Managing Network Policies

Network policies provide options for controlling network access to the Snowflake service.

Currently, network policies allow restricting access to your account based on the IP address from which a user connects. Effectively, a network policy is an IP whitelist (allowed list), which can optionally be narrowed further by an IP blacklist (blocked list).

All network policy management can be performed through either the web interface or SQL.


Note

Only security administrators (i.e. users with the SECURITYADMIN role) or higher can create, alter, or drop network policies.

Overview

By default, Snowflake allows users to connect to the service from any computer or device IP address. A security administrator can create a network policy to allow or deny access to a single IP address or a list of addresses. Network policies currently support only IPv4 (Internet Protocol version 4) addresses.

A network policy consists of the following properties:

Allowed IP list
A set of IPv4 addresses, each with an optional CIDR prefix length, that are allowed access to the Snowflake account. The property value is stored as a comma-separated list in the format <ip_address>/<prefix_length>, <ip_address>/<prefix_length>, .... An address with no prefix length matches only that single host.
Blocked IP list
A set of IPv4 addresses, each with an optional CIDR prefix length, that are denied access to the Snowflake account. The property value is stored as a comma-separated list in the same <ip_address>/<prefix_length>, ... format.

For the complete list of properties, see CREATE NETWORK POLICY.

To activate a network policy for your account, associate the network policy with your account using the NETWORK_POLICY account parameter.

Creating Network Policies

You can create a network policy through the web interface or using SQL.

Using the Web Interface

  1. Click Account > Policies.

    (Screenshot: Snowflake Policies page)
  2. Click the Create button.

    (Screenshot: Snowflake Create Network Policy dialog)
  3. In the Name field, enter a name for the network policy.

  4. In the Allowed IP Addresses list, enter one or more comma-separated IPv4 addresses that are allowed access to the Snowflake account.

    Note

    In the Allowed IP Addresses and Blocked IP Addresses lists, each IP address can cover a range of addresses using Classless Inter-Domain Routing (CIDR) notation (i.e. <ip_address>/<optional_prefix_length>).

  5. In the Blocked IP Addresses list, optionally enter one or more comma-separated IPv4 addresses that are denied access to the Snowflake account.

    Note

    • When a network policy includes values in both the Allowed IP Addresses and Blocked IP Addresses lists, Snowflake applies the blocked IP address list first. An address that appears in both lists is therefore denied.
    • Do not add 0.0.0.0/0 to the Blocked IP Addresses list. Because Snowflake applies this list first, 0.0.0.0/0 would deny every address, including your own. In order to block all IP addresses except a select list, you only need to define the allowed IP address list; Snowflake automatically blocks all IP addresses not included in the allowed list.
  6. Enter other information for the network policy, as needed, and click Finish. Snowflake displays a success message.

After creating a network policy, you must activate it before Snowflake enforces the policy. For information, see Associating a Network Policy with Your Account.

Note

Before you activate a network policy, your current IP address must be included in the Allowed IP Addresses list; otherwise, the Activate action returns an error. In addition, your current IP address cannot be included in the Blocked IP Addresses list.

Examples

Create a network policy with the following properties:

  • Allow all IP addresses in the range of 192.168.1.0 to 192.168.1.255 (via CIDR notation 192.168.1.0/24), except 192.168.1.99, which is explicitly blocked.
  • Deny all other IP addresses.

- Allowed IP Addresses: 192.168.1.0/24
- Blocked IP Addresses: 192.168.1.99

Create a network policy that allows only the IP addresses 192.168.1.0 and 192.168.1.100 to access your account:

- Allowed IP Addresses: 192.168.1.0,192.168.1.100
- Blocked IP Addresses: N/A

Using SQL

Use the CREATE NETWORK POLICY command to create a network policy.
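The two web-interface examples above expressed in SQL, as an added example rather than text from the original page. The policy names corp_office_range and two_hosts_only, the COMMENT strings and the USE ROLE statement are assumptions; the addresses are the ones used in the examples above (RFC 1918 private ranges, not real hosts).

```sql
-- Assumption: SECURITYADMIN (or higher) is required to create network policies.
USE ROLE SECURITYADMIN;

-- Example 1: allow the whole 192.168.1.0/24 range, but deny one host inside it.
-- Snowflake evaluates BLOCKED_IP_LIST before ALLOWED_IP_LIST, so 192.168.1.99
-- is rejected even though it falls inside the allowed /24.
CREATE NETWORK POLICY corp_office_range
  ALLOWED_IP_LIST = ('192.168.1.0/24')
  BLOCKED_IP_LIST = ('192.168.1.99')
  COMMENT = 'Office /24; 192.168.1.99 explicitly blocked';

-- Example 2: allow exactly two hosts. No BLOCKED_IP_LIST is needed, because
-- every address not in ALLOWED_IP_LIST is already denied. An entry with no
-- prefix length matches a single host (equivalent to /32).
CREATE NETWORK POLICY two_hosts_only
  ALLOWED_IP_LIST = ('192.168.1.0', '192.168.1.100')
  COMMENT = 'Two specific hosts only';

-- Do NOT do this: a 0.0.0.0/0 block is applied first and denies everyone,
-- including the administrator running the statement.
-- CREATE NETWORK POLICY lockout
--   ALLOWED_IP_LIST = ('192.168.1.0/24')
--   BLOCKED_IP_LIST = ('0.0.0.0/0');

-- Inspect the stored lists before activating the policy.
DESCRIBE NETWORK POLICY corp_office_range;
```

Creating a policy has no effect on logins by itself; it is enforced only once it is associated with the account (see the next section).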

Associating a Network Policy with Your Account

After creating a network policy, you must associate it with your account before Snowflake enforces the policy. When associated with your account, the network policy restricts access to your account based on the allowed IP address list and blocked IP address list. Any user who attempts to log in from an IP address restricted by the rules is denied access. In addition, when a network policy is associated with your account, any restricted users who are already logged into Snowflake are prevented from executing further queries.

A security administrator can create multiple network policies; however, only one network policy can be associated with an account at any one time. Associating a network policy with your account automatically removes the currently-associated network policy (if any).

Using the Web Interface

  1. Click Account > Policies.

    (Screenshot: Snowflake web interface Policies page)
  2. Click on a policy to select it.

    (Screenshot: Snowflake web interface Policies page)
  3. Click the Activate button in the right panel. Snowflake displays a success message.

Using SQL

Use the ALTER ACCOUNT command along with the NETWORK_POLICY account parameter to associate a network policy with your Snowflake account.
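An activation sequence in SQL, added here as an example and not taken from the original page. It assumes the policy corp_office_range from the earlier example exists, that the session runs as SECURITYADMIN, and that the address returned by CURRENT_IP_ADDRESS() is the one Snowflake checks against the policy. The preflight step reflects the note above: activation fails if your own address is not in the allowed list or is in the blocked list, so check before you flip the switch.

```sql
USE ROLE SECURITYADMIN;

-- Preflight: which address is this session connecting from, and does the
-- policy admit it? Compare the result against the ALLOWED_IP_LIST and
-- BLOCKED_IP_LIST values shown by DESCRIBE.
SELECT CURRENT_IP_ADDRESS();
DESCRIBE NETWORK POLICY corp_office_range;

-- Which policy (if any) is currently active? Only one can be associated with
-- the account at a time; setting a new one replaces it.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Activate. From this point, logins from addresses outside the policy are
-- refused, and already-authenticated sessions from those addresses can no
-- longer run queries.
ALTER ACCOUNT SET NETWORK_POLICY = corp_office_range;

-- Confirm the association took effect.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Rollback, if you need to back out: remove the account-level association,
-- which returns the account to accepting connections from any address.
-- ALTER ACCOUNT UNSET NETWORK_POLICY;
```

Keep the rollback statement at hand in a session that is still able to run queries; because an active policy also cuts off existing sessions from restricted addresses, a policy that omits the administrator's own range is the most common way to lock yourself out.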

Modifying Network Policies

Network policies can be modified through the web interface or using SQL, specifically to add or remove IP addresses from the list of allowed and blocked addresses.

Using the Web Interface

  1. Click Account > Policies.

    (Screenshot: Snowflake Policies page)
  2. Click on a policy to select it.

    (Screenshot: Snowflake web interface Policies page)
  3. Click the Edit button in the right panel.

    (Screenshot: Snowflake network policy edit panel)
  4. Modify the fields as necessary.

    • To remove an IP address from the Allowed IP Addresses or Blocked IP Addresses list, click the x beside the entry.
    • To add an IP address to either list, enter one or more comma-separated IPv4 addresses in the appropriate field, and press the Enter key.
  5. Click Save. Snowflake displays a success message.

Using SQL

Use the ALTER NETWORK POLICY command to modify a network policy.
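The add/remove edits described above done in SQL, as an added example that is not part of the original page. It assumes the policy corp_office_range from the earlier examples; the 10.0.0.0/8 range and the host 10.0.0.1 are made-up additions. The point a practitioner needs here is that ALTER NETWORK POLICY ... SET replaces the whole list rather than appending to it, so "adding" an address means restating every address you want to keep.

```sql
USE ROLE SECURITYADMIN;

-- Record the current lists first, so a mistaken SET can be reverted exactly.
DESCRIBE NETWORK POLICY corp_office_range;

-- Add 10.0.0.0/8 to the allowed list. SET replaces the entire list: if
-- 192.168.1.0/24 were omitted here, the office range would silently drop out
-- and every office user would be locked out on their next login or query.
ALTER NETWORK POLICY corp_office_range
  SET ALLOWED_IP_LIST = ('192.168.1.0/24', '10.0.0.0/8');

-- Add a second blocked host. The existing 192.168.1.99 must be restated for
-- the same reason.
ALTER NETWORK POLICY corp_office_range
  SET BLOCKED_IP_LIST = ('192.168.1.99', '10.0.0.1');

-- Remove an address: restate the list without it (here, drop 10.0.0.1 again).
ALTER NETWORK POLICY corp_office_range
  SET BLOCKED_IP_LIST = ('192.168.1.99');

-- Drop the blocked list entirely; the allowed list alone still denies
-- everything outside it.
ALTER NETWORK POLICY corp_office_range UNSET BLOCKED_IP_LIST;

-- Verify the lists you ended up with, not the ones you intended.
DESCRIBE NETWORK POLICY corp_office_range;
```

If the policy being edited is the one currently associated with the account, the change is live as soon as the statement succeeds, so run the DESCRIBE before and after from a session whose address is in the allowed list.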

Viewing Network Policies

You can view information about the network policies for your account through the web interface or using SQL.

Using the Web Interface

  1. Click Account > Policies.

    (Screenshot: Snowflake Policies page)
  2. Click on a policy to select it. The Allowed IP Addresses and Blocked IP Addresses lists (in the right panel) display the IPv4 addresses that are allowed or denied access to your account, respectively.

Using SQL

Use the following commands to view information about one or more network policies: