Private connectivity for Notebooks in Workspaces

This topic describes how to use AWS PrivateLink, Azure Private Link, or Google Private Service Connect when accessing Notebooks in Workspaces.

Google Cloud Private Service Connect prerequisites

To access Notebooks in Workspaces with Google Private Service Connect:

  1. Set up private connectivity for your Snowflake account.

  2. Set up private connectivity for Snowsight.

In addition, your account must already use Streamlit in Snowflake over Google Private Service Connect.

Configure access to Notebooks in Workspaces

  • To determine the hostname, call SYSTEM$GET_PRIVATELINK_CONFIG in your Snowflake account. Use the value returned for the app-service-privatelink-url key. This URL is used to route traffic to Snowflake-hosted app services, including Snowflake Notebooks, over AWS PrivateLink, Azure Private Link, or Google Private Service Connect.

Note

You can set up a new VPC endpoint for Notebooks in Workspaces, or create a DNS record that points to the same VPC endpoint as your Snowflake account, as shown in the following example:

  • Record name: *.abcd.privatelink.snowflake.app

  • Type: CNAME

  • Route traffic to: same VPC as your Snowflake traffic.

Hostname routing at an account level is currently not supported.

Security considerations

Notebooks serve both HTTPS traffic and encrypted WebSocket traffic. The Notebooks browser client application is contained in a third-party, cross-origin iframe within Snowsight. This enables strict cross-site browser isolation control.

Notebooks in Workspaces use a separate URL scheme for specific security requirements. Notebook URLs have their own top-level domain that does not share any elements with Snowsight. Each notebook has a unique origin.

Note

When using AWS PrivateLink, Azure Private Link, or Google Private Service Connect, you control the DNS resolution; Snowflake does not control private connectivity DNS records.
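Because the DNS records are yours to maintain, it is worth confirming that names under the wildcard record from the configuration step resolve only to your endpoint's private addresses. The following Python check is an added example, not Snowflake code; the `probe` label, the RFC 1918 default ranges, and the sample JSON and addresses are assumptions constructed for illustration.

```python
import ipaddress
import json
import socket

# Assumption: endpoint IPs are in RFC 1918 space; pass your own VPC CIDRs if not.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def app_service_suffix(config_json):
    """Domain from the app-service-privatelink-url key, without any leading '*.'."""
    value = json.loads(config_json)["app-service-privatelink-url"]
    host = value.split("://", 1)[-1].strip().rstrip("/.").lower()
    return host[2:] if host.startswith("*.") else host

def system_resolver(hostname):
    """Resolve through the local DNS configuration, i.e. the records you control."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_private_resolution(config_json, label="probe", resolve=system_resolver,
                             allowed_cidrs=RFC1918):
    """Report whether <label>.<suffix> resolves only inside allowed_cidrs."""
    suffix = app_service_suffix(config_json)
    hostname = f"{label}.{suffix}"  # hypothetical label; the wildcard covers any
    try:
        addresses = resolve(hostname)
    except socket.gaierror:
        addresses = []  # no record found for this name
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    outside = [a for a in addresses
               if not any(ipaddress.ip_address(a) in net for net in networks)]
    if not addresses:
        status = "unresolved"
    elif outside:
        status = "not-private"  # at least one answer leaves the private path
    else:
        status = "private"
    return {"record_name": f"*.{suffix}", "hostname": hostname,
            "addresses": addresses, "outside": outside, "status": status}

if __name__ == "__main__":
    # Constructed sample: only the key named on this page, with its example domain.
    sample = '{"app-service-privatelink-url": "*.abcd.privatelink.snowflake.app"}'
    # Constructed resolver answers so the demo runs offline.
    print(check_private_resolution(sample, resolve=lambda h: ["10.0.1.25"]))
    print(check_private_resolution(sample, resolve=lambda h: ["203.0.113.10"]))
```

Run it without the `resolve` argument from a host inside the VPC to test the live records, passing the JSON string returned by SYSTEM$GET_PRIVATELINK_CONFIG.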