Google Cloud Private Service Connect & Snowflake¶
This topic describes concepts and how to configure Google Cloud Private Service Connect to connect your Google Cloud Virtual Private Cloud (VPC) network subnet to your Snowflake account hosted on Google Cloud Platform without traversing the public Internet.
Note that Google Cloud Private Service Connect is not a service provided by Snowflake. It is a Google service that Snowflake enables for use with your Snowflake account.
If you are using Business Critical Edition (or higher) and wish to use Google Cloud Private Service Connect with your account, please contact Snowflake Support and request it to be enabled.
In this Topic:
Google Cloud Private Service Connect provides private connectivity to Snowflake by ensuring that access to Snowflake is through a private IP address. Snowflake appears as a resource in your network (i.e. customer network), but the traffic flows one-way from the your VPC to Snowflake VPC over the Google networking backbone. This setup significantly simplifies the network configuration while providing secure and private communication.
The following diagram summarizes the Google Cloud Private Service Connect architecture with respect to the customer Google Cloud VPC and the Snowflake service.
The Google Compute Engine (i.e. a virtual machine) connects to a private, virtual IP address which routes to a forwarding rule (1). The forwarding rule connects to the service attachment through a private connection (2). The connection is routed through a load balancer (3) that redirects to Snowflake (4).
Google Private Service Connect does not offer native support for the following two use cases:
Cross-region private connectivity.
On-premises connections to Snowflake.
A possible workaround is to create a proxy farm and route to the forwarding rule.
Note that the Google Cloud subnet that connects to the forwarding rule must be in the same cloud region as your Snowflake account.
For help with the setup, please contact your internal Google Cloud administrator.
This section describes how to configure Google Cloud Private Service Connect to connect to Snowflake.
This section only covers the Snowflake-specific details for configuring your Google Cloud VPC environment. Also, note that Snowflake is not responsible for the actual configuration of the required firewall updates and DNS records.
If you encounter issues with any of these configuration tasks, please contact Google Support directly.
For installation help, see the Google documentation on the Cloud SDK: Command Line Interface.
Contact Snowflake Support and provide a list of your Google Cloud
<project_id>values and the corresponding URLs that you use to access Snowflake with a note to enable Google Cloud Private Service Connect. After receiving a response from Snowflake Support, continue to the next step.
In a Snowflake worksheet in the Worksheets tab, run the SYSTEM$GET_PRIVATELINK_CONFIG function with the ACCOUNTADMIN system role, and save the command output for use in the following steps:
use role accountadmin; select key, value from table(flatten(input=>parse_json(system$get_privatelink_config())));
In a command line interface (e.g. the Terminal application), update the gcloud library to the latest version:
gcloud components update
Authenticate to Google Cloud Platform using the following command:
gcloud auth login
In your Google Cloud VPC, set the the project ID in which the forwarding rule should reside.
gcloud config set project <project_id>
To obtain a list of project IDs, execute the following command:
gcloud projects list --sort-by=projectId
In your Google Cloud VPC, create a virtual IP address:
gcloud compute addresses create <customer_vip_name> \ --subnet=<subnet_name> \ --addresses=<customer_vip_address> --region=<region>
gcloud compute addresses create psc-vip-1 \ --subnet=psc-subnet \ --addresses=192.168.3.3 \ --region=us-central1 # returns Created [https://www.googleapis.com/compute/v1/projects/docstest-123456/regions/us-central1/addresses/psc-vip-1].
<customer_vip_name>specifies the name of the virtual IP rule (i.e.
<subnet_name>specifies the name of the subnet.
<customer_vip_address>: all private connectivity URLs resolve to this address. Specify an IP address from your network or use CIDR notation to specify a range of IP addresses.
<region>specifies the cloud region where your Snowflake account is located.
Create a forwarding rule to have your subnet route to the Private Service Connect endpoint and then to the Snowflake service endpoint:
gcloud compute forwarding-rules create <name> \ --region=<region> \ --network=<network_name> \ --address=<customer_vip_name> \ --target-service-attachment=<privatelink-gcp-service-attachment>
gcloud compute forwarding-rules create test-psc-rule \ --region=us-central1 \ --network=psc-vpc \ --address=psc-vip-1 \ --target-service-attachment=projects/us-central1-deployment1-c8cc/regions/us-central1/serviceAttachments/snowflake-us-central1-psc # returns Created [https://www.googleapis.com/compute/projects/mdlearning-293607/regions/us-central1/forwardingRules/test-psc-rule].
<name>specifies the name of the forwarding rule.
<region>specifies the cloud region where your Snowflake account is located.
<network_name>specifies the name of the network for this forwarding rule.
psc-vip-1) of the virtual IP address created in the previous step.
<privatelink-gcp-service-attachment>specifies the endpoint for the Snowflake service (see step 2).
Use the following command to verify the forwarding-rule was created successfully:
gcloud compute forwarding-rules list --regions=<region>
The cloud region in this command must match the cloud region where your Snowflake account is located.
For example, if your Snowflake account is located in the
For a complete list of Google Cloud regions and their formatting, see Viewing a list of available regions.
Update your DNS settings. All requests to Snowflake need to be routed through the Private Service Connect endpoint. Update your DNS settings so that the URLs in step 1 (
privatelink-ocsp-url) resolve to the VIP address that you created (<customer_vip_address>).
In Snowflake, use the following values from the SYSTEM$GET_PRIVATELINK_CONFIG output:
. If you are using any of the following features or may use these features in the future, it is necessary to create an additional DNS record with the following values or combine the following values with the Snowflake account and OCSP cache server values. This step ensures access to these features through the Google Cloud Private Service Connect Endpoint.
- Snowflake Data Marketplace or Snowsight
region_idonly includes the region value and not the cloud platform segment. For example, if your region is US Central1 (Iowa), use
For more information, see Account Identifiers.
A full explanation of DNS configuration is beyond the scope of this procedure. For example, you can choose to integrate a private DNS zone into your environment using Cloud DNS. Please consult your internal Google Cloud and cloud infrastructure administrators to configure and resolve the URLs in DNS properly.
Test your connection to Snowflake using SnowCD (Connectivity Diagnostic Tool).
Connect to Snowflake with your private connectivity account URL.
You can now connect to Snowflake using Google Cloud Private Service Connect.
Using SSO with Google Private Service Connect¶
Snowflake supports using SSO with Google Cloud Private Service Connect. For more information, see:
Using Client Redirect with Google Cloud Private Service Connect¶
Snowflake supports using Client Redirect with Google Cloud Private Service Connect.
For more information, see Redirecting Client Connections.
Blocking Public Access — Optional¶
After testing the Google Cloud Private Service Connect connectivity with Snowflake, you can optionally block public access to Snowflake using Network Policies.
Configure the CIDR block range to block public access to Snowflake using your organization’s IP address range. This range can be from within your virtual network.
Once the CIDR Block ranges are set, only IP addresses within the CIDR block range can access Snowflake.
To block public access using a network policy:
Create a new network policy or edit an existing network policy. Add the CIDR block range for your organization.
Activate the network policy for your account.