Manage private connectivity endpoints: Azure¶
This topic provides information on how to manage private connectivity endpoints for use with private connectivity to an external service. The examples are specific to Microsoft Azure.
Provision private connectivity endpoints¶
You can create a private connectivity endpoint by calling the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. For example, for your Snowflake account on Microsoft Azure:
Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to the Microsoft Azure API Management service in your Microsoft Azure VNet:
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
'/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
'aztest1-external-function-api.azure.net',
'Gateway'
);
Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.
Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to an external service using external network access:
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
'/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
'testdb.database.windows.net',
'sqlServer'
);
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"
Provision a private endpoint to allow Snowflake to connect to an external stage for Microsoft Azure:
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
'/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
'storagedemo.blob.core.windows.net',
'blob'
);
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"
Snowflake calls the APIs for the cloud platform that hosts your Snowflake account to create the endpoint and updates the related networking configurations.
List private connectivity endpoints¶
You can list the private connectivity endpoints that you create by calling the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function. For example, for your Snowflake account on Microsoft Azure:
SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
[
{
"provider_resource_id": "/subscriptions/11111111-2222-3333-4444-5555555555/...",
"subresource": "sqlServer",
"snowflake_resource_id": "/subscriptions/fa57a1f0-b4e6-4847-9c00-95f39520f...",
"host": "testdb.database.windows.net",
"endpoint_state": "CREATED",
"status": "Approved",
}
]
Note
You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.
Deprovision private connectivity endpoints¶
You can delete an existing private connectivity endpoint by calling the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function. For example, for your Snowflake account on Microsoft Azure:
Deprovision a private endpoint to prevent Snowflake on Microsoft Azure from connecting to the Microsoft Azure API Management service in your Microsoft Azure VNet:
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
'/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
'Gateway'
);
Private endpoint with id "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/5ef8fd34-07db-4583-b0dd-0e2360398ed3" successfully marked for deletion. Before it is fully deleted in 7-8 days, it can be restored.
Deprovision a private endpoint to prevent Snowflake on Microsoft Azure from connecting to an external service using external network access:
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
'/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
'sqlServer'
);
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"
Deprovision a private endpoint to prevent Snowflake from connecting to an external stage for Microsoft Azure:
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
'storagedemo.blob.core.windows.net',
'blob'
);
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"
Restore a deprovisioned private connectivity endpoint¶
You can restore a private connectivity endpoint that you deprovisioned within 7 days of deprovisioning it by calling the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function. After 7 days, the endpoint cannot be restored and you need to provision a new endpoint.
Restore a private endpoint to allow Snowflake on Microsoft Azure to connect to the Azure API Management service in your Azure VNet:
SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT(
'/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/my_rg/providers/Microsoft.Sql/servers/my_db_server',
'sqlServer'
);
Private endpoint with id ''/subscriptions/66666666-7777-8888-9999-0000000000/resourcegroups/rg/providers/microsoft.network/privateendpoints/00000000-1111-2222-3333-4444444444'' restored successfully.
Troubleshooting¶
Microsoft Azure external services: You cannot access a specified subscription¶
Error |
(LinkedAuthorizationFailed) The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id>'.
|
---|---|
Cause |
The private endpoint that maps to the external service does not have the correct information to access the subscription. |
Solution |
|