Manage private connectivity endpoints: AWS

This topic provides information about how to manage private connectivity endpoints for use with outbound private connectivity to AWS.

Provision a private connectivity endpoint

Note

AWS doesn’t support cross-region VPC interface endpoints for the Amazon S3 service. Therefore, cross-region PrivateLink isn’t supported for outbound connectivity to external stages and volumes that use the Amazon S3 service.

Cross-region support for AWS PrivateLink isn’t available in government regions or in the People’s Republic of China.

You can use the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create a private connectivity endpoint by specifying the service or resource, and the host name. You must use the ACCOUNTADMIN role when you use this system function.

Note

If you use private connectivity for an external stage or external volume, you must use the wildcard character * when you specify the host name. Using the wildcard doesn’t mean that all Amazon S3 buckets are accessed over a private connection. Only buckets referenced by a Snowflake object that is enabled for private connectivity — that is, the external stage or external volume — can be accessed through the VPC endpoint.

For example, to create a PrivateLink endpoint that connects to Amazon S3, execute the following SQL statement to configure an endpoint for us-west-2:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

Note

When you configure an endpoint for Amazon S3 or another platform as a service (PaaS), such as KMS, that service must be in the same region as your Snowflake account.

The SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function accepts a provider service name and host name as its arguments. You can obtain these values by using the describe-vpc-endpoint-services subcommand from the AWS command line. As described in the AWS documentation (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-vpc-endpoint-services.html), this AWS subcommand returns a JSON object with a ServiceName field and a PrivateDnsName field. Use the following table to determine which values to use for the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument | describe-vpc-endpoint-services output
provider_service_name                          | ServiceName
host_name                                      | PrivateDnsName. If you use private connectivity for external stages or external volumes, you must use the value with a wildcard.

You can create a private connectivity endpoint to a VPC endpoint service in an AWS region that is different from your Snowflake region. If you do, ensure that the VPC endpoint service supports the Snowflake region. For information about finding the region names for your account, see Find the cloud-provider’s name of the region for your account.

Important

Before you specify the provider_service_name as an argument for the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function, refer to the Cross-Region Connectivity Pricing section on the AWS PrivateLink pricing (https://aws.amazon.com/privatelink/pricing) page to determine the appropriate region.

If the target service is a VPC endpoint service (https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html), the endpoint service must allow Snowflake to connect to it. Before you create an endpoint, add the value of privatelink-account-principal from the output of SYSTEM$GET_PRIVATELINK_CONFIG as an allowed principal (https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permissions) of the VPC endpoint service.

The following SQL statement configures an endpoint to a VPC endpoint service:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.vpce.us-west-2.vpce-svc-012345678910f1234',
  'my.onprem.storage.com'
);

Note

In this example, the service might be in a different region from your Snowflake account.

After you create an endpoint, there is a delay before you can use the endpoint. For information about checking the status of a created endpoint, see SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO.
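As an added example that is not part of the Snowflake documentation, the following Python helper applies the mapping table and the region rules above to a constructed describe-vpc-endpoint-services response and renders the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT statement. The function names, the sample service names and the region-parsing regex are my own assumptions, not Snowflake or AWS APIs.

```python
import json
import re

# Region segment of an AWS service name ("us-west-2" in "com.amazonaws.us-west-2.s3").
_REGION_RE = re.compile(r"^com\.amazonaws\.(?:vpce\.)?([a-z]{2}(?:-gov)?-[a-z]+-\d)\.")

# Constructed sample of `aws ec2 describe-vpc-endpoint-services` output, reduced
# to the ServiceName / PrivateDnsName fields that the mapping table uses.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"ServiceDetails": [
    {"ServiceName": "com.amazonaws.us-west-2.s3",
     "PrivateDnsName": "s3.us-west-2.amazonaws.com"},
    {"ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
     "PrivateDnsName": "my.onprem.storage.com"},
]})


def endpoint_arguments(describe_json, service_name, snowflake_region, for_stage=False):
    """Derive (provider_service_name, host_name) for SYSTEM$PROVISION_PRIVATELINK_ENDPOINT:
    ServiceName -> provider_service_name, PrivateDnsName -> host_name; an external stage
    or volume needs the wildcard host name; a PaaS service (S3, KMS, ...) must be in the
    account's region; only a VPC endpoint service may be cross-region, never in gov/China.
    """
    details = {d["ServiceName"]: d for d in json.loads(describe_json)["ServiceDetails"]}
    if service_name not in details:
        raise ValueError(f"{service_name} not in describe-vpc-endpoint-services output")
    host = details[service_name]["PrivateDnsName"]
    if for_stage and not host.startswith("*."):
        host = "*." + host  # external stages/volumes must use the wildcard value
    match = _REGION_RE.match(service_name)
    if not match:
        raise ValueError(f"cannot determine the region of {service_name}")
    region = match.group(1)
    cross_region = region != snowflake_region
    if cross_region and ".vpce." not in service_name:
        raise ValueError(f"{service_name} is in {region}, not account region {snowflake_region}")
    if cross_region and ("-gov-" in region or region.startswith("cn-")):
        raise ValueError("cross-region PrivateLink is unavailable in gov and China regions")
    return service_name, host


def sql_literal(value):
    """Quote a string as a Snowflake single-quoted literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def provision_statement(provider_service_name, host_name):
    """Render the SELECT statement that provisions the endpoint."""
    return (f"SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT("
            f"{sql_literal(provider_service_name)}, {sql_literal(host_name)});")
```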

Set up connectivity to endpoints that can't be accessed directly

Not every service allows Snowflake to connect directly to specific instances through an interface endpoint. In these cases, you can instead enable access to the service by setting up a proxy and exposing the service as a VPC endpoint service.

For a walkthrough specific to Amazon RDS, see the blog post Connecting To Amazon RDS Using Private Connectivity from Snowflake.

Determine whether a service can be accessed directly

Snowflake can typically access an AWS service directly over private connectivity if one of the following conditions is met:

To find this information for a given service, refer to the AWS documentation and blog posts.

Access a service when it can't be accessed directly

When a service can't be accessed directly through an interface endpoint, you can enable access to it by setting up a proxy and exposing the service as a VPC endpoint service.

Examples of such services include:

  • Amazon EC2 instances at ec2.us-west-2.amazonaws.com
  • Amazon Relational Database Service (RDS) servers at rds.us-west-2.amazonaws.com

Set up AWS for access through a proxy

To expose a service instance through a proxy, you set up a virtual private cloud (VPC) and a load balancer on AWS, and then create a Snowflake PrivateLink endpoint by using the service name of the AWS endpoint service and the DNS name of the load balancer.

The basic steps are as follows:

  1. On AWS, create a virtual private cloud (VPC) (https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) with subnets spanning three different availability zones.

     Choose the initial availability zones (for example, az1 and az2) for your resources; in some regions, Snowflake might not support newer AZs. Make sure that you create the endpoint and the other resources in the same availability zones to avoid cross-zone traffic.

  2. In the network settings of the service instance you want to access, make sure that the instance is in the VPC you created.

  3. Create a target group (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html) that contains the service instance you want to access.

  4. Create a network load balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html) that forwards traffic to the target group you created.

  5. Create an endpoint service (https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) with the network load balancer you created.

     Record the endpoint service name (endpoint_service_name) for use when setting up Snowflake for access to the service.

  6. In Snowflake, execute the following query to retrieve the Snowflake account principal that must be allowed to create the endpoint:

     SELECT key, value FROM TABLE(FLATTEN(INPUT => PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG())));

  7. From the results of the query, locate the privatelink-account-principal key and note its value.

  8. On AWS, for the endpoint service you created, update the Allow principals section to add a principal whose ARN is the privatelink-account-principal key value from Snowflake.

  9. In Snowflake, create a private endpoint to the AWS endpoint service you created.

     When you execute the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function, use the following values as arguments:

     SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument | Value from AWS configuration
     provider_service_name                          | AWS endpoint Service name (the endpoint_service_name value) from the details section of the endpoint service.
     host_name                                      | DNS Name from the network load balancer you created.

  10. In AWS, approve the PrivateLink connection:

     a. Navigate to the endpoint connections of the endpoint service you created.

     b. Select the relevant endpoint connection that is in the pending state.

     c. Click Accept Endpoint Connection Request.

  11. Verify the endpoint status by running the following query. Ensure that the endpoint status changed from pendingAcceptance to available.

     SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();

Manage private connectivity endpoints: AWS

You can change only the host name of a previously provisioned, private connectivity endpoint without changing its network resource. Changing the host name for an endpoint tells Snowflake that this endpoint now connects to the same service by using a different host name. To change the host name, call the SYSTEM$SET_PRIVATELINK_ENDPOINT_HOSTNAME system function.

Remove a private connectivity endpoint for a service

You can use the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to remove a private connectivity endpoint by specifying the service or resource.

After an endpoint is removed, it is placed in a queue and is deleted after 7 days.

You must use the ACCOUNTADMIN role when you use this system function.

For example, to remove a PrivateLink endpoint that connects outbound to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

Restore a private connectivity endpoint for a service

You can use the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function to restore a removed private connectivity endpoint that is still on the deletion queue by specifying the service or resource. If the endpoint is not found on the deletion queue, then you cannot restore the endpoint.

You must use the ACCOUNTADMIN role when you use this system function.

For example, to restore a PrivateLink endpoint that connects outbound to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

List all private connectivity endpoints for a service

You can use the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function to list all private connectivity endpoints, and information about the endpoints, in your account.

You must use the ACCOUNTADMIN role when you use this system function.

For example, to list all AWS PrivateLink endpoints and AWS services, execute the following SQL statement:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();

For a description of the fields of the JSON object returned by the function, see Returns.

Note

You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.