CREATE NETWORK RULE

Creates a network rule or replaces an existing network rule.

See also:

ALTER NETWORK RULE , DROP NETWORK RULE , SHOW NETWORK RULES , DESCRIBE NETWORK RULE

Syntax

CREATE [ OR REPLACE ] NETWORK RULE <name>
   TYPE = { IPV4 | AWSVPCEID | AZURELINKID | HOST_PORT }
   VALUE_LIST = ( '<value>' [, '<value>', ... ] )
   MODE = { INGRESS | INTERNAL_STAGE | EGRESS }
   [ COMMENT = '<string_literal>' ]
Copy

Required Parameters

name

Identifier for the network rule.

The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are case-sensitive.

For more details, see Identifier requirements.

TYPE = { IPV4 | AWSVPCEID | AZURELINKID | HOST_PORT }

Specifies the type of network identifiers being allowed or blocked. A network rule can have only one type.

  • IPV4 indicates that the network rule will allow or block network traffic based on the IPv4 address of the request origin.

  • AWSVPCEID indicates that the network rule will allow or block network traffic over AWS PrivateLink.

  • AZURELINKID indicates that the network rule will allow or block network traffic over Azure Private Link.

  • HOST_PORT indicates that the network rule will allow outgoing network traffic based on the domain of the request destination.

    When TYPE = HOST_PORT, the MODE parameter should be set to EGRESS.

VALUE_LIST = ( 'value' [, 'value', ... ] )

Specifies the network identifiers that will be allowed or blocked.

Valid values in the list are determined by the type of network rule:

  • When TYPE = IPV4, each value must be a valid IPv4 address or range of addresses.

  • When TYPE = AWSVPCEID, each value must be a valid VPCE ID of an AWS S3 endpoint. VPC IDs are not supported.

  • When TYPE = AZURELINKID, each value must be a valid LinkID of an Azure private endpoint. Execute the SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS function to retrieve the LinkID associated with an account.

  • When TYPE = HOST_PORT, each value must be a valid domain. Optionally, it can also include a port or range of ports. For example, VALUE_LIST = ('example.com', 'company.com:8080-8090').

MODE = { INGRESS | INTERNAL_STAGE | EGRESS }

Specifies what is restricted by the network rule.

INGRESS

The behavior of the INGRESS mode depends on the value of the network rule’s TYPE property.

  • If TYPE=IPV4, by default the network rule controls access to the Snowflake service only.

    If the account administrator enables the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter, then MODE=INGRESS and TYPE=IPV4 also protects an AWS internal stage.

  • If TYPE=AWSVPCEID, then the network rule controls access to the Snowflake service only.

INTERNAL_STAGE

Allows or block requests to an AWS internal stage without restricting access to the Snowflake service. Using this mode requires the following:

EGRESS

Allows Snowflake to send requests to an external destination.

Default: INGRESS

Optional Parameters

COMMENT = 'string_literal'

Specifies a comment for the network rule.

Default: No value

Access Control Requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

CREATE NETWORK RULE

Schema

Only the ACCOUNTADMIN and SECURITYADMIN roles, along with the schema owner, have this privilege by default. It can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage Notes

  • When specifying IP addresses for a network rule, Snowflake supports ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation.

    For example, 192.168.1.0/24 represents all IPv4 addresses in the range of 192.168.1.0 to 192.168.1.255.

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.

Examples

Create a network rule that is used to allow or block traffic from an AWS S3 endpoint to the internal stage:

CREATE NETWORK RULE corporate_network
  TYPE = AWSVPCEID
  VALUE_LIST = ('vpce-123abc3420c1931')
  MODE = INTERNAL_STAGE
  COMMENT = 'corporate privatelink endpoint';
Copy

Create a network rule that is used to allow or block traffic from a range of IP addresses to the Snowflake service and internal stage:

CREATE NETWORK RULE cloud_network
  TYPE = IPV4
  VALUE_LIST = ('47.88.25.32/27')
  COMMENT ='cloud egress ip range';
Copy

Create a network rule that is used to allow a domain and domain/port combination when Snowflake is sending requests to external destinations:

CREATE NETWORK RULE external_access_rule
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('example.com', 'company.com:443');
Copy