Network Policies

Network policies provide options for managing network configurations to the Snowflake service.

Currently, network policies allow restricting access to your account based on user IP address. Effectively, a network policy enables you to create an IP whitelist, as well as an IP blacklist, if desired.

All network policy management can be performed through either the web interface or SQL.

Note

Only account administrators and security administrators (i.e. users with the ACCOUNTADMIN or SECURITYADMIN role) can create, alter, or drop network policies.


Overview

By default, Snowflake allows users to connect to the service from any computer or device IP address. A security administrator (or higher) can create a network policy to allow or deny access to a single IP address or a list of addresses. Network policies currently support only IPv4 (Internet Protocol version 4) addresses.

Network Policy Properties

A network policy consists of the following properties:

Allowed IPs:

(Required)

A list of IPv4 addresses (with optional subnets) that are allowed access to the Snowflake account.

Blocked IPs:

(Optional)

A list of IPv4 addresses (with optional subnets) that are denied access to the Snowflake account. Note that this list is not required because any addresses that are not included in the allowed IP list are automatically blocked. The blocked IP list is used primarily to deny specific addresses within a range of addresses in the allowed IP list.

Both address lists are expressed as a comma-separated string in the form of:

ip_address[/subnet] , ip_address[/subnet] , ...

For more details about the properties that can be specified for a network policy, see CREATE NETWORK POLICY.

CIDR Notation

Snowflake supports specifying ranges of IP addresses using CIDR (Classless Inter-Domain Routing) notation. In CIDR notation, the optional subnet is expressed as a decimal number that represents the prefix length:

ip_address[/prefix_length]

For example, 192.168.1.0/24 represents all IP addresses in the range of 192.168.1.0 to 192.168.1.255.

Examples of Allowed / Blocked Address Lists

The following example uses CIDR notation to allow all IP addresses in the range of 192.168.1.0 to 192.168.1.255, except 192.168.1.99, which is explicitly blocked. In addition, all other IP addresses are blocked:

- Allowed IP Addresses: 192.168.1.0/24
- Blocked IP Addresses: 192.168.1.99

The following example allows only the 192.168.1.0 and 192.168.1.100 IP addresses to access your account:

- Allowed IP Addresses: 192.168.1.0,192.168.1.100
- Blocked IP Addresses: N/A

Network Policy Activation

To activate a network policy for your account, you associate the network policy with your account using the ALTER ACCOUNT command and the NETWORK_POLICY account parameter.

Creating a Network Policy

You can create a network policy using either the web interface or SQL:

Web Interface: Click on Account tab » Policies
SQL: Execute a CREATE NETWORK POLICY statement.

In the web interface:

  1. Click on Account tab » Policies. The Policies page appears:

    Snowflake Policies page
  2. Click the Create button. The Create Network Policy dialog appears:

    Snowflake Create Network Policy dialog
  3. In the Name field, enter a name for the network policy.

  4. In the Allowed IP Addresses field, enter one or more IPv4 addresses that are allowed access to this Snowflake account, separated by commas.

    Note

    To block all IP addresses except for a set of specific addresses, you only need to define an allowed IP address list. Snowflake automatically blocks all IP addresses not included in the allowed list.

  5. In the Blocked IP Addresses field, optionally enter one or more IPv4 addresses that are denied access to this Snowflake account, separated by commas. Note that this field is not required and is used primarily to deny specific addresses in a range of addresses in the allowed list.

    Caution

    • When a network policy includes values in both the allowed and blocked IP address lists, Snowflake applies the blocked IP address list first.
    • Do not add 0.0.0.0/0 to the blocked IP address list. 0.0.0.0/0 is interpreted to be “all IPv4 addresses on the local machine”. Because Snowflake resolves this list first, this would block your own access. Also, note that it is not necessary to include this IP address in the allowed IP address list.
  6. Enter other information for the network policy, as needed, and click Finish. Snowflake displays a success message.

After creating a network policy, you must activate it before Snowflake enforces the policy. For details, see Activating a Network Policy for Your Account (in this topic).

Note

To activate a network policy, your current IP address must be included in the Allowed IP Addresses list; otherwise, when you click the Activate button, an error is returned. In addition, your current IP address cannot be included in the Blocked IP Addresses list.

Activating a Network Policy for Your Account

After creating a network policy, you must activate it by associating it with your account before Snowflake enforces the policy.

Once the policy is associated with your account, Snowflake restricts access to your account based on the allowed IP address list and blocked IP address list. Any user who attempts to log in from an IP address restricted by the rules is denied access. In addition, when a network policy is associated with your account, any restricted users who are already logged into Snowflake are prevented from executing further queries.

A security administrator (or higher) can create multiple network policies; however, only one network policy can be associated with an account at any one time. Associating a network policy with your account automatically removes the currently-associated network policy (if any).

You can associate a network policy with your account using either the web interface or SQL:

Web Interface: Click on Account tab » Policies
SQL: Execute an ALTER ACCOUNT statement that sets the network policy using the NETWORK_POLICY account parameter.

In the web interface:

  1. Click on a policy to select it and populate the side panel on the right:

    Snowflake Policies page
  2. Click the Activate button in the right panel. Snowflake displays a success message.
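As an added example (not Snowflake's code and not part of the original page), the following Python script models the rules this topic describes for the allowed and blocked address lists, the CIDR examples, the caution about 0.0.0.0/0, and the activation note that your own IP address must be admitted: the blocked list is applied first, anything not in the allowed list is denied, and only IPv4 is accepted. It lets an administrator dry-run a policy and only then emit the CREATE NETWORK POLICY and ALTER ACCOUNT ... SET NETWORK_POLICY statements named on this page. The class and function names, the use of Python's ipaddress module, the rejection of entries with host bits set, and the sample administrator address are assumptions of the example; it does not connect to Snowflake.

```python
"""Dry-run model of a Snowflake network policy (added example, not Snowflake code).

Re-implements the evaluation rules stated on this page (blocked list applied
first; any address not in the allowed list is denied; IPv4 only) with the
ipaddress module, and builds the SQL statements the page names. Names and
sample addresses are the example's own assumptions.
"""
import ipaddress
import re
from typing import List

IPv4Net = ipaddress.IPv4Network


def parse_ip_list(raw: str) -> List[IPv4Net]:
    """Parse 'ip[/prefix], ip[/prefix], ...' into IPv4 networks.

    A bare address becomes a /32. IPv6 entries are rejected because the page
    states only IPv4 is supported. Entries with host bits set (192.168.1.5/24)
    are rejected as well; that is a conservative choice of this example, since
    such an entry is ambiguous about which range was meant.
    """
    nets: List[IPv4Net] = []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        net = ipaddress.ip_network(entry)  # strict: host bits must be zero
        if net.version != 4:
            raise ValueError(f"network policies support IPv4 only: {entry}")
        nets.append(net)
    return nets


def _entry(net: IPv4Net) -> str:
    # Write single hosts without /32, matching the page's own examples.
    return str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen


def _sql_list(nets: List[IPv4Net]) -> str:
    return "(" + ", ".join(f"'{_entry(n)}'" for n in nets) + ")"


class NetworkPolicy:
    def __init__(self, name: str, allowed: str, blocked: str = "") -> None:
        # The name is interpolated into DDL, so accept only a plain unquoted identifier.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", name):
            raise ValueError(f"refusing to interpolate policy name {name!r}")
        self.name = name
        self.allowed = parse_ip_list(allowed)
        self.blocked = parse_ip_list(blocked)
        if not self.allowed:
            raise ValueError("Allowed IPs is required")

    def admits(self, ip: str) -> bool:
        """Blocked list first, then allowed list; everything else is denied."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return False
        if any(addr in net for net in self.blocked):
            return False
        return any(addr in net for net in self.allowed)

    def lockout_risks(self, current_ip: str) -> List[str]:
        """Findings that would make activation fail or lock the administrator out."""
        findings = []
        if any(net.prefixlen == 0 for net in self.blocked):
            findings.append("blocked list contains 0.0.0.0/0, which blocks every address including yours")
        if not self.admits(current_ip):
            findings.append(f"current IP {current_ip} is not admitted; Snowflake rejects activation")
        return findings

    def create_sql(self) -> str:
        sql = f"CREATE NETWORK POLICY {self.name} ALLOWED_IP_LIST = {_sql_list(self.allowed)}"
        if self.blocked:
            sql += f" BLOCKED_IP_LIST = {_sql_list(self.blocked)}"
        return sql + ";"

    def activate_sql(self, current_ip: str) -> str:
        """Emit the activation statement only when the dry-run finds no lockout risk."""
        risks = self.lockout_risks(current_ip)
        if risks:
            raise RuntimeError("; ".join(risks))
        return f"ALTER ACCOUNT SET NETWORK_POLICY = {self.name};"


if __name__ == "__main__":
    admin_ip = "192.168.1.10"  # constructed: the administrator's own address
    policy = NetworkPolicy("corp_only", "192.168.1.0/24", "192.168.1.99")
    for ip in ("192.168.1.10", "192.168.1.99", "10.0.0.1"):
        print(ip, "admitted" if policy.admits(ip) else "denied")
    print(policy.create_sql())
    print(policy.activate_sql(admin_ip))
    # The caution from this page: 0.0.0.0/0 in the blocked list locks everyone out.
    broken = NetworkPolicy("broken", "192.168.1.0/24", "0.0.0.0/0")
    print(broken.lockout_risks(admin_ip))
```

Run the script from the address you will administer from and compare its verdicts with what you expect before executing the generated statements in Snowflake; the activation statement is withheld whenever the dry-run would deny your own address.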

Modifying a Network Policy

Network policies can be modified through the web interface or using SQL, specifically to add or remove IP addresses from the list of allowed and blocked addresses:

Web Interface: Click on Account tab » Policies
SQL: Execute an ALTER NETWORK POLICY statement.

In the web interface:

  1. Click on a policy to select it and populate the side panel on the right:

    Snowflake Policies page
  2. Click the Edit button in the right panel:

    Snowflake network policy edit panel
  3. Modify the fields as necessary:

    • To remove an IP address from the Allowed IP Addresses or Blocked IP Addresses list, click the x next to the entry.
    • To add an IP address to either list, enter one or more comma-separated IPv4 addresses in the appropriate field, and click the Add button.
  4. Click Save. Snowflake displays a success message.

Viewing Network Policies

You can view information about the network policies for your account through the web interface or using SQL:

Web Interface:

Click on Account tab » Policies » <policy_name>

SQL:

Execute one of the following statements: