Azure access: New VNET subnet IDs required for rules that filter based on subnet ID (Pending)

This behavior change applies only to customers who use Azure Virtual Network (VNet) subnet IDs in virtual network, policy, or firewall rules that filter traffic in the Azure regions listed in this topic. If you don’t use the VNET subnet IDs feature offered in Snowflake Azure deployments, you can ignore this change.

Snowflake is expanding its support in these regions to include additional Azure VNet subnet IDs. We are doing this by setting up additional subnets and migrating customers to them after verifying readiness. We are verifying that customers have updated their subnet IDs before migrating them. We are doing this verification and migration through dedicated engagement with customers.

However, if you try to update your subnet IDs in these regions, you might run into an error similar to vnet-******** cannot have more than 200 tagged traffic consumers of service. This is because per Azure limits, a virtual network can be associated with a maximum of 200 different subscriptions and regions per supported service. This means that Snowflake customers can use a subnet ID queried from the SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO function in 200 Azure subscription/region combinations in aggregate. After a total of 200 subscriptions across all customers have used the subnet ID in a network rule, new attempts to use it for another Azure subscription will fail.

To avoid experiencing these errors, consider the following actions:

  1. If you are already a Business Critical customer, consider using Private connectivity for outbound network traffic.

  2. If you have a Blob storage account that has allowlisted Snowflake subnets in the firewall, then you can use the same subscription and region to create a new storage account. You should then be able to allowlist Snowflake subnets on this new storage account.

  3. Consider not Allowing VNET subnet IDs. For more detailed information, see Network security for Azure Key Vault (https://learn.microsoft.com/en-us/azure/key-vault/general/network-security) in Azure documentation.

Ref: 1995, 2078

Language: English