Private connectivity for Snowflake Notebooks
This topic describes using AWS PrivateLink or Azure Private Link when accessing Snowflake Notebooks. This feature is available in both warehouse and container runtimes.
AWS PrivateLink prerequisites
To access Snowflake Notebooks with AWS PrivateLink:
Set up private connectivity for your Snowflake account.
Set up private connectivity for Snowsight.
In addition, the customer account must be:
In an AWS commercial region.
Already using Streamlit in Snowflake over AWS PrivateLink. Notebooks relies on the Streamlit engine for execution and uses Streamlit widgets to render cell outputs.
Azure Private Link prerequisites
To access Snowflake Notebooks with Azure Private Link:
Set up private connectivity for your Snowflake account.
Set up private connectivity for Snowsight.
In addition, the customer account must be:
In an Azure commercial region.
Already using Streamlit in Snowflake over Azure Private Link. Notebooks relies on the Streamlit engine for execution and uses Streamlit widgets to render cell outputs.
Configure access to Snowflake Notebooks
To determine the hostname:
Call SYSTEM$GET_PRIVATELINK_CONFIG in your Snowflake account. The Notebooks hostname is displayed under the app-service-privatelink-url key, which is the wildcard URL required for routing Notebooks application traffic through AWS PrivateLink or Azure Private Link.
Note
You can set up a new VPC endpoint for Notebooks or create a DNS record that points to the same VPC endpoint as your Snowflake account, as shown in the following example:
Record name: *.abcd.privatelink.snowflake.app
Type: CNAME
Route traffic to: same VPC as your Snowflake traffic.
Hostname routing at an account level is currently not supported.
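The following Python sketch is an added example, not part of Snowflake's documentation: it reads the app-service-privatelink-url key from SYSTEM$GET_PRIVATELINK_CONFIG output and checks that a name under the wildcard resolves only to private addresses, which is what the CNAME record above should produce. The sample JSON, the probe label, the helper names and the assumption that the VPC endpoint uses RFC 1918 address space are assumptions of this example.

```python
import ipaddress
import json
import socket

# Constructed sample of SYSTEM$GET_PRIVATELINK_CONFIG output, reduced to the
# one key this page names; the value is the page's example record name.
SAMPLE_CONFIG = '{"app-service-privatelink-url": "*.abcd.privatelink.snowflake.app"}'

# Assumption: the VPC endpoint's addresses come from RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def notebooks_wildcard(config_json):
    """Return the wildcard hostname stored under app-service-privatelink-url."""
    value = json.loads(config_json).get("app-service-privatelink-url", "")
    value = value.strip().lower().rstrip(".")
    if not value.startswith("*.") or ".privatelink." not in value:
        raise ValueError("unexpected app-service-privatelink-url: %r" % value)
    return value

def system_resolver(host):
    """Resolve with the machine's own DNS settings; no answer gives []."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_private_routing(wildcard, label="probe", resolve=system_resolver):
    """Resolve one name under the wildcard and flag each address as private.

    `label` is a hypothetical placeholder: a wildcard record answers for any
    single label, so the real notebook hostname is not needed for the check.
    """
    host = label + wildcard[1:]  # "*.abcd..." -> "probe.abcd..."
    answers = []
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        answers.append((addr, any(ip in net for net in RFC1918)))
    return host, answers

def routed_privately(answers):
    """True only when there is at least one answer and none is public."""
    return bool(answers) and all(private for _, private in answers)

if __name__ == "__main__":
    host, answers = check_private_routing(notebooks_wildcard(SAMPLE_CONFIG))
    print(host, answers, "OK" if routed_privately(answers) else "NOT PRIVATE")
```

Run it from a client inside the VPC or VNet that should reach Notebooks privately; a public or empty answer means the wildcard record is missing or not in effect for that client's resolver.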
Security considerations
Notebooks apps serve both HTTPS-encrypted traffic and WebSocket-encrypted traffic. The Notebooks browser client application is mounted in a third-party, cross-origin iframe within Snowsight. This enables strict cross-site browser isolation control.
Snowflake Notebooks use a separate URL scheme for specific security requirements. Notebook URLs have their own top-level domain that does not share any elements with Snowsight. Each notebook has a unique origin.
Note
When using AWS PrivateLink or Azure Private Link, you control the DNS resolution; no AWS PrivateLink or Azure Private Link DNS records are controlled by Snowflake.