Azure Private Link creates a secure, private connection between services running in Azure. This document describes the steps to set this up between Snowflake and Atlan.
Prerequisites
- Snowflake must be set up with Business Critical Edition (or higher).
- Open a ticket with Snowflake Support to enable Azure Private Link for your Snowflake account.
- Snowflake Support will take 1-2 days to review and enable Azure Private Link.
(For all details, see the Snowflake documentation.)
Fetch Private Link information
Log in to snowCLI using the ACCOUNTADMIN account, and run the following commands:
use role accountadmin;
select system$get_privatelink_config();
This will produce an output like the following (formatted here for readability):
{
  "regionless-snowsight-privatelink-url": "abc123.privatelink.snowflakecomputing.com",
  "privatelink-account-name": "abc123.west-europe.privatelink",
  "snowsight-privatelink-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
  "privatelink-account-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
  "privatelink-connection-ocsp-urls": "[]",
  "privatelink-pls-id": "abc123.westeurope.azure.privatelinkservice",
  "regionless-privatelink-account-url": "abc123.privatelink.snowflakecomputing.com",
  "privatelink_ocsp-url": "ocsp.abc123.west-europe.privatelink.snowflakecomputing.com",
  "privatelink-connection-urls": "[]"
}
Share details with Atlan support team
Share the following values with the Atlan support team:
- regionless-snowsight-privatelink-url
- privatelink-account-name
- snowsight-privatelink-url
- privatelink-account-url
- privatelink-connection-ocsp-urls
- privatelink-pls-id
- regionless-privatelink-account-url
- privatelink_ocsp-url
- privatelink-connection-urls
Atlan support will finish the configuration on the Atlan side using these values. Support will then provide you with the Snowflake private endpoint resource ID and Azure token for you to approve the request.
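A check you can run on the output before sending it, as an added example that is not part of the original page or of Atlan's or Snowflake's tooling: it extracts only the nine requested values and flags any that are missing or do not look like Private Link names. The function name and the expected suffixes are assumptions inferred from the sample output above.

```python
import json

# The nine keys this page asks you to share with Atlan support.
REQUIRED_KEYS = (
    "regionless-snowsight-privatelink-url", "privatelink-account-name",
    "snowsight-privatelink-url", "privatelink-account-url",
    "privatelink-connection-ocsp-urls", "privatelink-pls-id",
    "regionless-privatelink-account-url", "privatelink_ocsp-url",
    "privatelink-connection-urls",
)
# These two values are JSON arrays encoded as strings ("[]" in the sample).
LIST_KEYS = {"privatelink-connection-ocsp-urls", "privatelink-connection-urls"}
# Assumption: expected suffixes are inferred from the sample output on this page.
SUFFIXES = {"privatelink-account-name": ".privatelink",
            "privatelink-pls-id": ".azure.privatelinkservice"}
HOST_SUFFIX = ".privatelink.snowflakecomputing.com"
# Sample output from this page (placeholder account abc123).
SAMPLE = json.dumps({
    "regionless-snowsight-privatelink-url": "abc123.privatelink.snowflakecomputing.com",
    "privatelink-account-name": "abc123.west-europe.privatelink",
    "snowsight-privatelink-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
    "privatelink-account-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
    "privatelink-connection-ocsp-urls": "[]",
    "privatelink-pls-id": "abc123.westeurope.azure.privatelinkservice",
    "regionless-privatelink-account-url": "abc123.privatelink.snowflakecomputing.com",
    "privatelink_ocsp-url": "ocsp.abc123.west-europe.privatelink.snowflakecomputing.com",
    "privatelink-connection-urls": "[]",
})

def check_privatelink_config(raw):
    """Return (values_to_share, problems) for system$get_privatelink_config() output."""
    config = json.loads(raw)
    values, problems = {}, []
    for key in REQUIRED_KEYS:
        if key not in config:
            problems.append(f"{key}: missing")
            continue
        values[key] = config[key]  # keys outside the nine are never copied
        try:
            items = json.loads(config[key]) if key in LIST_KEYS else [config[key]]
        except (TypeError, ValueError):
            items = None
        if not isinstance(items, list):
            problems.append(f"{key}: not a JSON array string")
            continue
        suffix = SUFFIXES.get(key, HOST_SUFFIX)
        for item in items:
            if not (isinstance(item, str) and item.endswith(suffix)):
                problems.append(f"{key}: {item!r} does not end with {suffix}")
    return values, problems
```

An empty problem list means all nine values are present and match the Private Link naming seen in the sample; a public hostname such as one without `.privatelink.` is reported instead of being passed along.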
Approve the endpoint connection request
Log in to snowCLI using the ACCOUNTADMIN account, and run the following commands:
use role accountadmin;
SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
'/subscriptions/26d.../resourcegroups/sf-1/providers/microsoft.network/privateendpoints/test-self-service',
'eyJ...'
);
Snowflake will return an "Account is authorized for PrivateLink." message to confirm successful authorization. The status of the private endpoint in Atlan will then change to Approved.
When you use this endpoint in the configuration for crawling and mining Snowflake, Atlan will connect to Snowflake over the Private Link.
(Optional) Configure private endpoint for internal stages
This is only required if you're using Snowflake internal stages. To enable Atlan to securely access your Snowflake internal stages, Atlan will require a private endpoint to your Azure storage account. Refer to Snowflake documentation to learn more.
To configure an Azure private endpoint to access Snowflake internal stages:
- Open the Azure portal and navigate to your Azure Storage account.
- On the Storage accounts page, select the storage account to connect. From the storage account menu, click Overview. In the Resource JSON form, for Resource ID, click the clipboard icon to copy the value and contact Atlan support to share the value. (Atlan support will finish the configuration on the Atlan side using the Resource ID value and contact you to confirm endpoint creation.)
- From the storage account menu, click Security + networking and then click Networking.
- On the Networking page, change to the Private endpoint connections tab and then approve the endpoint connection request from Atlan.