Network Policies

Network policies provide options for managing network configurations to the Snowflake service.

Network policies allow restricting access to your account based on user IP address. Effectively, a network policy enables you to create an IP allowed list, as well as an IP blocked list, if desired.

Overview

By default, Snowflake allows users to connect to the service from any computer or device IP address. A security administrator (or higher) can create a network policy to allow or deny access to a single IP address or a list of addresses. Network policies currently support only Internet Protocol version 4 (i.e. IPv4) addresses.

An administrator with sufficient permissions can create any number of network policies. A network policy is not enabled until it is activated at the account or individual user level. To activate a network policy, modify the account or user properties and assign the network policy to the object. Only a single network policy can be assigned to the account or a specific user at a time.

CIDR Notation

Snowflake supports specifying ranges of IP addresses using Classless Inter-Domain Routing (i.e. CIDR) notation. In CIDR notation, the optional subnet is expressed as a decimal number that represents the prefix length:

ip_address[/prefix_length]

For example, 192.168.1.0/24 represents all IP addresses in the range of 192.168.1.0 to 192.168.1.255.

Examples of Allowed / Blocked Address Lists

Snowflake does not allow setting a network policy that blocks your current IP address. An error message results while trying to create a network policy that blocks the current IP address.

The following are representative examples to define allowed and blocked IP address ranges using a Snowflake network policy.

Allow all IP addresses in the range of 192.168.1.0 to 192.168.1.255, except 192.168.1.99, which is explicitly blocked. In addition, all other IP addresses are blocked:

- Allowed IP Addresses: 192.168.1.0/24
- Blocked IP Addresses: 192.168.1.99

Allow only the 192.168.1.0 and 192.168.1.100 IP addresses to access your account:

- Allowed IP Addresses: 192.168.1.0,192.168.1.100
- Blocked IP Addresses: N/A

Assuming the current IP address is 192.168.1.0, block all other IP addresses.

- Allowed IP addresses: 192.168.1.0
- Blocked IP addresses: 192.168.1.0/0

Important

If the CIDR notation in the allowed or blocked IP address uses /0 as the prefix_length, then Snowflake evaluates that CIDR notation as 0.0.0.0.

IP addresses with the /0 prefix_length are valid, however, exercise caution with this notation. Depending on the network policy, using the 0 prefix could result in allowing all IP addresses or blocking all but the current IP address.

Bypassing a Network Policy

It is possible to temporarily bypass a network policy for a set number of minutes by configuring the user object property MINS_TO_BYPASS_NETWORK_POLICY, which can be viewed by executing DESCRIBE USER. Only Snowflake can set the value for this object property. Please contact Snowflake Support to set a value for this property.

Creating Network Policies

Note

Only security administrators (i.e. users with the SECURITYADMIN role) or higher or a role with the global CREATE NETWORK POLICY privilege can create network policies. Ownership of a network policy can be transferred to another role.

You can create a network policy using Snowsight, the classic web interface, or SQL:

Snowsight
  1. Click Admin » Security » Network Policies.

  2. Click the + Network Policy button in the top-right corner of the page. The New network policy dialog opens.

  3. Specify the following properties:

    Policy Name
      Identifier for the network policy; must be unique for your account.

      The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

      For more details, see Identifier Requirements.

    Allowed IP Addresses
      Comma-separated list of one or more IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list. Snowflake automatically blocks all IP addresses not included in the allowed list.

      Each IP address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation.

      For information, see CIDR Notation (in this topic). For examples, see Examples of Allowed / Blocked Address Lists (in this topic).

    Blocked IP Addresses
      Comma-separated list of one or more IPv4 addresses that are denied access to your Snowflake account. This is referred to as the blocked list.

      Set this parameter only when you are allowing access to a range of IP addresses in the Allowed IP Addresses list and want to deny access to one or more IP addresses within the range.

      Each IP address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation.

      For information, see CIDR Notation (in this topic). For examples, see Examples of Allowed / Blocked Address Lists (in this topic).

    Comment
      Specifies a comment for the network policy.

  4. Click the Create network policy button.

Classic Web Interface
  1. Click the Account tab » Policies. The Policies page appears.

  2. Click the Create button. The Create Network Policy dialog appears.

  3. In the Name field, enter a name for the network policy.

  4. In the Allowed IP Addresses field, enter one or more IPv4 addresses that are allowed access to this Snowflake account, separated by commas.

    Note

    To block all IP addresses except for a set of specific addresses, you only need to define an allowed IP address list. Snowflake automatically blocks all IP addresses not included in the allowed list.

  5. In the Blocked IP Addresses field, optionally enter one or more IPv4 addresses that are denied access to this Snowflake account, separated by commas. Note that this field is not required and is used primarily to deny specific addresses in a range of addresses in the allowed list.

    Caution

    • When a network policy includes values in both the allowed and blocked IP address lists, Snowflake applies the blocked IP address list first.

    • Do not add 0.0.0.0/0 to the blocked IP address list. 0.0.0.0/0 is interpreted to be “all IPv4 addresses on the local machine”. Because Snowflake resolves this list first, this would block your own access. Also, note that it is not necessary to include this IP address in the allowed IP address list.

  6. Enter other information for the network policy, as needed, and click Finish.

SQL

Execute a CREATE NETWORK POLICY statement.
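The first scenario from Examples of Allowed / Blocked Address Lists, written as the SQL a security administrator would run, followed by a later edit of the same policy. This is an added example, not from the Snowflake documentation; the policy name, comment and second office range are assumed values.

```sql
-- Added example (not from the Snowflake docs). Policy name, comment and the
-- 10.20.30.0/24 range are assumed values.
USE ROLE SECURITYADMIN;

-- Allow the whole 192.168.1.0/24 range except one host. Everything outside the
-- allowed list is denied by default, so no "block the rest" entry is needed.
-- The blocked list is evaluated before the allowed list, which is what makes
-- a single exception inside an allowed range work.
CREATE NETWORK POLICY corp_office_only
  ALLOWED_IP_LIST = ('192.168.1.0/24')
  BLOCKED_IP_LIST = ('192.168.1.99')
  COMMENT = 'Office range only; 192.168.1.99 explicitly excluded';

-- Creating the policy does not enforce it; it must still be activated at the
-- account or user level. Review what was stored before activating anything.
DESCRIBE NETWORK POLICY corp_office_only;

-- Later change: add a second office range. SET replaces the whole list, so the
-- original range must be repeated, not just the new one.
ALTER NETWORK POLICY corp_office_only SET
  ALLOWED_IP_LIST = ('192.168.1.0/24', '10.20.30.0/24');
```

Creating or altering the policy fails with an error if the resulting lists would block the IP address of the session issuing the statement.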

Viewing Network Policies

View information about the network policies through Snowsight, the classic web interface, or using SQL:

Note

Only the role with the OWNERSHIP privilege on the network policy, or a higher role, can view details on the network policy.

Snowsight

Select Admin » Security » Network Policies » <policy_name>.

Classic Web Interface

Click the Account tab » Policies » <policy_name>.

SQL

Execute one of the following statements:

Activating a Network Policy for Your Account

To enforce a network policy for all users in your Snowflake account, activate the network policy for your account.

Note

If a network policy is activated for an individual user, the user-level network policy takes precedence. For information about activating network policies at the user level, see Activating Network Policies for Individual Users (in this topic).

Note

This action is limited to either of the following roles:

  • Security administrators (i.e. users with the SECURITYADMIN role), or a higher role.

  • A role that has been granted the global ATTACH POLICY privilege.

Once the policy is associated with your account, Snowflake restricts access to your account based on the allowed IP address list and blocked IP address list. Any user who attempts to log in from an IP address restricted by the rules is denied access. In addition, when a network policy is associated with your account, any restricted users who are already logged into Snowflake are prevented from executing further queries.

A security administrator (or higher) can create multiple network policies; however, only one network policy can be associated with an account at any one time. Associating a network policy with your account automatically removes the currently-associated network policy (if any).

Note that your current IP address must be included in the allowed IP addresses list in the policy. Otherwise, when you activate the policy, Snowflake returns an error. In addition, your current IP address cannot be included in the blocked IP addresses list.

You can associate a network policy with your account using Snowsight, the classic web interface, or SQL:

Snowsight
  1. Click Admin » Security » Network Policies.

  2. Click the Activate Policy button to the right of the policy that you are activating.

Classic Web Interface
  1. Click the Account tab » Policies.

  2. Click on a policy to select it and populate the side panel on the right.

  3. Click the Activate button in the right panel.

SQL

Execute an ALTER ACCOUNT statement that sets the network policy using the NETWORK_POLICY account parameter.

Activating Network Policies for Individual Users

To enforce a network policy for a specific user in your Snowflake account, activate the network policy for the user. Only a single network policy can be activated for each user at a time; however, different network policies can be activated for different users for granular control. Associating a network policy with a user automatically removes the currently-associated network policy (if any).

Note

Only the role with the OWNERSHIP privilege on both the user and the network policy, or a higher role, can activate a network policy for an individual user.

Once the policy is associated with the user, Snowflake restricts access to the user based on the allowed IP address list and blocked IP address list. If the user with an activated user-level network policy attempts to log in from an IP address restricted by the rules, the user is denied access to Snowflake.

In addition, when a user-level network policy is associated with the user and the user is already logged into Snowflake, if the user’s IP address does not match the user-level network policy rules, Snowflake prevents the user from executing further queries.

To activate a network policy for an individual user, set the NETWORK_POLICY parameter for the user using ALTER USER.
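Account-level activation (described under Activating a Network Policy for Your Account) and the user-level override described here, together with the parameter checks that confirm which policy is in effect. This is an added example, not from the Snowflake documentation; the policy and user names are assumed.

```sql
-- Added example (not from the Snowflake docs). corp_office_only, etl_runner_only
-- and etl_service are assumed names.
USE ROLE SECURITYADMIN;

-- Account level: applies to every user that has no user-level policy.
-- Snowflake returns an error if the current session's IP address is not in the
-- allowed list, so an administrator cannot lock out their own session.
ALTER ACCOUNT SET NETWORK_POLICY = corp_office_only;

-- User level: a narrower policy for one service account. This takes precedence
-- over the account policy for that user only, and requires OWNERSHIP on both the
-- user and the policy (or a higher role).
ALTER USER etl_service SET NETWORK_POLICY = etl_runner_only;

-- Verify which policy is in effect at each level. Expect corp_office_only for
-- the account and etl_runner_only for the user.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
SHOW PARAMETERS LIKE 'network_policy' IN USER etl_service;

-- Remove the user-level override; the account policy applies to the user again.
ALTER USER etl_service UNSET NETWORK_POLICY;
```

Activating either policy also cuts off already-authenticated sessions whose IP address no longer matches, so verify the allowed ranges against active connections before running these statements.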

Modifying Network Policies

Network policies can be modified through Snowsight, the classic web interface, or SQL, specifically to add or remove IP addresses from the list of allowed and blocked addresses.

For descriptions of the network policy properties, see Creating Network Policies (in this topic).

Snowsight
  1. Click Admin » Security » Network Policies.

  2. Click the actions button in the row for a network policy » Edit Policy. The Edit Policy dialog opens.

  3. Edit any of the properties.

  4. Click the Save changes button.

Classic Web Interface
  1. Click the Account tab » Policies.

  2. Click on a policy to select it and populate the side panel on the right.

  3. Click the Edit button in the right panel.

  4. Modify the fields as necessary:

    • To remove an IP address from the Allowed IP Addresses or Blocked IP Addresses list, click the x next to the entry.

    • To add an IP address to either list, enter one or more comma-separated IPv4 addresses in the appropriate field, and click the Add button.

  5. Click Save.

SQL

Execute an ALTER NETWORK POLICY statement.

Identifying a Network Policy Activated at the Account or User Level

To determine whether a network policy is set on your account or for a specific user, execute the SHOW PARAMETERS command.

Account:

  SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

User:

  SHOW PARAMETERS LIKE 'network_policy' IN USER <username>;

For example:

SHOW PARAMETERS LIKE 'network_policy' IN USER jsmith;

Using Replication with Network Policies

Snowflake supports replicating the network policies from the source account to the target account, and also supports using failover/failback with network policies.

Regarding user-level network policies in the source account, note the following:

  • Snowflake does replicate references (i.e. assignments) from the source account to the target account.

  • For the user-level network policy in the source account to be assigned to the same user in the target account:

    • The user must already exist in the target account prior to replicating the network policy, or

    • The replication group must specify USERS and NETWORK POLICIES in the same statement, using either CREATE REPLICATION GROUP or ALTER REPLICATION GROUP.

      Similarly, if using failover/failback, the failover group must also specify USERS and the database (via ALLOWED_DATABASES) containing the password policy in the same statement, using either CREATE FAILOVER GROUP or ALTER FAILOVER GROUP.

For details, see Replication of Security Integrations & Network Policies Across Multiple Accounts.
