Azure Private Link and Snowflake¶

Requirements and limitations¶

Before attempting to configure Azure Private Link to connect your Azure VNet to the Snowflake VNet on Azure, note the following:

• In Azure at the subnet level, optionally enable a network policy for the Private Endpoint.

  Verify that the TCP ports 443 and 80 allow traffic to 0.0.0.0 in the network security group of the Private Endpoint network card.

  For help with the port configuration, contact your internal Azure administrator.

• Use ARM VNets.

• Use IPv4 TCP traffic only.

• Currently, the self-service enablement process described in this topic does not support authorizing a managed Private Endpoint from Azure Data Factory, Synapse, or other managed services.

  For details on how to configure a managed private endpoint for this use case, see this article (in the Snowflake community).

For more information on the requirements and limitations of Microsoft Azure Private Link, see the Microsoft documentation on Private Endpoint Limitations and Private Link Service Limitations.

Procedure¶

This procedure manually creates and initializes the necessary Azure Private Link resources to use Azure Private Link to connect to Snowflake on Azure. Note that this procedure assumes that your use case does not involve Using SSO with Azure Private Link (in this topic).

1. As a representative example using the Azure CLI, execute az account list --output table. Note the output values in the Name, SubscriptionID and CloudName columns.

   Name     CloudName   SubscriptionId                        State    IsDefault
   -------  ----------  ------------------------------------  -------  ----------
   MyCloud  AzureCloud  13c...                                Enabled  True
   

   Copy

2. Navigate to the Azure portal. Search for Private Link and click Private Link.

   

3. Click Private endpoints and then click Add.

   

4. In the Basics section, complete the Subscription, Resource group, Name, and Region fields for your environment and then click Next: Resource.

   

5. In the Resource section, complete the Connection method and the Resource ID or alias Field fields.

   • For Connection Method, select the Connect to an Azure resource by resource ID or alias.

     

   • In Snowflake, execute SYSTEM$GET_PRIVATELINK_CONFIG and input the value for privatelink-pls-id into the Resource ID or alias field. Note that the screenshot in this step uses the alias value for the east-us-2 region as a representative example, and that Azure confirms a valid alias value with a green checkmark.

   • If you receive an error message regarding the alias value, contact Snowflake Support to receive the resource ID value and then repeat this step using the resource ID value.

6. Return to the Private endpoints section and allow a few minutes to wait. On approval, the Private Endpoint displays a CONNECTION STATE value of Pending. This value will update to Approved after completing the authorization in the next step.

   

7. Enable your Snowflake account on Azure to use Azure Private Link by completing the following steps:

   • In your command line environment, record the private endpoint resource ID value using the following Azure CLI network command:

     az network private-endpoint show
     

     Copy

     The private endpoint was created in the previous steps using the template files. The resource ID value takes the following form, which has a truncated value:

     /subscriptions/26d.../resourcegroups/sf-1/providers/microsoft.network/privateendpoints/test-self-service

   • In your command line environment, execute the following Azure CLI account command and save the output. The output will be used as the value for the federated_token argument in the next step.

     az account get-access-token --subscription <SubscriptionID>
     

     Copy

     Extract the access token value from the command output. This value will be used as the federated_token value in the next step. In this example, the values are truncated and the access token value is eyJ...:

     {
        "accessToken": "eyJ...",
        "expiresOn": "2021-05-21 21:38:31.401332",
        "subscription": "0cc...",
        "tenant": "d47...",
        "tokenType": "Bearer"
      }
     

     Copy

     Important

     The user generating the Azure access Token must have Read permissions on the Subscription. The least privilege permission is Microsoft.Subscription/subscriptions/acceptOwnershipStatus/read. Alternatively, the default role Reader grants more coarse-grained permissions.

     The accessToken value is sensitive information and should be treated like a password value — do not share this value.

     If it is necessary to contact Snowflake Support, redact the access token from any commands and URLs before creating a support ticket.

   • In Snowflake, call the SYSTEM$AUTHORIZE_PRIVATELINK function, using the private-endpoint-resource-id value and the federated_token value as arguments, which are truncated in this example:

     USE ROLE ACCOUNTADMIN;
     
     SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
       '/subscriptions/26d.../resourcegroups/sf-1/providers/microsoft.network/privateendpoints/test-self-service',
       'eyJ...'
       );
     

     Copy

   To verify your authorized configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on Azure. Snowflake returns Account is authorized for PrivateLink. for a successful authorization.

   If it is necessary to disable Azure Private Link in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function, using the argument values for private-endpoint-resource-id and federated_token.

8. DNS Setup. All requests to Snowflake need to be routed via the Private Endpoint. Update your DNS to resolve the Snowflake account and OCSP URLs to the private IP address of your Private Endpoint.

   • To get the endpoint IP address, navigate to Azure portal search bar and enter the name of the endpoint (i.e. the NAME value from Step 5). Locate the Network Interface result and click it.

     

   • Copy the value for the Private IP address (i.e. 10.0.27.5).

     

   • Configure your DNS to have the following endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function resolve to the private IP address.

     These endpoint values allow you to access Snowflake, Snowsight, and the Snowflake Marketplace while also using OCSP to determine whether a certificate is revoked when Snowflake clients attempt to connect to an endpoint through HTTPS and connection URLs.

     The values to obtain from the $SYSTEM_GET_PRIVATELINK_CONFIG function are:

     • privatelink-account-url

     • privatelink-connection-ocsp-urls

     • privatelink-connection-urls

     • privatelink-ocsp-url

     • regionless-privatelink-account-url

     • regionless-snowsight-privatelink-url

     • snowsight-privatelink-url

     Note that the values for regionless-snowsight-privatelink-url and snowsight-privatelink-url allow access to Snowsight and the Snowflake Marketplace using private connectivity. However, there is additional configuration if you want to enable URL redirects.

     For details, see Snowsight & Private Connectivity.

     Note

     A full explanation of DNS configuration is beyond the scope of this procedure. For example, you can choose to integrate an Azure Private DNS zone into your environment. Please consult your internal Azure and Cloud Infrastructure administrators to configure and resolve the URLs in DNS properly.

9. After verifying your outbound firewall settings and DNS records include your Azure Private Link account and OCSP URLs, test your connection to Snowflake with SnowCD (Connectivity Diagnostic Tool) and SYSTEM$ALLOWLIST_PRIVATELINK.

10. Connect to Snowflake with your private connectivity account URL.

    Note that if you want to connect to Snowsight via Azure Private Link, follow the instructions in the Snowsight documentation.