Pin private connectivity endpoints for inbound traffic

For Snowflake accounts on Amazon Web Services (AWS) and Microsoft Azure (Azure), you can pin (specify, register, and map) private connectivity endpoints to your account. By pinning private endpoints to your account, Snowflake ensures that the inbound traffic originating from the pinned endpoints only goes to the account that pinned them. Snowflake recommends using pinned endpoints, network policies, and network rules to harden your security posture by reducing the network attack surface to your Snowflake account.

Tip

Pinning allows only authorized private endpoint(s) to be used to send traffic from the customer network to a specific Snowflake account. If you want to restrict inbound access to Snowflake accounts from specific lists of IPs and VPCE IDs/LinkIDs, use network policies and network rules.

Snowflake enforces the private endpoint pinning check at ingress on every request that arrives through private connectivity. The check compares two pieces of information:

  • The endpoint ID supplied in the request header.
  • The account that pinned that endpoint, as recorded in Snowflake's metadata.

If these match — in other words, if the request originates from the account that registered the endpoint — then Snowflake allows the connection. Otherwise, Snowflake blocks the connection.

For example:

Checking authorized access for inbound traffic through pinned private connectivity endpoints

| Pinned private endpoint | Snowflake account that pinned the endpoint | Target Snowflake account of the request | Snowflake pinning check decision |
|---|---|---|---|
| PE1 | A1 | A1 | ALLOW |
| PE1 | A1 | A2 | DENY |
| PE2 | A2 | A1 | DENY |
| PE2 | A2 | A2 | ALLOW |

Prerequisites

Before you pin a private endpoint, you must do the following:

  • Configure a private link for your Snowflake account on AWS or Azure.
  • Limit the scope of the access token that you use to register the endpoint in your Snowflake account.

For more information about configuring private links, see AWS PrivateLink or Azure Private Link.

Important

Before you pin a private endpoint, when Configuring private connectivity for Snowsight, ensure that the endpoint uses a regionless Snowsight privatelink URL for all your accounts. A regional Snowsight privatelink URL will not connect to a pinned private endpoint.

Manage enforcement with the delay time argument

After configuring your private links, you call the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function to register a private connectivity endpoint with your Snowflake account. In that function call, you can optionally specify a delay time. The delay time is the number of minutes to wait before enforcing the private endpoint registration. The delay time value helps prevent you from accidentally blocking yourself from accessing Snowflake when you register a new private endpoint. The maximum delay time is 1440 minutes (24 hours) and the default value is 60 minutes.

A private endpoint that you register for your own Snowflake account can also be registered for other Snowflake accounts. For example, you might have three Snowflake accounts and want to ensure that connections to each of them go only through one registered private endpoint. Setting the delay time argument to 60 minutes gives you enough time to register the private connectivity endpoint for each Snowflake account.

However, when you register a private connectivity endpoint and specify a delay time, be mindful of the local timestamp in the first account where you call the system function. For a given private connectivity endpoint, the enforcement time is the local timestamp of that first call plus the delay time specified in that call; later calls for the same endpoint in other accounts do not move it.

For example, consider pinning a single private connectivity endpoint to three accounts in the same time zone:

  • If you call the system function in account1 at 10:00 AM and specify a delay time of 60 minutes, the enforcement time is 11:00 AM.
  • If you call the system function in account2 at 10:30 AM, the enforcement time is 11:00 AM.
  • If you call the system function in account3 at 11:01 AM, the enforcement time is immediate (now).
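The decision table and the enforcement-window example above are easier to reason about when the two rules are written down as code. The following model is an added illustration, not Snowflake's implementation: the registry, the "first registration fixes the enforcement time" rule and the ingress ALLOW/DENY check are modelled with assumed names, and the endpoint IDs PE1/PE2, accounts A1..A4 and account1..account4, and the timestamps are constructed sample data.

```python
"""Model of the private endpoint pinning semantics this page describes.

Added illustration, not Snowflake's code: the registry, the enforcement-time
rule (first registration's timestamp plus its delay, shared by every account
that later pins the same endpoint) and the ingress ALLOW/DENY check are
modelled with assumed names. Endpoint IDs PE1/PE2 and the account names used
below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ALLOW, DENY = "ALLOW", "DENY"
MAX_DELAY_MINUTES = 1440       # documented maximum (24 hours)
DEFAULT_DELAY_MINUTES = 60     # documented default


@dataclass
class EndpointRegistration:
    accounts: set = field(default_factory=set)   # accounts that pinned the endpoint
    enforce_at: Optional[datetime] = None        # fixed by the first registration


class PinningRegistry:
    """In-memory stand-in for the endpoint metadata consulted at ingress."""

    def __init__(self) -> None:
        self._endpoints: dict = {}

    def register(self, endpoint_id: str, account: str, now: datetime,
                 delay_minutes: int = DEFAULT_DELAY_MINUTES) -> datetime:
        """Pin endpoint_id to account; return when the pin is enforced."""
        if not 0 <= delay_minutes <= MAX_DELAY_MINUTES:
            raise ValueError(f"delay must be between 0 and {MAX_DELAY_MINUTES} minutes")
        reg = self._endpoints.setdefault(endpoint_id, EndpointRegistration())
        if reg.enforce_at is None:
            # The first account to register an endpoint fixes its enforcement time.
            reg.enforce_at = now + timedelta(minutes=delay_minutes)
        reg.accounts.add(account)
        # Later accounts inherit that time; if it has already passed, enforcement
        # for them is immediate (the page's account3 case).
        return max(reg.enforce_at, now)

    def unregister(self, endpoint_id: str, account: str) -> None:
        """Remove a pin, e.g. after deleting the VPC/VNet endpoint itself."""
        reg = self._endpoints.get(endpoint_id)
        if reg is None:
            return
        reg.accounts.discard(account)
        if not reg.accounts:
            del self._endpoints[endpoint_id]

    def check(self, endpoint_id: str, target_account: str, now: datetime) -> str:
        """Ingress pinning check: endpoint ID from the request header vs. metadata."""
        reg = self._endpoints.get(endpoint_id)
        if reg is None:
            # Assumption of this model: an endpoint nobody pinned is not subject
            # to the check (pinning is opt-in per the page).
            return ALLOW
        if now < reg.enforce_at:
            return ALLOW   # still inside the delay window, not yet enforced
        return ALLOW if target_account in reg.accounts else DENY


def pinning_table(now: datetime = datetime(2024, 1, 1, 12, 0)) -> list:
    """Reproduce the page's four-row decision table (constructed IDs)."""
    reg = PinningRegistry()
    reg.register("PE1", "A1", now, delay_minutes=0)
    reg.register("PE2", "A2", now, delay_minutes=0)
    cases = [("PE1", "A1"), ("PE1", "A2"), ("PE2", "A1"), ("PE2", "A2")]
    return [(pe, acct, reg.check(pe, acct, now)) for pe, acct in cases]


def enforcement_window() -> dict:
    """Reproduce the page's three-account timing example for one endpoint."""
    day = datetime(2024, 1, 1)   # constructed date; only the clock times matter
    reg = PinningRegistry()
    t1 = reg.register("PE1", "account1", day.replace(hour=10, minute=0), 60)
    t2 = reg.register("PE1", "account2", day.replace(hour=10, minute=30))
    t3 = reg.register("PE1", "account3", day.replace(hour=11, minute=1))
    return {
        "account1": t1.strftime("%H:%M"),
        "account2": t2.strftime("%H:%M"),
        "account3": t3.strftime("%H:%M"),
        # an unpinned fourth account through PE1 is still allowed in the window...
        "account4_before": reg.check("PE1", "account4", day.replace(hour=10, minute=45)),
        # ...and denied once the pin is enforced
        "account4_after": reg.check("PE1", "account4", day.replace(hour=11, minute=5)),
    }


if __name__ == "__main__":
    for row in pinning_table():
        print(*row)
    print(enforcement_window())
```

The `account4_before`/`account4_after` pair is the lockout risk the delay time exists to mitigate: any account you have not yet registered keeps working only until the first account's enforcement time, so register every account before that clock runs out.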

Tip

Record the timestamp at which you registered the private endpoint in the first account, and maintain a record of the accounts that are pinned to each private endpoint.

If you anticipate registering multiple accounts and a delay time of 1440 minutes is not enough time, contact Snowflake Support.

Managing access token scope on Microsoft Azure

Before pinning a private endpoint to your Snowflake account on Azure, you must limit the scope of the access token that you pass into the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function. Requiring the caller to scope the access token to the private endpoint helps Snowflake authorize the caller’s access to the endpoint. This means that the token is only valid for the private endpoint and the Snowflake account where you call the system function.

Important

Do not use the token used in the SYSTEM$AUTHORIZE_PRIVATELINK system function. The following steps generate a token unique to SYSTEM$REGISTER_PRIVATELINK_ENDPOINT.

To limit the scope of the access token for your private endpoint on Azure, do the following steps in your Microsoft Azure account:

  1. Create (https://learn.microsoft.com/en-us/cli/azure/role/definition?view=azure-cli-latest#az-role-definition-create) a subscription custom role definition for a role called snowflake-pep-role, and replace the subscription_id placeholder with the ID of your subscription.

    az role definition create --role-definition '{"Name":"snowflake-pep-role","Description":
    "To generate advanced proof of access token for Snowflake private endpoint pinning","Actions":
    ["Microsoft.Network/privateEndpoints/read"],"AssignableScopes":["/subscriptions/<subscription_id>"]}'

The subscription ID must match the subscription in which the private endpoint exists. You only need to create the role definition once per subscription.

  2. Create the role assignment and assign (https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create) the snowflake-pep-role role and private endpoint scope to a user (or a group). Replace the placeholders for the user and the private_endpoint_resource_id.

    az role assignment create --assignee <user> --role snowflake-pep-role --scope <private_endpoint_resource_id>
  3. Generate the access token (https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token) to use with the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function. Replace the subscription_id placeholder with the ID of your subscription.

    az account get-access-token --subscription <subscription_id>

Managing access token scope on Amazon Web Services

Before pinning a private endpoint to your Snowflake account on AWS, you must limit the scope of the access token that you pass into the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function. Requiring the caller to scope the access token to the private endpoint helps Snowflake authorize the caller’s access to the endpoint. This means that the token is only valid for the private endpoint and the Snowflake account where you call the system function.

Important

Do not use the token used in the SYSTEM$AUTHORIZE_PRIVATELINK system function. The following steps generate a token unique to SYSTEM$REGISTER_PRIVATELINK_ENDPOINT.

To limit the scope of the access token for your private endpoint on AWS, generate a federation token whose inline policy allows only ec2:DescribeVpcEndpoints, as in the following example:

aws sts get-federation-token --name snowflake --policy
'{ "Version": "2012-10-17", "Statement":
  [ {
  "Effect": "Allow", "Action": ["ec2:DescribeVpcEndpoints"],
  "Resource": ["*"] }
  ] }'

Example

As a representative example, register an endpoint to route your connections to the Snowflake service.

  1. Configure AWS PrivateLink or Azure Private Link for your Snowflake account. If you already have this service configured, skip to the next step.
  2. Log in to Snowflake over the public internet, using the account URL that does not contain a privatelink segment.
  3. Call the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function with the private endpoint ID and the scoped access token generated for your cloud platform, optionally specifying a delay time.
  4. To confirm the private connectivity endpoint mapping, call the SYSTEM$GET_PRIVATELINK_ENDPOINT_REGISTRATIONS system function.

You can unregister the private connectivity endpoint from your Snowflake account by calling the SYSTEM$UNREGISTER_PRIVATELINK_ENDPOINT system function.

Important

If you register a VPC endpoint or private endpoint in Snowflake and delete the endpoint in your VPC or VNet, you must call the SYSTEM$UNREGISTER_PRIVATELINK_ENDPOINT system function in your Snowflake account to unregister the endpoint. Otherwise, your connection to the Snowflake Service can’t use private connectivity. It uses the public internet.