Private connectivity to external volumes for Microsoft Azure¶
This topic provides configuration details to set up outbound private connectivity to an external volume on Microsoft Azure. The primary difference
between outbound public connectivity and outbound private connectivity is how you set the USE_PRIVATELINK_ENDPOINT
property for
the external volume.
When the external volume is configured to use private connectivity, your connection to the Microsoft Azure cloud storage services goes through the Microsoft Azure internal network. By configuring your external volume to use outbound private connectivity, you add additional security to your operations by blocking public access to the storage account.
For more information about using external volumes to connect to your external cloud storage for Iceberg tables, see Configure an external volume.
Outbound private connectivity costs¶
You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.
You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:
OUTBOUND_PRIVATELINK_ENDPOINT
OUTBOUND_PRIVATELINK_DATA_PROCESSED
For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.
Considerations and limitations¶
You can use private connectivity to access Snowflake-managed Iceberg tables and Iceberg tables that use a catalog integration for object storage, but cannot use it to access Iceberg tables that use other catalog integrations.
You can configure outbound public connectivity and outbound private connectivity for the same cloud storage service. If you want to do this, create a dedicated external volume for outbound public connectivity and specify
USE_PRIVATELINK_ENDPOINT = FALSE
.
Private connectivity property¶
The USE_PRIVATELINK_ENDPOINT
property of an external volume determines whether it is accessed through private connectivity or
by traversing the public network. To use private connectivity, set USE_PRIVATELINK_ENDPOINT = TRUE
when creating or modifying an external
volume.
Configure external volume access using private connectivity¶
Use the following steps to use outbound private connectivity to unload data to an external volume on Microsoft Azure:
In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to provision a private connectivity endpoint in your Snowflake VNet to enable Snowflake to connect to your external Microsoft Azure cloud storage services using private connectivity:
USE ROLE ACCOUNTADMIN; SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT( '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo', 'mystorageaccount.blob.core.windows.net', 'blob' );
This function binds the private endpoint to the hostname, which enables the external volume to use the private endpoint to connect to the storage location.
In the Azure Portal and as the owner of the Microsoft Azure storage resource, approve the private endpoint. For details, see the approval process (https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections).
In Snowflake, call the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO function.
When the output of the function includes
"status": "APPROVED
, your connection from Snowflake to your storage account will be able to use private connectivity.You can continue with the next steps while waiting for the
"APPROVED"
status.Create the external volume, being sure to set the
USE_PRIVATELINK_ENDPOINT
property toTRUE
:CREATE EXTERNAL VOLUME exvol STORAGE_LOCATIONS = ( ( NAME = 'my-azure-northeurope' STORAGE_PROVIDER = 'AZURE' STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/' AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9' USE_PRIVATELINK_ENDPOINT = TRUE ) );
After the private endpoint has an
"APPROVED"
status, test accessing the external volume with a supported operation.
Deprovision an endpoint¶
If you no longer need the private connectivity endpoint for the external volume, unset the
USE_PRIVATELINK_ENDPOINT
property on the external volume, and then call the
SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function.
Next Topics: