circle-info
Watch Kaiya's Agent Mode auto plan multi-step, multi-join analysis.
Take me to the videoarrow-up-right
search

Azure PrivateLink

Integrate Snowflake with Azure Private Link in Tellius—configure private endpoints, DNS zones, and secure connections for enhanced data protection.

hashtag
What is an Azure PrivateLink?

Azure Private Link is a feature in Microsoft Azure that enables customers to access Azure services, such as Snowflake, over a private endpoint within their virtual network.

By leveraging Azure Private Link, Snowflake users can access their data warehouse without going over the public internet, improving data security and reducing latency. With this setup, users can establish a private endpoint for Snowflake within their Azure virtual network and connect to Snowflake using private IP addresses.

hashtag
Pre-requisites

  • An Azure subscription with permission to create a virtual network.

  • An existing virtual network in Azure with a subnet that can be dedicated to the Snowflake Private Link endpoint.

  • A Snowflake account with a virtual private cloud (VPC) enabled and network policies configured.

  • A Snowflake user account with the ACCOUNTADMIN role or equivalent privileges to create a private link endpoint.

  • A virtual machine or client machine with connectivity to the Azure virtual network and the ability to access the Snowflake account using a private IP address.

circle-info

Please note that if Tellius is hosting the infrastructure, then the Tellius team will take care of all the steps on the Azure side. Contact [email protected] for further assistance.

hashtag
Setting up Snowflake

Obtain PrivateLink resource ID and accessToken from Snowflake console

  1. Log in to the Snowflake Console as the admin user

  2. Open a blank worksheet and run the following command:

select SYSTEM$GET_PRIVATELINK_CONFIG() using role ACCOUNTADMIN;

  1. Save the JSON output to be used later

  2. Note down the resourceId and accessToken values from the JSON output

hashtag
Create a Private endpoint in Azure

  1. Log in to the Azure Portal.

  2. Search for Private Link service and open it.

Private Link

  1. Click on Private endpoints and then on Create.

Private endpoints

  1. Enter the resource group name of the Kubernetes cluster for which it needs to be linked (for example, POC9).

  2. Enter a name for the private endpoint and click on Next.

Creating a private endpoint -> Basics

  1. Choose the option Connect to an Azure resource by resource ID or alias.

  2. Open the saved Snowflake JSON output and copy the privatelink-pls-id value for Resource ID/Alias.

Creating a private endpoint -> Resource

  1. Click on Next and choose the virtual network as the same network as that of the Kubernetes cluster. The subnet will be auto-populated for the subnet of the cluster/vnet.

Creating a private endpoint -> Virtual network

  1. Click on Next until you reach the Review and Create page. Then click on Create.

  2. Since the Private Endpoint is in a “Pending” state, and to move it to the “Approved” state, the following needs to be executed on Azure CLI. Note down the resource ID output from the Azure CLI command:

hashtag
Obtain accessToken for Private Endpoint from Azure CLI

  1. Run the following Azure CLI command to get the accessToken, and the same will be used as federated_token in the next step.

  1. The output looks similar to the following:

  1. Save the JSON output to be used later. Also, note down the accessToken value from the JSON output.

hashtag
Authorize Private Link in Snowflake

  1. Log in to the Snowflake Console as the admin user.

  2. Open a blank worksheet and run the following command:

  1. Replace <resourceId> and <accessToken> with the values obtained in steps 1 and 3.

  2. Once done, “Private Link is authorized” message will be displayed.

Private Link is authorized” message

hashtag
Approve Private Endpoint in Azure

  1. Run the following Azure CLI command to approve the Private Endpoint:

  1. Replace <private-endpoint-id> with the value obtained in step 2

  2. Now, the Private Endpoint is in "Approved" state in the Azure Portal.

  3. Copy the private endpoint IP as it is needed to route requests via Private DNS. (e.g., 10.240.0.5).

Private endpoint IP

hashtag
Create Private DNS Zone in Azure

  1. Go to Private DNS Zones in the Azure Portal and click on Create.

  2. Enter the name "privatelink.snowflakecomputing.com" and click on Create.

Creating private DNS

hashtag
Add Record Sets to Private DNS Zone

  1. Open the created Private DNS Zone and click on Create record set.

  2. Enter the following details for the first record set:

  • Record type: A

  • Name: <privatelink-account-url> (from the saved Snowflake JSON output)

  • IPv4 address: <private-endpoint-IP> (note down from the Azure Portal)

  • TTL: 30 seconds

  1. Create another record set for OCSP Cache Server using the same process

  • Record type: A

  • Name: <privatelink-ocsp-url> (from the saved Snowflake JSON output)

  • IPv4 address: <private-endpoint-IP> (note down from the Azure Portal)

  • TTL: 30 seconds

Adding record sets

hashtag
Test the Private Link Connection

  1. Use the Snowflake console to test the private link connection by running queries.

  2. Verify whether the queries are running successfully.

hashtag
Add the Virtual Network links to the Private DNS Zone

  1. Go to the Private DNS Zone and click on Virtual network links. Click on Add.

  2. Populate the name and choose the same virtual network as that of the Kubernetes cluster that needs to be linked with. Click on Okay to create.

Adding virtual network link

  1. Finally, navigate to the private endpoint that you had created earlier, in the DNS Configuration section. Click on Add configuration.

  2. Populate the values for the Private DNS Zone that has been created and click on Add.

Private DNS zone

Users can now test the data source connection to their snowflake account.

hashtag
Reference

PreviousIntegrating Snowflake with Okta via OAuthNextAWS PrivateLink

Was this helpful?