Snowflake Postgres networking

By default, Snowflake Postgres deploys each new instance inside a new private network in the cloud region you choose. Each network is independent of, and isolated from, the other networks in the same cloud region.

By default, Snowflake Postgres instances do not accept external connections. Traffic to and from your Snowflake Postgres instance can be enabled in one of two ways:

  • Attach a network policy containing Postgres Ingress and/or Postgres Egress network rules. This option is available to all accounts.
  • Configure Private Link connections to/from cloud vendor private networks. This option is available for Business Critical edition or above accounts.

Snowflake Postgres network policies and rules

Network policies and network rules for Snowflake Postgres instances function much the same as they do for other Snowflake resources with a few key differences:

  • Network policies do not need to be activated to be used with Snowflake Postgres instances in the same way they are for Snowflake accounts, users, and other security integrations. Network policies for Snowflake Postgres instances are instead attached to the instances directly at instance creation time. Existing instances can also have their network policies changed.
  • Snowflake Postgres instances only use the ALLOWED_NETWORK_RULE_LIST and BLOCKED_NETWORK_RULE_LIST properties of network policies. The BLOCKED_IP_LIST and ALLOWED_IP_LIST properties are ignored.
  • Network rules for Snowflake Postgres instances should use either the Postgres Ingress or Postgres Egress modes. Rules using these modes are currently limited to type IPv4.
  • Network rules in a network policy that use modes other than Postgres Ingress or Postgres Egress are ignored by the Snowflake Postgres instances that use that policy.

Warning

Snowflake recommends making your network policies as restrictive as is practical. Applying a policy with a 0.0.0.0/0 networking rule will make the server open to connections from anywhere on the internet. For this reason, Snowflake recommends against using policies with 0.0.0.0/0 rules for your Snowflake Postgres instances.
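The rules above (only the two network-rule lists count, only Postgres Ingress/Egress rules apply, those rules are IPv4 only, and a 0.0.0.0/0 allow rule opens the instance to the whole internet) are easy to get wrong when a policy is reused from an ordinary Snowflake account. The following Python model, added here as an example and not Snowflake's own code, evaluates a policy the way this page says a Snowflake Postgres instance would, reports which rules are silently ignored, flags any 0.0.0.0/0 allow rule, and then answers whether a given peer address is permitted. The rule and policy definitions are plain dicts constructed for the example; the rule names and the `POSTGRES_INGRESS`/`POSTGRES_EGRESS` spelling of the modes are this example's own assumptions (the page names the modes "Postgres Ingress" and "Postgres Egress"), and the sample office address 23.206.171.35/32 is taken from the worked example below.

```python
import ipaddress

# The only two network-rule modes a Snowflake Postgres instance honours.
# The spelling of these strings is an assumption of this example.
POSTGRES_MODES = {"POSTGRES_INGRESS", "POSTGRES_EGRESS"}

# Constructed sample rules (names are this example's own).
RULES = {
    "office_ingress": {"TYPE": "IPV4", "MODE": "POSTGRES_INGRESS",
                       "VALUE_LIST": ["23.206.171.35/32"]},
    "office_egress": {"TYPE": "IPV4", "MODE": "POSTGRES_EGRESS",
                      "VALUE_LIST": ["23.206.171.35/32"]},
    "open_ingress": {"TYPE": "IPV4", "MODE": "POSTGRES_INGRESS",
                     "VALUE_LIST": ["0.0.0.0/0"]},
    "account_ingress": {"TYPE": "IPV4", "MODE": "INGRESS",  # ordinary account rule
                        "VALUE_LIST": ["203.0.113.0/24"]},
    "ipv6_ingress": {"TYPE": "IPV6", "MODE": "POSTGRES_INGRESS",
                     "VALUE_LIST": ["2001:db8::/32"]},
}

# The restrictive policy from the office example on this page.
OFFICE_POLICY = {"ALLOWED_NETWORK_RULE_LIST": ["office_ingress", "office_egress"]}

# A constructed policy that makes every mistake the page warns about.
OPEN_POLICY = {
    "ALLOWED_NETWORK_RULE_LIST": ["open_ingress", "account_ingress", "ipv6_ingress"],
    "ALLOWED_IP_LIST": ["192.0.2.0/24"],  # ignored for Postgres instances
}


def effective_rules(policy, rules):
    """Return (allowed, blocked, findings): the rule names a Postgres instance
    would actually apply from each list, plus notes on what is ignored or
    overly permissive."""
    findings = []
    # Only the two *_NETWORK_RULE_LIST properties matter for Postgres instances.
    for prop in ("ALLOWED_IP_LIST", "BLOCKED_IP_LIST"):
        if policy.get(prop):
            findings.append(f"{prop} is ignored by Snowflake Postgres instances")

    def usable(list_name):
        kept = []
        for name in policy.get(list_name, []):
            rule = rules[name]
            if rule["MODE"] not in POSTGRES_MODES:
                findings.append(f"{name}: mode {rule['MODE']} is not a Postgres mode; ignored")
                continue
            if rule["TYPE"] != "IPV4":
                findings.append(f"{name}: Postgres rules must be TYPE IPV4; ignored")
                continue
            if list_name == "ALLOWED_NETWORK_RULE_LIST":
                for value in rule["VALUE_LIST"]:
                    # A /0 prefix matches every address: the whole internet.
                    if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                        findings.append(f"{name}: {value} opens {rule['MODE']} to the whole internet")
            kept.append(name)
        return kept

    return usable("ALLOWED_NETWORK_RULE_LIST"), usable("BLOCKED_NETWORK_RULE_LIST"), findings


def is_permitted(ip, mode, policy, rules):
    """Decide whether traffic in `mode` with peer address `ip` passes the policy.
    Assumption of this model: a match in the blocked list wins over the allowed list."""
    addr = ipaddress.ip_address(ip)
    allowed, blocked, _ = effective_rules(policy, rules)

    def matches(names):
        return any(
            rules[n]["MODE"] == mode and addr in ipaddress.ip_network(v, strict=False)
            for n in names for v in rules[n]["VALUE_LIST"]
        )

    return matches(allowed) and not matches(blocked)


if __name__ == "__main__":
    for label, policy in (("office", OFFICE_POLICY), ("open", OPEN_POLICY)):
        allowed, blocked, findings = effective_rules(policy, RULES)
        print(f"{label}: allowed={allowed} blocked={blocked}")
        for f in findings:
            print("  -", f)
```

Run the block as a script to see the findings for both sample policies; `is_permitted` can then be used to confirm that, under the office policy, only the office router's address is accepted for ingress while the open policy accepts any IPv4 address.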

Privileges

  • To create new network policies, Snowflake users must have the CREATE NETWORK POLICY privilege on the account.
  • To create new network rules, Snowflake users must have the CREATE NETWORK RULE privilege on the schema in which they want to create the rules.
  • To attach an existing network policy to a Snowflake Postgres instance, Snowflake users must own the network policy or have been granted USAGE on it by the policy’s owner.

Snowflake Postgres network policy and rule example

Assume:

  • You want to allow incoming traffic to a new Postgres instance from your office, and your office network router’s public IP address is 23.206.171.35.
  • You also want to allow outgoing traffic from the new Postgres instance to your office Postgres server via a Postgres Foreign Data Wrapper connection.

To do this, we will create a new policy containing a Postgres Ingress network rule and a Postgres Egress network rule.

  1. Create two new network rules. Use 23.206.171.35/32 as the sole network identifier for both, and use “Postgres Ingress” as the Mode of one and “Postgres Egress” as the Mode of the other.
  2. Create a new network policy with both new rules included in its Allowed list.
  3. In the navigation menu, select Postgres.
  4. Select + Create.
  5. When selecting your desired instance configuration details, make sure to select your new policy in the Network policy select box. In the image below we have selected the policy that we named OFFICE POLICY EXAMPLE.
Create Snowflake Postgres with Network Policy

Creating ingress rules at instance creation time

Instead of creating the network policy and rules before creating a Snowflake Postgres instance, you can create a policy with Postgres Ingress rules while creating the Snowflake Postgres instance in Snowsight.

  1. In the navigation menu, select Postgres.
  2. In the Postgres Instances page, select the Create button at the top right.
  3. Choose your instance configuration but leave the Network policy choice blank.
  4. After you select Create, a new dialog displays the snowflake_admin Postgres user’s connection credentials. After saving those credentials in a secure location, select Continue to network settings.
  5. In the Network Settings dialog (shown below) enter the IP address and/or CIDR values you wish to create Postgres ingress rules for, pressing enter to add each one to the list.
  6. Expand the Details section to edit your new network rule and/or policy names if needed.
  7. Select Save to create your new Postgres ingress network policy and have it automatically attached to your instance once it is active.
Create Snowflake Postgres ingress network policy at instance create time

Private Link for Snowflake Postgres instances is available only to Business Critical Edition or above accounts.

To enable Private Link for Snowflake Postgres instances, first follow the instructions for enabling Private Link between your cloud service provider account and your Snowflake account:

Privileges

To enable Private Link for Snowflake Postgres instances, Snowflake users must have the following privileges.

  • MANAGE POSTGRES PRIVATE CONNECTIVITY ON ACCOUNT
  • OWNERSHIP or MANAGE on each Snowflake Postgres instance in question

Once Private Link is enabled between your cloud service provider and your Snowflake account and you have the required privileges, you can enable Private Link for each Snowflake Postgres instance individually as follows.

If you do not intend to set up any network policy rules for your instance in addition to your Private Link connection, select Private Link for the Network Security option in the New instance dialog. If you do want to set up or use a network policy, select Network policy instead and follow the previous instructions on network policies.

Once the instance is active, you can enable Private Link for it:

  1. In the navigation menu, select Postgres and select your instance.
  2. In the instance’s Instance details pane, select the edit icon in the Private Link section.
  3. A confirmation dialog is shown asking you to confirm setting up Private Link for your cloud service provider. Select Enable. Note that this step can take up to 10 minutes to complete.

Once Private Link is enabled for your Snowflake Postgres instance, you can create new Private Link connections to it:

  1. In the navigation menu, select Postgres and select your instance to see its details page.
  2. Select the edit icon in the Private Link section to the right to expand the Private Link pane (shown below).
  3. Use the displayed Service address to make a Private Link connection request from the private network on your cloud vendor account.
  4. Refresh your Snowflake Postgres instance’s details page. The Private Link pane will now have a new connection entry for your request with neither the check mark (accept) nor x mark (reject) selected. Select the check mark to accept.
  5. You can now connect to your Snowflake Postgres instance from hosts inside your cloud service provider’s private network.
Create Snowflake Postgres ingress network policy at instance create time

Connecting to Snowflake Postgres instances via Azure Private Link

Instead of using the Snowflake Postgres instance’s hostname, connections to Snowflake Postgres instances via Private Link setups should be made using the DNS hostname configured on your cloud service provider’s private network for the Private Link.