Set up Openflow - Snowflake Deployment: Core Snowflake¶

Openflow - Snowflake Deployment requires the creation of the following Snowflake specific resources:

Create the OPENFLOW_ADMIN role

Configure required privileges

Create Snowflake Deployments Network Rule

Enable BCR Bundle 2025_06 for Integration-level Network Policy

Create the OPENFLOW_ADMIN role¶

Create the required Openflow administration role.

Note

<OPENFLOW_USER> denotes the user that will be used to access Openflow.

USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS OPENFLOW_ADMIN;

GRANT ROLE OPENFLOW_ADMIN TO USER <OPENFLOW_USER>;

Copy

Configure required privileges¶

Openflow requires defining specific Snowflake Account level privileges. These privileges are assigned to the ACCOUNTADMIN role as part of the default set of privileges. ACCOUNTADMIN will automatically have the following two privileges and will be able to grant them to a role of their choosing for the Openflow admin role, shown as OPENFLOW_ADMIN role in the following example:

USE ROLE ACCOUNTADMIN;

GRANT CREATE OPENFLOW DATA PLANE INTEGRATION ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE OPENFLOW RUNTIME INTEGRATION ON ACCOUNT TO ROLE OPENFLOW_ADMIN;
GRANT CREATE COMPUTE POOL ON ACCOUNT TO ROLE OPENFLOW_ADMIN;

Copy

Create Snowflake Deployments Network Rule¶

Openflow - Snowflake Deployments require a specific network rule to communicate with your Snowflake account.

Note

This network rule is only required if you have an active account level network policy. As an account admin you can check by examining Governance & Security » Network Policies in Snowsight. If there exists a network policy in the list with status Active on account, continue with the following steps:

To create the required network rule, perform the following steps:

If not already created, create the required database and schema.

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE DATABASE OPENFLOW;
CREATE OR REPLACE SCHEMA OPENFLOW;
USE DATABASE OPENFLOW;

Copy

Create the required network rule.

USE ROLE ACCOUNTADMIN;

CREATE NETWORK RULE ALLOW_OPENFLOW_SPCS
   MODE = INGRESS
   TYPE = IPV4
   VALUE_LIST = ('10.16.0.0/12');

Copy

Add the required network rule to your account level network policy:

USE ROLE ACCOUNTADMIN;

ALTER NETWORK POLICY <YOUR_ACCOUNT_LEVEL_NETWORK_POLICY_NAME> ADD ALLOWED_NETWORK_RULE_LIST= (ALLOW_OPENFLOW_SPCS);

Copy

Enable BCR Bundle 2025_06 for Integration-level Network Policy¶

When using any of the following connector types: Database CDC, SaaS, Streaming, or Slack, you must enable BCR Bundle 2025_06 Bundle (Disabled by default) to ensure connectivity to Snowpipe Streaming.

To check and enable the bundle, perform the following steps:

Determine the status of the specific bundle:
```
call SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2025_06');
```
Copy
A result of DISABLED indicates that the bundle is disabled.

if the bundle is disabled, enable it:

call SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_06');

Copy

Next steps¶

Create deployment