Manage Network Traffic on Snowflake Using Network Rules

Network Rules on Snowflake — By Data Superhero: Divyansh Saxena

In this article we look at Snowflake’s Network Rules and how they are used to manage and restrict INGRESS and EGRESS traffic within Snowflake. The feature is currently available to all accounts on AWS.

What exactly is a Network Rule on Snowflake?🤔

For a long time, many of us were looking for a way to reach external network locations from Snowflake via stored procedures or UDFs, but Snowflake has features that restrict network traffic.

With Network Rules, we can reference them in our stored procedures or UDFs to access external network locations.

A network rule does not define whether its identifiers should be allowed or blocked. The Snowflake feature that uses the network rule specifies whether the identifiers in the rule are permitted or prohibited.

Incoming and Outgoing Requests

Incoming Requests

Network Policies protect the Snowflake service and internal stages from incoming traffic. When a network rule is used with a network policy, the administrator can set the mode to one of the following:

INGRESS

The behavior of the INGRESS mode depends on the value of the network rule’s TYPE property.

  • If TYPE=IPV4, by default, the network rule controls access to the Snowflake service only. If the account administrator enables the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter, then MODE=INGRESS and TYPE=IPV4 also protect an AWS internal stage.
  • If TYPE=AWSVPCEID, then the network rule controls access to the Snowflake service only. If you want to restrict access to the AWS internal stage based on the VPCE ID of an interface endpoint, you must create a separate network rule using the INTERNAL_STAGE mode.

INTERNAL_STAGE

Controls access to an AWS internal stage without restricting access to the Snowflake service. Using this mode requires the following:

Outgoing Requests

Administrators can use network rules with features that control where requests can be sent. In these cases, the administrator defines the network rule with the following mode:

EGRESS

Indicates that the network rule is used for traffic sent from Snowflake.

Currently used with external network access, which allows a UDF or procedure to send requests to an external network location.

How to create a Network Rule?

You can create a network rule by executing the CREATE NETWORK RULE command, specifying a list of network identifiers along with the type of those identifiers.

Use the MODE parameter to indicate whether the network rule is used to restrict incoming or outgoing requests.

Creating a network rule does not define whether it is allowing or blocking the network identifiers. You specify those restrictions when configuring the Snowflake feature that uses the network rule.

-- Syntax

CREATE [ OR REPLACE ] NETWORK RULE <name>
  TYPE = { IPV4 | AWSVPCEID | AZURELINKID | HOST_PORT }
  VALUE_LIST = ( '<value>' [, '<value>', ... ] )
  MODE = { INGRESS | INTERNAL_STAGE | EGRESS }
  [ COMMENT = '<string_literal>' ]

-- Example: an IPv4 rule for incoming requests to the Snowflake service

CREATE NETWORK RULE cloud_network
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('47.88.25.32/27');
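The following is an added example, not code from the original article, that ties the three modes described above (INGRESS, INTERNAL_STAGE, EGRESS) to the CREATE NETWORK RULE syntax and to the Snowflake features that consume the rules: a network policy for incoming requests and an external access integration for outgoing ones. The database and schema SEC.RULES, the object names, the IP ranges (RFC 5737 documentation addresses), the VPC endpoint ID and the vendor hostname are all placeholders chosen for illustration; the example assumes the active role can create objects in that schema.

```sql
-- Added example (not from the original article). SEC.RULES, the rule names,
-- the addresses, the VPCE ID and the hostname are placeholders.
USE ROLE SECURITYADMIN;   -- assumption: this role can create rules in SEC.RULES

-- 1. INGRESS + IPV4: which client addresses may reach the Snowflake service.
CREATE OR REPLACE NETWORK RULE sec.rules.office_ingress
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('203.0.113.0/24', '198.51.100.17')   -- RFC 5737 test ranges
  COMMENT = 'Corporate egress addresses allowed to reach the service';

-- 2. INTERNAL_STAGE + AWSVPCEID: which VPC interface endpoint may reach the
--    AWS internal stage. This has to be its own rule: an INGRESS rule of
--    TYPE = AWSVPCEID protects the service only, not the stage.
CREATE OR REPLACE NETWORK RULE sec.rules.stage_vpce
  TYPE = AWSVPCEID
  MODE = INTERNAL_STAGE
  VALUE_LIST = ('vpce-0123456789abcdef0')            -- placeholder endpoint ID
  COMMENT = 'Only the data-platform VPC endpoint may touch internal stages';

-- 3. EGRESS + HOST_PORT: where a UDF or procedure may send requests.
CREATE OR REPLACE NETWORK RULE sec.rules.vendor_api_egress
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('api.vendor.example:443')             -- placeholder host:port
  COMMENT = 'Outbound calls to the vendor API only';

-- A rule on its own neither allows nor blocks anything. Ingress and
-- internal-stage rules become allow or block lists only inside a network
-- policy; here both are placed on the allowed side.
CREATE OR REPLACE NETWORK POLICY sec_baseline
  ALLOWED_NETWORK_RULE_LIST = ('sec.rules.office_ingress', 'sec.rules.stage_vpce');

-- Activate the policy for the whole account. Snowflake refuses this if the
-- current session's address would be locked out, so run it from an address
-- inside office_ingress.
ALTER ACCOUNT SET NETWORK_POLICY = sec_baseline;

-- IPv4 INGRESS rules protect internal stages only when this parameter is on.
ALTER ACCOUNT SET ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES = TRUE;

-- Egress rules are consumed by an external access integration, which a UDF
-- or procedure then references via EXTERNAL_ACCESS_INTEGRATIONS.
USE ROLE ACCOUNTADMIN;
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION vendor_api_access
  ALLOWED_NETWORK_RULES = (sec.rules.vendor_api_egress)
  ENABLED = TRUE;

-- Verify what was created before handing the integration to developers.
SHOW NETWORK RULES IN SCHEMA sec.rules;
DESCRIBE NETWORK RULE sec.rules.vendor_api_egress;
```

Keeping the three rules in one dedicated schema makes it easy to audit every network identifier the account trusts with a single SHOW NETWORK RULES, and the comments record why each identifier is there, which is what an auditor asks for first.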

The owner of a network rule can execute the ALTER NETWORK RULE command to replace the rule’s network identifiers and comments.

You cannot add or remove individual network identifiers in a network rule; setting new values replaces the existing identifiers, which are lost.

-- Replace the entire identifier list (the previous values are discarded)
ALTER NETWORK RULE cloud_network SET VALUE_LIST = ('47.88.25.32/27');

-- Clear the identifier list altogether
ALTER NETWORK RULE cloud_network UNSET VALUE_LIST;

Only the ACCOUNTADMIN and SECURITYADMIN roles, along with the schema owner, have the privilege to create network rules by default. It can be granted to additional roles as needed.
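The example below is added here and is not code from the original article. It shows the replace-not-append behaviour of ALTER NETWORK RULE from the previous section, the read-then-rewrite pattern that avoids silently dropping identifiers, and how the creation privilege described above is delegated to a narrower role. The second IP range, the role name NETWORK_RULE_ADMIN and the schema SEC.RULES are placeholders.

```sql
-- Added example (not from the original article); the extra addresses,
-- the role name and the schema SEC.RULES are placeholders.

-- Start state: the article's rule, extended with a second range.
CREATE OR REPLACE NETWORK RULE cloud_network
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('47.88.25.32/27', '203.0.113.0/24');

-- PITFALL: SET VALUE_LIST is a full replacement, not an append. After this
-- statement the rule contains ONLY 198.51.100.17; both original ranges are
-- gone, and a network policy that allow-lists cloud_network now locks them out.
ALTER NETWORK RULE cloud_network SET VALUE_LIST = ('198.51.100.17');

-- Safe pattern: read the current list first, then write back the full set.
DESCRIBE NETWORK RULE cloud_network;   -- returns the current value_list
ALTER NETWORK RULE cloud_network
  SET VALUE_LIST = ('47.88.25.32/27', '203.0.113.0/24', '198.51.100.17')
      COMMENT = 'Added 198.51.100.17; full list re-stated deliberately';

-- Confirm the rule holds exactly the identifiers you expect.
SHOW NETWORK RULES LIKE 'cloud_network';
DESCRIBE NETWORK RULE cloud_network;

-- Delegation: instead of handing out SECURITYADMIN, give a dedicated role the
-- CREATE NETWORK RULE privilege on the one schema that holds the rules.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS network_rule_admin;
GRANT USAGE ON DATABASE sec TO ROLE network_rule_admin;
GRANT USAGE ON SCHEMA sec.rules TO ROLE network_rule_admin;
GRANT CREATE NETWORK RULE ON SCHEMA sec.rules TO ROLE network_rule_admin;

-- Rules created by that role are owned by it; the grantee can now maintain
-- them with ALTER NETWORK RULE without any account-level admin role.
SHOW GRANTS TO ROLE network_rule_admin;
```

Because every SET VALUE_LIST rewrites the whole list, treat the statement like a deployment of the complete allow-list: source it from version control and re-state all identifiers each time rather than issuing one-off additions from a console.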


About Me:

Hi there! I am Divyansh Saxena

I am an experienced Data Engineer with a proven track record of success in Snowflake Data Cloud technology. Highly skilled in designing, implementing, and maintaining data pipelines, ETL workflows, and data warehousing solutions. Possessing advanced knowledge of Snowflake’s features and functionality, I am a Snowflake Data superhero & Snowflake Snowpro Core SME. With a major career in Snowflake Data Cloud, I have a deep understanding of cloud-native data architecture and can leverage it to deliver high-performing, scalable, and secure data solutions.

Follow me on Medium for regular updates on Snowflake Best Practices and other trending topics:

Also, I am open to connecting all data enthusiasts across the globe on LinkedIn:

https://www.linkedin.com/in/divyanshsaxena/

New Ways To Stay Connected

I’ve been getting a lot of DMs for guidance, so I decided to take action on it.

I’m excited to help folks out and give back to the community via Topmate. Feel free to reach out if you have any questions or just want to say hi!
