This blog describes how to configure Azure Private Link to connect an Azure Virtual Network to Snowflake.
Azure Private Link gives us the ability to connect to Snowflake from a private network that resides in Azure. This setup provides secure access to Snowflake without exposing traffic to, or traversing, the public internet.
Private Link is not technically a tunnel in the traditional sense; instead, it refers to a dedicated pathway within a cloud provider's network that allows private communication between different virtual networks or services without exposing traffic to the public internet. It essentially acts like a "logical tunnel" by keeping data isolated within the provider's infrastructure.
We will configure Azure and Snowflake according to the diagram above. After a successful connection, Azure services within the virtual network will be able to reach Snowflake using a private URL (which is not accessible via the public internet).
NOTE: Make sure that the Snowflake account's edition is Business Critical or above and that the Snowflake account is hosted in an Azure region.
1. Create a private endpoint (in Azure).
2. Connect the private endpoint via the resource ID (which can be extracted from Snowflake).
3. Authorize the Azure Private Link from Snowflake (using the Private Link ID and an access token).
4. Configure firewall and DNS settings.
5. Connect to Snowflake using the private URL.
Before trying to connect Azure Private Link with Snowflake, make sure you meet the following requirements:
An Azure virtual network for the private endpoint
IPv4 only
A Snowflake account on the Business Critical or higher edition
For more details on the requirements and limitations of Azure Private Link, see the official docs on Private Endpoint Limitations and Private Link Service Limitations.
For more details on the requirements and limitations on the Snowflake side, see the official docs on Snowflake Limitations.
Open the Azure portal and create a Resource Group to manage all related resources.
Create a virtual network in which our Private Link endpoint and other Azure services are going to reside.
For the sake of simplicity in this demonstration, we will keep all default values and change only those that are necessary.
Let's create a private endpoint.
In the Basics section, select the Subscription, Resource Group and Name.
In the Resource section, select "Connect to an Azure resource by resource ID or alias".
In Snowflake, execute the following command and enter the value of privatelink-pls-id into the Resource ID or alias field.
SELECT
KEY, VALUE::TEXT
FROM TABLE(
FLATTEN(INPUT =>PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG()))
);
In the Virtual Network section, select the virtual network that we created in Step 2.
We will skip DNS configuration for now; we will configure DNS in a later section.
After successful deployment, we should see:
Connection Status: Pending
Request Response: Awaiting Approval
This approval has to come from the Snowflake side. In order to approve it, we need two things:
The Resource ID of our private endpoint.
An access token for our Azure subscription.
We can get the private endpoint's Resource ID by clicking JSON View.
Copy this Resource ID somewhere safe; we will need it a few steps from now.
Next we need an access token for the Azure subscription we are using. The easiest way to get an access token is the Azure CLI.
Install the Azure CLI using the official docs here.
After installing, open a terminal/command prompt and run the following command:
az login
A browser window will open and ask you to log in to the Azure portal. After a successful login, return to the terminal/command prompt window and run the following command to get an access token:
az account get-access-token --subscription <SubscriptionID>
We can get the Subscription ID from the Azure portal.
From the output of the above command, we need the entire access token.
Take the private endpoint Resource ID from the earlier step and the access token, and use them to build the authorization statement in Snowflake.
Run the following command in Snowflake to authorize the Private Link from the Snowflake side:
SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
'PRIVATE_LINK_RESOURCE_ID',
'ACCESS_TOKEN'
);
We can confirm that the Private Link was authorized successfully by going back to Azure: the Connection Status should now be Approved.
At this point we are done with the Snowflake side of the configuration. We can run the following command in Snowflake to confirm that Azure is connected:
SELECT system$get_privatelink_authorized_endpoints();
The output should give us the Endpoint ID, Link Identifier and other necessary details.
We can now navigate to the private endpoint's NIC (network interface card) to get the private IP address of our endpoint. If we browse to that IP address from a VM (which must be in the same VNet as the private endpoint) we will get a 404 error, because Snowflake expects to be accessed via a domain name rather than an IP address. So we need to add entries for the Snowflake Private Link URLs to our DNS server.
In our case, the private IP address of our Snowflake endpoint is 10.0.0.4. We need to map all the domain names given by Snowflake to this static private IP address in our DNS.
Use the following command in Snowflake to get all the domain names that we need to create DNS entries for:
WITH CTE AS (
SELECT
G.KEY,
G.VALUE,
G.SEQ
FROM TABLE (FLATTEN(INPUT => PARSE_JSON(SYSTEM$ALLOWLIST_PRIVATELINK()))) F,
LATERAL FLATTEN(INPUT => F.VALUE) G
)
SELECT
MAX(CASE WHEN KEY = 'host' THEN VALUE::TEXT END) AS HOST,
MAX(CASE WHEN KEY = 'port' THEN VALUE::NUMBER END) AS PORT,
MAX(CASE WHEN KEY = 'type' THEN VALUE::TEXT END) AS TYPE
FROM CTE
GROUP BY SEQ;
The most important entries are SNOWFLAKE_DEPLOYMENT and OCSP_CACHE, but to use Private Link for stages, Duo etc. as well, we will put all of these URLs in our DNS server.
NOTE: We will map all of these names to the static private IP address, in our case 10.0.0.4.
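As an added example (not part of the original post), the following Snowflake query turns the allowlist into the exact DNS records to create. It assumes the Private DNS zone is named snowflakecomputing.com and the endpoint IP is 10.0.0.4, as in this walkthrough, and it strips the zone suffix from each host because a record set inside a zone named snowflakecomputing.com must not repeat it.

```sql
-- Added example (not from the original post): derive the Private DNS records to
-- create from Snowflake's allowlist. Assumptions: the Private DNS zone is named
-- snowflakecomputing.com and the endpoint's private IP is 10.0.0.4, as in this post.
SET dns_zone    = 'snowflakecomputing.com';
SET endpoint_ip = '10.0.0.4';

WITH allowlist AS (
    SELECT
        f.VALUE:type::TEXT   AS type,
        f.VALUE:host::TEXT   AS host,
        f.VALUE:port::NUMBER AS port
    FROM TABLE(FLATTEN(INPUT => PARSE_JSON(SYSTEM$ALLOWLIST_PRIVATELINK()))) f
)
SELECT
    type,
    host,
    port,
    -- Only hosts under the zone can be served by it; anything else needs separate handling.
    ENDSWITH(host, '.' || $dns_zone) AS served_by_zone,
    -- Record-set name relative to the zone: the host without the zone suffix,
    -- e.g. xxxx.privatelink for xxxx.privatelink.snowflakecomputing.com.
    IFF(served_by_zone,
        LEFT(host, LENGTH(host) - LENGTH($dns_zone) - 1),
        NULL) AS record_set_name,
    -- Every entry becomes an A record pointing at the private endpoint.
    'A' AS record_type,
    $endpoint_ip AS record_value
FROM allowlist
ORDER BY served_by_zone DESC, type;
```

Any row with served_by_zone = FALSE is a host the snowflakecomputing.com zone cannot answer for and must be handled in your organization's DNS instead.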
In a production environment, DNS configuration should be done by the Azure administrator. The Azure admin must create the mappings of these domain names to the private IP in their DNS server. If you do not have a DNS server of your own in your environment, you can use Private DNS within Azure.
For the sake of simplicity, we will use an Azure Private DNS zone to resolve the Snowflake Private Link domains to the (private) IP address.
Head over to the Azure portal and search for "Private DNS Zones".
Make sure that you name your Private DNS zone snowflakecomputing.com.
This is because Snowflake requires its URLs to be resolved under snowflakecomputing.com only. If we used any other name for the DNS zone, for example private.dns, the URL would become XXXX.privatelink.snowflakecomputing.com.private.dns, which Snowflake will reject.
By keeping our zone name as snowflakecomputing.com, our final URL will be XXXX.privatelink.snowflakecomputing.com.
1. Create the DNS zone with all default configuration.
2. Navigate to your Private DNS zone and click on Virtual Network Links.
We are going to create a new virtual network link; this links our DNS zone to the virtual network where our private endpoint and other Azure resources reside.
3. Add a new virtual network link and select the VNet where our private endpoint resides.
4. In the DNS sidebar, go to Recordsets.
5. We need to add a new record set entry for each URL (given by the Snowflake command) mentioned in the step above.
Make sure that we only enter the URL up to privatelink and do NOT include snowflakecomputing.com at the end, because our Private DNS zone name is snowflakecomputing.com and the full URL will therefore be resolved automatically. Also, we need to map each entry to the private endpoint IP address we got in the step above.
6. The final entries should look something like this.
7. Now we need to configure DNS in the private endpoint. Navigate to the private endpoint and click on "DNS Configuration".
8. Click on "Add Configuration".
9. Select the Private DNS zone we created, named snowflakecomputing.com. Leave the rest of the fields at their defaults and click "Add".
At this point our Private Link is successfully configured and we should be able to connect to Snowflake using the Private Link URL.
1. To test our connectivity, we will create a Windows 10 VM, because we need a browser to open the URL.
2. The Win10 VM should be in the same VNet as our private endpoint.
3. Along with a public IP (used to connect to the VM) we also get a private IP, because we are in an Azure virtual network. In our case the VM's private IP is 10.0.0.5.
4. RDP into the Win10 VM, open a browser, enter the Snowflake Private Link URL and hit Enter.
Snowflake recommends blocking public access to Snowflake after Private Link is configured. On the Snowflake side, we can use network policies to restrict access to Snowflake to a given IP address or IP address range.
To block public access using a network policy:
Create a new network policy or edit an existing network policy. Add the CIDR block range for your organization. In our case it would be our Azure virtual network (10.0.0.0/16).
Activate the network policy for your account/user.
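An added example of the two steps above (not from the original post), showing both per-user and account-wide activation. The policy name azure_vnet_only and the user name analyst_svc are placeholders; 10.0.0.0/16 is the VNet range used in this post.

```sql
-- Added example (not from the original post): a network policy that only admits
-- connections arriving from the Azure VNet behind the Private Link endpoint.
-- Placeholders: policy name azure_vnet_only, user name analyst_svc.
-- 10.0.0.0/16 is the VNet range used in this walkthrough.
CREATE NETWORK POLICY azure_vnet_only
  ALLOWED_IP_LIST = ('10.0.0.0/16')
  COMMENT = 'Azure Private Link VNet only; public internet blocked';

-- Before activating, check the address Snowflake sees for your own session.
-- If it is outside the allowed list, an account-level activation is rejected,
-- and a user-level one would lock that user out on the next login.
SELECT CURRENT_IP_ADDRESS();

-- Per-user activation: this user can now log in only over Private Link.
ALTER USER analyst_svc SET NETWORK_POLICY = azure_vnet_only;

-- Account-wide activation once private connectivity has been verified.
ALTER ACCOUNT SET NETWORK_POLICY = azure_vnet_only;

-- Verify the policy definition and where it is active.
DESCRIBE NETWORK POLICY azure_vnet_only;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER analyst_svc;
```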
I recommend activating the network policy per user to block public access, and leaving at least one highly privileged user able to reach Snowflake via the public internet as a fail-safe in case something goes wrong with our Azure Private Link; this does, however, leave a potential loophole. Of course, the whole point of using private connectivity is to avoid the public internet in the first place. If you decide to keep a highly privileged user with public access, I recommend enforcing SSO and MFA for that user. Hope you don't have to go through the section below 🙃
After entering the Snowflake Private Link URL, if you see something like this, then there is a misconfiguration or a step was missed.
Instead of entering the Private Link URL in the browser, try entering the IP address of the private endpoint. In our case that would be 10.0.0.4.
If you see something like "Error 404 not found", then your Private Link is configured successfully but your DNS configuration is either incomplete or misconfigured. This happens because Snowflake expects to be accessed through a URL, NOT an IP address.
To confirm that the DNS configuration is the actual problem, use nslookup from the Win10 VM's command prompt and try to resolve the Private Link URL:
nslookup <snowflake private endpoint URL>
If the URL resolves to the private IP of the endpoint, then we are good; otherwise we can be 100% sure that DNS is the issue.
IT'S ALWAYS DNS
If you cannot see the Snowflake error page after entering the private IP address of the endpoint, then double-check each configuration step one by one.
Work with your Azure admin to figure out and resolve DNS issues. They may need to set up DNS forwarding somewhere within their system. DNS is very organization-specific, so it's really tough to say anything concrete in this blog.
I have kept this blog as detailed as I can, which is one of the reasons it is so long. It is easy to miss steps written above or below the screenshots, so make sure you follow each step carefully.
Feel free to connect with me via the socials provided at the end of this blog.