具有外部函数的专用连接:Azure ARM 模板

This topic provides configuration details to set up private connectivity to an external service by calling an external function for Snowflake accounts on Microsoft Azure. You can use the ARM template to configure resources in Microsoft Azure. Afterward, you can create an API integration and external function in Snowflake. Finally, you can call the external function to validate private connectivity to the external service.

出站专用连接成本

You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.

You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:

  • OUTBOUND_PRIVATELINK_ENDPOINT
  • OUTBOUND_PRIVATELINK_DATA_PROCESSED

For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.

过程概述

以下是配置过程的总体概述。Snowflake 中的步骤必须由具有 ACCOUNTADMIN 角色的用户完成。除非另有说明,否则 Azure 中的步骤由有权使用相应资源的用户完成。

以下步骤与在公共互联网上使用外部函数相同:

  1. 在 Microsoft Azure 上完成外部函数的前提步骤。
  2. 在 Azure 门户中,创建应用程序。
  3. 在 Azure 门户中,创建远程服务。

但是,您可能需要创建新的资源,以充分区分专用连接需求和公共互联网需求。请咨询内部安全管理员,以确定满足您需求的最佳方法。

这些步骤是使用专用连接进行外部服务的外部函数所独有的:

  1. 在 Snowflake 中,创建专用端点。
  2. 在 Azure 门户中,批准专用端点。

由 Azure API Management 资源的所有者完成此操作。

  1. 在 Snowflake 中,创建新的 API 集成。

您需要专用的 API 集成来支持与外部服务的专用连接。

  1. 在 Snowflake 中,创建外部函数。使用专用连接 URL 作为外部函数中的调用 URL。
  2. 在 Snowflake 中,调用外部函数来使 Snowflake 能够通过专用连接连接到外部服务。

配置

在 Azure 门户中完成以下步骤:

  1. If you already have an ARM template set up and you want to reuse the remote service and proxy service, skip to the private connectivity steps. Otherwise, complete these steps:

  2. Complete the prerequisites for external functions on Microsoft Azure.

  3. In the Azure Portal, create an application.

  4. 创建远程服务,如下所示:

    1. In the Azure Portal, search for Deploy a custom template.
    2. In the Select a template tab, select Build your own template.
    3. Select Load file.
    4. 导航到下载的模板所在的计算机目录,并选择该模板。
    5. Select Save. This takes you to the Custom deployment screen.

  5. 继续进行以下步骤:

    1. Create the Azure function and API Management service.
    2. Obtain the required URLs for the API integration and external function.

完成以下步骤以配置专用连接:

  1. In Snowflake, run the CREATE API INTEGRATION command to create a new API integration to support private connectivity to the external service. Update the property values to align with your Microsoft Azure subscription:

    CREATE API INTEGRATION external_api_integration_azure_private
  API_PROVIDER = azure_private_api_management
  AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
  AZURE_AD_APPLICATION_ID = 'dv3421nq-1g4s-4ap4-x89c-xrf28hna7m2o'
  API_ALLOWED_PREFIXES = ('https://aztest1-external-function-api.azure.net')
  ENABLED = TRUE
  COMMENT = 'API integration for private connectivity to an external service with external functions on Azure.';

  2. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create the private endpoint. Update the argument values to align with your Microsoft Azure subscription:

    USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );

  3. In the Azure Portal and as the owner of the Azure API Management resource, approve the private endpoint. For details, see the approval process (https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections).

  4. Link the API Integration for Azure to the proxy service to enable Snowflake to send API requests to the Azure API Management service.

  5. You can choose to block public access to the Azure API Management resource. For more information, see Secure access to the Azure API Management resource_ (in this topic).

  6. In Snowflake, if you already have a database and schema to store the external function and want to use these objects, be sure these objects are in use or select them in Snowsight. Otherwise, create a database and schema to store the external the external function for use with private connectivity to an external service:

    CREATE DATABASE private_external_service_db;
CREATE SCHEMA private_ext_functions;

  7. In Snowflake, run the CREATE EXTERNAL FUNCTION command to create the external function to use with private connectivity to the external service. Be sure to update the invocation URL with the external service private connectivity URL:

    CREATE OR REPLACE SECURE EXTERNAL FUNCTION private_ext_function_azure_portal(
  a INTEGER , b VARCHAR)
  RETURNS VARIANT
  API_INTEGRATION = external_api_integration_azure_private
  AS 'https://aztest1-external-function-api.azure.net/my-api-url-suffix/http-function-name';

    The URL format depends on whether you are creating an external function using the Azure Portal or the Azure ARM template. For details, see invocation URL format.

  8. In Snowflake, call the external function to test private connectivity to the external service:

    SELECT private_ext_function_azure(66, 'Mario');
    [0, 66, 'Mario']

如果函数的输出返回的结果与过程开始时远程服务的配置相匹配,则表明您已确认与外部服务的专用连接按预期运行。

安全访问 Azure API Management 资源

You can secure the access to the Azure API Management resource that is associated with the private endpoint for use with external functions. From the perspective of the Azure API Management resource, Snowflake is an inbound connection. By securing the access, you reduce the likelihood of attacks that might compromise your use of external functions.

For example, you might want to run this Azure CLI apim command (https://learn.microsoft.com/en-us/cli/azure/apim?view=azure-cli-latest#az-apim-update) to block public access:

az apim update --name <api-name> --resource-group <resource group name> --public-network-access false

Update the placeholder values with the values that correspond to the name of the API Management resource and the name of the resource group.

For details and options, see these topics: