Network rules are schema-level objects that group network identifiers into logical units.
Snowflake features that restrict network traffic can reference network rules rather than defining network identifiers directly in the feature. For example, a network policy can reference a network rule that includes IP addresses to control access to the Snowflake service and internal stages based on those addresses. You can also use a network rule when accessing an external network location from a UDF or procedure.
A network rule does not define whether its identifiers should be allowed or blocked. The Snowflake feature that uses the network rule specifies whether the identifiers in the rule are permitted or prohibited.
Supported Network Identifiers
Administrators need to be able to restrict access based on the network identifier associated with the origin or destination of a request. Network rules allow administrators to allow or block network identifiers for incoming requests and for outgoing requests. Identifier types referenced on this page include:
- IPv4 addresses, including address ranges in CIDR notation (TYPE = IPV4)
- AWS VPC endpoint IDs of interface endpoints (TYPE = AWSVPCEID)
- Domains, including an optional port range
Each network rule contains a list of one or more network identifiers of the same type. The network rule's TYPE property indicates the type of identifiers that are included in the rule. For example, if the TYPE property is IPV4, then the network rule's value list must contain valid IPv4 addresses or address ranges in CIDR notation.
Incoming vs. Outgoing Requests
The mode of a network rule indicates whether the Snowflake feature that uses the rule restricts incoming or outgoing requests.
Network policies protect the Snowflake service and internal stages from incoming traffic. When a network rule is used with a network policy, the administrator can set the mode to one of the following:
INGRESS
The behavior of the INGRESS mode depends on the value of the network rule's TYPE property:
- If TYPE=IPV4, by default the network rule controls access to the Snowflake service only. If the account administrator enables the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter, then TYPE=IPV4 also protects an AWS internal stage.
- If TYPE=AWSVPCEID, then the network rule controls access to the Snowflake service only. If you want to restrict access to the AWS internal stage based on the VPCE ID of an interface endpoint, you must create a separate network rule using the internal stage mode described next.
Internal stage mode
Controls access to an AWS internal stage without restricting access to the Snowflake service. Using this mode requires the following:
- The account administrator must enable the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter.
- The TYPE property of the network rule must be set to the identifier type this mode requires.
For accounts on Microsoft Azure, you cannot use a network rule to restrict access to the internal stage. However, you can block all public network traffic from accessing the internal stage.
Administrators can use network rules with features that control where requests can be sent. In these cases, the administrator defines the network rule with the outgoing mode, which indicates that the network rule is used for traffic sent from Snowflake. This mode is currently used with external network access, which allows a UDF or procedure to send requests to an external network location.
Creating a Network Rule
An administrator executes the CREATE NETWORK RULE command to create a new network rule, specifying a list of network identifiers along with the type of those identifiers.
The administrator uses the MODE parameter to indicate whether the network rule is used to restrict incoming or outgoing requests. If the administrator does not include the MODE parameter, it defaults to INGRESS, which means the network rule is used by network policies to restrict incoming network traffic to the Snowflake service.
Creating a network rule does not define whether it is allowing or blocking the network identifiers. Administrators specify those restrictions when configuring the Snowflake feature that uses the network rule.
Example: Network rule for network policy
Code in the following example uses a custom role to create a network rule that can be used to allow or block traffic from a range of IP addresses to the Snowflake service:
CREATE ROLE network_admin;
GRANT USAGE ON DATABASE securitydb TO ROLE network_admin;
GRANT USAGE ON SCHEMA securitydb.myrules TO ROLE network_admin;
GRANT CREATE NETWORK RULE ON SCHEMA securitydb.myrules TO ROLE network_admin;
USE ROLE network_admin;
CREATE NETWORK RULE cloud_network
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('220.127.116.11/27');
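The rule above groups identifiers but, as the page says, never decides whether they are allowed or blocked; that decision lives in the feature that references the rule. The following script is an added example, not part of the Snowflake documentation, that continues from cloud_network and shows both directions: an ingress rule pair consumed by a network policy, and an outgoing rule consumed by an external access integration. The object names corp_blocked, corp_policy, api_egress and api_access, the 203.0.113.0/28 range and the api.example.com destination are constructed sample values; MODE = EGRESS, TYPE = HOST_PORT, the ALLOWED_NETWORK_RULE_LIST / BLOCKED_NETWORK_RULE_LIST policy properties and CREATE EXTERNAL ACCESS INTEGRATION are Snowflake syntax assumed from outside this page.

```sql
-- Added example (not from the original page). Continues the cloud_network rule
-- created above. Constructed names: corp_blocked, corp_policy, api_egress, api_access.
USE ROLE network_admin;

-- A second INGRESS rule. By itself it neither allows nor blocks anything;
-- the policy below decides that. 203.0.113.0/28 is a constructed sample range.
CREATE NETWORK RULE securitydb.myrules.corp_blocked
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.0/28')
  COMMENT = 'constructed sample: addresses to deny inside the allowed range';

-- The network policy is where allow/block is decided. Blocked entries take
-- precedence over allowed ones, so the narrower deny rule carves an exception
-- out of the broader allow rule. Policies need SECURITYADMIN-level privileges.
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY corp_policy
  ALLOWED_NETWORK_RULE_LIST = ('securitydb.myrules.cloud_network')
  BLOCKED_NETWORK_RULE_LIST = ('securitydb.myrules.corp_blocked')
  COMMENT = 'constructed sample policy';

-- Lock-out check before activating account-wide: the address you are
-- connecting from must fall inside an allowed rule and outside a blocked one.
SELECT CURRENT_IP_ADDRESS();

ALTER ACCOUNT SET NETWORK_POLICY = corp_policy;

-- Outgoing direction: the rule groups destination host:port pairs (EGRESS mode,
-- assumed name), and the external access integration is what permits a UDF or
-- procedure to reach them. api.example.com:443 is a constructed destination.
USE ROLE network_admin;
CREATE NETWORK RULE securitydb.myrules.api_egress
  MODE = EGRESS
  TYPE = HOST_PORT
  VALUE_LIST = ('api.example.com:443');

USE ROLE ACCOUNTADMIN;
CREATE EXTERNAL ACCESS INTEGRATION api_access
  ALLOWED_NETWORK_RULES = (securitydb.myrules.api_egress)
  ENABLED = TRUE;
```

Keeping the allow and deny identifiers in separate rules, and the decision in the policy, is what lets the same rule be reused across policies with different intent; the CURRENT_IP_ADDRESS() check is there because an account-level policy applies to the session that activates it.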
Modifying a Network Rule
The owner of a network rule can execute the ALTER NETWORK RULE command to replace the rule's network identifiers and comment. You cannot add or remove individual network identifiers in a network rule; setting new values replaces the existing identifiers, so any identifier you omit is lost.
The MODE of the network rule cannot be modified.
For example, the owner of a network rule can modify it so it can be used to allow or block traffic from a new range of IPv4 addresses:
ALTER NETWORK RULE cloud_network SET VALUE_LIST = ('18.104.22.168/27');
The owner of the network rule could also remove all network identifiers from the rule:
ALTER NETWORK RULE cloud_network UNSET VALUE_LIST;
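Because SET VALUE_LIST replaces rather than appends, adding one range to a live rule is an easy place to drop the ranges that were already there. The following is an added example, not from the original page, of a read-then-replace sequence that avoids that; the rule name cloud_network, the role network_admin and all address ranges are constructed sample values, and the date in the comment is a placeholder.

```sql
-- Added example (not from the original page): extending an existing rule's
-- identifiers without losing the ones it already has. All values constructed.
USE ROLE network_admin;
USE SCHEMA securitydb.myrules;

-- 1. Read the current identifiers first. SET VALUE_LIST overwrites the whole
--    list, so anything not repeated in step 3 silently disappears.
DESCRIBE NETWORK RULE cloud_network;

-- 2. WRONG: this does not append. After it runs, 220.127.116.11/27 is gone.
-- ALTER NETWORK RULE cloud_network SET VALUE_LIST = ('203.0.113.0/28');

-- 3. RIGHT: re-issue the full list, existing range plus the new one, and
--    record the change in the comment while you are at it.
ALTER NETWORK RULE cloud_network SET
  VALUE_LIST = ('220.127.116.11/27', '203.0.113.0/28')
  COMMENT = 'added 203.0.113.0/28 (constructed sample) on <date placeholder>';

-- 4. Verify the result. Any network policy that references cloud_network
--    evaluates the rule's current list, so no policy change is required.
DESCRIBE NETWORK RULE cloud_network;
SHOW NETWORK RULES IN SCHEMA securitydb.myrules;
```

Running the DESCRIBE before and after the ALTER in the same change ticket gives a reviewable before/after of exactly which addresses the policy now admits.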
Replication of Network Rules
Network rules are schema-level objects and are replicated with the database in which they are contained.
For information about replicating the network policies that use network rules, see Replicating network policies.
Privileges and Commands

| Privilege | Usage |
|---|---|
| CREATE NETWORK RULE on SCHEMA | Creates a new network rule. |
| OWNERSHIP on NETWORK RULE | Modifies an existing network rule. |
| OWNERSHIP on NETWORK RULE | Removes an existing network rule from the system. |
| OWNERSHIP on NETWORK RULE | Describes the properties of an existing network rule. |
| OWNERSHIP on NETWORK RULE or USAGE on SCHEMA | Lists all of the network rules in the system. |