
                                  Enforce privatelink-only access

                                  Feature — Open

                                  Available to all accounts that are Business Critical Edition (or later).

                                  To inquire about upgrading, please contact Snowflake Support.

                                  In preview, this feature is supported on AWS and Azure cloud platforms.

                                  This feature is not available in the People’s Republic of China.

                                  Overview

                                  Each Snowflake customer can access their Snowflake account using their customer-specific, dedicated account URLs and generic Snowflake UI URLs. Enabling private connectivity establishes private URLs for your account. After establishing private connectivity, the private URLs that you use to connect to Snowflake must include “privatelink”. For example, the host URL can have the following formats:

                                  • Account Name: https://<orgname>-<account_name>.privatelink.snowflakecomputing.com

                                  • Connection Name: https://<orgname>-<connectionname>.privatelink.snowflakecomputing.com

                                  • Account Locator (legacy): https://<account_locator>.<region>.privatelink.snowflakecomputing.com

                                  Accounts that use only privatelink for inbound connections to Snowflake are also known as “privatelink-only” accounts. For more information about using URLs to connect to your Snowflake account, see Connecting with a URL.

                                  You can harden your security posture by disabling public access to your privatelink-only accounts. For example, after you disable public access to your privatelink-only accounts, anyone attempting to “guess” your Snowflake account URL by providing a public URL sees a static web page that displays: HTTP - 404 account not found. Snowflake Core Service checks requests incoming from the public internet before requesting authorization. Returning HTTP - 404 account not found provides no indication that the account exists. In this way, disabling public access protects your privatelink-only accounts.

                                  Important

                                  You must enable private connectivity to the Snowflake service before disabling public access to your privatelink-only accounts. You must have logged into Snowflake using a private endpoint at least once before disabling public access. Any SaaS service that does not support private connectivity cannot connect to Snowflake after disabling public access to your privatelink-only accounts.

                                  Disabling public access to your privatelink-only accounts:

                                  • Disables public access to all Snowflake service endpoints, and only to those endpoints.

                                  • Does not affect public access to internal stage buckets.

                                  • Does not sever any existing connections to your customer account.

                                  Granular network access restrictions

                                  You can define granular access to your account by creating network rules that restrict network access through specific private endpoint IDs. You can also define network rules to limit or deny publicly-routed sessions. For more information, see CREATE NETWORK RULE.

                                  To enforce the access definitions, you can create network policies that use your network rule definitions. For more information, see Controlling network traffic with network policies.

                                  Note

                                  Blocking access to private endpoints using network rules is not (yet) supported on Google Cloud.

                                  Disable public access to your privatelink-only accounts

                                  To disable public access to all Snowflake service endpoints in your Snowflake account:

                                  1. Verify or establish private connectivity to your account.

                                  2. Call the SYSTEM$ENFORCE_PRIVATELINK_ACCESS_ONLY function.
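
The granular network rules and the two-step procedure described above, combined into one sequence. This is an added example, not part of the original page; the object names and the endpoint ID are placeholders, and it assumes a current database and schema are set and that the session is connected through a privatelink URL.

```sql
-- Added example: rule names, policy name and endpoint ID are placeholders.
-- Network rules are schema-level objects, so a current database and schema
-- must be set before running the CREATE NETWORK RULE statements.

-- Step 1: verify that private connectivity is configured for the account.
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

-- Allow ingress only through one specific private endpoint.
-- On Azure, use TYPE = AZURELINKID with the private endpoint's link ID.
CREATE NETWORK RULE allow_private_endpoint_rule
  MODE = INGRESS
  TYPE = AWSVPCEID
  VALUE_LIST = ('<your_vpc_endpoint_id>');

-- Match every publicly routed IPv4 source so the policy can block it.
CREATE NETWORK RULE block_public_rule
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('0.0.0.0/0');

-- A network policy is what enforces the rule definitions.
CREATE NETWORK POLICY privatelink_only_policy
  ALLOWED_NETWORK_RULE_LIST = ('allow_private_endpoint_rule')
  BLOCKED_NETWORK_RULE_LIST = ('block_public_rule');

-- Activate the policy for the whole account.
ALTER ACCOUNT SET NETWORK_POLICY = privatelink_only_policy;

-- Step 2: disable public access to all Snowflake service endpoints.
-- Existing connections are not severed, and internal stage buckets
-- remain publicly reachable, as listed earlier on this page.
SELECT SYSTEM$ENFORCE_PRIVATELINK_ACCESS_ONLY();
```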

                                  Restore public access to your privatelink-only accounts

                                  To restore public access to all Snowflake service endpoints in your Snowflake account, call the SYSTEM$DISABLE_PRIVATELINK_ACCESS_ONLY function.

                                  Restrict access to the function that restores public access

                                  Customers who want to restrict their account administrators from restoring public access for inbound network traffic must request that Snowflake modify their account.

                                  To restrict access to the SYSTEM$DISABLE_PRIVATELINK_ACCESS_ONLY function:

                                  1. Contact Snowflake Support.

                                  2. Request that Snowflake restrict access to the SYSTEM$DISABLE_PRIVATELINK_ACCESS_ONLY function for your account.
