具有外部函数的专用连接:Azure 门户

This topic provides configuration details to set up outbound private connectivity to an external service by calling an external function for Snowflake accounts on Microsoft Azure as follows:

  • Use the Azure Portal user interface to configure resources in Microsoft Azure.
  • 在 Snowflake 中创建 API 集成和外部函数。
  • 在 Snowflake 中调用外部函数以验证与外部服务的专用连接。

出站专用连接成本

You pay for each private connectivity endpoint along with total data processed. For pricing of these items, see the Snowflake Service Consumption Table.

You can explore the cost of these items by filtering on the following service types when querying billing views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas:

  • OUTBOUND_PRIVATELINK_ENDPOINT
  • OUTBOUND_PRIVATELINK_DATA_PROCESSED

For example, you can query the USAGE_IN_CURRENCY_DAILY view and filter on these service types.

过程概述

以下是配置过程的总体概述。Snowflake 中的步骤必须由具有 ACCOUNTADMIN 角色的用户完成。除非另有说明,否则 Azure 门户中的步骤由有权使用相应资源的用户完成。

以下步骤与在公共互联网上使用外部函数相同:

  1. 在 Microsoft Azure 上完成外部函数的前提步骤。
  2. 在 Azure 门户中,创建远程服务。
  3. 在 Azure 门户中,创建代理服务。

但是,您可能需要创建新的资源,以充分区分专用连接需求和公共互联网需求。请咨询内部安全管理员,以确定满足您需求的最佳方法。

这些步骤是使用专用连接进行外部服务的外部函数所独有的:

  1. 在 Snowflake 中,创建专用端点。

Snowflake 在内部存储专用端点的专用 IP 地址。

  1. 在 Azure 门户中,批准专用端点。

由 Azure API Management 资源(外部服务)的所有者完成此操作。

  1. 在 Snowflake 中,创建新的 API 集成。

您需要专用的 API 集成来支持与外部服务的专用连接。

  1. 在 Snowflake 中,创建外部函数。专用连接 URL 是外部函数中调用 URL 的值。
  2. 在 Snowflake 中,调用外部函数来使 Snowflake 能够通过专用连接连接到外部服务。
  3. 取消配置任何不必要的专用连接端点。

配置

在 Azure 门户中完成以下步骤:

  1. If you already have the Azure API Management resource set up and you want to reuse the remote service and proxy service, skip to the private connectivity steps. Otherwise, complete these steps:
  2. Complete the prerequisites for external functions on Microsoft Azure.
  3. In the Azure Portal, create the remote service.
  4. In the Azure Portal, create the proxy service.

完成以下步骤以配置专用连接:

  1. In Snowflake, run the CREATE API INTEGRATION command to create a new API integration to support private connectivity to the external service. Update the property values to align with your Microsoft Azure subscription:

    CREATE API INTEGRATION external_api_integration_azure_private
  API_PROVIDER = azure_private_api_management
  AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
  AZURE_AD_APPLICATION_ID = 'dv3421nq-1g4s-4ap4-x89c-xrf28hna7m2o'
  API_ALLOWED_PREFIXES = ('https://aztest1-external-function-api.azure.net')
  ENABLED = TRUE
  COMMENT = 'API integration for private connectivity to an external service with external functions on Azure.';

  2. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create the private endpoint. Update the argument values to align with your Microsoft Azure subscription:

    USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );

  3. In the Azure Portal and as the owner of the Azure API Management resource, approve the private endpoint. For details, see the approval process (https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections).

  4. Link the API Integration for Azure to the proxy service to enable Snowflake to send API requests to the Azure API Management service.

  5. You can choose to block public access to the Azure API Management resource. For more information, see Secure access to the Azure API Management resource_ (in this topic).

  6. In Snowflake, if you already have a database and schema to store the external function and want to use these objects, be sure these objects are in use or select them in Snowsight. Otherwise, create a database and schema to store the external the external function for use with private connectivity to an external service:

    CREATE DATABASE private_external_service_db;
CREATE SCHEMA private_ext_functions;

  7. In Snowflake, run the CREATE EXTERNAL FUNCTION command to create the external function to use with private connectivity to the external service. Be sure to update the invocation URL with the external service private connectivity URL:

    CREATE OR REPLACE SECURE EXTERNAL FUNCTION private_ext_function_azure_portal(
  a INTEGER , b VARCHAR)
  RETURNS VARIANT
  API_INTEGRATION = external_api_integration_azure_private
  AS 'https://aztest1-external-function-api.azure.net/my-api-url-suffix/http-function-name';

    The URL format depends on whether you are creating an external function using the Azure Portal or the Azure ARM template. For details, see invocation URL format.

  8. In Snowflake, call the external function to test private connectivity to the external service:

    SELECT private_ext_function_azure(66, 'Mario');
    [0, 66, 'Mario']

如果函数的输出返回的结果与过程开始时远程服务的配置相匹配,则表明您已确认与外部服务的专用连接按预期运行。

安全访问 Azure API Management 资源

You can secure the access to the Azure API Management resource that is associated with the private endpoint for use with external functions. From the perspective of the Azure API Management resource, Snowflake is an inbound connection. By securing the access, you reduce the likelihood of attacks that might compromise your use of external functions.

For example, you might want to run this Azure CLI apim command (https://learn.microsoft.com/en-us/cli/azure/apim?view=azure-cli-latest#az-apim-update) to block public access:

az apim update --name <api-name> --resource-group <resource group name> --public-network-access false

Update the placeholder values with the values that correspond to the name of the API Management resource and the name of the resource group.

For details and options, see these topics: