Network rules¶
Network rules are schema-level objects that group network identifiers into logical units.
Snowflake features that restrict network traffic can reference network rules rather than defining network identifiers directly in the feature. A network rule does not define whether its identifiers should be allowed or blocked. The Snowflake feature that uses the network rule specifies whether the identifiers in the rule are permitted or prohibited.
The following features use network rules to control network traffic:
- Network policies use network rules to control inbound network traffic to the Snowflake service and internal stages.
- External network access uses network rules to restrict access to external network locations from a Snowflake UDF or procedure.
Supported network identifiers¶
Administrators need to be able to restrict access based on the network identifier associated with the origin or destination of a request. Network rules allow administrators to allow or block the following network identifiers:
- Incoming requests:
  - IPv4 addresses. Snowflake supports ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation (https://tools.ietf.org/html/rfc4632). For example, 192.168.1.0/24 represents all IPv4 addresses in the range 192.168.1.0 to 192.168.1.255.
  - VPCE IDs of AWS VPC endpoints (https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-service-consumers). VPC IDs are not supported.
  - LinkIDs of Azure private endpoints (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview). Execute the SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS function to retrieve the LinkID associated with an account.
- Outgoing requests:
  - Domains, including a port range. The valid port range is 1-65535. If you do not specify a port, it defaults to 443. If an external network location supports dynamic ports, you must specify all possible ports. To allow access to all ports, define the port as 0. For example, company.com:0.
Each network rule contains a list of one or more network identifiers of the same type. The network rule's TYPE property indicates the type of identifiers that are included in the rule. For example, if the TYPE property is IPV4, then the network rule's value list must contain valid IPv4 addresses or address ranges in CIDR notation.
Incoming vs. outgoing requests¶
The mode of a network rule indicates whether the Snowflake feature that uses the rule restricts incoming or outgoing requests.
Incoming requests¶
Network policies protect the Snowflake service and internal stages from incoming traffic. When a network rule is used with a network policy, the administrator can set the mode to one of the following:
- INGRESS: The behavior of the INGRESS mode depends on the value of the network rule's TYPE property.
  - If TYPE=IPV4, by default the network rule controls access to the Snowflake service only. If the account administrator enables the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter, then MODE=INGRESS and TYPE=IPV4 also protects an AWS internal stage.
  - If TYPE=AWSVPCEID, then the network rule controls access to the Snowflake service only. If you want to restrict access to the AWS internal stage based on the VPCE ID of an interface endpoint, you must create a separate network rule using the INTERNAL_STAGE mode.
- INTERNAL_STAGE: Controls access to an AWS internal stage without restricting access to the Snowflake service. Using this mode requires the following:
  - The account administrator must enable the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter.
  - The TYPE property of the network rule must be AWSVPCEID.
For accounts on Microsoft Azure, you cannot use a network rule to restrict access to the internal stage. However, you can block all public network traffic from accessing the internal stage.
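The interplay between mode, type and the account parameter is easiest to see end to end. The following is an added example, not code from the Snowflake documentation page: it assumes a schema securitydb.myrules exists, that the session role holds the privileges this page describes (plus CREATE NETWORK POLICY on the account), and it uses placeholder values for the CIDR block, the VPCE ID and all object names.

```sql
-- Added example (not from the Snowflake documentation page). Assumptions:
-- securitydb.myrules exists; the role has CREATE NETWORK RULE on the schema
-- and CREATE NETWORK POLICY on the account; CIDR, VPCE ID and names are placeholders.
USE ROLE ACCOUNTADMIN;

-- Without this account parameter, an INGRESS/IPV4 rule guards the Snowflake
-- service only, and INTERNAL_STAGE rules cannot be used at all.
ALTER ACCOUNT SET ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES = TRUE;

USE SCHEMA securitydb.myrules;

-- 1. INGRESS + IPV4: guards the service, and (now that the parameter is on)
--    the AWS internal stage as well.
CREATE OR REPLACE NETWORK RULE corp_office_ipv4
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('203.0.113.0/24')            -- placeholder: corporate egress range
  COMMENT = 'Corporate office range; service + internal stage';

-- 2. INGRESS + AWSVPCEID: guards the service only, regardless of the parameter.
CREATE OR REPLACE NETWORK RULE corp_vpce_service
  TYPE = AWSVPCEID
  MODE = INGRESS
  VALUE_LIST = ('vpce-0123456789abcdef0')    -- placeholder interface endpoint ID
  COMMENT = 'PrivateLink endpoint allowed to reach the Snowflake service';

-- 3. INTERNAL_STAGE + AWSVPCEID: the separate rule needed to guard the AWS
--    internal stage by VPCE ID. This mode requires TYPE = AWSVPCEID and the
--    parameter set above; it does not touch access to the service itself.
CREATE OR REPLACE NETWORK RULE corp_vpce_stage
  TYPE = AWSVPCEID
  MODE = INTERNAL_STAGE
  VALUE_LIST = ('vpce-0123456789abcdef0')
  COMMENT = 'Same endpoint, allowed to reach the internal stage';

-- 4. The rules only name identifiers; the policy is what says "allow".
CREATE OR REPLACE NETWORK POLICY corp_only_policy
  ALLOWED_NETWORK_RULE_LIST = ('corp_office_ipv4', 'corp_vpce_service', 'corp_vpce_stage')
  COMMENT = 'Admit only corporate IPs and the corporate PrivateLink endpoint';

-- 5. Inspect the policy before activating it account-wide so the session you
--    are working from is not one of the addresses you are about to exclude.
DESCRIBE NETWORK POLICY corp_only_policy;
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Note that the same VPCE ID appears in two rules with different modes; that duplication is deliberate, because a single AWSVPCEID rule cannot cover both the service and the internal stage.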
Outgoing requests¶
Administrators can use network rules with features that control where requests can be sent. In these cases, the administrator defines the network rule with the following mode:
- EGRESS: Indicates that the network rule is used for traffic sent from Snowflake. Currently used with external network access, which allows a UDF or procedure to send requests to an external network location.
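An EGRESS rule only becomes effective once an external access integration references it and a UDF or procedure is bound to that integration. The following is an added example, not code from the Snowflake documentation page. It assumes securitydb.myrules exists, that the role holds CREATE NETWORK RULE on the schema and CREATE INTEGRATION on the account, and that api.example.com and the role data_engineer are placeholders; TYPE = HOST_PORT is the identifier type Snowflake uses for the domain-and-port entries described above.

```sql
-- Added example (not from the Snowflake documentation page). Assumptions:
-- securitydb.myrules exists; the role has CREATE NETWORK RULE on the schema and
-- CREATE INTEGRATION on the account; api.example.com and data_engineer are placeholders.
USE ROLE ACCOUNTADMIN;
USE SCHEMA securitydb.myrules;

-- EGRESS rule: host:port pairs. Keep the port explicit and avoid ':0', which
-- would open every port on that host.
CREATE OR REPLACE NETWORK RULE partner_api_egress
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('api.example.com:443')
  COMMENT = 'Only the partner API host, HTTPS only';

-- The integration is where allow/block is decided; the rule just names hosts.
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION partner_api_access
  ALLOWED_NETWORK_RULES = (partner_api_egress)
  ENABLED = TRUE
  COMMENT = 'UDFs may reach api.example.com:443 and nothing else';

-- A Python UDF bound to the integration. A request to any host or port not
-- listed in the rule fails inside the sandbox instead of leaving Snowflake.
CREATE OR REPLACE FUNCTION partner_status(path STRING)
  RETURNS STRING
  LANGUAGE PYTHON
  RUNTIME_VERSION = '3.11'
  PACKAGES = ('requests')
  HANDLER = 'fetch'
  EXTERNAL_ACCESS_INTEGRATIONS = (partner_api_access)
AS
$$
import requests

def fetch(path: str) -> str:
    # Only https://api.example.com:443 is reachable through the integration.
    resp = requests.get(f"https://api.example.com/{path.lstrip('/')}", timeout=10)
    return str(resp.status_code)
$$;

-- The role that owns and calls the UDF needs USAGE on the integration.
GRANT USAGE ON INTEGRATION partner_api_access TO ROLE data_engineer;
SELECT partner_status('health');
```

Because the integration, not the rule, carries ENABLED and the grant of USAGE, disabling the integration or revoking USAGE is the quickest way to cut off egress without touching the rule or the UDF.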
Creating a network rule¶
You need the CREATE NETWORK RULE privilege on the schema to create a network rule. By default, only the ACCOUNTADMIN and SECURITYADMIN roles, along with the schema owner, have this privilege.
You can create a network rule using Snowsight or by executing a SQL command:
- Snowsight:
Sign in to Snowsight.
Select Admin » Security.
Select the Network Rules tab.
Select + Network Rule.
Enter the name of the network rule.
Select the schema of the network rule. Network rules are schema-level objects.
Optionally, add a descriptive comment for the network rule to help organize and maintain network rules in the schema.
In the Type drop-down, select the type of identifier being defined in the network rule.
In the Mode drop-down, select the mode of the network rule. The INGRESS and INTERNAL STAGE modes indicate the network rule will be used with a network policy to restrict incoming requests, and the EGRESS mode indicates the network rule will be used with an external access integration to restrict outgoing requests.
Enter a comma-separated list of the identifiers that will be allowed or blocked when the network rule is added to a network policy. The identifiers in this list must all be of the type specified in the Type drop-down.
Select Create Network Rule.
- SQL:
An administrator can execute the CREATE NETWORK RULE command to create a new network rule, specifying a list of network identifiers along with the type of those identifiers.
For example, to use a custom role to create a network rule that can be used to allow or block traffic from a range of IP addresses:
```sql
-- Let the custom role see the database and schema, then create rules in it.
GRANT USAGE ON DATABASE securitydb TO ROLE network_admin;
GRANT USAGE ON SCHEMA securitydb.myrules TO ROLE network_admin;
GRANT CREATE NETWORK RULE ON SCHEMA securitydb.myrules TO ROLE network_admin;

USE ROLE network_admin;

-- Created in the session's current schema; fully qualify the name
-- (securitydb.myrules.cloud_network) to be explicit.
CREATE NETWORK RULE cloud_network
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('47.88.25.32/27');
```
IPv4 addresses¶
When specifying IP addresses for a network rule, Snowflake supports ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation (https://tools.ietf.org/html/rfc4632). For example, 192.168.1.0/24 represents all IPv4 addresses in the range 192.168.1.0 to 192.168.1.255.
Identifying network rules in your account¶
You can identify the network rules in your account using Snowsight or SQL.
- Snowsight:
Sign in to Snowsight.
Select Admin » Security.
Select the Network Rules tab.
- SQL:
Call the NETWORK_RULE_REFERENCES Information Schema table function, or query the NETWORK_RULES or NETWORK_RULE_REFERENCES Account Usage view.
Modifying a network rule¶
You can modify the identifiers and comment of an existing network rule, but you cannot modify its type, mode, name, or schema.
To add or remove identifiers and comments from an existing network rule using Snowsight or SQL, do one of the following:
- Snowsight:
Sign in to Snowsight.
Select Admin » Security.
Select the Network Rules tab.
Find the network rule, select the … button, and then select Edit.
Modify the comma-delimited list of identifiers or the comment.
Select Update Network Rule.
- SQL:
Execute an ALTER NETWORK RULE statement.
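The Account Usage views and the NETWORK_RULE_REFERENCES table function from the previous section, combined with ALTER NETWORK RULE, give you a simple audit-and-tighten loop. The following is an added example, not code from the Snowflake documentation page. It assumes the role can read SNOWFLAKE.ACCOUNT_USAGE, that securitydb.myrules.partner_api_egress is a placeholder rule name, and that the NETWORK_RULES view exposes the columns NAME, DATABASE_NAME, SCHEMA_NAME, TYPE, MODE, VALUE_LIST and DELETED (check with DESCRIBE VIEW if your account differs).

```sql
-- Added example (not from the Snowflake documentation page). Assumptions: the
-- role can read SNOWFLAKE.ACCOUNT_USAGE; column names are taken from the
-- NETWORK_RULES view (verify with DESCRIBE VIEW SNOWFLAKE.ACCOUNT_USAGE.NETWORK_RULES);
-- the rule name below is a placeholder.

-- 1. Find live rules whose identifiers are dangerously broad: an IPv4 rule
--    that admits the whole Internet, or an egress entry that opens every port.
SELECT r.database_name,
       r.schema_name,
       r.name,
       r.type,
       r.mode,
       f.value::STRING AS identifier
FROM   snowflake.account_usage.network_rules r,
       LATERAL FLATTEN(input => r.value_list) f
WHERE  r.deleted IS NULL
  AND (
        (r.type = 'IPV4'   AND f.value::STRING = '0.0.0.0/0')
     OR (r.mode = 'EGRESS' AND f.value::STRING LIKE '%:0')
      );

-- 2. Before changing a suspect rule, list the policies and integrations that
--    reference it, so you know what a change will affect.
SELECT *
FROM   TABLE(securitydb.information_schema.network_rule_references(
         network_rule_name => 'securitydb.myrules.partner_api_egress'));

-- 3. Tighten it. SET VALUE_LIST replaces the entire list, so read the current
--    entries first and re-state every one you intend to keep.
DESCRIBE NETWORK RULE securitydb.myrules.partner_api_egress;

ALTER NETWORK RULE securitydb.myrules.partner_api_egress
  SET VALUE_LIST = ('api.example.com:443')
      COMMENT    = 'Tightened from :0 (all ports) to 443 only';
```

Account Usage views lag behind the live state by some time, so after the ALTER, confirm with DESCRIBE NETWORK RULE rather than with the view.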
Replication of network rules¶
Network rules are schema-level objects and are replicated with the database in which they are contained.
For information about replicating the network policies that use network rules, see Replicating network policies.
Snowflake-managed network rules¶
Snowflake provides the following pre-defined, Snowflake-managed network rules:
SNOWFLAKE.EXTERNAL_ACCESS.PYPI_RULE
An EGRESS network rule used with an external access integration to provide a connection from Snowflake to PyPI. You might want to use the network rule to allow Notebook users on Container Runtime to install pip packages using the pip install command. To see an example of how to use this network rule, see Accessing PyPi to install packages in Snowpark Container.
Only the ACCOUNTADMIN role has access to this network rule.
Privileges and commands¶
Command | Privilege | Description
---|---|---
CREATE NETWORK RULE | CREATE NETWORK RULE on SCHEMA | Creates a new network rule.
ALTER NETWORK RULE | OWNERSHIP on NETWORK RULE | Modifies an existing network rule.
DROP NETWORK RULE | OWNERSHIP on NETWORK RULE | Removes an existing network rule from the system.
DESCRIBE NETWORK RULE | OWNERSHIP on NETWORK RULE | Describes the properties of an existing network rule.
SHOW NETWORK RULES | OWNERSHIP on NETWORK RULE or USAGE on SCHEMA | Lists all of the network rules in the system.