AWS PrivateLink とSnowflake¶

This topic describes how to configure AWS PrivateLink to directly connect your Snowflake account to one or more AWS Virtual Private Clouds (VPCs).

このトピックの内容:

AWS PrivateLink: Overview¶

AWS PrivateLink is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public internet. AWS PrivateLink connectivity supports VPC endpoint services and AWS VPCs that are located in the same or in different AWS regions. Cross-region connectivity for AWS PrivateLink allows you to use a custom endpoint service to connect a Snowflake account in a region that is different from your AWS VPC region. Cross-region connectivity isn't currently supported for any platform as a service (PaaS) services, such as Amazon Simple Storage Service (Amazon S3) or key management service (KMS).

For more information, see the AWS blog page, Introducing Cross-Region Connectivity for AWS PrivateLink. For information about finding the region names for your account, see Find the cloud-provider's name of the region for your account.

When writing external functions, you can also use AWS PrivateLink with private endpoints.

If you have an on-premises environment, such as a non-hosted data center, you can use AWS Direct Connect with AWS PrivateLink to connect all your virtual and physical environments in a single, private network.

注釈

AWS Direct Connectは独立した AWS のサービスで、 AWS PrivateLink とは独立して実装する必要があり、このトピックの範囲外です。AWS Direct Connectの実装については、Amazonにお問い合わせください。

Enable AWS PrivateLink¶

注釈

The self-service enablement process in this section doesn't currently support authorizing an AWS account identifier from a managed cloud service or a third-party vendor.

To authorize an AWS account identifier for this use case, please retrieve the AWS account identifier from the vendor, and then contact Snowflake Support.

Snowflakeアカウントで AWS PrivateLink を有効にするには、次のステップを実行します。

フェデレーション認証済みトークンを生成し、出力を保存します。
1. To generate a token, run the AWS CLI STS command on the command line. get-federation-token requires either an identity and access management user in AWS or the AWS account root user. For details, refer to the AWS documentation.
  
  重要
  
  The federated token expires after 12 hours. If you call any of the system functions to authorize, verify, or disable your Snowflake account to use AWS PrivateLink and the token has expired, regenerate the token by running the AWS CLI STS command again.
  aws sts get-federation-token --name sam
  Copy
  後のステップで、このコマンドの出力を SYSTEM$AUTHORIZE_PRIVATELINK 関数の federated_token 引数として指定します。
2. From your generated token, extract the value of the "FederatedUserId" field. For example, if your token contains the following values:
  { ... "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }
  Copy
  Extract 185.... In the next step, you provide this 12-digit number as the aws_id argument for the SYSTEM$AUTHORIZE_PRIVATELINK function.
Using the ACCOUNTADMIN Snowflake system role, call the SYSTEM$AUTHORIZE_PRIVATELINK function to authorize (enable) AWS PrivateLink for your Snowflake account:
```
SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '<aws_id>' , '<federated_token>' );
```
Copy
条件:
- 'aws_id'
  
  Amazon Web Services（AWS）アカウントを文字列として一意に識別する12桁の識別子。
- 'federated_token'
  
  フェデレーションユーザーのアクセス認証情報を文字列として含むフェデレーショントークン値。
例:
```
USE ROLE ACCOUNTADMIN;

SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
  '185...',
    '{
      "Credentials": {
        "AccessKeyId": "ASI...",
        "SecretAccessKey": "enw...",
        "SessionToken": "Fwo...",
        "Expiration": "2021-01-07T19:06:23+00:00"
      },
      "FederatedUser": {
        "FederatedUserId": "185...:sam",
        "Arn": "arn:aws:sts::185...:federated-user/sam"
      },
      "PackedPolicySize": 0
     }'
  );
```
Copy
To verify your configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on AWS. This function uses the same argument values for 'aws_id' and 'federated_token' that were used to authorize your Snowflake account.

SYSTEM$GET_PRIVATELINK returns Account is authorized for PrivateLink. for a successful authorization.
Optional: If you need to disable AWS PrivateLink in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function by using the same argument values for 'aws_id' and 'federated_token'.

To further harden your security posture, Snowflake recommends pinning private endpoints for your Snowflake account. For more information, see インバウンドトラフィックのプライベート接続エンドポイントのピン留め.

Configure your AWS VPC environment¶

注意

This section covers only the Snowflake-specific details for configuring your VPC environment.

Snowflake isn't responsible for the actual configuration of the required AWS VPC endpoints, security group rules, and Domain Name System (DNS) records. If you encounter issues with any of these configuration tasks, please contact AWS Support.

Create and configure your AWS VPC endpoint¶

To create and configure a VPC endpoint in your AWS VPC environment, complete the following steps:

In your Snowflake account, use the ACCOUNTADMIN system role to call the SYSTEM$GET_PRIVATELINK_CONFIG function, and then record the privatelink-vpce-id value.
In your AWS environment, create a VPC endpoint by using the privatelink-vpce-id value from the previous step.

注釈

If the Snowflake region of your VPC endpoint is different from the region of your AWS VPC, you must make two selections that enable cross-region connectivity. In the AWS VPC Console, select Enable Cross Region endpoint, and then select the primary region of the service in Service Settings » Service Region.

詳細な手順については、 AWS ドキュメントのクロスリージョン接続の構成の詳細な設定手順をご参照ください。

For instructions that describe how to find the region name of your account, see Find the cloud-provider's name of the region for your account.
AWS 環境で、Snowflakeの送信接続を VPCE CIDR （クラスレスドメイン間ルーティング）のポート 443 および 80 に接続する、サービスのセキュリティグループを承認します。

For more information, see the following topics in the AWS documentation:

Find the cloud-provider's name of the region for your account¶

Snowflake and the cloud provider that hosts your Snowflake account use similar, but different names for the region that hosts the Snowflake service. You can use system functions to find region names that you use to establish connectivity across regions. To determine the cloud-provider's name of the region that hosts your Snowflake account, take the following steps:

Run the CURRENT_REGION and SHOW REGIONS commands.
In the output returned by SHOW REGIONS, find a row that shows a value in the snowflake_region column that matches the output returned by SELECT CURRENT REGION.

The value in this row's region column is the cloud-provider's name of the region that hosts your Snowflake account.

In the following example, us-west-2 is the cloud-provider's name of the region that hosts the Snowflake account named AWS_US_WEST.

SELECT CURRENT_REGION();

Copy

Output:

+------------------+
| CURRENT_REGION() |
|------------------|
| AWS_US_WEST_2    |
+------------------+

Copy

SHOW REGIONS;

Copy

Output:

+------------------+-------+-----------|-----------------+
| snowflake_region | cloud | region    | display_name    |
|------------------|-------|-----------|-----------------|
| AWS_US_WEST_2    | aws   | us-west-2 | US West (Oregon)|
+------------------+-------+-----------+-----------------+

Copy

VPC ネットワークを構成する¶

To access Snowflake by using an AWS PrivateLink endpoint, you must create Canonical Name (CNAME) records in your DNS to resolve the appropriate endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function to the DNS name of your VPC endpoint.

SYSTEM$GET_PRIVATELINK_CONFIG の出力から取得する値は、プライベート接続を使用してアクセスするSnowflakeの機能によって異なります。取り得る値の説明については、戻り値を参照してください。

regionless-snowsight-privatelink-url と snowsight-privatelink-url の値により、プライベート接続を使用して Snowsight と Snowflake Marketplace にアクセスできることに注意してください。ただし、 URL リダイレクトを有効にする場合は、追加の構成があります。情報については、 Snowsightおよびプライベート接続をご覧ください。

DNS 構成の詳細については、内部の AWS 管理者にお問い合わせください。

重要

The structure of the Online Certificate Status Protocol (OCSP) cache server host name depends on the version of your installed clients, as described in Configure your Snowflake clients:

If you use the listed version or a later version, use the format shown in Configure your Snowflake clients, which enables better DNS resolution when you have multiple Snowflake accounts --- for example, dev, test, and production --- in the same region. When updating client drivers and using OCSP with PrivateLink, update the firewall rules to allow the OCSP host name.
If you use an earlier client version, then the OCSP cache server host name takes the form ocsp.region_id.privatelink.snowflakecomputing.com without an account identifier.
Your DNS record must resolve to private IP addresses within your VPC. If it resolves to public IP addresses, the record isn't configured correctly.

ステップ3:Amazon S3用 AWS VPC インターフェイスエンドポイントを作成する¶

This step is required for Amazon S3 traffic from Snowflake clients to stay on the AWS backbone. The Snowflake clients (such as Snowflake CLI, SnowSQL, JDBC driver, and so on) require access to Amazon S3 to perform various runtime operations.

If your AWS VPC network doesn't allow access to the public internet, you can configure private connectivity to internal stages or more gateway endpoints to the Amazon S3 host names required by the Snowflake clients.

There are three options to configure access to Amazon S3. The first two options avoid the public internet and the third option uses the public internet:

内部ステージの AWS VPC インターフェイスエンドポイントを構成します。このオプションをお勧めします。
Configure an Amazon S3 gateway endpoint. For more information, see the following Attention section.
Don't configure an interface endpoint or a gateway endpoint. This results in access that uses the public internet.

注意

To prevent communications between an Amazon S3 bucket and an AWS VPC with Snowflake from using the public internet, you can set up an Amazon S3 gateway endpoint in the same AWS region as the Amazon S3 bucket. This prevents communications on the public internet because AWS PrivateLink only allows communications between VPCs, and the Amazon S3 bucket isn't included in the VPC.

You can configure the Amazon S3 gateway endpoint to limit access to specific users, Amazon S3 resources, routes, and subnets; however, Snowflake doesn't require this configuration. For more information, see Gateway endpoints for Amazon S3.

To limit Amazon S3 gateways to use only Amazon S3 resources for Snowflake, choose one of the following options:

Use the specific Amazon S3 host name addresses that is used by your Snowflake account in your AWS endpoint policies. For the complete list of host names that are used by your account, see SYSTEM$ALLOWLIST.
Use an Amazon S3 host name pattern that matches the Snowflake S3 host names in your AWS endpoint policies. With this option, there are two possible types of connections to Snowflake: VPC-to-VPC or On-Premises-to-VPC.

Based on your connection type, complete the following instructions:

VPC ツー VPC:

Ensure that the Amazon S3 gateway endpoint exists. Optionally modify the Amazon S3 gateway endpoint policy to match the specific host name patterns that are shown in the following Amazon S3 Hostnames table.

オンプレミスツー VPC:

Define a setup to include the Amazon S3 host name patterns in the firewall or proxy configuration if Amazon S3 traffic isn't permitted on the public gateway.

ゲートウェイエンドポイントがアカウントのSnowflake管理S3バケットと明示的に一致する必要がない場合は、次の表に示すAmazon S3ホスト名パターンを使用してゲートウェイエンドポイントを作成できます。

Amazon S3ホスト名

メモ

すべての地域

sfc-*-stage.s3.amazonaws.com:443

None.

US 東部以外のすべての地域

sfc-*-stage.s3-<地域ID>.amazonaws.com:443

The pattern uses a hyphen (-) before the region ID.

sfc-*-stage.s3.<地域ID>.amazonaws.com:443

The pattern uses a period (.) before the region ID.

Amazon S3ホスト名	メモ
すべての地域
`sfc-*-stage.s3.amazonaws.com:443`	None.
US 東部以外のすべての地域
`sfc-*-stage.s3-<地域ID>.amazonaws.com:443`	The pattern uses a hyphen (`-`) before the region ID.
`sfc-*-stage.s3.<地域ID>.amazonaws.com:443`	The pattern uses a period (`.`) before the region ID.

For information about creating gateway endpoints, see Gateway VPC endpoints.

Snowflakeに接続する¶

Before you connect to Snowflake, you can optionally use the Snowflake Connectivity Diagnostic tool (SnowCD) to evaluate the network connection with Snowflake and AWS PrivateLink.

詳細については、 SnowCD および SYSTEM$ALLOWLIST_PRIVATELINK をご参照ください。

それ以外の場合は、プライベート接続アカウント URL を使用してSnowflakeに接続します。

If you want to connect to Snowsight through AWS PrivateLink, follow the instructions in the Snowsight documentation.

Block public access --- Recommended¶

After you test private connectivity to Snowflake by using AWS PrivateLink, you can optionally block public access to Snowflake. This means that users can access Snowflake only if their connection request originates from an IP address within a particular CIDR block range specified in a Snowflake network policy.

To block public access by using a network policy:

Create a new network policy or edit an existing network policy.
組織の CIDR ブロック範囲を追加します。
アカウントのネットワークポリシーをアクティブにします。

For more information, see ネットワークポリシーを使用したネットワークトラフィックの制御.

Configure your Snowflake clients¶

以下のセクションでは、特定のユースケースに対応するSnowflakeクライアントの構成方法について説明します。

Snowflakeクライアントが OCSP キャッシュサーバーをサポートしていることを確認する¶

The Snowflake OCSP cache server mitigates connectivity issues between Snowflake clients and the server. To enable your installed Snowflake clients to use the OCSP server cache, ensure that you use the following client versions:

Snowflake CLI 3.0.0 (or higher)
SnowSQL 1.1.57 (or higher)
Python Connector 1.8.2 (or higher)
JDBC Driver 3.8.3 (or higher)
ODBC Driver 2.19.3 (or higher)

注釈

The Snowflake OCSP cache server listens on port 80, which is why you were instructed in Create and configure your AWS VPC endpoint to configure your AWS PrivateLink VPCE security group to accept both port 80 and port 443, which is required for all other Snowflake traffic.

Specify a host name for Snowflake clients¶

Each Snowflake client requires a host name to connect to your Snowflake account.

The host name is the same as the host name that you specified in the CNAME records in VPC ネットワークを構成する.

This step isn't applicable to access the Snowflake Marketplace.

たとえば、 xy12345 という名前のアカウントの場合、

If the account is in US West, the host name is xy12345.us-west-2.privatelink.snowflakecomputing.com.
If the account is in EU (Frankfurt), the host name is xy12345.eu-central-1.privatelink.snowflakecomputing.com.

重要

The method for specifying the host name differs depending on the client:

For the Spark connector and the ODBC and JDBC drivers, specify the entire host name.
For all the other clients, don't specify the entire host name. Instead, specify the account identifier with the privatelink segment, which is <account_identifier>.privatelink. Snowflake concatenates this name with snowflakecomputing.com to dynamically construct the host name.

For more information about specifying the account name or host name for a Snowflake client, see the documentation for each client.

AWS PrivateLink と SSO の併用¶

Snowflakeは、AWS PrivateLinkでSSOの使用をサポートしています。詳細については、次をご参照ください。

AWS PrivateLink でのクライアントリダイレクトの使用¶

Snowflakeは、 AWS PrivateLink でのクライアントリダイレクトの使用をサポートしています。

詳細については、クライアント接続のリダイレクトをご参照ください。

プライベート接続での複製と Tri-Secret Secure の使用¶

Snowflakeは、ターゲットアカウントで Tri-Secret Secure またはこの機能を有効にするかどうかに関係なく、ソースアカウントからターゲットアカウントへのデータの複製をサポートします。

トラブルシューティング¶

PrivateLink で発生する可能性のある問題をトラブルシューティングするには、次のSnowflakeコミュニティの記事をご参照ください。