Azure Private Link provides private connectivity to Snowflake by ensuring that access to Snowflake is through a private IP address. Traffic can only occur from the customer virtual network (VNet) to the Snowflake VNet using the Microsoft backbone and avoids the public Internet. This significantly simplifies the network configuration by keeping access rules private while providing secure and private communication.
The following diagram summarizes the Azure Private Link architecture with respect to the customer VNet and the Snowflake VNet.
From either a virtual machine (1) or through peering (2), you can connect to the Private Link Endpoint (3) in your virtual network. That endpoint then connects to the Private Link Service (4) and routes to Snowflake.
Here are the high-level steps to integrate Snowflake with Azure Private Link:
Contact Snowflake Support and request approval, providing the value of the Azure Private Link Interface Endpoint you created. After Snowflake approves it, verify in the Azure Portal that the Private Link Interface Endpoint displays a CONNECTION STATE value of Approved. Verify your account URL and the OCSP URL with Snowflake Support.
If you have outbound firewalls, update them to allow the Snowflake account URL and OCSP URL.
Update your DNS server to resolve your account URL and OCSP URL to the Private Link IP address. You can add the DNS entry to your on-premises DNS server or to private DNS on your VNet, and forward DNS to it from the other locations from which you will access Snowflake.
If you cannot accept this limitation, create a separate subnet that contains only the Private Link Endpoint and have the other subnets route their requests to the Private Link Endpoint subnet. The script Snowflake provides takes this approach and creates a separate subnet for the Private Link Endpoint.
Verify that your Azure VNet and the Snowflake VNet on Azure are located in the same Azure region. If your Azure VNet is in a different region, peer it to a VNet in the same Azure region as Snowflake. Azure Private Link supports access both from other peered VNets and from on-premises resources connected via ExpressRoute or VPN.
Azure Private Link does not yet support proxy protocol version 2 (PPv2). Therefore, you can’t block access to your Snowflake public endpoint through a Snowflake network policy.
Configuring Access to Snowflake with Azure Private Link
This section only covers the Snowflake-specific details for configuring your VNet environment. Also, note that Snowflake is not responsible for the actual configuration of the required firewall updates and DNS records. If you encounter issues with any of these configuration tasks, please contact Microsoft Support directly.
This section describes how to configure your Azure VNet to connect to the Snowflake VNet on Azure using Azure Private Link.
Currently, Microsoft supports configuring and initiating the Azure Private Link connection using either the Azure CLI or Azure PowerShell. After initiating the connection, you can determine the approval state of the connection in the Azure portal.
Complete the following steps to configure your Microsoft Azure VNet and initiate the Azure Private Link connection to Snowflake. As a representative example, the following procedure uses commands for the Azure CLI.
The following template files and the scripts below create resources in your Azure environment to facilitate connecting to Snowflake using Azure Private Link. Exercise caution when making the modifications shown below. For additional help and support, please contact your internal Azure administrator.
The template file creates two Azure resources: an Interface Endpoint and a subnet for that endpoint.
The parameters file helps to initialize the two resources in the next step.
For each parameter in customer-privatelink-parameters.json, update the value to match your environment. For example, replace the virtualNetworkName value of privateLinkConsumer_vnet with myVirtualNetwork.
You do not need to change the value of the Snowflake Private Link Service Alias name snowflakePrivatelinkServiceAlias.
In the Azure CLI, execute az account list --output table. Note the output values in the Name and CloudName columns.
Name CloudName SubscriptionId State IsDefault
------- ---------- ------------------------------------ ------- ----------
MyCloud AzureCloud 13c91033-8b4e-40f7-9031-16c8f69233e3 Enabled True
Contact Snowflake Support and share the SubscriptionId value. Snowflake will then whitelist this value for auto-approval.
Wait for Snowflake to confirm that your SubscriptionId is set for auto-approval before continuing with the following steps.
In the Azure CLI, execute the following three commands using the values from the previous step. Note that these values are representative examples.
Replace <customer_cloud_name> with AzureCloud.
Replace <customer_subscription_name> with MyCloud.
You can choose an arbitrary name for CUSTOMER_RESOURCEGROUP_NAME.
az cloud set --name <customer_cloud_name>
az account set --subscription <customer_subscription_name>
az group deployment create --resource-group CUSTOMER_RESOURCEGROUP_NAME --template-file customer-privatelink-template.json --parameters customer-privatelink-parameters.json
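The three commands above can be wrapped so that a forgotten edit of the parameters file fails fast and the endpoint's connection state is polled until it reaches Approved. The script below is an added example, not Snowflake's script; the endpoint name, the parameters-file layout (an ARM parameters file with a `virtualNetworkName` entry) and the `az network private-endpoint show` query are assumptions.

```shell
#!/bin/sh
# Added example (not Snowflake's script): runs the deployment from the
# procedure above with a preflight check that the parameters file was
# edited, then polls the endpoint connection state.
# Endpoint name and parameters-file layout are assumptions.

PARAMS_FILE="customer-privatelink-parameters.json"
TEMPLATE_FILE="customer-privatelink-template.json"
RESOURCE_GROUP="CUSTOMER_RESOURCEGROUP_NAME"
ENDPOINT_NAME="<name_of_private_endpoint_from_template>"   # assumption
DEFAULT_VNET_VALUE="privateLinkConsumer_vnet"   # placeholder shipped in the parameters file

# Return 0 only if the parameters file no longer carries the shipped
# placeholder for virtualNetworkName, i.e. it points at a real VNet.
params_customized() {
  file="$1"
  [ -r "$file" ] || { echo "parameters file $file not found" >&2; return 1; }
  if grep -qF "\"$DEFAULT_VNET_VALUE\"" "$file"; then
    echo "virtualNetworkName still set to $DEFAULT_VNET_VALUE; edit $file first" >&2
    return 1
  fi
  return 0
}

# Deploy exactly as in the procedure: select cloud and subscription, then
# deploy the template with the parameters file.
deploy_private_endpoint() {
  cloud="$1"; subscription="$2"          # e.g. AzureCloud and MyCloud
  params_customized "$PARAMS_FILE" || return 1
  az cloud set --name "$cloud"
  az account set --subscription "$subscription"
  az group deployment create --resource-group "$RESOURCE_GROUP" \
    --template-file "$TEMPLATE_FILE" --parameters "$PARAMS_FILE" -o none
}

# Connection state reported by the endpoint: Pending until the connection is
# approved (auto-approval of the whitelisted subscription), then Approved.
connection_state() {
  az network private-endpoint show -g "$RESOURCE_GROUP" -n "$ENDPOINT_NAME" \
    --query "[privateLinkServiceConnections[].privateLinkServiceConnectionState.status, manualPrivateLinkServiceConnections[].privateLinkServiceConnectionState.status][] | [0]" \
    -o tsv
}

# Poll until the state is Approved or the attempt budget is spent.
wait_for_approval() {
  attempts="${1:-20}"
  while [ "$attempts" -gt 0 ]; do
    state=$(connection_state)
    echo "connection state: ${state:-unknown}"
    [ "$state" = "Approved" ] && return 0
    attempts=$((attempts - 1)); sleep 30
  done
  return 1
}

# Usage:
#   deploy_private_endpoint AzureCloud MyCloud && wait_for_approval 20
```

The preflight check is deliberately narrow: it only catches the one placeholder named in the procedure, so extend the `grep` if your parameters file ships other defaults that must be replaced.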
Navigate to the Azure portal. Search for Private Link and click Private Link (Preview).
Click Private endpoints and then click Add.
In the Basics section, complete the Subscription, Resource group, Name, and Region fields for your environment and then click Next: Resource.
In the Resource section, complete the Connection Method and the Resource ID or Alias fields.
For Connection Method, select Connect to an Azure resource by resource ID or alias.
For Resource ID or Alias Field, select the alias from the table that corresponds to your Snowflake on Azure region.
Return to the Private endpoints section and wait a few minutes. On approval, the Private Link Interface Endpoint displays a CONNECTION STATE value of Approved.
DNS Setup. All requests to Snowflake need to be routed via the Private Link Endpoint. Therefore, a DNS update is needed so that the Snowflake account URL and OCSP URL resolve to the private IP address of your Private Link Endpoint Interface.
To get the Endpoint IP address, enter the name of the Endpoint (i.e., the NAME value from Step 6) in the Azure portal search bar. Locate the Network Interface result and click it.
Copy the value for the Private IP address (e.g., 10.0.27.5).
Configure your DNS to have the following two URLs resolve to the private IP address.
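If you keep the override in an Azure private DNS zone linked to your VNet, the records can be published from the CLI and then checked from a client. The script below is an added example, not Snowflake's; the account and OCSP URLs come from Snowflake Support and are placeholders here, the zone layout (a private DNS zone named after everything but the first label of each URL) is an assumption, and the resolution check relies on glibc's `getent ahostsv4`.

```shell
#!/bin/sh
# Added example (not from the Snowflake docs): publish the Private Link
# endpoint IP in an Azure private DNS zone, then verify from a client that
# the account and OCSP URLs resolve to a private (RFC 1918) address.
# Angle-bracket values are placeholders; the zone layout is an assumption.

RESOURCE_GROUP="<customer_resource_group>"
VNET_NAME="<customer_vnet>"
ACCOUNT_URL="<account_url_from_snowflake_support>"
OCSP_URL="<ocsp_url_from_snowflake_support>"
ENDPOINT_IP="10.0.27.5"     # example value from the doc; use your own

# Return 0 if the dotted-quad address is in an RFC 1918 range.
is_rfc1918() {
  ip="$1"
  case "$ip" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$ip" | cut -d. -f2)
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# Split a hostname into the record name (first label) and the zone (rest).
record_name() { printf '%s' "${1%%.*}"; }
zone_name()   { printf '%s' "${1#*.}"; }

# Create (or update) the private DNS zone for a hostname, link it to the
# VNet without auto-registration, and add the A record for the endpoint.
publish_private_record() {
  host="$1"; ip="$2"
  zone=$(zone_name "$host")
  az network private-dns zone create -g "$RESOURCE_GROUP" -n "$zone" -o none
  az network private-dns link vnet create -g "$RESOURCE_GROUP" -z "$zone" \
    -n "${zone}-link" -v "$VNET_NAME" -e false -o none
  az network private-dns record-set a add-record -g "$RESOURCE_GROUP" \
    -z "$zone" -n "$(record_name "$host")" -a "$ip" -o none
}

# Resolve a hostname and fail if any returned A record is a public address,
# which means traffic would still leave via the public Snowflake endpoint.
check_private_resolution() {
  host="$1"
  addrs=$(getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "FAIL $host: does not resolve"; return 1; }
  for a in $addrs; do
    if is_rfc1918 "$a"; then
      echo "OK   $host -> $a (private)"
    else
      echo "FAIL $host -> $a (public; DNS override not in effect)"; return 1
    fi
  done
}

# Usage (after the endpoint exists and is Approved):
#   publish_private_record "$ACCOUNT_URL" "$ENDPOINT_IP"
#   publish_private_record "$OCSP_URL"    "$ENDPOINT_IP"
#   check_private_resolution "$ACCOUNT_URL" && check_private_resolution "$OCSP_URL"
```

Run `check_private_resolution` from each location that forwards DNS to the private zone; a public address in its output means that client is not using the Private Link path, which matters because, as noted above, a Snowflake network policy cannot block the public endpoint on its own.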