Categories:

System functions (System Control)

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT

预置 Snowflake VPC 或 VNet 中的专用连接端点,以支持 Snowflake 通过使用专用连接来连接到外部服务。端点可以是服务端点或资源端点,具体取决于托管 Snowflake 账户的云平台。

Note

If the Snowflake account is in an Azure government region, the provider resource ID must be the ID of a resource in a government subscription. For more information about government regions for Snowflake customers, see U.S. SnowGov Regions.

语法

AWS:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_service_name>',
  '<host_name>'
)

Azure:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<provider_resource_id>',
  '<host_name>',
  [, '<subresource>' ]
)

Google Cloud:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '<target_service_id>',
  '<host_name>'
)

实参

AWS:

'provider_service_name'

Specifies the external service or resource to connect to. For example, com.amazonaws.us-west-2.execute-api for the Amazon API Gateway or com.amazonaws.us-west-2.s3 for Amazon S3.

Note

When you connect to a VPC endpoint service in a region that is different from the Snowflake region, ensure that the VPC endpoint service supports the Snowflake region.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

'host_name'

指定完全限定主机名,以便在您的 VPC 或 VNet 中访问资源。

此值不包含任何端口号,并且必须与您在 Snowflake 对象中指定的内容匹配,以便您能够连接到外部服务。

Examples include bedrock-runtime.us-west-2.amazonaws.com and *.s3.us-west-2.amazonaws.com.

When using private connectivity for external stages and external volumes, the host_name must use a wildcard instead of specifying a specific AWS S3 bucket.

For information about retrieving this value from AWS, see Provision private connectivity endpoints.

Azure:

'provider_resource_id'

指定 VPC 或 VNet 中资源的完全限定标识符。

'host_name'

指定完全限定主机名,以便在您的 VPC 或 VNet 中访问资源。

有关外部函数的出站专用连接的主机名示例,请参阅以下主题:

'subresource'

指定 Azure 资源的子资源的名称。

This argument isn’t required for Azure Private Link Service (https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) and Azure API Management Service.

For all supported values, see the Sub-resource table (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource).

Google Cloud:

'target_service_id'

指定服务附件 ID(自定义服务)或要连接到的区域性 Google API 端点。

'host_name'

指定完全限定主机名以访问资源。

Note

When the target service ID is a regional Google API endpoint, the host name value should match the target service ID value.

返回

返回端点已成功配置的状态信息,或返回端点未成功配置的详细信息和说明。

访问控制要求

只有账户管理员(具有 ACCOUNTADMIN 角色的用户)才能调用此函数。

使用说明

  • You can modify only the host name of an existing private connectivity endpoint. To modify any other properties, you must deprovision the endpoint, then provision a new one. For more information about changing a host name, see SYSTEM$SET_PRIVATELINK_ENDPOINT_HOSTNAME.
  • This function can take approximately 5 minutes to execute because it depends on the process to provision the private connectivity endpoint in the cloud platform (outside of Snowflake).
  • For details about private endpoint limits, see Scaling considerations.

示例

AWS:

设置到外部 S3 服务的出站专用连接:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

有关更多 AWS 示例,请参阅以下指南:

Microsoft Azure:

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to the Microsoft Azure API Management service in your Microsoft Azure VNet:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );
Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.

Provision a private endpoint to allow Snowflake on Microsoft Azure to connect to an external service using external network access:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver',
  'testdb.database.windows.net',
  'sqlServer'
  );
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Provision a private endpoint to allow Snowflake to connect to an external stage for Microsoft Azure:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
  'storagedemo.blob.core.windows.net',
  'blob'
);
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Google Cloud:

Connect to a published service:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'projects/my-project/regions/us-west2/serviceAttachments/my-http-server',
  'my-http-server.com'
);

After creating the endpoint, the connection must be accepted on Google Cloud by the resource provider.

Provision a private endpoint to allow Snowflake on Google Cloud to connect to a service attachment in your Google Cloud VPC Network:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'projects/my-project/regions/us-east4/serviceAttachments/my-service-attachment',
  'my-service.com'
  );
Private endpoint with ID "abcd0000000000000001" to resource "projects/my-project/regions/us-east4/serviceAttachments/my-service-attachment"
was provisioned successfully. Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.

Provision a private endpoint to allow Snowflake on Google Cloud to connect to the regional Cloud Key Management Service (Cloud KMS) endpoint:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'cloudkms.us-east4.rep.googleapis.com',
  'cloudkms.us-east4.rep.googleapis.com'
  );
Private endpoint with ID "abcd0000000000000001" to resource "cloudkms.us-east4.rep.googleapis.com" was provisioned successfully.
Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.

Provision a private endpoint to allow Snowflake to connect to an external stage for Google Cloud:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'storage.us-east4.rep.googleapis.com',
  'storage.us-east4.rep.googleapis.com'
);
Private endpoint with ID "abcd0000000000000001" to resource "storage.us-east4.rep.googleapis.com" was provisioned successfully.
Please note the Private Endpoint ID and approve the corresponding connection request in the cloud provider console.