Azure Private Link & Snowflake

Business Critical Feature

This feature requires Business Critical (or higher).

If you are using Business Critical (or higher) and wish to use Azure Private Link with your account, please contact Snowflake Support and request it to be enabled, as described in this topic.

.

Related Topics

• SnowCD

• SYSTEM$WHITELIST_PRIVATELINK

This topic describes how to configure Azure Private Link to connect your Azure Virtual Network (VNet) to the Snowflake VNet in Azure.

Important

Azure Private Link is not a service provided by Snowflake. It is a Microsoft service that Snowflake enables for use with your Snowflake account.

In this Topic:

Azure Private Link Overview

Azure Private Link provides private connectivity to Snowflake by ensuring that access to Snowflake is through a private IP address. Traffic can only occur from the customer virtual network (VNet) to the Snowflake VNet using the Microsoft backbone and avoids the public Internet. This significantly simplifies the network configuration by keeping access rules private while providing secure and private communication.

The following diagram summarizes the Azure Private Link architecture with respect to the customer VNet and the Snowflake VNet.

From either a virtual machine (1) or through peering (2), you can connect to the Azure Private Link endpoint (3) in your virtual network. That endpoint then connects to the Azure Private Link Service (4) and routes to Snowflake.

Here are the high-level steps to integrate Snowflake with Azure Private Link:

1. Create an Azure Private Link interface endpoint and request approval from Snowflake as described in Configuring Access to Snowflake with Azure Private Link.

2. Contact Snowflake support, and request for approval by providing the value of the created Azure Private Link interface endpoint. After Snowflake approves it, using Azure Portal, verify if the Azure Private Link interface endpoint displays a CONNECTION STATE value of Approved. Verify your account URL and the OCSP URL with Snowflake Support.

3. Update your outbound firewall settings to allow the Snowflake account URL and OCSP URL.

4. Update your DNS server to resolve your account URL and OCSP URL to the Private Link IP address. You can add the DNS entry to your on-premise DNS server or private DNS on your VNet, and use DNS forwarding to direct queries for the entry from other locations where your users will access Snowflake.

5. After the Azure Private Link interface endpoint displays a CONNECTION STATE value of Approved, test your connection to Snowflake with SnowCD (Connectivity Diagnostic Tool) and SYSTEM$WHITELIST_PRIVATELINK.

6. Connect to Snowflake using SnowSQL.

Requirements and Limitations

Before attempting to configure Azure Private Link to connect your Azure VNet to the Snowflake VNet on Azure, evaluate the following requirements and limitations:

• The subnet in which the Azure Private Link endpoint resides in needs to have the network policy disabled. Specifically, the subnet properties need to include the following two attributes:

  "privateLinkServiceNetworkPolicies" : "Disabled",
  "privateEndpointNetworkPolicies" : "Disabled"
  

  Note

  If your corporate network protocols require the subnet in which the Azure Private Link endpoint resides to have network policies enabled, then you must configure a separate subnet that contains only the Azure Private Link endpoint and route requests from other subnets to the subnet containing the Azure Private Link endpoint.

• Use ARM VNets.

• Use IPv4 TCP traffic only.

• If you are using a SaaS application to connect to Snowflake, you cannot use the SaaS application and Azure Private Link together. You can continue to use the SaaS application to connect to Snowflake through pathways that do not use Azure Private Link.

For more information on the requirements and limitations of Microsoft Azure Private Link, see the Microsoft documentation on Private Endpoint Limitations and Private Link Service Limitations.

Configuring Access to Snowflake with Azure Private Link

Attention

This section only covers the Snowflake-specific details for configuring your VNet environment. Also, note that Snowflake is not responsible for the actual configuration of the required firewall updates and DNS records. If you encounter issues with any of these configuration tasks, please contact Microsoft Support directly.

This section describes how to configure your Azure VNet to connect to the Snowflake VNet on Azure using Azure Private Link. After initiating the connection to Snowflake using Azure Private Link, you can determine the approval state of the connection in the Azure portal.

For installation help, see the Microsoft documentation on the Azure CLI or Azure PowerShell.

Complete the Prerequisite Steps and either Option 1: Use Template Files or Option 2: Create Azure Resources Manually to configure your Microsoft Azure VNet and initiate the Azure Private Link connection to Snowflake.

Prerequisite Steps

1. Determine whether multiple Snowflake accounts in the same Azure region will use the same Azure SubscriptionID. During the initial configuration, one Snowflake account and one Azure SubscriptionID are necessary.

   • If you desire to tether multiple Snowflake accounts in the same Azure region to a single Azure SubscriptionID, please contact Snowflake Support while completing Step 2 in Option 1: Use Template Files.

2. Configure secure access to data files in your Azure Blob storage using Configuring an Azure Container for Loading Data.

   • This step ensures that bulk data loading from your Azure Blob storage external stage into Snowflake remains on the Azure networking backbone and does not use the public Internet.

Important

Options 1 and 2 make the following two assumptions:

• Your use case does not involve Using SSO with Azure Private Link.

• It is necessary to create both the subnet and the Azure Private Link endpoint. If your use case requires only the Azure Private Link endpoint, use the corresponding files in Step 1 of Option 1: Use Template Files.

Option 1: Use Template Files

This sequence of steps uses two different configuration files to create and initialize the necessary Azure Private Link resources to use Azure Private Link to connect to Snowflake on Azure. The configuration files are of two types:

Template file

Use this file to create an interface endpoint and a subnet for that endpoint.

Parameters file

Use this file to initialize the resources the template file creates.

Depending on your Azure environment, it may not be necessary to create a dedicated subnet. If you already have a dedicated subnet for the interface endpoint, you can use the corresponding files to create the endpoint in that subnet.

As a representative example, the following steps assume both a dedicated subnet and interface endpoint are necessary.

Caution

The template files and scripts create resources in your Azure environment to facilitate connecting to Snowflake using Azure Private Link. Exercise caution when completing the configuration procedure. For additional help and support, please contact your internal Azure administrator.

1. Evaluate your Azure environment to determine whether you need a dedicated subnet with an Azure Private Link endpoint or only the Azure Private Link endpoint.

   • If you already have a dedicated subnet to use Azure Private Link to connect to Snowflake, it is only necessary to create an Azure Private Link endpoint in this subnet. Therefore, download these two files for use in the next steps:

     • customer-privatelink-endpoint-only-template.json

     • customer-privatelink-endpoint-only-parameters.json

   • If you do not have a dedicated subnet, use the following two files to create a subnet and an Azure Private Link endpoint:

     • customer-privatelink-template.json

     • customer-privatelink-parameters.json

   • Edit the corresponding template file, customer-privatelink-endpoint-only-parameters.json or customer-privatelink-parameters.json. Select the alias from the table that matches the region for your Snowflake on Azure account.

     Region	Alias
     east-us-2	sf-pvlinksvc-azeastus2.cf82bce2-be9d-4dc6-92ee-3de5fb04d191.eastus2.azure.privatelinkservice
     west-us-2	sf-pvlinksvc-azwestus2.7583086f-d856-40b9-9731-d9a96b663bd6.westus2.azure.privatelinkservice
     southeast-asia	sf-pvlinksvc-azsoutheastasia.c4b3ee88-26d1-437f-b89c-e1b1d4a8aa4d.southeastasia.azure.privatelinkservice
     australia-east	sf-pvlinksvc-azaustraliaeast.67b50f2d-bc24-4075-b2b1-ad770fc844d2.australiaeast.azure.privatelinkservice
     canada-central	sf-pvlinksvc-azcanadacentral.70fb0911-94f9-497d-99f8-98eeaea59542.canadacentral.azure.privatelinkservice
     west-europe	sf-pvlinksvc-azwesteurope.44d99e07-8afe-4d7d-92dd-c07db73c9b26.westeurope.azure.privatelinkservice
     us-gov-virginia	sf-pvlinksvc-azusgovvirginia.8e115fbc-6a6f-4632-814b-b8ad6ce29cc4.usgovvirginia.azure.privatelinkservice
     switzerland-north	sf-pvlinksvc-azswitzerlandnorth.27552127-f89d-492d-a7ed-d5746a3e1cdf.switzerlandnorth.azure.privatelinkservice

2. As a representative example using the Azure CLI, execute az account list --output table. Note the output values in the Name and CloudName columns.

   Name     CloudName   SubscriptionId                        State    IsDefault
   -------  ----------  ------------------------------------  -------  ----------
   MyCloud  AzureCloud  13c91033-8b4e-40f7-9031-16c8f69233e3  Enabled  True
   

3. Open a Snowflake Support ticket and share the SubscriptionId value with a note indicating that this value is to use Azure Private Link. Snowflake will then allow this value for auto-approval.

   Important

   It may take up to 48 hours for Snowflake Support to process the ticket and allow the SubscriptionID value. Please wait patiently for Snowflake Support to provide confirmation. After receiving confirmation, continue with the remaining steps in this procedure.

   If you desire to tether multiple Snowflake accounts in the same Azure region to a single Azure SubscriptionID, please contact Snowflake Support.

4. For each parameter in customer-privatelink-parameters.json, update the value to match your environment. For example, replace the virtualNetworkName value of privateLinkConsumer_vnet with myVirtualNetwork.

   • Do not update the string for the snowflakePrivatelinkServiceAlias value.

5. In the Azure CLI, execute the following three commands using the values from the previous step. Note that these values are representative examples.

   az cloud set --name <customer_cloud_name>
   az account set --subscription <customer_subscription_name>
   az group deployment create --resource-group CUSTOMER_RESOURCEGROUP_NAME --template-file customer-privatelink-template.json --parameters customer-privatelink-parameters.json
   

   • Replace <customer_cloud_name> with AzureCloud.

   • Replace <customer_subscription_name> with MyCloud.

   • You can choose an arbitrary name for CUSTOMER_RESOURCE_GROUP.

6. DNS Setup. All requests to Snowflake need to be routed via the Azure Private Link interface endpoint. Update your DNS to resolve the Snowflake account and OCSP URLs to the private IP address of your Azure Private Link interface endpoint.

   • To get the endpoint IP address, navigate to the Azure portal Private Link Center. Click Private endpoints and click on the endpoint.

   • Copy the value for the Private IP address (i.e. 10.0.27.5).

     

   • Configure your DNS to have the following two URLs resolve to the private IP address. You can obtain the exact URLs for your account by executing SYSTEM$WHITELIST_PRIVATELINK.

     Snowflake account

     <account>.<region>.privatelink.snowflakecomputing.com

     OCSP cache server

     ocsp.<account>.<region>.privatelink.snowflakecomputing.com

     Where:

     <region> is the value shown in the Step 1 table that corresponds to your Snowflake alias.

     <account> is your Snowflake account value.

     If you are using the Snowflake Data Marketplace or may use it in the future, it is necessary to create an additional DNS record with the following value or combine the following value with the Snowflake account and OCSP cache server values. This step ensures access to the Snowflake Data Marketplace via an Azure Private Link interface endpoint.

     app.<region>.privatelink.snowflakecomputing.com

     Note

     A full explanation of DNS configuration is beyond the scope of this procedure. For example, you can choose to integrate an Azure Private DNS zone into your environment.

     Please consult your internal Azure and Cloud Infrastructure administrators to configure and resolve the URLs in DNS properly.

7. After verifying your outbound firewall settings and DNS records to include your Azure Private Link account and OCSP URLs, test your connection to Snowflake with SnowCD (Connectivity Diagnostic Tool) and SYSTEM$WHITELIST_PRIVATELINK.

8. Connect to Snowflake using SnowSQL.

You can now connect to Snowflake using Azure Private Link.

Option 2: Create Azure Resources Manually

This sequence of steps manually create and initialize the necessary Azure Private Link resources to use Azure Private Link to connect to Snowflake on Azure.

1. Verify that a dedicated subnet exists to contain the Azure Private Link interface endpoint and that network policies are disabled. For more information, see Disable network policies for private endpoints.

2. As a representative example using the Azure CLI, execute az account list --output table. Note the output values in the Name and CloudName columns.

   Name     CloudName   SubscriptionId                        State    IsDefault
   -------  ----------  ------------------------------------  -------  ----------
   MyCloud  AzureCloud  13c91033-8b4e-40f7-9031-16c8f69233e3  Enabled  True
   

3. Open a Snowflake Support ticket and share the SubscriptionId value with a note indicating that this value is to use Azure Private Link. Snowflake will then allow this value for auto-approval.

   Important

   It may take up to 48 hours for Snowflake Support to process the ticket and allow the SubscriptionID value. Please wait patiently for Snowflake Support to provide confirmation. After receiving confirmation, continue with the remaining steps in this procedure.

   If you desire to tether multiple Snowflake accounts in the same Azure region to a single Azure SubscriptionID, please contact Snowflake Support.

4. Navigate to the Azure portal. Search for Private Link and click Private Link.

   

5. Click Private endpoints and then click Add.

   

6. In the Basics section, complete the Subscription, Resource group, Name, and Region fields for your environment and then click Next: Resource.

   

7. In the Resource section, complete the Connection Method and the Resource ID or Alias Field fields. The Request message value is optional.

   • For Connection Method, select the Connect to an Azure resource by resource ID or alias.

     

   • For Resource ID or Alias Field, select the alias from the table that corresponds to your Snowflake on Azure region. Note that the screenshot in this step uses the alias value for the east-us-2 region as a representative example, and that Azure confirms a valid alias value with a green checkmark.

     Region	Alias
     east-us-2	sf-pvlinksvc-azeastus2.cf82bce2-be9d-4dc6-92ee-3de5fb04d191.eastus2.azure.privatelinkservice
     west-us-2	sf-pvlinksvc-azwestus2.7583086f-d856-40b9-9731-d9a96b663bd6.westus2.azure.privatelinkservice
     southeast-asia	sf-pvlinksvc-azsoutheastasia.c4b3ee88-26d1-437f-b89c-e1b1d4a8aa4d.southeastasia.azure.privatelinkservice
     australia-east	sf-pvlinksvc-azaustraliaeast.67b50f2d-bc24-4075-b2b1-ad770fc844d2.australiaeast.azure.privatelinkservice
     canada-central	sf-pvlinksvc-azcanadacentral.70fb0911-94f9-497d-99f8-98eeaea59542.canadacentral.azure.privatelinkservice
     west-europe	sf-pvlinksvc-azwesteurope.44d99e07-8afe-4d7d-92dd-c07db73c9b26.westeurope.azure.privatelinkservice
     us-gov-virginia	sf-pvlinksvc-azusgovvirginia.8e115fbc-6a6f-4632-814b-b8ad6ce29cc4.usgovvirginia.azure.privatelinkservice
     switzerland-north	sf-pvlinksvc-azswitzerlandnorth.27552127-f89d-492d-a7ed-d5746a3e1cdf.switzerlandnorth.azure.privatelinkservice

8. Return to the Private endpoints section and allow a few minutes to wait. On approval, the Azure Private Link interface endpoint displays a CONNECTION STATE value of Approved.

   

9. DNS Setup. All requests to Snowflake need to be routed via the Azure Private Link interface endpoint. Update your DNS to resolve the Snowflake account and OCSP URLs to the private IP address of your Azure Private Link interface endpoint.

   • To get the endpoint IP address, navigate to Azure portal search bar and enter the name of the endpoint (i.e. the NAME value from Step 6). Locate the Network Interface result and click it.

     

   • Copy the value for the Private IP address (i.e. 10.0.27.5).

     

   • Configure your DNS to have the following two URLs resolve to the private IP address. You can obtain the exact URLs for your account by executing SYSTEM$WHITELIST_PRIVATELINK.

     Snowflake account

     <account>.<region>.privatelink.snowflakecomputing.com

     OCSP cache server

     ocsp.<account>.<region>.privatelink.snowflakecomputing.com

     Where:

     <region> is the value shown in the Step 5 table that corresponds to your Snowflake alias.

     <account> is your Snowflake account value.

     If you are using the Snowflake Data Marketplace or may use it in the future, it is necessary to create an additional DNS record with the following value or combine the following value with the Snowflake account and OCSP cache server values. This step ensures access to the Snowflake Data Marketplace via an Azure Private Link interface endpoint.

     app.<region>.privatelink.snowflakecomputing.com

     Note

     A full explanation of DNS configuration is beyond the scope of this procedure. For example, you can choose to integrate an Azure Private DNS zone into your environment. Please consult your internal Azure and Cloud Infrastructure administrators to configure and resolve the URLs in DNS properly.

10. After verifying your outbound firewall settings and DNS records include your Azure Private Link account and OCSP URLs, test your connection to Snowflake with SnowCD (Connectivity Diagnostic Tool) and SYSTEM$WHITELIST_PRIVATELINK.

11. Connect to Snowflake using SnowSQL.

You can now connect to Snowflake using Azure Private Link.

Using SSO with Azure Private Link

Snowflake supports using SSO with Azure Private Link. For more information, click here.

Blocking Public Access — Optional

After testing the Azure Private Link connectivity with Snowflake, you can optionally block public access to Snowflake using Network Policies.

Configure the CIDR block range to block public access to Snowflake using your organization’s IP address range. This range can be from within your virtual network.

Once the CIDR Block ranges are set, only IP addresses within the CIDR block range can access Snowflake.

To block public access using a network policy:

1. Create a new network policy or edit an existing network policy. Add the CIDR block range for your organization.

2. Activate the network policy for your account.