重定向客户端连接
Client Redirect enables redirecting your client connections to Snowflake accounts in different regions without changing the connection settings for your application. You can use Client Redirect in combination with the account replication feature for business continuity and disaster recovery. You can also use Client Redirect to minimize changes needed in your application settings when migrating your account to another region or cloud platform.
Client Redirect 简介¶
Client Redirect 是通过 Snowflake 连接 对象实现的。连接对象可存储安全的 连接 URL,用于 Snowflake 客户端连接到 Snowflake。
连接 URL 中的主机名由组织名称和连接对象名称以及公用域名组成:
organization_name-connection_name.snowflakecomputing.cn请注意,此主机名不指定要连接的账户。账户管理员通过将账户中的连接指定为 主连接 来确定要使用的账户。当您使用连接 URL 连接到 Snowflake 时,您将连接到包含主连接的账户。
如果某个区域或云平台发生中断,并且中断影响了具有主连接的账户,则管理员可以将其他区域或云平台中其他账户中的连接提升为主连接。
在此中断期间,您可以继续使用相同的连接 URL 连接到 Snowflake。Snowflake 将连接 URL 解析为具有新提升连接的账户(受中断影响的区域或云平台之外的账户)。
Note
The Snowflake accounts that store the primary and secondary connections must be hosted in different regions.
Client Redirect 流程¶
- Complete the steps in 配置 Client Redirect (in this topic) to create a connection URL for client connections. This includes creating a primary connection and linked secondary connection(s).
- Update Snowflake clients to connect using the connection URL. 使用连接 URL (in this topic) contains a list of supported clients and connection details.
- In the event of a service outage in the region where the primary connection is located, complete the steps in 重定向客户端连接 (in this topic) to update the connection URL to redirect to a secondary connection.
- When the outage is resolved, complete the steps in 重定向客户端连接 to redirect client connections back to the original primary connection.
The following diagrams illustrate the Client Redirect flow for two accounts in the same organization but different regions (Region A and
Region B) on either the same or different cloud platforms.
The primary connection is in Account 1 in Region A. Snowflake clients using the connection URL connect to Account 1.
A service outage in Region A results in failed client connections:
The connection in Account 2 in Region B is promoted to act as the primary connection. Snowflake clients using the connection URL
now connect to Account 2.
示例
以下 SQL 语句将贯穿整个 Client Redirect 工作流程。本主题后面的章节将详细介绍每个步骤。
客户端连接正常:配置 Client Redirect¶
在源账户中创建主连接
创建新的主连接,并为组织中的其他账户启用故障转移。启用故障转移的每个账户必须与具有主连接的账户位于不同的区域。
Note the account_name column in the output of SHOW REPLICATION ACCOUNTS for each account to be
enabled for failover.
在 源 账户中执行以下语句:
If private connectivity to the Snowflake service is enabled for your Snowflake account, you must create and manage a DNS CNAME record for your connection URL. For more details, see 为 Snowflake 服务的专用连接配置 DNS 设置.
在目标账户上执行
创建链接到主连接的辅助连接。辅助连接的名称必须与主连接的名称相同。
If private connectivity to the Snowflake service is enabled for your Snowflake account, you must create or update a DNS CNAME record for your connection URL. For more details, see 为 Snowflake 服务的专用连接修改 DNS 设置.
源区域发生中断:故障转移
如果主连接所在的区域发生中断,请将其他区域中的辅助连接提升为主连接。
在目标账户上执行
- 登录到要提升为新的源账户的目标账户。
- 将辅助连接提升为主连接:
If private connectivity to the Snowflake service is enabled for your Snowflake account, you must create or update a DNS CNAME record for your connection URL. For more details, see 为 Snowflake 服务的专用连接修改 DNS 设置.
中断已解决:故障恢复
解决中断问题后,将原始主连接再次提升为主连接。
在以前作为源账户的目标账户上执行
- 登录到中断前作为源账户的目标账户。
- 将辅助连接提升回主连接:
If private connectivity to the Snowflake service is enabled for your Snowflake account, you must create or update a DNS CNAME record for your connection URL. For more details, see 为 Snowflake 服务的专用连接修改 DNS 设置.
配置 Client Redirect¶
本节介绍如何在连接组中创建主连接以及一个或多个辅助连接。
先决条件
To enable the Client Redirect feature for your accounts, an organization administrator must enable replication for two or more accounts. To enable replication, see Prerequisite: Enable replication for accounts in the organization for detailed instructions.
创建主连接
Important
Snowflake assigned your organization a unique, generated name when it was created in the system. The organization name is a part of the connection URL defined in a connection object and submitted by Snowflake clients to access an account. Before you create any connection objects, verify that your organization name in Snowflake is satisfactory. To change your organization name in the system, contact Snowflake Support.
You can create a primary connection in the source account using Snowsight or SQL.
使用 Snowsight 创建主连接和辅助连接¶
To create a connection using Snowsight, complete the following steps:
Note
- Only a user with the ACCOUNTADMIN role can create a connection using Snowsight.
- 您必须以具有 ACCOUNTADMIN 角色的用户身份登录到目标账户。如果没有,系统将提示您登录。
- Currently, if your account uses private connectivity, you can’t use Snowsight to create a primary and secondary connection.
-
Sign in to Snowsight.
-
In the navigation menu, select Admin » Accounts.
-
Select Client Redirect.
-
Select + Connection.
-
Select Target Account.
-
In the Connection Name box, enter a connection name that meets the following requirements:
- 必须以字母字符开头,并且只能包含字母、十进制数字 (0-9) 和下划线 (_)。
- 在组织中的连接名称和账户名称中必须是唯一的。
-
Select Create Connection.
使用 SQL 创建主连接¶
Note
只有具有 ACCOUNTADMIN 角色的用户才能执行本节中的 SQL 命令。
- Create a new primary connection using the CREATE CONNECTION command. The name of each primary connection must be unique across all connection and account names in the organization.
连接名称作为用于连接到 Snowflake 账户的连接 URL 的一部分包含在内。
For example, to create a connection named myconnection:
-
Modify this primary connection using an ALTER CONNECTION … ENABLE FAILOVER TO ACCOUNTS statement. Provide a comma-separated list of accounts in your organization that can store a failover option for this connection (i.e. a secondary connection).
Any account that stores a secondary connection must be hosted in a region different from the account that stores the primary connection. Client Redirect only operates successfully across regions. For example, if you try to redirect client connections from
account1toaccount2in the same region, client redirect does not work.To see the complete list of accounts in your organization that are enabled for replication, execute SHOW REPLICATION ACCOUNTS.
For example, allow accounts
myaccount2andmyaccount3in themyorgorganization to each store a secondary connection for themyconnectionconnection: -
Execute the SHOW CONNECTIONS command to view the details for the connection.
在每个目标账户中创建辅助连接
Create a secondary connection in one or more accounts, linked to a primary connection using CREATE CONNECTION … AS REPLICA OF. Note that you can only create a secondary connection in an account specified in the ALTER CONNECTION … ENABLE FAILOVER TO ACCOUNTS statement in Create a Primary Connection.
在每个目标账户中执行 CREATE CONNECTION …AS REPLICA OF 语句,以创建指定主连接的副本。
Important
Each secondary connection must have the same name as its primary connection. The connection name is included in the connection URL.
在要创建辅助连接的 目标 账户中,执行本节中的 SQL 语句。
Note
只有具有 ACCOUNTADMIN 角色的用户才能执行本节中的 SQL 命令。
-
Execute the SHOW CONNECTIONS command to view all connections. Copy the value of the
primarycolumn for the primary connection. You will use this value when creating the secondary connection in the next step. -
执行 CREATE CONNECTION …AS REPLICA OF 命令以创建辅助连接。
For example, create a secondary connection named
myconnectionthat is linked to themyorg.myaccount1.myconnectionprimary connection. AfterAS REPLICA OF, paste in the fully qualified name of the primary connection (the name that you copied from the SHOW CONNECTIONS output in the previous step). -
执行 SHOW CONNECTIONS 命令以验证是否已创建辅助连接。
Grant the FAILOVER Privilege to a Role — Optional¶
账户管理员可以将连接对象的 FAILOVER 权限授予账户角色。这使得账户管理员以外的用户可以将辅助连接提升为主连接。
For example, to grant the role my_failover_role the ability to fail over the connection myconnection, execute
the following statement on the target account:
A user with the role my_failover_role can now promote the secondary connection myconnection to serve as
primary connection in the case of failover:
For more information on redirecting client connections, see 重定向客户端连接.
为 Snowflake 服务的专用连接配置 DNS 设置¶
If private connectivity to the Snowflake service is enabled for your Snowflake account, then your network administrator must create and manage a DNS record for your connection URL. Your network administrator can use a CNAME record, alias record, or an alias based on the configuration of the network architecture. For consistency, the following example uses a CNAME record.
以下步骤以 AWS PrivateLink 为例,如果 Snowflake 账户使用 Azure 专用链接 或 Google Cloud Private Service Connect,则步骤相同:
-
Execute SHOW CONNECTIONS in one of your accounts in which client redirect is enabled. For example, suppose AWS PrivateLink is enabled for
myaccount1andmyaccount2.Note that the output of this command in the CONNECTION_URL column should match the
privatelink-connection-urlslist when calling the SYSTEM$GET_PRIVATELINK_CONFIG function in eithermyaccount1ormyaccount2. This list already contains the connection URL formatted with theprivatelinksegment (as shown in the next step). You can optionally run the command in this step or call the function. If calling the function, use the URLs as is without any further modification. -
Record the CONNECTION_URL column value, and create two URLs to support private connectivity and OCSP.
- Add a
privatelinksegment to the URL just beforesnowflakecomputing.cn(myorg-myconnection.privatelink.snowflakecomputing.cn, in this example). - Add an
ocspsegment to the beginning of the URL (ocsp.myorg-myconnection.privatelink.snowflakecomputing.cn, in this example).
- Add a
-
使用 DNS 提供商提供的工具,为连接 URL 和 OCSP URL 创建 CNAME 记录:
- 使用修改后的 CONNECTION_URL 列值设置域(或别名)。
- Configure the record to have the connection URL resolve to the primary Snowflake account URL. Be sure to include all URL segments for the cloud region and AWS PrivateLink based on the URL format that you choose. This is the primary account URL and it is where client connections to the connection URL will redirect.
- Configure the record to have the OCSP URL resolve to either the private endpoint IP address for an account on Azure or the private endpoint ID value for an account on AWS.
- In the case of failover, you must manually update the DNS setting to have the connection URL point to the secondary account URL as shown in 为 Snowflake 服务的专用连接修改 DNS 设置. Similarly, you must update your OCSP settings to point to the private endpoint IP address or private endpoint ID value.
例如:
或者,使用组织和账户名称 URL。
例如:
请注意必须包含尾随句点。
用户使用以下连接 URL 格式连接到 Snowflake:
organization_name-connection_name.privatelink.snowflakecomputing.cn
其中:
organization_nameSnowflake 组织的名称。您的用户连接到的 Snowflake 账户包含在此组织中。
connection_name连接对象的名称。
有关更多信息,请参阅:
- 使用连接 URL (in this topic).
- 为 Snowflake 服务的专用连接修改 DNS 设置 (in this topic).
配置 Client Redirect 和阅读者账户¶
If you are a data provider with reader accounts, you can use Client Redirect to provide continued access to shared data in the event of a service outage. The configuration steps for creating connections are the same as those described in the 配置 Client Redirect section for source and target reader accounts:
- 创建两个阅读者账户。每个阅读者账户必须位于不同的区域。
- 创建主连接 in the source reader account. Enable failover to the other reader account.
- 在每个目标账户中创建辅助连接 in the reader account that you enabled for failover from the source account.
- 与您的数据使用者共享连接 URL。
If a service outage occurs, redirect client connections. Data consumers using the connection URL to connect to your reader account now connect to the newly promoted source reader account.
使用连接 URL¶
本节说明了如何在各种 Snowflake 客户端的配置中引用连接 URL。
支持的 Snowflake 客户端¶
Client Redirect is supported by Snowsight and Classic Console. In addition, the following Snowflake client versions (and higher) support Client Redirect:
| Snowflake Client | Minimum Supported Version |
|---|---|
| Snowflake CLI | 3.0.0 |
| SnowSQL | 1.1.82 |
| Snowflake Connector for Python | 1.8.3 |
| Snowflake Connector for Spark | All versions |
| Node.js Driver | 1.2.0 |
| Go Snowflake Driver | 1.2.0 |
| .NET Driver | 1.0.0 |
| JDBC Driver | 3.8.4 |
| ODBC Driver | 2.19.4 |
| Snowpark | All versions |
配置 Snowflake 客户端¶
连接到 Snowflake 时,请使用以下连接 URL 的主机名:
Host name:
organization_name-connection_name.snowflakecomputing.cn
其中:
organization_nameSnowflake 组织的名称。您的用户连接到的 Snowflake 账户包含在此组织中。
connection_name连接对象的名称。
Important
Snowflake 服务的专用连接
Customers using private connectivity to the Snowflake service need to add a privatelink segment to the URL just before
snowflakecomputing.cn:
organization_name-connection_name.privatelink.snowflakecomputing.cnSnowsight¶
Enter the following in the account name field on app.snowflake.cn:
例如:
When using organization-connection to log in, Snowsight navigates to the specific region and locator of the current
primary connection. During an outage, once the connection has been redirected, users must log in again via
organization-connection to connect to the new primary.
Classic Console¶
在 Web 浏览器中输入以下 URL:
例如:
Snowflake CLI¶
Specify the host name for the connection URL in the account connection parameter in the Snowflake CLI config.toml file. For information
about the config.toml file, see Configuring Snowflake CLI.
例如:
SnowSQL¶
Specify the host name for the connection URL in the accountname connection parameter in the SnowSQL config file. For information
about the config file, see Configuring SnowSQL.
例如:
Snowflake Connector for Python¶
Specify the host name for the connection URL in the account connection parameter when calling the connect function. For more
information, see Python Connector API and Using the Python Connector.
例如:
Snowflake Connector for Spark¶
Specify the connection URL in the URL property in the properties file or Map that you use
to establish the session.
例如:
For more information about using the Snowflake Connector for Spark, see Snowflake Connector for Spark. For configuration options, see Setting Configuration Options for the Connector. Depending upon which language you use with the connector, also see Using the Connector in Scala or Using the Connector with Python.
JDBC 驱动程序¶
Specify the host name for the connection URL in the connection string. For more information, see Configuring the JDBC Driver.
例如:
ODBC 驱动程序¶
Specify the host name for the connection URL in the Server connection parameter. For more information about the connection parameters, see ODBC configuration and connection parameters.
例如:
Node.js 驱动程序¶
Specify the host name for the connection URL in the account connection option. For more information about the connection parameters,
see Node.js options reference.
例如:
Go Snowflake 驱动程序¶
Specify the host name for the connection URL in the Account parameter. For more information, see Go Snowflake Driver.
例如:
Snowpark¶
Snowpark Python¶
Specify the host name for the connection URL in the account connection parameter in the Python dictionary (dict) used to
establish a session. For more information about creating a session, see Creating a Session for Snowpark Python.
例如:
Snowpark Java¶
Specify the connection URL in the URL property in the properties file or Map that you use to establish the session. For more
information about creating a session, see Creating a Session for Snowpark Java.
例如:
Snowpark Scala¶
Specify the connection URL in the URL property in the properties file or Map that you use to establish the session. For more
information about creating a session, see Creating a Session for Snowpark Scala.
例如:
身份验证和 Client Redirect¶
Users must be provisioned in the source account and on each target account if security integrations are not replicated.
联合身份验证和 SSO¶
Configure federated authentication separately in each target account. Provide the identity provider (IdP) details using the setup options in Configuring Snowflake to use federated authentication:
Note
Snowflake 建议使用连接 URL(而不是账户 URL)配置符合 SAML 2.0 的身份提供商 (IdP),以便在发生故障转移时将用户重定向到正确的账户。
OAuth¶
在每个目标账户中为 OAuth 配置安全集成对象。安全集成对象必须与源账户中的同一对象相同。有关说明,请参阅相应的主题:
To retrieve security integration properties, query the DESCRIBE INTEGRATION command for each security integration in the source account. Then recreate each security integration in a target account by executing the CREATE INTEGRATION command.
OAuth 重定向行为¶
如果您使用 Snowflake OAuth 对客户端连接进行身份验证,并且使用连接 URL 连接到 Snowflake,则在连接 URL 重定向到其他账户时(例如,在故障转移的情况下),系统会提示您重新进行身份验证。Snowflake OAuth 令牌可在特定账户中使用。当连接 URL 更新为指向其他区域中的账户时,现有的 OAuth 令牌失效。
In the case of a failover, when the connection URL is updated to the new account, the client will disconnect with an
invalid OAuth access token error. You must re-authenticate and consent to permissions to re-establish the connection.
Note
You will not be prompted for re-authentication when the connection URL is updated to a new account if the OAuth security integration is replicated to that account. For more information, refer to Replicating OAuth security integrations.
重定向客户端连接
如果主连接所在的区域发生服务中断,请将客户端连接重定向到存储辅助连接的账户。
将辅助连接提升为主连接
Initiating the redirect involves promoting a secondary connection in an available region to serve as the primary connection using ALTER CONNECTION. Concurrently, the former primary connection becomes a secondary connection.
- Sign in to the target account in an available region that contains the secondary connection to be promoted to serve as the primary connection.
- 执行此部分中的 SQL 语句:
-
查看账户中的所有连接:
-
该语句返回以下输出:
-
将辅助连接提升为主连接:
-
验证以前的辅助连接是否提升成功:
该语句返回以下输出:
为 Snowflake 服务的专用连接修改 DNS 设置¶
To redirect client connections to a secondary account, your network administrator must modify the DNS setting created in 为 Snowflake 服务的专用连接配置 DNS 设置.
使用 DNS 提供商提供的工具,修改连接 URL 的 DNS 设置。
将目标主机名设置为存储新主连接的账户的完整 Snowflake 账户 URL,包括用于标识托管账户的区域和云平台的附加段,以及对 AWS PrivateLink、Azure 专用链接或 Google Cloud Private Service Connect 的支持。这是账户名称,其中客户端连接现将重定向到连接 URL。更新 DNS 设置时,请务必包括专用连接 OCSP URL。
例如:
(请注意必须包含尾随句点。)
Note
You can configure private connectivity and client redirect to work with Snowsight. Ensure your DNS updates include the Snowsight values from the output of the SYSTEM$GET_PRIVATELINK_CONFIG function. For details, refer to private connectivity and Snowsight.
验证连接 URL 是否已更新¶
To verify the connection URL has been updated, you can confirm the region of your current connection. Use the connection URL to connect to Snowflake and execute the CURRENT_REGION function.
修改连接
You can edit the target accounts for a connection after creating it using Snowsight or SQL.
使用 Snowsight 修改连接的目标账户¶
您可以在创建连接后修改连接的目标账户,但不能更改连接名称。
Note
-
要编辑连接,您必须以具有 ACCOUNTADMIN 角色的用户身份登录以下账户:
- 具有主连接的源账户。
- 具有辅助连接的当前目标账户。
- 要为主连接添加的新目标账户。
-
You can only add one target account for a primary connection using Snowsight. To add additional target accounts, use the ALTER CONNECTION command.
-
Currently, if your account uses private connectivity, you can’t use Snowsight to modify target accounts for a connection.
- Sign in to Snowsight.
- In the navigation menu, select Admin » Accounts.
- Select Client Redirect.
- Locate the connection you want to edit. Select the More menu (…) in the last column of the row.
使用 SQL 修改连接的目标账户¶
You can add more than one target account for a primary connection using the ALTER CONNECTION command. For an example, see Examples.
删除连接
You can drop a connection using Snowsight or SQL.
使用 Snowsight 删除连接¶
Note
Currently, if your account uses private connectivity, you can’t use Snowsight to drop a connection.
要删除连接,您必须以具有 ACCOUNTADMIN 角色的用户身份登录具有主连接的 源 账户。
- Sign in to Snowsight.
- In the navigation menu, select Admin » Accounts.
- Select Client Redirect.
- Locate the connection you want to delete. Select the More menu (…) in the last column of the row.
- Select Drop, then select Drop Connection
使用 SQL 删除连接¶
You can use the DROP CONNECTION command to delete a connection.
- 删除目标账户中的所有辅助连接。
- 删除源账户中的主连接。
For an example, see Examples.
监控 Client Redirect¶
You can monitor Client Redirect connections and usage for accounts in an organization using Snowsight or SQL.
Monitor Client Redirect using Snowsight¶
Note
- Only a user with the ACCOUNTADMIN role can view connection details using Snowsight.
- You must be signed in to the target account as a user with the ACCOUNTADMIN role. If you are not, you will be prompted to sign in.
- Currently, if your account uses private connectivity, you can’t use Snowsight to monitor Client Redirect.
要查看 Client Redirect 连接详细信息,请完成以下步骤:
- Sign in to Snowsight.
- In the navigation menu, select Admin » Accounts.
- Select Replication and then select Client Redirect.
- 如果会话没有活动仓库,系统将提示您选择一个仓库。
使用搜索和筛选,监控特定连接。
- You can search by connection name. In the
(search) box, enter the connection name to filter results. - Choose Redirecting to filter the results by primary (To) or secondary (From) connection.
- Choose the
(accounts) menu to filter the results by account name.
您可以查看有关每个连接的以下信息:
| Column | Description |
|---|---|
| Name | Connection name. |
| Redirecting | Indicates if the connection is To a target account or From a source account and the account name. 如果此列包含 可用的目标,则不存在辅助连接。可用目标的数量表示主要连接可以复制到的目标账户数量。 如果存在多个辅助连接,则每个连接都会在单独的行中详细说明。 |
| Usage | 显示过去 7 天内使用连接的次数。您必须登录目标账户才能查看该账户的使用情况数据。 |
| Connection URL | The connection URL to use with Snowflake clients. Select the connection URL in the column to copy the URL. |
使用 SQL 监控 Client Redirect¶
您可以使用 SHOW CONNECTIONS 命令和 LOGIN_HISTORY 函数查看连接详细信息并监控使用情况。
查看连接详细信息
您可以使用 SHOW CONNECTIONS 命令检索连接名称和详细信息:
返回:
验证用户使用的连接 URL¶
Query the LOGIN_HISTORY , LOGIN_HISTORY_BY_USER family of table functions to view the login activity for your users within the last 7 days. The output indicates which users and Snowflake clients have been using a connection URL. The REPORTED_CLIENT_TYPE and REPORTED_CLIENT_VERSION columns display the client and version used for each connection to Snowflake, and the CONNECTION column displays the connection URL used, if any.
Note
If a client authenticates through an identity provider (IdP) that is configured with the account URL rather than the connection URL, the IdP directs the client to the account URL after authentication is complete. The CONNECTION column for this login event is NULL. See 身份验证和 Client Redirect (in this topic).
例如,检索过去 72 小时内允许当前角色监控的每个用户的最多 100 个登录事件:
Client Redirect 的当前限制¶
-
Client connections using a connection URL and OAuth integration require re-authentication when the connection URL is updated to point to a different account if the OAuth security integration is not replicated to that account. For more information, refer to OAuth 重定向行为.
-
由于浏览器缓存,Web 浏览器可能需要几分钟才能进行重定向。
If you need to verify that the redirect works, you can connect to Snowflake with a different client.
或者,打开一个新的私密浏览器窗口(例如,Google Chrome 中的隐身模式)以避免浏览器缓存问题。请注意,某些处于私密或隐身模式的 Web 浏览器可能仍会缓存数据。为避免使用浏览器缓存,请关闭所有打开的私密浏览器窗口和选项卡,然后打开新的私密浏览器窗口。
- You can only add one target account using Snowsight. To add more than one target account to the list of allowed failover accounts, use the ALTER CONNECTION … ENABLE FAILOVER TO ACCOUNTS command.