Set up external access for Snowflake Notebooks

By default, Snowflake restricts network traffic requests from external endpoints. In order to access external endpoints, you need to create an external network access integration. This topic describes how you can set up external network access for your notebook.

Enable existing external access integrations (EAI)

Note

This must be executed using the ACCOUNTADMIN role.

  1. Sign in to Snowsight.

  2. Select Projects » Notebooks.

  3. To access the external access configuration, select the more actions for worksheet on the top right of your notebook.

  4. Select Notebook settings and select the External access pane.

  5. You will see a list of external access integrations that is available to you. You can select the toggles next to each integration to enable or disable them.

Provision external access integration

External access integrations, alongside their underlying network rules, need to be created and provisioned by an organization admin.

Create external access integration

There are two steps in creating an external access integration for notebooks.

  1. Create a network rule to define a set of IP addresses or domains using the CREATE NETWORK RULE command.

  2. Create an external access integration to specify the allowed list of network rules using the CREATE EXTERNAL ACCESS INTEGRATION command.

The following examples show how to set up external access for common data science and machine learning sites.

Create an external access integration for PyPI:

CREATE OR REPLACE NETWORK RULE pypi_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('pypi.org', 'pypi.python.org', 'pythonhosted.org',  'files.pythonhosted.org');

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION pypi_access_integration
ALLOWED_NETWORK_RULES = (pypi_network_rule)
ENABLED = true;
Copy

Create an external access integration for HuggingFace:

CREATE OR REPLACE NETWORK RULE hf_network_rule
MODE = EGRESS
TYPE = HOST_PORT
VALUE_LIST = ('huggingface.co', 'cdn-lfs.huggingface.co');

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION hf_access_integration
ALLOWED_NETWORK_RULES = (hf_network_rule)
ENABLED = true;
Copy

Allow all network access with one external access integration:

CREATE OR REPLACE NETWORK RULE allow_all_rule
MODE= 'EGRESS'
TYPE = 'HOST_PORT'
VALUE_LIST = ('0.0.0.0:443','0.0.0.0:80');

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION allow_all_integration
ALLOWED_NETWORK_RULES = (allow_all_rule)
ENABLED = true;
Copy

Provision external access integration

After you create the EAIs, you must grant the USAGE privilege on the integration to an account role.

You can grant the USAGE privilege on the integrations with the following commands:

GRANT USAGE ON INTEGRATION pypi_access_integration TO ROLE my_notebook_role;
GRANT USAGE ON INTEGRATION hf_access_integration TO ROLE my_notebook_role;
GRANT USAGE ON INTEGRATION allow_all_access_integration TO ROLE my_notebook_role;
Copy

Note

It is important to grant the USAGE privilege on the integration to the role that creates the notebooks. USAGE granted to the PUBLIC role will not work.

For detailed syntax, see external network access.

Enable integrations

After you create and provision EAIs, make sure to restart the notebook session. Now, you should see the access integrations you created in the external access pane. To enable the new integrations, see Enable existing external access integrations (EAI).

Additional resources

Language: English