AWS PrivateLink for Snowflake

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to Snowflake accounts hosted on AWS. It ensures that all traffic to the configured endpoints traverses only private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

  • You have an Immuta SaaS tenant.

  • Your Snowflake account is hosted on AWS.

  • Your Snowflake account is on the Business Critical Edition.

  • You have the ACCOUNTADMIN role on your Snowflake account to configure the PrivateLink connection.

Snowflake network policies allow you to limit access to your Snowflake service endpoints. Network rules can be used with those network policies to define the specific IP CIDR blocks or AWS VPC endpoints that are allowed. Immuta supports both, but we highly recommend that you configure your network rules to reference our VPC endpoints and not our CIDR block.

VPC endpoint network rule

With a network rule type of AWSVPCEID, you can use the following table of Immuta's VPC endpoints by AWS region to configure access from Immuta SaaS to your Snowflake service:

| AWS region | VPC endpoint ID |
| --- | --- |
| ap-northeast-1 Asia Pacific (Tokyo) | vpce-0c738d241aa0bfde7 |
| ap-northeast-2 Asia Pacific (Seoul) | vpce-00daddfa7477666eb |
| ap-south-1 Asia Pacific (Mumbai) | vpce-08a6d075ddd92df58 |
| ap-southeast-1 Asia Pacific (Singapore) | vpce-030933ffc228d94ac |
| ap-southeast-2 Asia Pacific (Sydney) | vpce-0803dc2285d0d695f |
| ca-central-1 Canada (Central) | vpce-0ebff3192617126c9 |
| eu-central-1 Europe (Frankfurt) | vpce-07f633ac50bc430c2 |
| eu-north-1 Europe (Stockholm) | vpce-05c586fedca0a4112 |
| eu-west-1 Europe (Ireland) | vpce-0ac01be5c06a919b0 |
| eu-west-2 Europe (London) | vpce-0dd3c340c3dd64a5b |
| us-east-1 US East (Virginia) | vpce-03b3bf4334aa34d88 |
| us-east-2 US East (Ohio) | vpce-04fdafe0ed07caace |
| us-west-2 US West (Oregon) | vpce-06624165eaa569250 |

IPv4 network rule

With a network rule type of IPV4, you must configure an IP address block of 10.0.0.0/8.

This size of block is required because traffic could come from anywhere in Immuta's network. Immuta has globally distributed compute and does not assign static IP addresses to any workloads. This is why you should use VPC endpoint network rules instead.
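
The following Snowflake SQL is an added example, not part of Immuta's documentation, showing the recommended AWSVPCEID rule next to the broader IPV4 alternative and how a network policy references the rule. The schema `security_db.network_rules`, the rule and policy names, and the service user `IMMUTA_SVC` are hypothetical; the endpoint ID is the us-east-1 entry from the VPC endpoint table.

```sql
-- Added example. Hypothetical names: security_db.network_rules (an existing schema),
-- immuta_vpce_rule, immuta_ipv4_rule, immuta_access_policy, IMMUTA_SVC (service user).
USE ROLE ACCOUNTADMIN;
USE SCHEMA security_db.network_rules;  -- network rules are schema-level objects

-- Recommended: admit only Immuta's VPC endpoint for your region.
-- The ID is the us-east-1 row of the VPC endpoint table; substitute your region's row.
CREATE NETWORK RULE immuta_vpce_rule
  MODE = INGRESS
  TYPE = AWSVPCEID
  VALUE_LIST = ('vpce-03b3bf4334aa34d88')
  COMMENT = 'Immuta SaaS PrivateLink endpoint, us-east-1';

-- Broader alternative, left commented out: the IPV4 form has to admit the
-- entire 10.0.0.0/8 block because Immuta workloads have no static addresses.
-- CREATE NETWORK RULE immuta_ipv4_rule
--   MODE = INGRESS
--   TYPE = IPV4
--   VALUE_LIST = ('10.0.0.0/8');

-- A network policy is what enforces the rule; it lists the allowed rules by name.
CREATE NETWORK POLICY immuta_access_policy
  ALLOWED_NETWORK_RULE_LIST = ('immuta_vpce_rule')
  COMMENT = 'Limits the Immuta service user to the Immuta VPC endpoint';

-- Assumption: the policy is attached to the Immuta service user only, so other
-- users keep whatever account-level policy already applies to them.
ALTER USER IMMUTA_SVC SET NETWORK_POLICY = immuta_access_policy;

-- Check what was created and what is now in effect for the user.
DESCRIBE NETWORK RULE immuta_vpce_rule;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER IMMUTA_SVC;
```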

  1. In your Snowflake environment, run the following SQL query. It returns a JSON object with the connection information you need to include in your support ticket:

    select SYSTEM$GET_PRIVATELINK_CONFIG()

  2. Copy the returned JSON object into a support ticket with Immuta Support to request that the feature be enabled on your Immuta SaaS tenant.

  3. Configure the Snowflake integration using the privatelink-account-url from the JSON object in step one as the Host.
