# AWS PrivateLink for Snowflake

[AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) provides private connectivity from the Immuta SaaS platform to Snowflake accounts hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

<figure><img src="https://1751699907-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlWBda5Pt4s8apEhzXGl7%2Fuploads%2Fgit-blob-daad04866808a4ffd02f880e4888c97543c6ee48%2Fsfl-pl-on-aws.png?alt=media" alt=""><figcaption></figcaption></figure>

## Requirements

* You have an Immuta SaaS tenant.
* Your Snowflake account is hosted on AWS.
* Your Snowflake account is on the [Business Critical Edition](https://docs.snowflake.com/en/user-guide/intro-editions#feature-edition-matrix).
* You have the `ACCOUNTADMIN` role on your Snowflake account to configure the PrivateLink connection.
* You have enabled [AWS PrivateLink for Snowflake](https://docs.snowflake.com/en/user-guide/admin-security-privatelink.html).

## Using Snowflake network policies with AWS PrivateLink

[Snowflake network policies](https://docs.snowflake.com/en/user-guide/network-policies) allow you to limit access to your Snowflake service endpoints. [Network rules](https://docs.snowflake.com/en/user-guide/network-rules#incoming-requests) can be used with those network policies to define the specific IP CIDR blocks or AWS VPC endpoints that are allowed. Immuta supports both, but we **highly recommend that you configure your network rules to reference our VPC endpoints and not our CIDR block.**

### VPC endpoint network rule

With a network rule type of `AWSVPCEID`, you can use the following table of Immuta's VPC endpoints by AWS region to configure access from Immuta SaaS to your Snowflake service:

| AWS region                                                                      | VPC endpoint ID          |
| ------------------------------------------------------------------------------- | ------------------------ |
| <p><strong><code>ap-northeast-1</code></strong><br>Asia Pacific (Tokyo)</p>     | `vpce-0c738d241aa0bfde7` |
| <p><strong><code>ap-northeast-2</code></strong><br>Asia Pacific (Seoul)</p>     | `vpce-00daddfa7477666eb` |
| <p><strong><code>ap-south-1</code></strong><br>Asia Pacific (Mumbai)</p>        | `vpce-08a6d075ddd92df58` |
| <p><strong><code>ap-southeast-1</code></strong><br>Asia Pacific (Singapore)</p> | `vpce-030933ffc228d94ac` |
| <p><strong><code>ap-southeast-2</code></strong><br>Asia Pacific (Sydney)</p>    | `vpce-0803dc2285d0d695f` |
| <p><strong><code>ca-central-1</code></strong><br>Canada (Central)</p>           | `vpce-0ebff3192617126c9` |
| <p><strong><code>eu-central-1</code></strong><br>Europe (Frankfurt)</p>         | `vpce-07f633ac50bc430c2` |
| <p><strong><code>eu-north-1</code></strong><br>Europe (Stockholm)</p>           | `vpce-05c586fedca0a4112` |
| <p><strong><code>eu-west-1</code></strong><br>Europe (Ireland)</p>              | `vpce-0ac01be5c06a919b0` |
| <p><strong><code>eu-west-2</code></strong><br>Europe (London)</p>               | `vpce-0dd3c340c3dd64a5b` |
| <p><strong><code>us-east-1</code></strong><br>US East (Virginia)</p>            | `vpce-03b3bf4334aa34d88` |
| <p><strong><code>us-east-2</code></strong><br>US East (Ohio)</p>                | `vpce-04fdafe0ed07caace` |
| <p><strong><code>us-west-2</code></strong><br>US West (Oregon)</p>              | `vpce-06624165eaa569250` |

### IPv4 network rule

With a network rule type of `IPV4`, you must configure an IP address block of `10.0.0.0/8`.

A block this large is required because traffic could originate from anywhere in Immuta's network: Immuta's compute is globally distributed, and no workload is assigned a static IP address. An allow list of all of `10.0.0.0/8` admits far more than Immuta's own traffic, which is why you should use VPC endpoint network rules instead.
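The following Snowflake SQL is an added example, not part of the Immuta or Snowflake documentation, showing how the recommended `AWSVPCEID` rule is created and attached to the Immuta service user, with the discouraged `IPV4` alternative left alongside for comparison. The database `SECURITY_DB`, schema `NETWORK`, user `IMMUTA_SVC` and the rule and policy names are assumptions; the VPC endpoint ID is the `us-east-1` value from the table above and must be swapped for the row matching your account's region.

```sql
-- Added example (not from the Immuta or Snowflake docs): restrict an Immuta
-- service user to Immuta's VPC endpoint instead of 10.0.0.0/8.
-- Assumed names: database SECURITY_DB, schema NETWORK, user IMMUTA_SVC.
use role ACCOUNTADMIN;

-- 1. Confirm which row of the VPC endpoint table applies: the endpoint must be
--    in the same AWS region as the Snowflake account (e.g. AWS_US_EAST_1).
select CURRENT_REGION();

-- 2. Recommended: an AWSVPCEID rule naming Immuta's endpoint for that region
--    (us-east-1 value taken from the table above).
create or replace network rule SECURITY_DB.NETWORK.IMMUTA_VPCE_RULE
  type = AWSVPCEID
  mode = INGRESS
  value_list = ('vpce-03b3bf4334aa34d88')
  comment = 'Immuta SaaS PrivateLink endpoint, us-east-1';

-- Discouraged alternative, shown only for comparison: an IPV4 rule would have
-- to admit all of 10.0.0.0/8 because Immuta workloads have no static addresses.
-- create or replace network rule SECURITY_DB.NETWORK.IMMUTA_IPV4_RULE
--   type = IPV4
--   mode = INGRESS
--   value_list = ('10.0.0.0/8');

-- 3. Bind the rule to a policy and attach the policy to the Immuta service
--    user only, so the account-level policy for human users is unaffected.
create or replace network policy IMMUTA_PRIVATELINK_POLICY
  allowed_network_rule_list = ('SECURITY_DB.NETWORK.IMMUTA_VPCE_RULE')
  comment = 'Only accept Immuta connections arriving over PrivateLink';

alter user IMMUTA_SVC set network_policy = IMMUTA_PRIVATELINK_POLICY;

-- 4. Verify the rule is referenced by the policy and the policy is in effect.
describe network policy IMMUTA_PRIVATELINK_POLICY;
show parameters like 'NETWORK_POLICY' in user IMMUTA_SVC;
```

A network policy set on a user takes precedence over the account-level policy for that user, so scoping it to the Immuta service user keeps the VPC endpoint restriction from locking out administrators who connect from elsewhere.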

## Configure Snowflake with AWS PrivateLink

1. In your Snowflake environment, run the following SQL query, which will return a JSON object with the connection information you will need to include in your support ticket:

   ```sql
   select SYSTEM$GET_PRIVATELINK_CONFIG()
   ```
2. Copy the returned JSON object into a support ticket with [Immuta Support](https://support.immuta.com) to request that the feature be enabled on your Immuta SaaS tenant.
3. [Configure the Snowflake integration](https://documentation.immuta.com/SaaS/configuration/integrations/snowflake/how-to-guides/connect-snowflake) using the `privatelink-account-url` from the JSON object in step 1 as the **Host**.
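As an added example (not part of the original page), the following Snowflake SQL reads the PrivateLink configuration once, lists every key/value pair so the full object can be pasted into the support ticket, and then extracts the `privatelink-account-url` value that is entered as the integration **Host**. Only the `privatelink-account-url` key is taken from this page; the `FLATTEN` listing shows whatever other keys your account returns.

```sql
-- Added example (not from the Immuta or Snowflake docs): inspect the
-- PrivateLink configuration and pull out the host value for the integration.

-- List every field of the returned JSON object, one row per key, which is a
-- convenient form to review before attaching the object to the support ticket.
select f.key, f.value::string as value
from table(flatten(input => parse_json(SYSTEM$GET_PRIVATELINK_CONFIG()))) f
order by f.key;

-- Extract just the value used as the Host in the Immuta Snowflake integration.
select parse_json(SYSTEM$GET_PRIVATELINK_CONFIG()):"privatelink-account-url"::string
  as immuta_host;
```

If the second query returns `NULL`, AWS PrivateLink has not yet been enabled for the Snowflake account (see the requirements above), and the support ticket should wait until it is.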
