Private connectivity with external functions: Azure ARM template

This topic provides configuration details to set up private connectivity to an external service by calling an external function for Snowflake accounts on Microsoft Azure. You can use the ARM template to configure resources in Microsoft Azure. Afterward, you can create an API integration and external function in Snowflake. Finally, you can call the external function to validate private connectivity to the external service.

Outbound private connectivity costs

You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.

You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:

  • OUTBOUND_PRIVATELINK_ENDPOINT

  • OUTBOUND_PRIVATELINK_DATA_PROCESSED

For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.

Process overview

The following is a general overview of the configuration process. Steps in Snowflake must be done by a user with the ACCOUNTADMIN role. Steps in Azure are done by a user with rights to use the corresponding resources unless otherwise specified.

The following steps are the same as using external functions with the public Internet:

  1. Complete the prerequisite steps for external functions on Microsoft Azure.

  2. In the Azure Portal, create an application.

  3. In the Azure Portal, create the remote service.

However, you might want to create new resources to fully differentiate your private connectivity needs from your public Internet needs. Consult with your internal security administrators to determine the best approach for your needs.

These steps are unique to external functions that use private connectivity for an external service:

  1. In Snowflake, create a private endpoint.

  2. In the Azure Portal, approve the private endpoint.

    This action is done by the owner of the Azure API Management resource.

  3. In Snowflake, create a new API integration.

    You need a dedicated API integration to support private connectivity to the external service.

  4. In Snowflake, create an external function. Use the private connectivity URL as the invocation URL in the external function.

  5. In Snowflake, call the external function to enable Snowflake to connect to the external service using private connectivity.

Configuration

Complete these steps in the Azure Portal:

  1. If you already have an ARM template set up and you want to reuse the remote service and proxy service, skip to the private connectivity steps. Otherwise, complete these steps:

  2. Complete the prerequisites for external functions on Microsoft Azure.

  3. In the Azure Portal, create an application.

  4. Create the remote service as follows:

    1. In the Azure Portal, search for Deploy a custom template.

    2. In the Select a template tab, select Build your own template.

    3. Select Load file.

    4. Navigate to the directory on the machine where you downloaded the template and select that template.

    5. Select Save. This takes you to the Custom deployment screen.

  5. Continue with these steps:

    1. Create the Azure function and API Management service.

    2. Obtain the required URLs for the API integration and external function.

Complete these steps to configure private connectivity:

  1. In Snowflake, run the CREATE API INTEGRATION command to create a new API integration to support private connectivity to the external service. Update the property values to align with your Microsoft Azure subscription:

    CREATE API INTEGRATION external_api_integration_azure_private
      API_PROVIDER = azure_private_api_management
      AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
      AZURE_AD_APPLICATION_ID = 'dv3421nq-1g4s-4ap4-x89c-xrf28hna7m2o'
      API_ALLOWED_PREFIXES = ('https://aztest1-external-function-api.azure.net')
      ENABLED = TRUE
      COMMENT = 'API integration for private connectivity to an external service with external functions on Azure.';
    
    Copy
  2. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create the private endpoint. Update the argument values to align with your Microsoft Azure subscription:

    USE ROLE ACCOUNTADMIN;
    SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
      '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
      'aztest1-external-function-api.azure.net',
      'Gateway'
      );
    
    Copy
  3. In the Azure Portal and as the owner of the Azure API Management resource, approve the private endpoint. For details, see the approval process.

  4. Link the API Integration for Azure to the proxy service to enable Snowflake to send API requests to the Azure API Management service.

  5. You can choose to block public access to the Azure API Management resource. For more information, see Secure access to the Azure API Management resource (in this topic).

  6. In Snowflake, if you already have a database and schema to store the external function and want to use these objects, be sure these objects are in use or select them in Snowsight. Otherwise, create a database and schema to store the external the external function for use with private connectivity to an external service:

    CREATE DATABASE private_external_service_db;
    CREATE SCHEMA private_ext_functions;
    
    Copy
  7. In Snowflake, run the CREATE EXTERNAL FUNCTION command to create the external function to use with private connectivity to the external service. Be sure to update the invocation URL with the external service private connectivity URL:

    CREATE OR REPLACE SECURE EXTERNAL FUNCTION private_ext_function_azure_portal(
      a INTEGER , b VARCHAR)
      RETURNS VARIANT
      API_INTEGRATION = external_api_integration_azure_private
      AS 'https://aztest1-external-function-api.azure.net/my-api-url-suffix/http-function-name';
    
    Copy

    The URL format depends on whether you are creating an external function using the Azure Portal or the Azure ARM template. For details, see invocation URL format.

  8. In Snowflake, call the external function to test private connectivity to the external service:

    SELECT private_ext_function_azure(66, 'Mario');
    
    Copy
    [0, 66, 'Mario']
    

If the output of the function returns the result that matches the configuration of the remote service at the beginning of the procedure, then you confirmed that private connectivity to the external service is working as expected.

Secure access to the Azure API Management resource

You can secure the access to the Azure API Management resource that is associated with the private endpoint for use with external functions. From the perspective of the Azure API Management resource, Snowflake is an inbound connection. By securing the access, you reduce the likelihood of attacks that might compromise your use of external functions.

For example, you might want to run this Azure CLI apim command (https://learn.microsoft.com/en-us/cli/azure/apim?view=azure-cli-latest#az-apim-update) to block public access:

az apim update --name <api-name> --resource-group <resource group name> --public-network-access false
Copy

Update the placeholder values with the values that correspond to the name of the API Management resource and the name of the resource group.

For details and options, see these topics:

  • Use a virtual network to secure inbound and outbound traffic for Azure API Management (https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts?tabs=stv2).

  • Connect privately to API Management using an inbound private endpoint (https://learn.microsoft.com/en-us/azure/api-management/private-endpoint).

Language: English