Manage private connectivity endpoints: Azure

This topic provides information on how to manage private connectivity endpoints for use with private connectivity to an external service.

Provision private connectivity endpoints

You can create a private connectivity endpoint by calling the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. For example, for your Snowflake account on Microsoft Azure:

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to the Microsoft Azure API Management service in your Microsoft Azure VNet:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );
Copy
Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to an external service using external network access:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'testdb.database.windows.net',
  'sqlServer'
  );
Copy
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Provision a private endpoint to allow Snowflake to connect to an external stage for Microsoft Azure:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
  'storagedemo.blob.core.windows.net',
  'blob'
);
Copy
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Snowflake calls the APIs for the cloud platform that hosts your Snowflake account to create the endpoint and updates the related networking configurations.

List private connectivity endpoints

You can list the private connectivity endpoints that you create by calling the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function. For example, for your Snowflake account on Microsoft Azure:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();
Copy
[
   {
      "host": "aztest1-external-function-api.azure-api.net",
      "status": "APPROVED",
      "resource_id":  "/subscriptions/fa57a1f0-b4e6-4847-9c00-95f39520f35e/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/apim-pe"
   }
]
Copy

Deprovision private connectivity endpoints

You can delete an existing private connectivity endpoint by calling the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function. For example, for your Snowflake account on Microsoft Azure:

Deprovision a private endpoint to prevent Snowflake on Microsoft Azure from connecting to the Microsoft Azure API Management service in your Microsoft Azure VNet:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'Gateway'
  );
Copy
Private endpoint with id "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/5ef8fd34-07db-4583-b0dd-0e2360398ed3" successfully marked for deletion. Before it is fully deleted in 7-8 days, it can be restored.

Deprovision a private endpoint to prevent Snowflake on Microsoft Azure from connecting to an external service using external network access:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'sqlServer'
  );
Copy
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"

Deprovision a private endpoint to prevent Snowflake from connecting to an external stage for Microsoft Azure:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  'storagedemo.blob.core.windows.net',
  'blob'
);
Copy
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"

Restore a deprovisioned private connectivity endpoint

You can restore a private connectivity endpoint that you deprovisioned within 7 days of deprovisioning it by calling the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function. After 7 days, the endpoint cannot be restored and you need to provision a new endpoint.

Restore a private endpoint to allow Snowflake on Microsoft Azure to connect to the Azure API Management service in your Azure VNet:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/my_rg/providers/Microsoft.Sql/servers/my_db_server',
  'sqlServer'
);
Copy
Private endpoint with id ''/subscriptions/66666666-7777-8888-9999-0000000000/resourcegroups/rg/providers/microsoft.network/privateendpoints/00000000-1111-2222-3333-4444444444'' restored successfully.

Troubleshooting

Microsoft Azure external services: You cannot access a specified subscription

Error

 
(LinkedAuthorizationFailed) The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id'.

Code: LinkedAuthorizationFailed

Message: The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id>'.

Cause

The private endpoint that maps to the external service does not have the correct information to access the subscription.

Solution

  1. Call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to delete the endpoint for the external service.

  2. Call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to recreate the endpoint for the external service. Be sure to specify the correct subscription, hostname, and subresource values.

  3. Replace the network rule and be sure to specify the correct hostname value in the VALUE_LIST property.
Language: English