Introduction to private connectivity

This topic summarizes concepts of private connectivity in Snowflake. Additional topics summarize how to manage the private connectivity resources to connect to these external services and the list of Snowflake features that support private connectivity resources.

About private connectivity

Your connection to Snowflake can be routed over the public Internet or through a private IP address associated with the cloud platform that hosts your Snowflake account. The main advantage of these private connectivity offerings is enhanced security: the private IP address belongs to a private network in the cloud platform, so the traffic does not traverse the public Internet.

Your private connectivity options are as follows:

To the Snowflake Service

When the routing is through a private IP address from your VPC or VNet to the Snowflake VPC or VNet, that is private connectivity to the Snowflake Service. These connections use AWS PrivateLink, Azure Private Link, or Google Cloud Private Service Connect, depending on the cloud platform that hosts your Snowflake account.

To internal stages

Similarly, you can use private connectivity to connect to Snowflake internal stages for accounts on AWS and Azure. This is private connectivity to Snowflake internal stages.

To external services

You can connect to services that Snowflake does not implement directly. These connections start in the VPC or VNet that hosts your Snowflake account and point to a different location. Some examples include calling an external function or using Snowflake Connectors. When these connections are routed through a private IP address, that is private connectivity to an external service. When you configure these features, Snowflake handles the DNS updates and related networking for you.

Billing and pricing

There is an additional billing charge to use private connectivity to external services. You pay for the private connectivity endpoint and any data processed. These charges are aggregated and appear as Outbound Privatelink in your bill.

For the list of currently supported features, see Features that can use private connectivity to an external service.

Basic workflow

Each external service feature has its own prerequisites and configuration procedures to set up Snowflake and the external service. However, there are common steps to establish private connectivity to the external service.

For example, a Snowflake account administrator (a user with the ACCOUNTADMIN role) or a user who has a role with the appropriate privileges can do the following:

  1. Complete any prerequisite configuration for the external feature or service.

  2. In Snowflake, provision a private connectivity endpoint to connect to the external service.

  3. Authorize the private connectivity endpoint.

  4. Retrieve the private connectivity endpoint URL that points to the external service.

  5. Integrate the private connectivity endpoint URL into the Snowflake configuration of your external service feature.

  6. Deprovision private connectivity endpoints that are not actively being used to avoid cloud platform limitations.

Tip

These steps are self-service but might require collaboration with different parties to complete the setup. Consult with the administrators that own the different services before starting.

Where these steps fall within the overall setup depends on the external service. For details, refer to the configuration procedure for each external service.
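The workflow above expressed as SQL, as an added example that is not part of the Snowflake documentation page. It assumes the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT, SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO and SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system functions with the argument shapes shown, and the JSON field names used in the status query; the service name, hostname and endpoint ID are constructed placeholders. Verify the function signatures against the reference for your cloud platform before running.

```sql
-- Added example (not from the Snowflake docs): steps 2 through 6 of the
-- basic workflow for private connectivity to an external service.
-- Assumptions: the SYSTEM$ function signatures and the JSON field names
-- below; all literal values are constructed placeholders.
USE ROLE ACCOUNTADMIN;

-- Step 2: provision a private connectivity endpoint. On AWS the arguments
-- are the PrivateLink service name and the hostname that Snowflake should
-- resolve to the private IP (on Azure the arguments are a resource ID and
-- a sub-resource name instead).
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0',  -- placeholder
  'api.example-partner.internal'                              -- placeholder
);

-- Step 3 is performed by the owner of the external service, who accepts
-- the pending connection request on the cloud platform side.
-- Step 4: poll until the endpoint is approved and read back its ID and
-- the hostname that points to the external service.
SELECT f.value:endpoint_id::STRING AS endpoint_id,   -- field name assumed
       f.value:host::STRING        AS host,          -- field name assumed
       f.value:status::STRING      AS status         -- field name assumed
FROM TABLE(FLATTEN(
       INPUT => PARSE_JSON(SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO()))) f;

-- Step 5: use the returned host in the feature-specific configuration
-- (for example, the API integration of an external function).

-- Step 6: deprovision endpoints that are no longer used. On Azure a
-- deprovisioned endpoint still counts toward the per-account limit for
-- 7 days, so clean up early.
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '<endpoint_id returned by the query above>'  -- placeholder
);
```

Each provisioned endpoint is a standing path out of the Snowflake VPC or VNet, so the status query doubles as an inventory check for endpoints that should have been deprovisioned.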

Scaling considerations

The following table summarizes known limitations associated with cloud providers regarding private connectivity to an external service.

Cloud platform | Limit | Notes
-------------- | ----- | -----
Azure | Resource scoped endpoint | There must be a 1:1 mapping between the private endpoint, the resource to which the endpoint connects, and the VNet that hosts your Snowflake account.
Azure | Endpoint resource uniqueness | If a private endpoint is already authorized for a resource, you cannot create a new private endpoint and authorize it for the same resource. If you want to have a different private endpoint authorized for the resource, deprovision the existing private endpoint and then authorize the other private endpoint.
Azure | 5 active private endpoints per Snowflake account plus all private endpoints that are deprovisioned within 7 days. |