How to set up an Azure private network link to Snowflake

Azure Private Link creates a secure, private connection between services running in Azure. This document describes the steps to set this up between Snowflake and Atlan.

🤓 Who can do this? You will need Snowflake Support, and probably your Snowflake administrator involved — you may not have access or the tools to run these tasks.

Prerequisites

  • Snowflake must be set up with Business Critical Edition (or higher).
  • Open a ticket with Snowflake Support to enable Azure Private Link for your Snowflake account.
  • Snowflake Support will take 1-2 days to review and enable Azure Private Link.

(For all details, see the Snowflake documentation.)

Fetch Private Link information

Log in to snowCLI using the ACCOUNTADMIN account, and run the following commands:

use role accountadmin;
select system$get_privatelink_config();

This will produce an output like the following (formatted here for readability):

{
   "regionless-snowsight-privatelink-url": "abc123.privatelink.snowflakecomputing.com",
   "privatelink-account-name": "abc123.west-europe.privatelink",
   "snowsight-privatelink-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
   "privatelink-account-url": "abc123.west-europe.privatelink.snowflakecomputing.com",
   "privatelink-connection-ocsp-urls": "[]",
   "privatelink-pls-id": "abc123.westeurope.azure.privatelinkservice",
   "regionless-privatelink-account-url": "abc123.privatelink.snowflakecomputing.com",
   "privatelink_ocsp-url": "ocsp.abc123.west-europe.privatelink.snowflakecomputing.com",
   "privatelink-connection-urls": "[]"
}

Share details with Atlan support team

Share the following values with the Atlan support team:

  • regionless-snowsight-privatelink-url
  • privatelink-account-name
  • snowsight-privatelink-url
  • privatelink-account-url
  • privatelink-connection-ocsp-urls
  • privatelink-pls-id
  • regionless-privatelink-account-url
  • privatelink_ocsp-url
  • privatelink-connection-urls
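
An added example (not Atlan's or Snowflake's code) of a check to run on the command output before sharing it: it confirms that all nine values are present and that every hostname is a Private Link name rather than a public endpoint. The expected suffixes are assumptions inferred from the sample output above, and `check_privatelink_config` is a hypothetical helper name.

```python
import json

# Keys this page says to share with Atlan support, grouped by value type.
HOST_KEYS = (
    "regionless-snowsight-privatelink-url", "snowsight-privatelink-url",
    "privatelink-account-url", "regionless-privatelink-account-url",
    "privatelink_ocsp-url",
)
LIST_KEYS = ("privatelink-connection-ocsp-urls", "privatelink-connection-urls")
# Assumption: expected suffixes are inferred from the sample output on this page.
HOST_SUFFIX = ".privatelink.snowflakecomputing.com"
OTHER_SUFFIX = {"privatelink-account-name": ".privatelink",
                "privatelink-pls-id": ".azure.privatelinkservice"}


def check_privatelink_config(raw):
    """Return a list of problems found in system$get_privatelink_config() output."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not a JSON object"]
    expected = {**{k: HOST_SUFFIX for k in HOST_KEYS}, **OTHER_SUFFIX}
    problems = []
    for key, suffix in expected.items():
        value = cfg.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: missing or empty")
        elif not value.endswith(suffix):
            problems.append(f"{key}: {value!r} does not end with {suffix}")
    for key in LIST_KEYS:
        value = cfg.get(key)
        try:  # list values arrive as a JSON array inside a string, e.g. "[]"
            hosts = json.loads(value) if isinstance(value, str) else value
        except json.JSONDecodeError:
            hosts = None
        if not isinstance(hosts, list):
            problems.append(f"{key}: missing or not a list")
            continue
        problems += [f"{key}: {h!r} is not a private-link host" for h in hosts
                     if not (isinstance(h, str) and h.endswith(HOST_SUFFIX))]
    return problems


if __name__ == "__main__":
    # Constructed sample: only one field set, and it holds a public hostname.
    sample = {"privatelink-account-url": "abc123.west-europe.azure.snowflakecomputing.com"}
    print("\n".join(check_privatelink_config(json.dumps(sample))))
```

An empty list means the output matches the shape shown above; any entry names the field to recheck before sending the values on.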

Atlan support will finish the configuration on the Atlan side using these values. Support will then provide you with the Snowflake private endpoint resource ID and Azure token for you to approve the request.

Approve the endpoint connection request

Log in to snowCLI using the ACCOUNTADMIN account, and run the following commands:

use role accountadmin;
SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
  '/subscriptions/26d.../resourcegroups/sf-1/providers/microsoft.network/privateendpoints/test-self-service',
  'eyJ...'
  );

Snowflake will return the message "Account is authorized for PrivateLink." to confirm successful authorization. The status of the private endpoint in Atlan will then change to Approved.

When you use this endpoint in the configuration for crawling and mining Snowflake, Atlan will connect to Snowflake over the Private Link.

(Optional) Configure private endpoint for internal stages

This is only required if you're using Snowflake internal stages. To enable Atlan to securely access your Snowflake internal stages, Atlan will require a private endpoint to your Azure storage account. Refer to Snowflake documentation to learn more.

To configure an Azure private endpoint to access Snowflake internal stages:

  1. Open the Azure portal and navigate to your Azure Storage account.
  2. On the Storage accounts page, select the storage account to connect. From the storage account menu, click Overview. In the Resource JSON form, for Resource ID, click the clipboard icon to copy the value and contact Atlan support to share the value. (Atlan support will finish the configuration on the Atlan side using the Resource ID value and contact you to confirm endpoint creation.)
  3. From the storage account menu, click Security + networking and then click Networking.
  4. On the Networking page, change to the Private endpoint connections tab and then approve the endpoint connection request from Atlan.
