# Google Cloud Private Service Connect & Snowflake

This topic describes concepts and how to configure Google Cloud Private Service Connect to connect your Google Cloud Virtual Private Cloud (VPC) network subnet to your Snowflake account hosted on Google Cloud Platform without traversing the public Internet.

Note that Google Cloud Private Service Connect is not a service provided by Snowflake. It is a Google service that Snowflake enables for use with your Snowflake account.


## Overview

Google Cloud Private Service Connect provides private connectivity to Snowflake by ensuring that access to Snowflake is through a private IP address. Snowflake appears as a resource in your network (i.e. the customer network), but the traffic flows one-way from your VPC to the Snowflake VPC over the Google networking backbone, never over the public Internet. This setup significantly simplifies the network configuration while providing secure and private communication.

The following diagram summarizes the Google Cloud Private Service Connect architecture with respect to the customer Google Cloud VPC and the Snowflake service.

A Google Compute Engine instance (i.e. a virtual machine) connects to a private virtual IP address, which routes to a forwarding rule (1). The forwarding rule connects to the Snowflake service attachment through a private connection (2). The connection is routed through a load balancer (3) that redirects to Snowflake (4).

### Considerations

Google Private Service Connect does not offer native support for the following two use cases:

• Cross-region private connectivity.

• On-premises connections to Snowflake.

A possible workaround is to create a proxy farm and route to the forwarding rule.

Note that the Google Cloud subnet that connects to the forwarding rule must be in the same cloud region as your Snowflake account.

### Limitations

• The Snowflake system functions for self-service management are not supported. For details, see Current Limitations for Accounts on GCP.

• Currently, using the account name URL format for private connectivity to the Snowflake service with SnowSQL, connectors, and drivers is not supported. As a workaround, use the account locator format with SnowSQL, connectors, and drivers.


## Configuration Procedure

This section describes how to configure Google Cloud Private Service Connect to connect to Snowflake.

Attention

This section only covers the Snowflake-specific details for configuring your Google Cloud VPC environment. Also, note that Snowflake is not responsible for the actual configuration of the required firewall updates and DNS records.

For installation help, see the Google documentation on the Cloud SDK: Command Line Interface.

1. Contact Snowflake Support and provide a list of your Google Cloud <project_id> values and the corresponding URLs that you use to access Snowflake with a note to enable Google Cloud Private Service Connect. After receiving a response from Snowflake Support, continue to the next step.

Important

If you are using VPC Service Controls in your VPC, ensure that the policy allows access to the Snowflake service before contacting Snowflake Support.

If this action is not taken, Snowflake will not be able to add your project ID to the Snowflake service attachment allow list. The result is that you will be blocked from being able to connect to Snowflake using this feature.

2. In a Snowflake worksheet in the Worksheets tab, run the SYSTEM$GET_PRIVATELINK_CONFIG function with the ACCOUNTADMIN system role, and save the command output for use in the following steps:

use role accountadmin;
select key, value from table(flatten(input=>parse_json(system$get_privatelink_config())));

3. In a command line interface (e.g. the Terminal application), update the gcloud CLI components to the latest version:

gcloud components update

4. Authenticate to Google Cloud Platform using the following command:

gcloud auth login

5. In your Google Cloud VPC, set the project ID in which the forwarding rule should reside:

gcloud config set project <project_id>


To obtain a list of project IDs, execute the following command:

gcloud projects list --sort-by=projectId


6. Create a private virtual IP (VIP) address in your subnet. This is the address that the Private Service Connect endpoint in your VPC uses and that your private DNS records will point to:

gcloud compute addresses create <customer_vip_name> \
--subnet=<subnet_name> \
--addresses=<customer_vip_address> \
--region=<region>

For example:

gcloud compute addresses create psc-vip-1 \
--subnet=psc-subnet \
--region=us-central1

Where:

• <customer_vip_name> specifies the name of the virtual IP address (e.g. psc-vip-1).

• <subnet_name> specifies the name of the subnet in which the address is reserved.

• <customer_vip_address> specifies the internal IP address that all private connectivity URLs resolve to. Choose an unused address from the subnet. If you omit --addresses (as in the example), Google Cloud assigns a free address from the subnet; in that case, record the assigned address from the command output, because you need it for the DNS records in a later step.

• <region> specifies the cloud region where your Snowflake account is located.

7. Create a forwarding rule that binds the VIP address to the Snowflake service attachment, so that traffic from your subnet to the VIP is routed through the Private Service Connect endpoint to the Snowflake service endpoint:

gcloud compute forwarding-rules create <name> \
--region=<region> \
--network=<network_name> \
--address=<customer_vip_name> \
--target-service-attachment=<privatelink-gcp-service-attachment>

For example:

gcloud compute forwarding-rules create test-psc-rule \
--region=us-central1 \
--network=psc-vpc \
--address=psc-vip-1 \
--target-service-attachment=projects/us-central1-deployment1-c8cc/regions/us-central1/serviceAttachments/snowflake-us-central1-psc

Where:

• <name> specifies the name of the forwarding rule.

• <region> specifies the cloud region where your Snowflake account is located.

• <network_name> specifies the name of the VPC network for this forwarding rule.

• <customer_vip_name> specifies the name (e.g. psc-vip-1) of the virtual IP address created in the previous step.

• <privatelink-gcp-service-attachment> specifies the Snowflake service attachment, taken from the privatelink-gcp-service-attachment value in the SYSTEM$GET_PRIVATELINK_CONFIG output (see step 2).

8. Use the following command to verify the forwarding-rule was created successfully:

gcloud compute forwarding-rules list --regions=<region>


The cloud region in this command must match the cloud region where your Snowflake account is located.

For example, if your Snowflake account is located in the europe-west-2 region, replace <region> with europe-west2.

For a complete list of Google Cloud regions and their formatting, see Viewing a list of available regions.

9. Update your DNS settings. All requests to Snowflake must be routed through the Private Service Connect endpoint, so the private connectivity hostnames must resolve to the VIP address that you created (<customer_vip_address>). Use the following values from the SYSTEM$GET_PRIVATELINK_CONFIG output in step 2 and create DNS records that map both of them to the VIP address:

• privatelink-account-url

• privatelink-ocsp-url

The OCSP record matters as much as the account record: Snowflake clients check the service certificate against the OCSP cache server, so if that hostname still resolves to a public address, the certificate check leaves the private path.

If you are using any of the following features, or may use them in the future, also create a DNS record for each of the following hostnames (or combine them with the account and OCSP records). This ensures that these features are also reached through the Google Cloud Private Service Connect endpoint:

| Feature | Hostname |
| --- | --- |
| Snowflake Data Marketplace or Snowsight | app.<region_id>.privatelink.snowflakecomputing.com |
| Organizations | <org_name>-<account_name>.privatelink.snowflakecomputing.com |

Note that region_id only includes the region value and not the cloud platform segment. For example, if your region is US Central1 (Iowa), use us-central1.

Note

A full explanation of DNS configuration is beyond the scope of this procedure. For example, you can choose to integrate a private DNS zone into your environment using Cloud DNS. Please consult your internal Google Cloud and cloud infrastructure administrators to configure and resolve the URLs in DNS properly.

10. Test your connection to Snowflake using SnowCD (Connectivity Diagnostic Tool).

11. Connect to Snowflake with your private connectivity account URL.

You can now connect to Snowflake using Google Cloud Private Service Connect.
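The following script, added here as an example and not Snowflake's or Google's own code, strings steps 5 through 9 of the procedure above together and adds a DNS sanity check to run before SnowCD. Every project, subnet, address, zone and hostname in it is a placeholder (the service attachment path and the account/OCSP URLs in particular are assumptions standing in for the values SYSTEM$GET_PRIVATELINK_CONFIG returns for your account). It uses a Cloud DNS private zone for step 9, which the Note above mentions as one option, and runs in dry-run mode by default so you can review the gcloud commands before executing them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not Snowflake's or Google's code): steps 5-9 of the procedure
# as one script, plus a DNS check. All values below are placeholders/assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-psc-project}"            # placeholder project
REGION="${REGION:-us-central1}"                       # must match your Snowflake account's region
NETWORK="${NETWORK:-psc-vpc}"
SUBNET="${SUBNET:-psc-subnet}"
VIP_NAME="${VIP_NAME:-psc-vip-1}"
VIP_ADDRESS="${VIP_ADDRESS:-10.128.0.10}"             # assumed free address in SUBNET
RULE_NAME="${RULE_NAME:-snowflake-psc-rule}"
# privatelink-gcp-service-attachment from step 2 (placeholder path, not a real one):
SERVICE_ATTACHMENT="${SERVICE_ATTACHMENT:-projects/<snowflake_project>/regions/us-central1/serviceAttachments/<attachment>}"
# privatelink-account-url and privatelink-ocsp-url from step 2 (placeholders):
ACCOUNT_URL="${ACCOUNT_URL:-xy12345.us-central1.gcp.privatelink.snowflakecomputing.com}"
OCSP_URL="${OCSP_URL:-ocsp.xy12345.us-central1.gcp.privatelink.snowflakecomputing.com}"
ORG_URL="${ORG_URL:-}"                                # optional <org_name>-<account_name>.privatelink.snowflakecomputing.com
DNS_ZONE="${DNS_ZONE:-snowflake-privatelink}"         # Cloud DNS private zone name (assumption)
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print the gcloud commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Zone that covers every private hostname (account, OCSP, app.<region> and org URLs):
# xy12345.us-central1.gcp.privatelink.snowflakecomputing.com -> privatelink.snowflakecomputing.com.
privatelink_zone_domain() { echo "privatelink.${1#*privatelink.}."; }

# Hostnames that must resolve to the VIP (step 9 plus the optional records).
private_hostnames() {
  echo "$ACCOUNT_URL"
  echo "$OCSP_URL"
  echo "app.${REGION}.privatelink.snowflakecomputing.com"   # Marketplace / Snowsight
  if [ -n "$ORG_URL" ]; then echo "$ORG_URL"; fi
}

setup_psc() {
  run gcloud config set project "$PROJECT_ID"                                  # step 5
  run gcloud compute addresses create "$VIP_NAME" \
      --subnet="$SUBNET" --addresses="$VIP_ADDRESS" --region="$REGION"         # step 6
  run gcloud compute forwarding-rules create "$RULE_NAME" \
      --region="$REGION" --network="$NETWORK" --address="$VIP_NAME" \
      --target-service-attachment="$SERVICE_ATTACHMENT"                        # step 7
  run gcloud compute forwarding-rules list --regions="$REGION"                 # step 8
  zone_domain=$(privatelink_zone_domain "$ACCOUNT_URL")                        # step 9
  run gcloud dns managed-zones create "$DNS_ZONE" --dns-name="$zone_domain" \
      --visibility=private --networks="$NETWORK" \
      --description="Snowflake Private Service Connect"
  for h in $(private_hostnames); do
    run gcloud dns record-sets create "$h." --zone="$DNS_ZONE" --type=A \
        --ttl=300 --rrdatas="$VIP_ADDRESS"
  done
}

# Step 10 sanity check before SnowCD: every private hostname must resolve to the
# VIP. The resolver is injectable (RESOLVER=<function or command>) so the check
# can be exercised without network access; the default uses getent.
resolve_ip() { getent hosts "$1" | awk '{ print $1; exit }'; }
RESOLVER="${RESOLVER:-resolve_ip}"

verify_dns() {
  vip="$1"; shift
  bad=0
  for h in "$@"; do
    got=$("$RESOLVER" "$h" 2>/dev/null || true)
    if [ "$got" != "$vip" ]; then
      echo "MISMATCH $h -> ${got:-<unresolved>} (expected $vip)" >&2
      bad=1
    fi
  done
  return "$bad"
}

if [ "${1:-}" = "--verify" ]; then
  verify_dns "$VIP_ADDRESS" $(private_hostnames)
else
  setup_psc
fi
```

Run it once without arguments to print the commands, again with DRY_RUN=0 to apply them, and then with --verify after the DNS change has propagated; a non-zero exit names every hostname that still resolves somewhere other than the VIP, which is the quickest way to catch an OCSP or app record that was forgotten.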

## Using Client Redirect with Google Cloud Private Service Connect

Snowflake supports using Client Redirect with Google Cloud Private Service Connect.

## Blocking Public Access — Optional

After testing the Google Cloud Private Service Connect connectivity with Snowflake, you can optionally block public access to Snowflake using Network Policies.