Categories: User & Security DDL (Network Policies)

CREATE NETWORK POLICY

Creates a network policy, which restricts access to your Snowflake account based on the client's IPv4 address: an allowed list, optionally narrowed by a blocked list.

Note

Only security administrators (i.e. users with the SECURITYADMIN role) or higher can create network policies.

See also:

ALTER NETWORK POLICY, DESCRIBE NETWORK POLICY, DROP NETWORK POLICY, SHOW NETWORK POLICIES, ALTER ACCOUNT

Syntax

CREATE [ OR REPLACE ] NETWORK POLICY <name>
   ALLOWED_IP_LIST = ( '<ip_address>' [ , '<ip_address>' , ... ] )
   [ BLOCKED_IP_LIST = ( '<ip_address>' [ , '<ip_address>' , ... ] ) ]
   [ COMMENT = '<string_literal>' ]

Required Parameters

name

Identifier for the network policy; must be unique for your account.

The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier Requirements.

ALLOWED_IP_LIST = ('ip_address' [ , 'ip_address' , ... ] )

Specifies one or more IPv4 addresses that are allowed access to your Snowflake account. This is referred to as the allowed list. Snowflake automatically blocks all IP addresses not included in the allowed list.

Optional Parameters

BLOCKED_IP_LIST = ('ip_address' [ , 'ip_address' , ... ] )

Specifies one or more IPv4 addresses that are denied access to your Snowflake account. This is referred to as the blocked list.

Set this parameter only when you are allowing access to a range of IP addresses (specified in ALLOWED_IP_LIST), but want to deny access to one or more IP addresses within the range.

Default: No value (i.e. no IP addresses in ALLOWED_IP_LIST are blocked)

COMMENT = 'string_literal'

Specifies a comment for the network policy.

Default: No value

Usage Notes

  • Each ip_address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation:

    ip_address[/optional_prefix_length]

    For example:

    192.168.1.0/24

  • When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first. An address that matches an entry in both lists is therefore denied.

  • Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.

  • After creating a network policy, you must associate it with your account before Snowflake enforces the policy. You can associate a policy with your account through the ALTER ACCOUNT command, which must be run by a user with the SECURITYADMIN role (or higher).

    For example:

    USE ROLE SECURITYADMIN;
    
    ALTER ACCOUNT SET NETWORK_POLICY = <policy_name>;
    

    For more details, see Parameter Management. Note that NETWORK_POLICY is currently the only account parameter that can be set by users with the SECURITYADMIN role.

  • Before associating a network policy with your account, your current IP address must be included in ALLOWED_IP_LIST; otherwise, the ALTER ACCOUNT command returns an error. In addition, your current IP address cannot be included in BLOCKED_IP_LIST.
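The following script is an added example and not Snowflake's own code or part of this reference page. It models the evaluation rules stated in the usage notes above (blocked list first, then the allowed list, everything else implicitly denied) so that a policy can be linted and checked against your current IP address before you attach it with ALTER ACCOUNT and risk locking yourself out. The class name, the lint rules and the ddl() helper are this example's own conventions; the sample addresses are constructed.

```python
"""Offline model of Snowflake network policy evaluation (added example).

Reproduces the documented order: BLOCKED_IP_LIST is checked first, then
ALLOWED_IP_LIST, and any address matching neither is denied. Use it to
preflight a policy before running ALTER ACCOUNT SET NETWORK_POLICY.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple


def _parse(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse 'a.b.c.d' or 'a.b.c.d/len' entries; a bare address becomes a /32."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 entries are supported: {entry}")
        nets.append(net)
    return nets


class NetworkPolicy:
    """Hypothetical helper: holds the two lists and evaluates an address."""

    def __init__(self, name: str, allowed_ip_list: Sequence[str],
                 blocked_ip_list: Sequence[str] = ()):
        if not allowed_ip_list:
            raise ValueError("ALLOWED_IP_LIST is required")
        self.name = name
        self._allowed_raw = list(allowed_ip_list)
        self._blocked_raw = list(blocked_ip_list)
        self.allowed = _parse(self._allowed_raw)
        self.blocked = _parse(self._blocked_raw)

    def is_allowed(self, ip: str) -> bool:
        """Documented precedence: blocked list wins, then allowed, else deny."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked):
            return False
        return any(addr in net for net in self.allowed)

    def lint(self) -> List[str]:
        """Problems that make the policy unsafe or pointless (example rules)."""
        problems = []
        for net in self.blocked:
            if net.prefixlen == 0:
                # The documented footgun: 0.0.0.0/0 in the blocked list blocks everyone.
                problems.append("BLOCKED_IP_LIST contains 0.0.0.0/0: blocks all access")
                continue
            if not any(net.subnet_of(a) for a in self.allowed):
                # Not an error in Snowflake, but the entry can never take effect,
                # because addresses outside the allowed list are already denied.
                problems.append(f"blocked entry {net} is outside every allowed range")
        return problems

    def preflight(self, current_ip: str) -> Tuple[bool, str]:
        """Mirror the ALTER ACCOUNT precondition: the session IP must be allowed
        and must not be blocked, otherwise the association fails or locks you out."""
        addr = ipaddress.ip_address(current_ip)
        if any(addr in net for net in self.blocked):
            return False, f"{current_ip} is in BLOCKED_IP_LIST; do not attach this policy"
        if not any(addr in net for net in self.allowed):
            return False, f"{current_ip} is not in ALLOWED_IP_LIST; ALTER ACCOUNT would fail"
        return True, "ok"

    def ddl(self) -> str:
        """Render the CREATE NETWORK POLICY statement (unquoted identifier assumed)."""
        allowed = ",".join(f"'{e}'" for e in self._allowed_raw)
        stmt = f"CREATE NETWORK POLICY {self.name} ALLOWED_IP_LIST=({allowed})"
        if self._blocked_raw:
            blocked = ",".join(f"'{e}'" for e in self._blocked_raw)
            stmt += f" BLOCKED_IP_LIST=({blocked})"
        return stmt + ";"


if __name__ == "__main__":
    # Constructed sample mirroring the page's mypolicy1, checked from 192.168.1.5.
    policy = NetworkPolicy("mypolicy1", ["192.168.1.0/24"], ["192.168.1.99"])
    print(policy.ddl())
    for ip in ("192.168.1.10", "192.168.1.99", "10.0.0.1"):
        print(ip, "allowed" if policy.is_allowed(ip) else "denied")
    print("lint:", policy.lint() or "clean")
    print("preflight:", policy.preflight("192.168.1.5"))
```

Run preflight() with the value returned by SELECT CURRENT_IP_ADDRESS() in your session, and only run ALTER ACCOUNT SET NETWORK_POLICY when it reports ok; the lint() rules are this example's own checks, not errors Snowflake itself raises.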

Examples

Create a network policy named mypolicy1 with the following properties:

  • Allow all IP addresses in the range of 192.168.1.0 to 192.168.1.255 (via CIDR notation 192.168.1.0/24), except 192.168.1.99, which is explicitly blocked.

  • Deny all other IP addresses.

CREATE NETWORK POLICY mypolicy1 ALLOWED_IP_LIST=('192.168.1.0/24')
                                BLOCKED_IP_LIST=('192.168.1.99');

DESC NETWORK POLICY mypolicy1;

+-----------------+----------------+
| name            | value          |
|-----------------+----------------|
| ALLOWED_IP_LIST | 192.168.1.0/24 |
| BLOCKED_IP_LIST | 192.168.1.99   |
+-----------------+----------------+

Create a network policy named mypolicy2 that allows only the IP addresses 192.168.1.0 and 192.168.1.100 to access your account:

CREATE NETWORK POLICY mypolicy2 ALLOWED_IP_LIST=('192.168.1.0','192.168.1.100');

DESC NETWORK POLICY mypolicy2;

+-----------------+---------------------------+
| name            | value                     |
|-----------------+---------------------------|
| ALLOWED_IP_LIST | 192.168.1.0,192.168.1.100 |
+-----------------+---------------------------+