Private connectivity to external volumes for Google Cloud

This topic describes how to configure outbound private connectivity to an external volume on Google Cloud Storage (GCS). The primary difference between outbound public connectivity and outbound private connectivity is how you set the USE_PRIVATELINK_ENDPOINT property for the external volume.

When the external volume is configured to use private connectivity, your connection to the Google Cloud Storage service goes through the Google Cloud internal network. Configuring your external volume for outbound private connectivity adds a layer of security to your data-unloading operations by blocking public access to the storage account.

For more information about using external volumes to connect to your external cloud storage for Iceberg tables, see Configure an external volume.

Note

You can use Google Cloud Private Service Connect to access Snowflake-managed Iceberg tables and Iceberg tables that use a catalog integration for object storage. You currently cannot use private connectivity to access Iceberg tables that use other catalog integrations.

Outbound private connectivity costs

You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.

You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:

  • OUTBOUND_PRIVATELINK_ENDPOINT

  • OUTBOUND_PRIVATELINK_DATA_PROCESSED

For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.
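As an added example (not part of the Snowflake documentation), the following query totals the daily cost of the two outbound private connectivity service types per account. It assumes the ORGANIZATION_USAGE.USAGE_IN_CURRENCY_DAILY view exposes the columns USAGE_DATE, ACCOUNT_NAME, USAGE_TYPE, USAGE_IN_CURRENCY and CURRENCY, and that USAGE_TYPE stores the service type names listed above.

```sql
-- Added example: daily cost of outbound private connectivity, per account.
-- Assumes the view and column names named in the lead-in.
SELECT
  usage_date,
  account_name,
  usage_type,                                      -- OUTBOUND_PRIVATELINK_ENDPOINT or
                                                   -- OUTBOUND_PRIVATELINK_DATA_PROCESSED
  SUM(usage_in_currency) AS cost,
  ANY_VALUE(currency)    AS currency
FROM snowflake.organization_usage.usage_in_currency_daily
WHERE usage_type ILIKE 'outbound_privatelink%'     -- case-insensitive match on both service types
  AND usage_date >= DATEADD(day, -30, CURRENT_DATE())
GROUP BY usage_date, account_name, usage_type
ORDER BY usage_date DESC, cost DESC;
```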

Considerations

You can configure outbound public connectivity and outbound private connectivity for the same cloud storage service. If you want to do this, create a dedicated external volume for outbound public connectivity and specify USE_PRIVATELINK_ENDPOINT = FALSE.

Limitations

Outbound private connectivity to Google Cloud Storage volumes does not support multi-region buckets.

Specify private connectivity for an external volume

The USE_PRIVATELINK_ENDPOINT property of an external volume determines whether it is accessed through private connectivity or by traversing the public network. To use private connectivity, set USE_PRIVATELINK_ENDPOINT = TRUE when creating or modifying an external volume, as shown in the following examples.

Use the following syntax to create an external volume:

CREATE OR REPLACE EXTERNAL VOLUME <ext_volume_name>
  STORAGE_LOCATIONS =
  (
    (
      NAME = 'my-gcs-loc'
      STORAGE_PROVIDER = 'gcs'
      STORAGE_BASE_URL = 'gcs://<bucket>/<prefix>/'
      USE_PRIVATELINK_ENDPOINT = [ TRUE | FALSE ]
    )
  )
  ALLOW_WRITES = TRUE;

Use the following syntax to alter an existing external volume:

ALTER EXTERNAL VOLUME <ext_volume_name>
  UPDATE STORAGE_LOCATION = '<storage_location_name>'
  USE_PRIVATELINK_ENDPOINT = [ TRUE | FALSE ];

The DESCRIBE EXTERNAL VOLUME command includes the USE_PRIVATELINK_ENDPOINT property and its value.

Provision a private endpoint

Use the following steps to provision a private endpoint for your Google Cloud Storage volume:

  1. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. Provide as arguments a regional Storage API endpoint and host name. For example:

    USE ROLE ACCOUNTADMIN;
    
    SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
      'storage.us-east4.rep.googleapis.com',
      'storage.us-east4.rep.googleapis.com');

    Note

    Snowflake supports only Google Cloud regional Storage API endpoints. Google Cloud multi-region buckets aren’t supported.

    Use SYSTEM$PROVISION_PRIVATELINK_ENDPOINT to provision a private endpoint in your Snowflake VNet so that Snowflake can connect to external Google Cloud Storage over private connectivity. Only buckets referenced by an external volume that has the USE_PRIVATELINK_ENDPOINT property enabled can be accessed through the endpoint.

  2. In Snowflake, call the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO function.

    When the output of SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO includes "status": "APPROVED", your connection from Snowflake to your storage account can use private connectivity.

    You can continue with the next steps while awaiting the "APPROVED" status.
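The status check in step 2, written as a query that you can rerun until the endpoint is ready (an added example, not part of the Snowflake documentation). It assumes that SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO returns a JSON array whose elements carry a "host" field alongside the "status" field described above; the host value is the regional Storage API endpoint provisioned in step 1.

```sql
-- Added example: is the private endpoint for the regional Storage API host APPROVED?
-- Assumes each element of the returned JSON array has "host" and "status" fields.
WITH endpoints AS (
  SELECT PARSE_JSON(SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO()) AS info
)
SELECT
  e.value:host::STRING   AS host,
  e.value:status::STRING AS status,
  -- Only an APPROVED endpoint carries traffic privately; anything else means keep waiting.
  IFF(e.value:status::STRING = 'APPROVED', 'ready for private unload', 'not yet approved') AS verdict
FROM endpoints,
     LATERAL FLATTEN(INPUT => endpoints.info) e
WHERE e.value:host::STRING = 'storage.us-east4.rep.googleapis.com';
```

An empty result means no endpoint has been provisioned for that host, so the external volume would still fail to reach the bucket privately.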

Configure external volume access

Use the following steps to configure private connectivity to your external storage volume:

  1. Create the external volume, and set the USE_PRIVATELINK_ENDPOINT property to TRUE. For example:

    CREATE EXTERNAL VOLUME external_volume
      STORAGE_LOCATIONS =
      (
        (
          NAME = 'my-gcs-loc'
          STORAGE_PROVIDER = 'gcs'
          STORAGE_BASE_URL = 'gcs://<bucket>/<prefix>/'
          USE_PRIVATELINK_ENDPOINT = TRUE
        )
      )
      ALLOW_WRITES = TRUE;

  2. Use the CREATE ICEBERG TABLE command to create an Iceberg table that references the external volume. For example:

    CREATE ICEBERG TABLE rand_table (data STRING)
      BASE_LOCATION = 'table'
      EXTERNAL_VOLUME = external_volume
      CATALOG = 'snowflake';

  3. After the private endpoint has “APPROVED” status, test unloading data from Snowflake to the external volume.

Disable private connectivity

If you no longer require private connectivity for the external volume, set the USE_PRIVATELINK_ENDPOINT property for the volume to FALSE, and then call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to deprovision the endpoint. For example:

ALTER EXTERNAL VOLUME <ext_volume_name>
  UPDATE STORAGE_LOCATION = '<storage_location_name>'
  USE_PRIVATELINK_ENDPOINT = FALSE;

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('storage.us-east4.rep.googleapis.com');