Private connectivity to external volumes for Microsoft Azure

This topic provides configuration details to set up outbound private connectivity to an external volume on Microsoft Azure. The primary difference between outbound public connectivity and outbound private connectivity is how you set the USE_PRIVATELINK_ENDPOINT property for the external volume.

When the external volume is configured to use private connectivity, your connection to the Microsoft Azure cloud storage services goes through the Microsoft Azure internal network. By configuring your external volume to use outbound private connectivity, you add additional security to your operations by blocking public access to the storage account.

For more information about using external volumes to connect to your external cloud storage for Iceberg tables, see Configure an external volume.

Outbound private connectivity costs

You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.

You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:

  • OUTBOUND_PRIVATELINK_ENDPOINT

  • OUTBOUND_PRIVATELINK_DATA_PROCESSED

For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.

Considerations and limitations

  • You can use private connectivity to access Snowflake-managed Iceberg tables and Iceberg tables that use a catalog integration for object storage, but cannot use it to access Iceberg tables that use other catalog integrations.

  • You can configure outbound public connectivity and outbound private connectivity for the same cloud storage service. If you want to do this, create a dedicated external volume for outbound public connectivity and specify USE_PRIVATELINK_ENDPOINT = FALSE.

Private connectivity property

The USE_PRIVATELINK_ENDPOINT property of an external volume determines whether it is accessed through private connectivity or by traversing the public network. To use private connectivity, set USE_PRIVATELINK_ENDPOINT = TRUE when creating or modifying an external volume.

Configure external volume access using private connectivity

Use the following steps to use outbound private connectivity to unload data to an external volume on Microsoft Azure:

  1. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to provision a private connectivity endpoint in your Snowflake VNet to enable Snowflake to connect to your external Microsoft Azure cloud storage services using private connectivity:

    USE ROLE ACCOUNTADMIN;
    
    SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
      '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
      'mystorageaccount.blob.core.windows.net',
      'blob'
    );
    
    Copy

    This function binds the private endpoint to the hostname, which enables the external volume to use the private endpoint to connect to the storage location.

  2. In the Azure Portal and as the owner of the Microsoft Azure storage resource, approve the private endpoint. For details, see the approval process (https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections).

  3. In Snowflake, call the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO function.

    When the output of the function includes "status": "APPROVED, your connection from Snowflake to your storage account will be able to use private connectivity.

    You can continue with the next steps while waiting for the "APPROVED" status.

  4. Create the external volume, being sure to set the USE_PRIVATELINK_ENDPOINT property to TRUE:

    CREATE EXTERNAL VOLUME exvol
      STORAGE_LOCATIONS =
        (
          (
            NAME = 'my-azure-northeurope'
            STORAGE_PROVIDER = 'AZURE'
            STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
            AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
            USE_PRIVATELINK_ENDPOINT = TRUE
          )
        );
    
    Copy
  5. After the private endpoint has an "APPROVED" status, test accessing the external volume with a supported operation.

Deprovision an endpoint

If you no longer need the private connectivity endpoint for the external volume, unset the USE_PRIVATELINK_ENDPOINT property on the external volume, and then call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function.

Next Topics:

Language: English