Manage private connectivity endpoints: AWS¶

This topic provides information on how to manage private connectivity endpoints for use with outbound private connectivity to AWS.

Provision private connectivity endpoints¶

You can use the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create a private connectivity endpoint by specifying the service or resource, and the hostname. You must use the ACCOUNTADMIN role when using this system function.

Note

If you are using private connectivity for an external stage or external volume, you must use a wildcard character (*) when specifying the hostname. Using the wildcard does not mean that all S3 buckets are accessed over a private connection. Only buckets referenced by a Snowflake object that is enabled for private connectivity (that is, the external stage or external volume) can be accessed via the VPC endpoint.

The SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function accepts a provider service name and host name as its arguments. You can obtain these values by using the describe-vpc-endpoint-services subcommand from the AWS command line. As described in the AWS documentation, this AWS subcommand returns a JSON object with a ServiceName field and a PrivateDnsName field. Use the following table to determine which values to use for the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument

describe-vpc-endpoint-services output

provider_service_name

ServiceName

host_name

PrivateDnsName

If you are using private connectivity for external stages or external volumes, you must use the value with a wildcard.

For example, to create a PrivateLink with external access to Amazon S3, execute the following SQL statement to configure an endpoint for us-west-2:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);
Copy

If the target service is a VPC endpoint service, the endpoint service needs to allow Snowflake to connect to it. Before creating an endpoint, add the value of privatelink-account-principal from the output of SYSTEM$GET_PRIVATELINK_CONFIG as an allowed principal of the VPC endpoint service.

The following SQL statement configures an endpoint to a VPC endpoint service. Note that the service must be in the same region as your Snowflake account:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.vpce.us-west-2.vpce-svc-012345678910f1234',
  'my.onprem.storage.com'
);
Copy

After you create an endpoint, there is a delay before you can use the endpoint. For information about checking the status of a created endpoint, see SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO.

Set up connectivity to an endpoint that can’t be accessed directly¶

Not every service allows Snowflake to connect directly to specific instances through an interface endpoint. In these cases, you can instead enable access to the service by setting up a proxy and exposing the service as a VPC endpoint service.

For a walkthrough specific to Amazon RDS, see the blog post Connecting To Amazon RDS Using Private Connectivity from Snowflake.

Discover whether a service is available for direct access¶

Snowflake can usually access an AWS service directly through private connectivity if one of the following is true:

  • The DNS name of the service—its PrivateDnsName value from the output of AWS DescribeVpcEndpointServices—is prefixed with a wildcard.

    If the service’s DNS name starts with a wildcard character *, it’s likely that AWS supports directly accessing individual resources on that service. The DNS name is usually in this form:

    *.<service>.<region>.amazonaws.com
    
    Copy
  • The service is purely data-plane. AWS Bedrock Runtime is an example.

    To discover this about a given service, see the AWS documentation and blog posts.

Access a service when direct access is not available¶

When a service is not available through direct access via an interface endpoint, you can enable access to the service by setting up a proxy and exposing the service as a VPC endpoint service.

Examples of such services include the following:

  • Amazon EC2 instances at ec2.us-west-2.amazonaws.com

  • Amazon Relational Database Service (RDS) servers at rds.us-west-2.amazonaws.com

Set up AWS for access through a proxy¶

To expose a service instance through a proxy, you set up a virtual private cloud (VPC) and load balancer on AWS, then create a Snowflake private link endpoint using the service name and load balancer DNS name of the AWS endpoint service.

The following describes the basic steps:

  1. On AWS, create a virtual private cloud (VPC) with subnets spanning three different availability zones.

    Choose initial availability zones (for example, az1 and az2) for your resources; Snowflake might not support newer AZs in some regions. Ensure that endpoints and other resources are created in the same availability zones to avoid cross-zone traffic.

  2. In network settings for the service instance you want to access, ensure that the instance is in the VPC you created.

  3. Create a target group that contains the service instance you want to access.

  4. Create a network load balancer that forwards traffic to the target group you created.

  5. Create an endpoint service with the network load balancer you created.

    Record the endpoint service name—endpoint_service_name—for use when setting up Snowflake for access to the service.

  6. In Snowflake, execute the following query to retrieve the Snowflake account principal to allow the creation of endpoints:

    SELECT key, value FROM TABLE(FLATTEN(INPUT => PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG())));
    
    Copy
  7. From the results of the query, locate the privatelink-account-principal key and note its value.

  8. On AWS, for the endpoint service you created, update the Allow principals section to add a principal whose ARN is the privatelink-account-principal key value from Snowflake.

  9. In Snowflake, create a private endpoint to the AWS endpoint service you created.

    When you execute the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function, use the following values as arguments:

    SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument

    Value from AWS configuration

    provider_service_name

    AWS endpoint Service name—the endpoint_service_name value—from the details section of the endpoint service.

    host_name

    DNS Name from the network load balancer you created.

  10. On AWS, approve the PrivateLink connection:

    1. Navigate to the endpoint connections for the endpoint service you created.

    2. Select the relevant endpoint connection in a pending state.

    3. Click Accept Endpoint Connection Request.

  11. Verify the endpoint status by running the following query.

    Ensure that the endpoint status changed from pendingAcceptance to available.

    SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
    
    Copy

Remove a private connectivity endpoint to services¶

You can use the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to remove a private connectivity endpoint by specifying the service or resource.

After the endpoint is removed, the endpoint is put on a queue to be deleted after 7 days.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to remove a PrivateLink with external access to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');
Copy

Restore a private connectivity endpoint to services¶

You can use the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function to restore a removed private connectivity endpoint that is still on the deletion queue by specifying the service or resource. If the endpoint is not found on the deletion queue, then you cannot restore the endpoint.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to restore a PrivateLink with external access to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');
Copy

List all private connectivity endpoints to services¶

You can use the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function to list all private connectivity endpoints, and information about the endpoints, in your account.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to list all AWS PrivateLink endpoints with AWS services, execute the following SQL statement:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
Copy

For a description of the fields of the JSON object returned by the function, see Returns.

Note

You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.