# Azure Private Link and Snowflake Open Catalog

This feature requires Business Critical (or higher).

To ask about upgrading, contact [Snowflake Support](https://docs.snowflake.cn/user-guide/contacting-support).

This topic describes how to configure Azure Private Link to directly connect your Snowflake Open Catalog account to your query engine by
using inbound private connectivity.

## Prerequisites

- Your Snowflake Open Catalog account is hosted on Azure.
- You have the necessary permissions to configure your DNS service with the private connectivity URL for your Open Catalog account.

## Step 1: Retrieve your Open Catalog account settings

Retrieve the following settings for configuring access to Open Catalog with Azure Private Link.

1. Sign in to Snowflake Open Catalog.
1. In the navigation menu, select **Settings**.
1. On the Settings page, copy the values for the following settings into a text editor:

   - PrivateLink Account URL
   - Regionless PrivateLink Account URL
   - PrivateLink OCSP URL
   - Regionless PrivateLink OCSP URL
   - Private Link Service ID

You paste these values when you [Configure access to Open Catalog with Azure Private Link](#step-2-configure-access-to-open-catalog-with-azure-private-link) and
[Connect to Open Catalog through Azure Private Link](#step-3-connect-to-open-catalog-through-azure-private-link).

For descriptions of each setting, see
[Return values for the SYSTEM$GET_PRIVATELINK_CONFIG system function](https://docs.snowflake.cn/en/sql-reference/functions/system_get_privatelink_config#returns) in the Snowflake documentation. In this topic, the names of the account settings are in JSON format.

Remember that, where applicable, the description refers to a Snowflake account but your value is actually for your Snowflake Open
Catalog account. For example, the `privatelink-account-url` is the URL for your Snowflake Open Catalog account.

- Optional: To retrieve these values in JSON format, [Create a Snowflake CLI connection for Open Catalog](private-connectivity-outbound-manage-endpoints-aws#step-1-create-a-snowflake-cli-connection-for-open-catalog),
  and then call the SYSTEM$GET_PRIVATELINK_CONFIG system function.

## Step 2: Configure access to Open Catalog with Azure Private Link

This section only covers the Open Catalog--specific details for configuring your VNet environment. Also, note that Snowflake is not
responsible for the actual configuration of the required firewall updates and DNS records. If you have issues with any of these
configuration tasks, contact Microsoft Support directly.

This section describes how to connect your VNet to the Open Catalog VNet using Azure Private Link.

To complete the instructions, you need to use the Azure CLI or Azure PowerShell. For installation help, see the Microsoft documentation
for the Azure CLI (https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
or Azure PowerShell (https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-13.4.0&viewFallbackFrom=azps-2.6.0).

After initiating the connection to Snowflake Open Catalog using Azure Private Link, you can determine the approval state of the connection
in the Azure portal.

### Create a private endpoint

If you already created a private endpoint for your Snowflake account, and the account is in the same deployment as your Open Catalog account,
creating a new private endpoint for your Open Catalog account isn't required. You can optionally skip this step.

1. Retrieve your Azure account details. The following example uses the Azure CLI's `az account list` command.

   ```text
   Name     CloudName   SubscriptionId                        State    IsDefault
   -------  ----------  ------------------------------------  -------  ----------
   MyCloud  AzureCloud  13c...                                Enabled  True
   ```
1. In the Azure portal, search for **Private Link**, and then select **Private Link** in the results.

   ![Conceptual diagram of Open Catalog.](/static/images/user-guide/opencatalog/img/private-connectivity-inbound-azure-privatelink-preview.png)

1. Click **Private endpoints**, and then click **Add**.

   ![Conceptual diagram of Open Catalog.](/static/images/user-guide/opencatalog/img/private-connectivity-inbound-azure-privatelink-endpoint.png)

1. On the **Basics** tab, complete the **Subscription**, **Resource group**, **Name**, and **Region** fields for your
   environment and then click **Next: Resource**.

1. On the **Resource** tab, for **Connection Method**, select **Connect to an Azure resource by resource ID or alias**.
1. For **Resource ID or alias**, enter the value for `Private Link Service ID` that you obtained when you\
   [retrieved your Open Catalog account settings for private connectivity](#step-1-retrieve-your-open-catalog-account-settings).

   If you receive an error message regarding the alias value, contact [Snowflake Support](https://docs.snowflake.cn/user-guide/contacting-support)
   for the resource ID value, and then repeat this step using that value.

When the private endpoint is approved, the **CONNECTION STATE** in the Private endpoints section on the Private Link Center page displays
the value *Pending*. This value changes to *Approved* when you complete the authorization in the next procedure.

### Enable inbound private connectivity

In this procedure, you enable Azure Private Link for your Open Catalog account. This configuration allows the query engine to connect to
Open Catalog through private connectivity. You will need your private endpoint resource ID, a subscription ID, and the federated token value
that contains access credentials for a federated user.

1. To obtain these values, execute the following commands in the Azure CLI:
   1. To obtain your private endpoint resource ID, execute the following command, and copy the value into a text editor:

      ```bash
      az network private-endpoint show
      ```

   1. To obtain the subscription ID, execute the following command, and note the value in the SubscriptionID column in the output:

      ```bash
      az account list --output table
      ```

   1. To obtain the federated token value, execute the following command, and copy the accessToken value into a text editor:

      ```bash
      az account get-access-token --subscription 
      ```
      - Where: `SubscriptionID` is the unique identifier you obtained in the previous step.

      The user generating the Azure access Token must have Read permissions on the Subscription. The least privilege permission is
      Microsoft.Subscription/subscriptions/acceptOwnershipStatus/read (https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsubscription).
      Alternatively, the default role `Reader` grants more coarse-grained permissions.

      The `accessToken` value is sensitive information and should be treated like a password value — do *not* share this value.

      If it is necessary to contact Snowflake Support, redact the access token from any commands and URLs before creating a support ticket.

1. Sign in to Snowflake Open Catalog.
1. In the navigation menu, select **Settings**.
1. Select **Authorize**.
1. In the Authorize Private Link dialog, enable private connectivity for your account:
   1. For **ID**, enter the private endpoint resource ID that you copied to a text editor.
   1. For **Federated token**, enter the federated token value that you copied to a text editor.
   1. Select **Save**.

### Verify that your account is authorized

Follow these steps to verify whether your Open Catalog account is authorized for private connectivity to the Snowflake Open Catalog service.

1. Sign in to Snowflake Open Catalog.
1. In the navigation menu, select **Settings**.
1. Select **Get**.
1. In the Get Private Link authorization dialog, verify your account:
   1. In the **ID** field, enter your private endpoint resource ID. You retrieved this value when you
      [enabled inbound private connectivity](#enable-inbound-private-connectivity).
   1. In the **Federated token** field, enter the federated token value.
      You retrieved this value when you
      [enabled inbound private connectivity](#enable-inbound-private-connectivity).
   1. Select **Save**. A message appears, which states whether your account is authorized.

### Set up DNS

All requests to Open Catalog must be routed through the private endpoint. To resolve the Open Catalog account and OCSP URLs to the private IP address of your private endpoint, update your DNS.

1. To get the endpoint IP address, in the Azure portal search bar, enter the name of the private endpoint you created.
1. Select the Network Interface result.

   ![Conceptual diagram of Open Catalog.](/static/images/user-guide/opencatalog/img/private-connectivity-inbound-azure-privatelink-dns-endpoint.png)

1. Copy the value for the **Private IP address**.

   ![Conceptual diagram of Open Catalog.](/static/images/user-guide/opencatalog/img/private-connectivity-inbound-azure-privatelink-dns-private-ip.png)

1. Configure your DNS to have the appropriate endpoint values from your [Open Catalog account settings for private connectivity](#step-1-retrieve-your-open-catalog-account-settings)
   resolve to the private IP address.

## Step 3: Connect to Open Catalog through Azure Private Link

- To register a service connection and connect your query engine to Open Catalog through Azure Private Link, use the following code:

  

### Parameters

Ensure that you set up your DNS service to match the value you specify for `<open_catalog_account_identifier>`.

## Step 4 (Optional): Create a catalog integration for Snowflake