly) or based on expiry dates using cron jobs. You can run these by using stored procedures with Snowflake tasks.
Infrastructure-as-code (IaC) tools

You can use tools such as Terraform, Ansible, or CloudFormation to manage firewall rules as code. The approach described below also provides version control and audit trails for firewall rule changes.

Using these tools, you can perform the following tasks:
1. Define firewall rules in IaC configurations.
2. Call SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES to retrieve the latest IP address ranges and expiration dates.
3. When new Snowflake egress IP ranges are available, update your IaC configuration with the new ranges.
4. Apply the changes by using your IaC tool, ensuring that firewall rules are updated programmatically and idempotently.