Manage private connectivity endpoints: AWS¶
This topic provides information on how to manage private connectivity endpoints for use with outbound private connectivity to AWS.
Provision private connectivity endpoints¶
You can use the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create a private connectivity endpoint by specifying the service or resource, and the hostname. You must use the ACCOUNTADMIN role when using this system function.
Note
If you are using private connectivity for an external stage or external volume, you must use a wildcard character (*) when specifying the hostname. Using the wildcard does not mean that all S3 buckets are accessed over a private connection. Only buckets referenced by a Snowflake object that is enabled for private connectivity (that is, the external stage or external volume) can be accessed via the VPC endpoint.
The SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function accepts a provider service name and host name as its arguments. You can obtain these values by using the describe-vpc-endpoint-services subcommand from the AWS command line. As described in the AWS documentation, this AWS subcommand returns a JSON object with a ServiceName field and a PrivateDnsName field. Use the following table to determine which values to use for the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function:
SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument | Value from describe-vpc-endpoint-services output
---|---
provider_service_name | ServiceName
host_name | PrivateDnsName. If you are using private connectivity for external stages or external volumes, you must use the value with a wildcard.
For example, to create a PrivateLink with external access to Amazon S3, execute the following SQL statement to configure an endpoint for us-west-2:
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
'com.amazonaws.us-west-2.s3',
'*.s3.us-west-2.amazonaws.com'
);
If the target service is a VPC endpoint service, the endpoint service needs to allow Snowflake to connect to it. Before creating an endpoint, add the value of privatelink-account-principal from the output of SYSTEM$GET_PRIVATELINK_CONFIG as an allowed principal of the VPC endpoint service.
The following SQL statement configures an endpoint to a VPC endpoint service. Note that the service must be in the same region as your Snowflake account:
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
'com.amazonaws.vpce.us-west-2.vpce-svc-012345678910f1234',
'my.onprem.storage.com'
);
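The mapping from describe-vpc-endpoint-services output to the two function arguments, as an added Python example that is not part of the Snowflake documentation. It parses a constructed sample of the AWS CLI output (the field layout is assumed to follow the CLI's ServiceDetails array; the values are made up), maps ServiceName to provider_service_name and PrivateDnsName to host_name, refuses a hostname without the wildcard when the endpoint is meant for an external stage or external volume, and emits the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT statement to run as ACCOUNTADMIN. The function names are this example's own.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoint-services` output for two
# services. Field names follow the AWS CLI's ServiceDetails layout (assumed here);
# the values are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ServiceDetails": [
        {
            "ServiceName": "com.amazonaws.us-west-2.s3",
            "ServiceType": [{"ServiceType": "Interface"}],
            "PrivateDnsName": "*.s3.us-west-2.amazonaws.com",
            "VpcEndpointPolicySupported": True,
        },
        {
            "ServiceName": "com.amazonaws.us-west-2.ec2",
            "ServiceType": [{"ServiceType": "Interface"}],
            "PrivateDnsName": "ec2.us-west-2.amazonaws.com",
            "VpcEndpointPolicySupported": True,
        },
    ]
})


def find_service(describe_output: str, service_name: str) -> dict:
    """Return the ServiceDetails entry whose ServiceName matches, or raise LookupError."""
    details = json.loads(describe_output).get("ServiceDetails", [])
    for entry in details:
        if entry.get("ServiceName") == service_name:
            return entry
    raise LookupError(f"service {service_name!r} not found in describe-vpc-endpoint-services output")


def has_wildcard_prefix(private_dns_name: str) -> bool:
    """A PrivateDnsName of the form *.<service>.<region>.amazonaws.com carries the
    wildcard that an external stage or external volume endpoint requires."""
    return private_dns_name.startswith("*.")


def sql_literal(value: str) -> str:
    """Single-quote a SQL string literal, doubling any embedded quote. The values come
    from AWS output, so do not trust them to be quote-free."""
    return "'" + value.replace("'", "''") + "'"


def provision_statement(describe_output: str, service_name: str,
                        *, for_stage_or_volume: bool) -> str:
    """Build the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT call for one service.

    ServiceName becomes provider_service_name and PrivateDnsName becomes host_name.
    When the endpoint backs an external stage or external volume, the hostname must
    carry the wildcard; rather than emit a statement that would silently break that
    rule, raise so the operator can pick the wildcard DNS name instead.
    """
    entry = find_service(describe_output, service_name)
    host_name = entry.get("PrivateDnsName")
    if not host_name:
        raise ValueError(f"{service_name} has no PrivateDnsName to use as host_name")
    if for_stage_or_volume and not has_wildcard_prefix(host_name):
        raise ValueError(
            f"external stage/volume endpoints need a wildcard hostname, got {host_name!r}")
    return (f"SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT("
            f"{sql_literal(service_name)}, {sql_literal(host_name)});")


if __name__ == "__main__":
    print(provision_statement(SAMPLE_DESCRIBE_OUTPUT, "com.amazonaws.us-west-2.s3",
                              for_stage_or_volume=True))
```

The statement it prints for the S3 entry is the same one shown earlier in this section; for the EC2 entry with `for_stage_or_volume=True` it raises, because ec2.us-west-2.amazonaws.com has no wildcard prefix.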
After you create an endpoint, there is a delay before you can use the endpoint. For information about checking the status of a created endpoint, see SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO.
Set up connectivity to an endpoint that can’t be accessed directly¶
Not every service allows Snowflake to connect directly to specific instances through an interface endpoint. In these cases, you can instead enable access to the service by setting up a proxy and exposing the service as a VPC endpoint service.
For a walkthrough specific to Amazon RDS, see the blog post Connecting To Amazon RDS Using Private Connectivity from Snowflake.
Discover whether a service is available for direct access¶
Snowflake can usually access an AWS service directly through private connectivity if one of the following is true:
The DNS name of the service (its PrivateDnsName value from the output of AWS DescribeVpcEndpointServices) is prefixed with a wildcard. If the service's DNS name starts with a wildcard character (*), it's likely that AWS supports directly accessing individual resources on that service. The DNS name is usually in this form: *.<service>.<region>.amazonaws.com
The service is purely data-plane. AWS Bedrock Runtime is an example.
To discover this about a given service, see the AWS documentation and blog posts.
Access a service when direct access is not available¶
When a service is not available through direct access via an interface endpoint, you can enable access to the service by setting up a proxy and exposing the service as a VPC endpoint service.
Examples of such services include the following:
Amazon EC2 instances at ec2.us-west-2.amazonaws.com
Amazon Relational Database Service (RDS) servers at rds.us-west-2.amazonaws.com
Set up AWS for access through a proxy¶
To expose a service instance through a proxy, you set up a virtual private cloud (VPC) and load balancer on AWS, then create a Snowflake private link endpoint using the service name and load balancer DNS name of the AWS endpoint service.
The following describes the basic steps:
1. On AWS, create a virtual private cloud (VPC) with subnets spanning three different availability zones. Choose initial availability zones (for example, az1 and az2) for your resources; Snowflake might not support newer AZs in some regions. Ensure that endpoints and other resources are created in the same availability zones to avoid cross-zone traffic.
2. In network settings for the service instance you want to access, ensure that the instance is in the VPC you created.
3. Create a target group that contains the service instance you want to access.
4. Create a network load balancer that forwards traffic to the target group you created.
5. Create an endpoint service with the network load balancer you created. Record the endpoint service name (endpoint_service_name) for use when setting up Snowflake for access to the service.
6. In Snowflake, execute the following query to retrieve the Snowflake account principal to allow the creation of endpoints:
SELECT key, value FROM TABLE(FLATTEN(INPUT => PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG())));
From the results of the query, locate the privatelink-account-principal key and note its value.
7. On AWS, for the endpoint service you created, update the Allow principals section to add a principal whose ARN is the privatelink-account-principal key value from Snowflake.
8. In Snowflake, create a private endpoint to the AWS endpoint service you created. When you execute the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function, use the following values as arguments:
SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument | Value from AWS configuration
---|---
provider_service_name | AWS endpoint Service name (the endpoint_service_name value) from the details section of the endpoint service.
host_name | DNS Name from the network load balancer you created.
9. On AWS, approve the PrivateLink connection:
   Navigate to the endpoint connections for the endpoint service you created.
   Select the relevant endpoint connection in a pending state.
   Click Accept Endpoint Connection Request.
10. Verify the endpoint status by running the following query. Ensure that the endpoint status changed from pendingAcceptance to available.
SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
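The verification in the last step, and the delay noted earlier before a newly created endpoint can be used, as an added Python example that is not part of the Snowflake documentation. It parses a constructed sample of the JSON that SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO returns (field names taken from the output shown on this page; values made up), reports the status of one endpoint by provider service name, lists endpoints to VPC endpoint services still waiting for the AWS-side accept step, and polls a caller-supplied query function until the endpoint is available. The function names, the `fetch` callable, and the polling interval are this example's own assumptions; in practice `fetch` would run the query through a Snowflake connection as ACCOUNTADMIN.

```python
import json
import time
from typing import Callable, List, Optional

# Constructed sample of SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO() output, mirroring the
# field names shown on this page. The second entry is an endpoint to a VPC endpoint
# service whose connection request has not yet been accepted on the AWS side.
SAMPLE_ENDPOINTS_INFO = json.dumps([
    {
        "provider_service_name": "com.amazonaws.us-west-2.s3",
        "snowflake_endpoint_name": "vpce-123456789012abcdea",
        "endpoint_state": "CREATED",
        "host": "*.s3.us-west-2.amazonaws.com",
        "status": "Available",
    },
    {
        "provider_service_name": "com.amazonaws.vpce.us-west-2.vpce-svc-012345678910f1234",
        "snowflake_endpoint_name": "vpce-0fedcba987654321a",
        "endpoint_state": "CREATED",
        "host": "my.onprem.storage.com",
        "status": "pendingAcceptance",
    },
])


def endpoint_status(endpoints_info: str, provider_service_name: str) -> Optional[str]:
    """Return the status string of one endpoint, or None if no endpoint matches."""
    for ep in json.loads(endpoints_info):
        if ep.get("provider_service_name") == provider_service_name:
            return ep.get("status")
    return None


def is_available(endpoints_info: str, provider_service_name: str) -> bool:
    """True only when the endpoint exists and its status is available. The page shows
    the status both as 'Available' and 'available', so compare case-insensitively."""
    status = endpoint_status(endpoints_info, provider_service_name)
    return status is not None and status.lower() == "available"


def awaiting_acceptance(endpoints_info: str) -> List[str]:
    """Provider service names of endpoints still in pendingAcceptance, i.e. waiting for
    Accept Endpoint Connection Request on the AWS endpoint service."""
    return [ep["provider_service_name"] for ep in json.loads(endpoints_info)
            if str(ep.get("status", "")).lower() == "pendingacceptance"]


def wait_until_available(fetch: Callable[[], str], provider_service_name: str,
                         attempts: int = 10, delay_seconds: float = 30) -> int:
    """Poll until the endpoint is available and return the number of polls used.

    `fetch` runs SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO() and returns the JSON
    string. Raises LookupError if the endpoint does not exist at all (a typo in the
    service name should fail fast, not be retried) and TimeoutError if the status has
    not become available after `attempts` polls.
    """
    for attempt in range(1, attempts + 1):
        info = fetch()
        if is_available(info, provider_service_name):
            return attempt
        if endpoint_status(info, provider_service_name) is None:
            raise LookupError(f"no endpoint for {provider_service_name!r}")
        if attempt < attempts:
            time.sleep(delay_seconds)
    raise TimeoutError(f"{provider_service_name!r} not available after {attempts} polls")


if __name__ == "__main__":
    print("available:", is_available(SAMPLE_ENDPOINTS_INFO, "com.amazonaws.us-west-2.s3"))
    print("awaiting acceptance:", awaiting_acceptance(SAMPLE_ENDPOINTS_INFO))
```

Failing fast on an unknown provider service name matters because the function otherwise returns an empty result silently; a misspelled service name would look like an endpoint that never becomes available.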
Remove a private connectivity endpoint to services¶
You can use the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to remove a private connectivity endpoint by specifying the service or resource.
After the endpoint is removed, the endpoint is put on a queue to be deleted after 7 days.
You need to use the ACCOUNTADMIN role when using this system function.
For example, to remove a PrivateLink with external access to Amazon S3, execute the following SQL statement:
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');
Restore a private connectivity endpoint to services¶
You can use the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function to restore a removed private connectivity endpoint that is still on the deletion queue by specifying the service or resource. If the endpoint is not found on the deletion queue, then you cannot restore the endpoint.
You need to use the ACCOUNTADMIN role when using this system function.
For example, to restore a PrivateLink with external access to Amazon S3, execute the following SQL statement:
SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');
List all private connectivity endpoints to services¶
You can use the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function to list all private connectivity endpoints, and information about the endpoints, in your account.
You need to use the ACCOUNTADMIN role when using this system function.
For example, to list all AWS PrivateLink endpoints with AWS services, execute the following SQL statement:
SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
[
{
"provider_service_name": "com.amazonaws.us-west-2.s3",
"snowflake_endpoint_name": "vpce-123456789012abcdea",
"endpoint_state": "CREATED",
"host": "*.s3.us-west-2.amazonaws.com",
"status": "Available"
},
...
]
For a description of the fields of the JSON object returned by the function, see Returns.
Note
You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.