AWS PrivateLink et Snowflake¶
This topic describes how to configure AWS PrivateLink to directly connect your Snowflake account to one or more AWS Virtual Private Clouds (VPCs).
Dans ce chapitre :
AWS PrivateLink: Overview¶
AWS PrivateLink is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public internet. AWS PrivateLink connectivity supports VPC endpoint services and AWS VPCs that are located in the same or in different AWS regions. Cross-region connectivity for AWS PrivateLink allows you to use a custom endpoint service to connect a Snowflake account in a region that is different from your AWS VPC region. Cross-region connectivity isn’t currently supported for any platform as a service (PaaS) services, such as Amazon Simple Storage Service (Amazon S3) or key management service (KMS).
Pour plus d’informations, voir la page de blog AWS intitulée Présentation de la connectivité interrégionale pour AWS PrivateLink.
When writing external functions, you can also use AWS PrivateLink with private endpoints.
If you have an on-premises environment, such as a non-hosted data center, you can use AWS Direct Connect with AWS PrivateLink to connect all your virtual and physical environments in a single, private network.
Note
AWS Direct Connect est un service AWS distinct qui doit être mis en œuvre indépendamment d’AWS PrivateLink et n’est pas abordé dans ce chapitre. Pour plus d’informations sur la mise en œuvre de AWS Direct Connect, contactez Amazon.
Enable AWS PrivateLink¶
Note
The self-service enablement process in this section doesn’t currently support authorizing an AWS account identifier from a managed cloud service or a third-party vendor.
To authorize an AWS account identifier for this use case, please retrieve the AWS account identifier from the vendor, and then contact Snowflake Support.
Pour activer AWS PrivateLink pour votre compte Snowflake, effectuez les étapes suivantes :
Générez un jeton fédéré, puis enregistrez la sortie.
To generate a token, run the AWS CLI STS command on the command line.
get-federation-tokenrequires either an identity and access management user in AWS or the AWS account root user. For details, refer to the AWS documentation.Important
The federated token expires after 12 hours. If you call any of the system functions to authorize, verify, or disable your Snowflake account to use AWS PrivateLink and the token has expired, regenerate the token by running the AWS CLI STS command again.
aws sts get-federation-token --name sam
Dans une étape ultérieure, vous fournirez la sortie de cette commande comme argument
federated_tokenpour la fonction SYSTEM$AUTHORIZE_PRIVATELINK.From your generated token, extract the value of the
"FederatedUserId"field. For example, if your token contains the following values:{ ... "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }
Extract
185.... In the next step, you provide this 12-digit number as theaws_idargument for the SYSTEM$AUTHORIZE_PRIVATELINK function.
Using the ACCOUNTADMIN Snowflake system role, call the SYSTEM$AUTHORIZE_PRIVATELINK function to authorize (enable) AWS PrivateLink for your Snowflake account:
SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '<aws_id>' , '<federated_token>' );
Où :
'aws_id'L’identificateur à 12 chiffres qui identifie de manière unique votre compte Amazon Web Services (AWS) sous forme de chaîne.
'federated_token'La valeur du jeton fédéré qui contient les identifiants d’accès pour un utilisateur fédéré sous forme de chaîne.
Par exemple :
USE ROLE ACCOUNTADMIN; SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '185...', '{ "Credentials": { "AccessKeyId": "ASI...", "SecretAccessKey": "enw...", "SessionToken": "Fwo...", "Expiration": "2021-01-07T19:06:23+00:00" }, "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }' );
To verify your configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on AWS. This function uses the same argument values for
'aws_id'and'federated_token'that were used to authorize your Snowflake account.SYSTEM$GET_PRIVATELINK returns
Account is authorized for PrivateLink.for a successful authorization.Optional: If you need to disable AWS PrivateLink in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function by using the same argument values for
'aws_id'and'federated_token'.
To further harden your security posture, Snowflake recommends pinning private endpoints for your Snowflake account. For more information, see Épingler les points de terminaison de la connectivité privée pour le trafic entrant.
Configure your AWS VPC environment¶
Attention
This section covers only the Snowflake-specific details for configuring your VPC environment.
Snowflake isn’t responsible for the actual configuration of the required AWS VPC endpoints, security group rules, and Domain Name System (DNS) records. If you encounter issues with any of these configuration tasks, please contact AWS Support.
Create and configure your AWS VPC endpoint¶
To create and configure a VPC endpoint in your AWS VPC environment, complete the following steps:
In your Snowflake account, use the ACCOUNTADMIN system role to call the SYSTEM$GET_PRIVATELINK_CONFIG function, and then record the
privatelink-vpce-idvalue.In your AWS environment, create a VPC endpoint by using the
privatelink-vpce-idvalue from the previous step.Note
Si la région Snowflake de votre point de terminaison VPC est différent de la région de votre VPC AWS, vous devez effectuer deux sélections qui activent la connectivité interrégionale. Dans la console VPC AWS, sélectionnez Enable Cross Region endpoint, puis sélectionnez la région principale du service dans Service Settings » Service Region.
Pour des instructions complètes, voir la procédure de configuration étape par étape pour configurer la connectivité interrégionale dans la documentation d’AWS.
Dans votre environnement AWS, autorisez un groupe de services de sécurité qui connectent la connexion sortante Snowflake aux ports
443et80du CIDR (Classless Inter-Domain Routing) du VPCE.
For more information, see the following topics in the AWS documentation:
Configurer votre réseau VPC¶
To access Snowflake by using an AWS PrivateLink endpoint, you must create Canonical Name (CNAME) records in your DNS to resolve the appropriate endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function to the DNS name of your VPC endpoint.
Les valeurs à obtenir à partir de la sortie de SYSTEM$GET_PRIVATELINK_CONFIG dépendent des fonctions de Snowflake auxquelles vous accédez en utilisant une connexion privée. Pour une description des valeurs possibles, voir Valeurs de retour.
Notez que les valeurs pour regionless-snowsight-privatelink-url et snowsight-privatelink-url permettent l’accès à Snowsight et Snowflake Marketplace en utilisant une connectivité privée. Cependant, il y a une configuration supplémentaire si vous voulez activer les redirections d’URL. Pour plus d’informations, consultez Snowsight & Connectivité privée.
Pour obtenir de l’aide supplémentaire sur la configuration de DNS, veuillez contacter votre administrateur AWS interne.
Important
The structure of the Online Certificate Status Protocol (OCSP) cache server host name depends on the version of your installed clients, as described in Configure your Snowflake clients:
If you use the listed version or a later version, use the format shown in Configure your Snowflake clients, which enables better DNS resolution when you have multiple Snowflake accounts — for example, dev, test, and production — in the same region. When updating client drivers and using OCSP with PrivateLink, update the firewall rules to allow the OCSP host name.
If you use an earlier client version, then the OCSP cache server host name takes the form
ocsp.region_id.privatelink.snowflakecomputing.comwithout an account identifier.Your DNS record must resolve to private IP addresses within your VPC. If it resolves to public IP addresses, the record isn’t configured correctly.
Créer des points de terminaison d’interface VPC AWS pour Amazon S3¶
This step is required for Amazon S3 traffic from Snowflake clients to stay on the AWS backbone. Snowflake clients, such as SnowSQL and JDBC driver, require access to Amazon S3 to perform various runtime operations.
If your AWS VPC network doesn’t allow access to the public internet, you can configure private connectivity to internal stages or more gateway endpoints to the Amazon S3 host names required by the Snowflake clients.
There are three options to configure access to Amazon S3. The first two options avoid the public internet and the third option uses the public internet:
Configurer un point de terminaison d’interface AWS VPC pour des zones de préparation internes. Cette option est recommandée.
Configure an Amazon S3 gateway endpoint. For more information, see the following Attention section.
Don’t configure an interface endpoint or a gateway endpoint. This results in access that uses the public internet.
Attention
To prevent communications between an Amazon S3 bucket and an AWS VPC with Snowflake from using the public internet, you can set up an Amazon S3 gateway endpoint in the same AWS region as the Amazon S3 bucket. This prevents communications on the public internet because AWS PrivateLink only allows communications between VPCs, and the Amazon S3 bucket isn’t included in the VPC.
You can configure the Amazon S3 gateway endpoint to limit access to specific users, Amazon S3 resources, routes, and subnets; however, Snowflake doesn’t require this configuration. For more information, see Gateway endpoints for Amazon S3.
To limit Amazon S3 gateways to use only Amazon S3 resources for Snowflake, choose one of the following options:
Use the specific Amazon S3 host name addresses that is used by your Snowflake account in your AWS endpoint policies. For the complete list of host names that are used by your account, see SYSTEM$ALLOWLIST.
Use an Amazon S3 host name pattern that matches the Snowflake S3 host names in your AWS endpoint policies. With this option, there are two possible types of connections to Snowflake: VPC-to-VPC or On-Premises-to-VPC.
Based on your connection type, complete the following instructions:
- VPC-à-VPC:
Ensure that the Amazon S3 gateway endpoint exists. Optionally modify the Amazon S3 gateway endpoint policy to match the specific host name patterns that are shown in the following Amazon S3 Hostnames table.
- Sur-site-à-VPC:
Define a setup to include the Amazon S3 host name patterns in the firewall or proxy configuration if Amazon S3 traffic isn’t permitted on the public gateway.
Si vous n’exigez pas que les points de terminaison de votre passerelle correspondent explicitement aux compartiments S3 gérés par Snowflake de votre compte, vous pouvez utiliser les modèles de noms d’hôte Amazon S3 indiqués dans le tableau suivant pour créer des points de terminaison de passerelle :
Noms d’hôtes Amazon S3
Remarques
Toutes les régions
sfc-*-stage.s3.amazonaws.com:443None.
Toutes les régions autres que US Est
sfc-*-stage.s3-<id_région>.amazonaws.com:443The pattern uses a hyphen (
-) before the region ID.sfc-*-stage.s3.<id_région>.amazonaws.com:443The pattern uses a period (
.) before the region ID.
For information about creating gateway endpoints, see Gateway VPC endpoints.
Se connecter à Snowflake¶
Before you connect to Snowflake, you can optionally use the Snowflake Connectivity Diagnostic tool (SnowCD) to evaluate the network connection with Snowflake and AWS PrivateLink.
Pour plus d’informations, voir SnowCD et SYSTEM$ALLOWLIST_PRIVATELINK.
Sinon, connectez-vous à Snowflake avec votre URL de compte de connectivité privée.
If you want to connect to Snowsight through AWS PrivateLink, follow the instructions in the Snowsight documentation.
Block public access — Recommended¶
After you test private connectivity to Snowflake by using AWS PrivateLink, you can optionally block public access to Snowflake. This means that users can access Snowflake only if their connection request originates from an IP address within a particular CIDR block range specified in a Snowflake network policy.
To block public access by using a network policy:
Create a new network policy or edit an existing network policy.
Ajoutez la plage de blocage CIDR pour votre organisation.
Activez la politique réseau pour votre compte.
For more information, see Contrôle du trafic réseau avec des politiques réseau.
Configure your Snowflake clients¶
Les sections suivantes décrivent comment configurer les clients Snowflake pour des cas d’utilisation spécifiques.
S’assurer que les clients Snowflake prennent en charge le serveur de cache OCSP¶
The Snowflake OCSP cache server mitigates connectivity issues between Snowflake clients and the server. To enable your installed Snowflake clients to use the OCSP server cache, ensure that you use the following client versions:
SnowSQL 1.1.57 or later
Python Connector 1.8.2 or later
JDBC Driver 3.8.3 or later
ODBC Driver 2.19.3 or later
Note
The Snowflake OCSP cache server listens on port 80, which is why you were instructed in Create and configure your AWS VPC endpoint
to configure your AWS PrivateLink VPCE security group to accept both port 80 and port 443, which is required for all other
Snowflake traffic.
Specify a host name for Snowflake clients¶
Each Snowflake client requires a host name to connect to your Snowflake account.
The host name is the same as the host name that you specified in the CNAME records in Configurer votre réseau VPC.
This step isn’t applicable to access the Snowflake Marketplace.
Par exemple, pour un compte nommé xy12345 :
If the account is in US West, the host name is
xy12345.us-west-2.privatelink.snowflakecomputing.com.If the account is in EU (Frankfurt), the host name is
xy12345.eu-central-1.privatelink.snowflakecomputing.com.
Important
The method for specifying the host name differs depending on the client:
For the Spark connector and the ODBC and JDBC drivers, specify the entire host name.
For all the other clients, don’t specify the entire host name. Instead, specify the account identifier with the
privatelinksegment, which is<account_identifier>.privatelink. Snowflake concatenates this name withsnowflakecomputing.comto dynamically construct the host name.
For more information about specifying the account name or host name for a Snowflake client, see the documentation for each client.
Utilisation de SSO avec AWS PrivateLink¶
Snowflake prend en charge l’utilisation de SSO avec AWS PrivateLink. Pour plus d’informations, voir :
Utilisation de la redirection des clients avec AWS PrivateLink¶
Snowflake prend en charge l’utilisation de la redirection des clients avec AWS PrivateLink.
Pour plus d’informations, voir Redirection des connexions des clients.
Utilisation de la réplication et de Tri-Secret Secure avec une connectivité privée¶
Snowflake prend en charge la réplication de vos données du compte source vers le compte cible, que vous activiez ou non Tri-Secret Secure ou cette fonctionnalité dans le compte cible.
Résolution des problèmes¶
Pour résoudre les problèmes que vous pourriez rencontrer avec PrivateLink, consultez les articles suivants de la communauté Snowflake :