Azure PrivateLink
What is Azure Private Link?
Azure Private Link is an Azure feature that lets you reach Azure services, and third-party services hosted on Azure such as Snowflake, through a private endpoint inside your own virtual network.
With Azure Private Link, Snowflake users reach their data warehouse without traversing the public internet, which shrinks the exposed surface and usually reduces latency. In this setup, a private endpoint for Snowflake is created in the Azure virtual network and clients connect to Snowflake through that endpoint's private IP address. Private Link does not by itself disable the account's public endpoint; if public access should be blocked, pair it with a Snowflake network policy.
Pre-requisites
An Azure subscription with permission to create a virtual network.
An existing virtual network in Azure with a subnet that can be dedicated to the Snowflake Private Link endpoint.
A Snowflake account hosted on Azure, on an edition that supports Azure Private Link (Business Critical or higher), with network policies configured.
A Snowflake user with the ACCOUNTADMIN role (or a role granted equivalent privileges), which is needed to run the Private Link authorization functions.
A virtual machine or client machine with connectivity to the Azure virtual network, from which the Snowflake account will be reached over the private IP address.
Setting up Snowflake
Obtain the Private Link configuration from the Snowflake console
Log in to the Snowflake Console as the admin user
Open a blank worksheet and run the following command:
Save the JSON output to be used later.
Note down the privatelink-pls-id, privatelink-account-url and privatelink-ocsp-url values from the JSON output; they are used in the Azure steps below.
Create a Private endpoint in Azure
Log in to the Azure Portal.
Search for Private Link service and open it.
Click on Private endpoints and then on Create.
Enter the resource group name of the Kubernetes cluster for which it needs to be linked (for example, POC9).
Enter a name for the private endpoint and click on Next.
Choose the option Connect to an Azure resource by resource ID or alias.
Open the saved Snowflake JSON output and copy the privatelink-pls-id value for Resource ID/Alias.
Click on Next and choose the same virtual network as that of the Kubernetes cluster. The subnet is auto-populated with the subnet of the cluster/vnet.
Click on Next until you reach the Review and Create page. Then click on Create.
The Private Endpoint is created in the "Pending" state. Before it can be moved to "Approved", obtain its resource ID by running the following on the Azure CLI, and note down the resource ID from the command's output (it is needed for the Snowflake authorization step):
Obtain accessToken for Private Endpoint from Azure CLI
Run the following Azure CLI command to get the accessToken; the same value is used as the federated_token in the next step.
The output looks similar to the following:
Save the JSON output to be used later and note down the accessToken value. Treat this value as a credential: it is a short-lived bearer token for your Azure identity, so use it promptly and do not leave it in worksheets, scripts or shell history.
Authorize Private Link in Snowflake
Log in to the Snowflake Console as the admin user.
Open a blank worksheet and run the following command:
Replace <resourceId> and <accessToken> with the private endpoint resource ID (step 2) and the Azure accessToken (step 3). Once done, a "Private Link is authorized" message is displayed.
Approve Private Endpoint in Azure
Run the following Azure CLI command to approve the Private Endpoint:
Replace <private-endpoint-id> with the value obtained in step 2. The Private Endpoint now shows the "Approved" state in the Azure Portal.
Copy the private endpoint's private IP address (for example, 10.240.0.5); it is needed for the Private DNS records that route requests to the endpoint.
Create Private DNS Zone in Azure
Go to Private DNS Zones in the Azure Portal and click on Create.
Enter the name "privatelink.snowflakecomputing.com" and click on Create.
Add Record Sets to Private DNS Zone
Open the created Private DNS Zone and click on Create record set.
Enter the following details for the first record set:
Record type: A
Name: the host part of <privatelink-account-url> (from the saved Snowflake JSON output) relative to the zone, i.e. the value with the trailing ".privatelink.snowflakecomputing.com" removed. Azure DNS record names are relative to the zone, so entering the full URL creates a record under the wrong name.
IPv4 address: <private-endpoint-IP> (noted down from the Azure Portal)
TTL: 30 seconds
Create another record set for the OCSP cache server using the same process:
Record type: A
Name: the host part of <privatelink-ocsp-url> (from the saved Snowflake JSON output) relative to the zone, as above
IPv4 address: <private-endpoint-IP> (noted down from the Azure Portal)
TTL: 30 seconds
Test the Private Link Connection
From a client inside the virtual network, verify that <privatelink-account-url> resolves to the private endpoint IP, then open the Snowflake console through that URL and run a few queries.
Verify that the queries succeed. If the URL still resolves to a public address, traffic is taking the public path; this usually means the virtual network is not yet linked to the Private DNS zone (see the next step).
Add the Virtual Network links to the Private DNS Zone
Go to the Private DNS Zone and click on Virtual network links. Click on Add.
Populate the name and choose the same virtual network as that of the Kubernetes cluster that needs to be linked. Click on OK to create.
Finally, navigate to the private endpoint that you had created earlier, in the DNS Configuration section. Click on Add configuration.
Populate the values for the Private DNS Zone that has been created and click on Add.
Users can now test the data source connection to their Snowflake account.
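The DNS and verification steps above are where this setup most often goes wrong (full URL entered as the record name, a public IP pasted by mistake, or the VNet not linked so the URL still resolves publicly). The following script is an added example, not code from this page or from Snowflake: it takes the JSON saved in step 1 (shaped like the output of SYSTEM$GET_PRIVATELINK_CONFIG()), derives the record-set names relative to the privatelink.snowflakecomputing.com zone, checks the endpoint IP, renders the equivalent Azure CLI commands, and compares resolver answers from a VM in the VNet against the endpoint IP. The sample config, the endpoint IP 10.240.0.5, the subnet 10.240.0.0/16 and the resource group POC9 are constructed assumptions.

```python
"""Plan and check the Azure Private DNS records for a Snowflake Private Link endpoint."""
import ipaddress
import json

PRIVATE_ZONE = "privatelink.snowflakecomputing.com"

# Constructed sample shaped like the JSON that SYSTEM$GET_PRIVATELINK_CONFIG()
# returns for an Azure-hosted account; locator, region and pls-id are made up.
SAMPLE_CONFIG_JSON = json.dumps({
    "privatelink-account-name": "xy12345.west-europe.privatelink",
    "privatelink-account-url": "xy12345.west-europe.privatelink.snowflakecomputing.com",
    "privatelink-ocsp-url": "ocsp.xy12345.west-europe.privatelink.snowflakecomputing.com",
    "privatelink-pls-id": "sf-pvlinksvc-azwesteurope.00000000-0000-0000-0000-000000000000"
                          ".westeurope.azure.privatelinkservice",
})


def relative_name(fqdn, zone=PRIVATE_ZONE):
    """Return the record-set name relative to the zone.

    Azure DNS record names are labels under the zone, so the zone suffix must be
    stripped; entering the full FQDN creates a record nobody will ever query.
    """
    fqdn = fqdn.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not under the private zone {zone}")
    return fqdn[: -len(suffix)]


def plan_record_sets(config_json, endpoint_ip, endpoint_subnet, ttl=30):
    """Build the two A records the DNS steps call for and sanity-check the IP."""
    ip = ipaddress.ip_address(endpoint_ip)
    subnet = ipaddress.ip_network(endpoint_subnet)
    if not ip.is_private:
        raise ValueError(f"{ip} is not a private address; a private endpoint never has a public IP")
    if ip not in subnet:
        raise ValueError(f"{ip} is not in the private endpoint subnet {subnet}")
    cfg = json.loads(config_json)
    return [
        {"name": relative_name(cfg[key]), "type": "A", "value": str(ip), "ttl": ttl}
        for key in ("privatelink-account-url", "privatelink-ocsp-url")
    ]


def az_commands(records, resource_group, zone=PRIVATE_ZONE):
    """Render the record plan as Azure CLI commands equivalent to the portal clicks."""
    cmds = []
    for r in records:
        cmds.append(f"az network private-dns record-set a create -g {resource_group} "
                    f"-z {zone} -n {r['name']} --ttl {r['ttl']}")
        cmds.append(f"az network private-dns record-set a add-record -g {resource_group} "
                    f"-z {zone} -n {r['name']} -a {r['value']}")
    return cmds


def check_resolution(config_json, resolved, endpoint_ip):
    """Compare what a client inside the VNet resolved against the endpoint IP.

    `resolved` maps FQDN -> IP (e.g. collected with nslookup on the VM). A public
    answer means the VNet is not linked to the private zone (or the link has not
    propagated yet) and traffic is still leaving through the public endpoint.
    """
    cfg = json.loads(config_json)
    problems = []
    for key in ("privatelink-account-url", "privatelink-ocsp-url"):
        host = cfg[key]
        got = resolved.get(host)
        if got is None:
            problems.append(f"{host}: no answer")
        elif got != endpoint_ip:
            why = "public address" if not ipaddress.ip_address(got).is_private else "unexpected private address"
            problems.append(f"{host}: resolved to {got} ({why}), expected {endpoint_ip}")
    return problems


if __name__ == "__main__":
    plan = plan_record_sets(SAMPLE_CONFIG_JSON, "10.240.0.5", "10.240.0.0/16")
    for cmd in az_commands(plan, "POC9"):
        print(cmd)
    # Constructed resolver answers: the account URL still resolves publicly,
    # the OCSP URL already points at the private endpoint.
    answers = {
        "xy12345.west-europe.privatelink.snowflakecomputing.com": "20.50.60.70",
        "ocsp.xy12345.west-europe.privatelink.snowflakecomputing.com": "10.240.0.5",
    }
    for problem in check_resolution(SAMPLE_CONFIG_JSON, answers, "10.240.0.5"):
        print("PROBLEM:", problem)
```

Run it on the real JSON saved in step 1 by replacing SAMPLE_CONFIG_JSON with the file contents; a non-empty list from check_resolution, run against answers collected on a VM in the linked VNet, is the signal that the connection is not yet private even if queries succeed.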