AWS PrivateLink and Snowflake¶
This topic describes how to configure AWS PrivateLink to directly connect your Snowflake account to one or more AWS Virtual Private Clouds (VPCs).
In this topic:
AWS PrivateLink: Overview¶
AWS PrivateLink is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public internet. AWS PrivateLink connectivity supports VPC endpoint services and AWS VPCs that are located in the same or in different AWS regions. Cross-region connectivity for AWS PrivateLink allows you to use a custom endpoint service to connect a Snowflake account in a region that is different from your AWS VPC region. Cross-region connectivity isn’t currently supported for any platform as a service (PaaS) services, such as Amazon Simple Storage Service (Amazon S3) or key management service (KMS).
For more information, see the AWS blog post `Introducing Cross-Region Connectivity for AWS PrivateLink<https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink>`_.
When writing external functions, you can also use AWS PrivateLink with private endpoints.
If you have an on-premises environment, such as a non-hosted data center, you can use AWS Direct Connect with AWS PrivateLink to connect all your virtual and physical environments in a single, private network.
Note
AWS Direct Connect is a separate AWS service that must be implemented independently of AWS PrivateLink and is outside the scope of this topic. For help with implementing AWS Direct Connect, contact Amazon.
Enable AWS PrivateLink¶
Note
The self-service enablement process in this section doesn’t currently support authorizing an AWS account identifier from a managed cloud service or a third-party vendor.
To authorize an AWS account identifier for this use case, please retrieve the AWS account identifier from the vendor, and then contact Snowflake Support.
To enable AWS PrivateLink for your Snowflake account, complete the following steps:
Generate a federated token, and then save the output.
To generate a token, run the AWS CLI STS command on the command line.
get-federation-token requires either an AWS Identity and Access Management (IAM) user or the AWS account root user. For details, refer to the AWS documentation.
Important
The federated token expires after 12 hours. If you call any of the system functions to authorize, verify, or disable your Snowflake account to use AWS PrivateLink and the token has expired, regenerate the token by running the AWS CLI STS command again.
aws sts get-federation-token --name sam
In a later step, you provide the output of this command as the federated_token argument to the SYSTEM$AUTHORIZE_PRIVATELINK function.
From your generated token, extract the value of the "FederatedUserId" field. For example, if your token contains the following values:
{ ... "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }
Extract 185.... In the next step, you provide this 12-digit number as the aws_id argument for the SYSTEM$AUTHORIZE_PRIVATELINK function.
Using the ACCOUNTADMIN Snowflake system role, call the SYSTEM$AUTHORIZE_PRIVATELINK function to authorize (enable) AWS PrivateLink for your Snowflake account:
SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '<aws_id>' , '<federated_token>' );
Where:
'aws_id' is the 12-digit identifier that uniquely identifies your Amazon Web Services (AWS) account, as a string.
'federated_token' is the federated token value that contains the access credentials for the federated user, as a string.
Example:
USE ROLE ACCOUNTADMIN; SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '185...', '{ "Credentials": { "AccessKeyId": "ASI...", "SecretAccessKey": "enw...", "SessionToken": "Fwo...", "Expiration": "2021-01-07T19:06:23+00:00" }, "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }' );
To verify your configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on AWS. This function uses the same argument values for 'aws_id' and 'federated_token' that were used to authorize your Snowflake account.
SYSTEM$GET_PRIVATELINK returns Account is authorized for PrivateLink. for a successful authorization.
Optional: If you need to disable AWS PrivateLink in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function by using the same argument values for 'aws_id' and 'federated_token'.
To further harden your security posture, Snowflake recommends pinning private endpoints for your Snowflake account. For more information, see Pinning private connectivity endpoints for inbound traffic.
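The three system-function calls above take the same two arguments, and the second one is the raw get-federation-token output, which embeds temporary AWS credentials (AccessKeyId, SecretAccessKey, SessionToken). The following POSIX shell script is an added example, not Snowflake's own tooling: it extracts the 12-digit aws_id from the "FederatedUserId" field, refuses tokens that don't carry one, and emits the AUTHORIZE, GET or REVOKE statement with the token correctly quoted as a Snowflake string literal. SAMPLE_TOKEN is a constructed stand-in for real AWS CLI output, with fake credentials and the account ID 123456789012.

```shell
#!/bin/sh
# Added example, not Snowflake's own code: turn `aws sts get-federation-token`
# output into the SYSTEM$AUTHORIZE_PRIVATELINK / SYSTEM$GET_PRIVATELINK /
# SYSTEM$REVOKE_PRIVATELINK call. SAMPLE_TOKEN is constructed; the credentials
# in it are not real.
SAMPLE_TOKEN='{ "Credentials": { "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "EXAMPLESECRET", "SessionToken": "EXAMPLESESSION", "Expiration": "2021-01-07T19:06:23+00:00" }, "FederatedUser": { "FederatedUserId": "123456789012:sam", "Arn": "arn:aws:sts::123456789012:federated-user/sam" }, "PackedPolicySize": 0 }'

# aws_id_from_token TOKEN_JSON
# Prints the 12-digit account ID that prefixes "FederatedUserId" ("<id>:<name>").
# Fails when no such field exists, so a truncated or mangled paste is caught
# before it reaches Snowflake. Works on single-line and pretty-printed JSON.
aws_id_from_token() {
  fid=$(printf '%s\n' "$1" |
    sed -n 's/.*"FederatedUserId"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\):[^"]*".*/\1/p' |
    head -n 1)
  [ -n "$fid" ] || return 1
  printf '%s\n' "$fid"
}

# sql_quote STRING: double every single quote so STRING is safe inside '...'.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# privatelink_sql FUNCTION TOKEN_JSON
# FUNCTION is AUTHORIZE (enable), GET (verify) or REVOKE (disable); all three
# take the same (aws_id, federated_token) arguments per the steps above.
privatelink_sql() {
  case "$1" in
    AUTHORIZE|GET|REVOKE) ;;
    *) echo "unknown function: $1 (expected AUTHORIZE, GET or REVOKE)" >&2; return 2 ;;
  esac
  aws_id=$(aws_id_from_token "$2") || {
    echo "token has no 12-digit FederatedUserId; regenerate it with aws sts get-federation-token" >&2
    return 1
  }
  printf "USE ROLE ACCOUNTADMIN;\nSELECT SYSTEM\$%s_PRIVATELINK('%s', '%s');\n" \
    "$1" "$aws_id" "$(sql_quote "$2")"
}

# Usage: pipe the output straight into your SQL client instead of saving it,
# because the statement contains the token's temporary AWS credentials.
#   privatelink_sql AUTHORIZE "$(aws sts get-federation-token --name sam --output json)"
```

Because the token is a live credential for up to 12 hours, treat the generated statement as a secret: don't commit it to a script, and prefer piping it into the client over pasting it where shell history or a terminal log would retain it. If the token has expired, the Snowflake function call fails and you must rerun get-federation-token, as the Important note above states.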
Configure your AWS VPC environment¶
Attention
This section covers only the Snowflake-specific details for configuring your VPC environment.
Snowflake isn’t responsible for the actual configuration of the required AWS VPC endpoints, security group rules, and Domain Name System (DNS) records. If you encounter issues with any of these configuration tasks, please contact AWS Support.
Create and configure your AWS VPC endpoint¶
To create and configure a VPC endpoint in your AWS VPC environment, complete the following steps:
In your Snowflake account, use the ACCOUNTADMIN system role to call the SYSTEM$GET_PRIVATELINK_CONFIG function, and then record the privatelink-vpce-id value.
In your AWS environment, create a VPC endpoint by using the privatelink-vpce-id value from the previous step.
Note
If the Snowflake region of the VPC endpoint differs from the region of your AWS VPC, you must select two settings to enable cross-region connectivity. In the AWS VPC console, select Enable Cross Region endpoint, and then under Service Settings » Service Region, select the service's primary region.
For complete instructions, see the step-by-step setup procedure for `configuring cross-region connectivity<https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/>`_ in the AWS documentation.
In your AWS environment, authorize the security group for the service that connects Snowflake egress connections to the VPCE CIDR (Classless Inter-Domain Routing) block on ports 443 and 80.
For more information, see the following topics in the AWS documentation:
Configure your VPC network¶
To access Snowflake by using an AWS PrivateLink endpoint, you must create Canonical Name (CNAME) records in your DNS to resolve the appropriate endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function to the DNS name of your VPC endpoint.
The values that you obtain from the output of SYSTEM$GET_PRIVATELINK_CONFIG depend on the Snowflake feature that you access by using private connectivity. For a description of the possible values, see :ref:`Returned values<label-get_privatelink_config_output>`.
The values for regionless-snowsight-privatelink-url and snowsight-privatelink-url allow access to Snowsight and the Snowflake Marketplace by using private connectivity. However, if you want to use URL redirection, additional configuration is required. For more information, see the Snowsight & private connectivity section.
If you need additional help with your DNS configuration, contact your internal AWS administrator.
Important
The structure of the Online Certificate Status Protocol (OCSP) cache server host name depends on the version of your installed clients, as described in Configure your Snowflake clients:
If you use the listed version or a later version, use the format shown in Configure your Snowflake clients, which enables better DNS resolution when you have multiple Snowflake accounts — for example, dev, test, and production — in the same region. When updating client drivers and using OCSP with PrivateLink, update the firewall rules to allow the OCSP host name.
If you use an earlier client version, then the OCSP cache server host name takes the form ocsp.region_id.privatelink.snowflakecomputing.com without an account identifier.
Your DNS record must resolve to private IP addresses within your VPC. If it resolves to public IP addresses, the record isn't configured correctly.
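The last requirement is the one worth automating: a CNAME that still resolves to Snowflake's public addresses means clients silently leave the private path. The following POSIX shell script is an added example, not Snowflake's own tooling. It builds the account host name and the legacy OCSP host name exactly as described on this page from an account locator and region ID (xy12345 and us-west-2 are constructed placeholders), resolves them with getent or dig, and fails if any answer lies outside the RFC 1918 private ranges or if there is no answer at all. Run it from a host that uses the VPC's resolver.

```shell
#!/bin/sh
# Added example, not Snowflake's own code: verify that PrivateLink CNAME
# targets resolve to private addresses inside the VPC.

# is_private_ipv4 ADDR
# 0 if ADDR is a well-formed dotted quad in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, non-digit, or stray dots
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# check_addrs HOST ADDR...
# Prints one verdict per address. Returns 1 if HOST has no address or any
# address is public, i.e. the CNAME does not point at the VPC endpoint.
check_addrs() {
  host=$1; shift
  if [ $# -eq 0 ]; then
    echo "$host: no A records (CNAME missing or not visible to this resolver)"
    return 1
  fi
  rc=0
  for addr in "$@"; do
    if is_private_ipv4 "$addr"; then
      echo "$host -> $addr  private, ok"
    else
      echo "$host -> $addr  PUBLIC, record is misconfigured"
      rc=1
    fi
  done
  return $rc
}

# resolve HOST: print the IPv4 addresses HOST resolves to, one per line.
resolve() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
  elif command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9.]+$'
  fi
}

# check_privatelink_dns ACCOUNT REGION
# Checks the account host and the legacy OCSP host (the form used by clients
# older than the versions listed under "Configure your Snowflake clients").
check_privatelink_dns() {
  account=$1; region=$2; rc=0
  for host in \
    "$account.$region.privatelink.snowflakecomputing.com" \
    "ocsp.$region.privatelink.snowflakecomputing.com"
  do
    check_addrs "$host" $(resolve "$host") || rc=1
  done
  return $rc
}

# Usage (placeholder account locator and region):
#   check_privatelink_dns xy12345 us-west-2
```

If your clients are at or above the listed versions, add the account-scoped OCSP host name from the client section to the list as well; the check is the same. A "no A records" result from outside the VPC is expected, since the private zone is only visible to resolvers inside it.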
Create an AWS VPC interface endpoint for Amazon S3¶
This step is required for Amazon S3 traffic from Snowflake clients to stay on the AWS backbone. Snowflake clients, such as SnowSQL and JDBC driver, require access to Amazon S3 to perform various runtime operations.
If your AWS VPC network doesn't allow access to the public internet, you can configure private connectivity to internal stages, or configure gateway endpoints for the Amazon S3 host names that the Snowflake clients require.
There are three options to configure access to Amazon S3. The first two options avoid the public internet and the third option uses the public internet:
Configure an AWS VPC interface endpoint for internal stages. This is the recommended option.
Configure an Amazon S3 gateway endpoint. For more information, see the following Attention section.
Don’t configure an interface endpoint or a gateway endpoint. This results in access that uses the public internet.
Attention
To prevent communications between an Amazon S3 bucket and an AWS VPC with Snowflake from using the public internet, you can set up an Amazon S3 gateway endpoint in the same AWS region as the Amazon S3 bucket. This prevents communications on the public internet because AWS PrivateLink only allows communications between VPCs, and the Amazon S3 bucket isn’t included in the VPC.
You can configure the Amazon S3 gateway endpoint to limit access to specific users, Amazon S3 resources, routes, and subnets; however, Snowflake doesn’t require this configuration. For more information, see Gateway endpoints for Amazon S3.
To limit Amazon S3 gateways to use only Amazon S3 resources for Snowflake, choose one of the following options:
Use the specific Amazon S3 host name addresses that are used by your Snowflake account in your AWS endpoint policies. For the complete list of host names that are used by your account, see SYSTEM$ALLOWLIST.
Use an Amazon S3 host name pattern that matches the Snowflake S3 host names in your AWS endpoint policies. With this option, there are two possible types of connections to Snowflake: VPC-to-VPC or On-Premises-to-VPC.
Based on your connection type, complete the following instructions:
- VPC-to-VPC connections:
Ensure that the Amazon S3 gateway endpoint exists. Optionally modify the Amazon S3 gateway endpoint policy to match the specific host name patterns that are shown in the following Amazon S3 Hostnames table.
- On-premises-to-VPC connections:
Define a setup to include the Amazon S3 host name patterns in the firewall or proxy configuration if Amazon S3 traffic isn’t permitted on the public gateway.
If the gateway endpoint doesn't need to match the Snowflake-managed S3 buckets for your account explicitly, you can create the gateway endpoint by using the Amazon S3 host name patterns shown in the following table.
Region | Amazon S3 host name | Note
All regions | sfc-*-stage.s3.amazonaws.com:443 | None.
All regions except US East | sfc-*-stage.s3-<region_id>.amazonaws.com:443 | The pattern uses a hyphen (-) before the region ID.
All regions except US East | sfc-*-stage.s3.<region_id>.amazonaws.com:443 | The pattern uses a period (.) before the region ID.
For information about creating gateway endpoints, see Gateway VPC endpoints.
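On the on-premises-to-VPC path, the table above ends up as a proxy or firewall allowlist, and a naive substring match on sfc- or amazonaws.com admits look-alike hosts. The following POSIX shell script is an added example, not Snowflake's own tooling: it implements the three patterns as anchored glob matches, optionally restricted to one region ID, tolerates the :443 suffix and trailing dot, and filters a constructed list of hosts the way an egress allowlist would. The host names in SAMPLE_HOSTS are made up for the example.

```shell
#!/bin/sh
# Added example, not Snowflake's own code: match outbound S3 host names against
# the internal-stage patterns from the table above.

# is_snowflake_stage_host HOST [REGION]
# 0 when HOST matches sfc-*-stage.s3.amazonaws.com or one of the regional
# forms sfc-*-stage.s3-<region>.amazonaws.com / sfc-*-stage.s3.<region>.amazonaws.com.
# Without REGION any region ID matches; with it, only that region's host names
# (plus the global form) do. A :443 suffix and a trailing dot are tolerated.
is_snowflake_stage_host() {
  shost=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
  shost=${shost%:443}
  shost=${shost%.}
  sregion=${2:-*}
  # Patterns are anchored at both ends by case, so a host that merely contains
  # one of them (e.g. ...amazonaws.com.attacker.example) does not match.
  case "$shost" in
    sfc-*-stage.s3.amazonaws.com)            return 0 ;;
    sfc-*-stage.s3-$sregion.amazonaws.com)   return 0 ;;
    sfc-*-stage.s3.$sregion.amazonaws.com)   return 0 ;;
  esac
  return 1
}

# filter_stage_hosts [REGION]
# Reads host names from stdin, one per line, and echoes only the allowed ones.
filter_stage_hosts() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if is_snowflake_stage_host "$line" "$1"; then
      printf '%s\n' "$line"
    fi
  done
}

# Constructed sample of hosts as an egress proxy might log them.
SAMPLE_HOSTS='sfc-example-stage.s3.amazonaws.com:443
sfc-example-stage.s3.eu-central-1.amazonaws.com
sfc-example-stage.s3-eu-central-1.amazonaws.com
sfc-example-stage.s3.amazonaws.com.attacker.example
my-data-lake.s3.amazonaws.com'

# Usage: printf '%s\n' "$SAMPLE_HOSTS" | filter_stage_hosts eu-central-1
```

Note what the patterns do not give you: S3 bucket names are global, so any bucket named sfc-<anything>-stage matches, not only the ones Snowflake manages for your account. Where exfiltration to a look-alike bucket is in your threat model, use the exact host names from SYSTEM$ALLOWLIST (the first option above) rather than the patterns.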
Connect to Snowflake¶
Before you connect to Snowflake, you can optionally use the Snowflake Connectivity Diagnostic tool (SnowCD) to evaluate the network connection with Snowflake and AWS PrivateLink.
For more information, see SnowCD and SYSTEM$ALLOWLIST_PRIVATELINK.
Otherwise, connect to Snowflake by using the private connectivity account URL.
If you want to connect to Snowsight through AWS PrivateLink, follow the instructions in the Snowsight documentation.
Block public access — Recommended¶
After you test private connectivity to Snowflake by using AWS PrivateLink, you can optionally block public access to Snowflake. This means that users can access Snowflake only if their connection request originates from an IP address within a particular CIDR block range specified in a Snowflake network policy.
To block public access by using a network policy:
Create a new network policy or edit an existing network policy.
Add the CIDR block ranges that your organization uses.
Enable the network policy on your user account.
For more information, see Controlling network traffic with network policies.
Configure your Snowflake clients¶
The following sections describe how to configure Snowflake clients for specific use cases.
Verify that your Snowflake clients support the OCSP cache server¶
The Snowflake OCSP cache server mitigates connectivity issues between Snowflake clients and the server. To enable your installed Snowflake clients to use the OCSP server cache, ensure that you use the following client versions:
SnowSQL 1.1.57 or later
Python Connector 1.8.2 or later
JDBC Driver 3.8.3 or later
ODBC Driver 2.19.3 or later
Note
The Snowflake OCSP cache server listens on port 80, which is why you were instructed in Create and configure your AWS VPC endpoint to configure your AWS PrivateLink VPCE security group to accept both port 80 and port 443; port 443 is required for all other Snowflake traffic.
Specify a host name for Snowflake clients¶
Each Snowflake client requires a host name to connect to your Snowflake account.
The host name is the same as the host name that you specified in the CNAME records in Configure your VPC network.
This step isn’t applicable to access the Snowflake Marketplace.
For example, for an account named xy12345:
If the account is in US West, the host name is xy12345.us-west-2.privatelink.snowflakecomputing.com.
If the account is in EU (Frankfurt), the host name is xy12345.eu-central-1.privatelink.snowflakecomputing.com.
Important
The method for specifying the host name differs depending on the client:
For the Spark connector and the ODBC and JDBC drivers, specify the entire host name.
For all the other clients, don't specify the entire host name. Instead, specify the account identifier with the privatelink segment, which is <account_identifier>.privatelink. Snowflake concatenates this name with snowflakecomputing.com to dynamically construct the host name.
For more information about specifying the account name or host name for a Snowflake client, see the documentation for each client.
Use SSO with AWS PrivateLink¶
Snowflake supports using SSO with AWS PrivateLink. For more information, see the following:
Use client redirect with AWS PrivateLink¶
Snowflake supports using client redirect with AWS PrivateLink.
For more information, see the Redirecting client connections section.
Use replication and Tri-Secret Secure with private connectivity¶
Snowflake supports replicating data from a source account to a target account regardless of whether Tri-Secret Secure or AWS PrivateLink is enabled on the target account.
Troubleshooting¶
To troubleshoot issues that you might encounter with PrivateLink, see the following Snowflake Community article: