Private connectivity to external volumes for Google Cloud¶

本主题介绍如何在 Google Cloud Storage (GCS) 上配置与外部卷的出站专用连接。出站公共连接和出站专用连接的主要区别在于如何设置外部卷的 USE_PRIVATELINK_ENDPOINT 属性。

当外部卷配置为使用专用连接时，您与 Google Cloud Storage 服务的连接将通过 Google Cloud 内部网络进行。通过将外部卷配置为使用出站专用连接，可以阻止对存储账户的公共访问，从而为数据卸载操作增加额外的安全性。

For more information about using external volumes to connect to your external cloud storage for Iceberg tables, see Configure an external volume.

出站专用连接成本

注意事项

You can configure outbound public connectivity and outbound private connectivity for the same cloud storage service. If you want to do this, create a dedicated external volume for outbound public connectivity and specify USE_PRIVATELINK_ENDPOINT = FALSE.

限制

与 Google Cloud Storage 卷的出站专用连接不支持多区域桶。

Set up outbound private connectivity to an external volume¶

To set up outbound private connectivity to an external volume, you use SQL or use Snowsight.

Use SQL¶

为外部卷指定专用连接

The USE_PRIVATELINK_ENDPOINT property of an external volume determines whether it is accessed through private connectivity or by traversing the public network. To use private connectivity, set USE_PRIVATELINK_ENDPOINT = TRUE when creating or modifying an external volume, as shown in the following examples.

使用以下语法创建外部卷：

CREATE OR REPLACE EXTERNAL VOLUME <ext_volume_name>
  STORAGE_LOCATIONS =
  (
    (
      NAME = 'my-gcs-loc'
      STORAGE_PROVIDER = 'gcs'
      STORAGE_BASE_URL = 'gcs://<bucket>/<prefix>/'
      USE_PRIVATELINK_ENDPOINT = [ TRUE | FALSE ]
    )
  )
  ALLOW_WRITES=true;

使用以下语法更改现有的外部卷：

ALTER EXTERNAL VOLUME <ext_volume_name>
  UPDATE STORAGE_LOCATION = '<storage_location_name>'
  USE_PRIVATELINK_ENDPOINT = [ TRUE | FALSE ]

The DESCRIBE EXTERNAL VOLUME command includes the USE_PRIVATELINK_ENDPOINT property and its value.

配置专用端点

通过以下步骤为 Google Cloud Storage 卷配置专用端点：

1. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. Provide as arguments a regional Storage API endpoint and host name. For example:

   Copy codeExpand code block

   USE ROLE ACCOUNTADMIN;
   
   SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
     'storage.us-east4.rep.googleapis.com',
     'storage.us-east4.rep.googleapis.com');

   Show lessSee more

   Scroll to top

   Note

   Snowflake supports only Google Cloud regional Storage API endpoints. Google Cloud multi-region buckets aren’t supported.

使用 SYSTEM$PROVISION_PRIVATELINK_ENDPOINT 在 Snowflake VNet 中配置专用端点，使 Snowflake 能够通过专用连接连接到外部 Google Cloud Storage。只有由启用了 USE_PRIVATELINK_ENDPOINT 属性的外部卷引用的桶才能通过端点访问。

2. In Snowflake, call the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO function.

   When the output of SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO includes “status”: “APPROVED”, your connection from Snowflake to your storage account can use private connectivity.

   You can continue with the next steps while awaiting the “APPROVED” status.

配置外部卷访问

通过以下步骤配置与外部存储卷的专用连接：

1. 创建外部卷，并将 USE_PRIVATELINK_ENDPOINT 属性设置为 TRUE。例如：

   Copy codeExpand code block

   CREATE EXTERNAL VOLUME external_volume
     STORAGE_LOCATIONS =
     (
    (
      NAME = 'my-gcs-loc'
      STORAGE_PROVIDER = 'gcs'
      STORAGE_BASE_URL =  'gcs://<bucket>/<prefix>/'
      USE_PRIVATELINK_ENDPOINT = true
    )
     )
     ALLOW_WRITES=true;

   Show lessSee more

   Scroll to top

2. Use the CREATE ICEBERG TABLE command to create an Iceberg table that references the external volume. For example:

   Copy codeExpand code block

   CREATE ICEBERG TABLE rand_table (data STRING)
     BASE_LOCATION='table'
     EXTERNAL_VOLUME=external_volume
     CATALOG='snowflake';

   Show lessSee more

   Scroll to top

3. 专用端点具有“APPROVED”状态后，测试将数据从 Snowflake 卸载到外部卷。

Use Snowsight¶

To set up external volume access using private connectivity in Snowsight, follow these steps:

1. In Snowflake, call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. Provide as arguments a regional Storage API endpoint and host name. For example:

   Copy codeExpand code block

   USE ROLE ACCOUNTADMIN;
   
   SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
     'storage.us-east4.rep.googleapis.com',
     'storage.us-east4.rep.googleapis.com');

   Show lessSee more

   Scroll to top

   Note

   Snowflake supports only Google Cloud regional Storage API endpoints. Google Cloud multi-region buckets aren’t supported.

使用 SYSTEM$PROVISION_PRIVATELINK_ENDPOINT 在 Snowflake VNet 中配置专用端点，使 Snowflake 能够通过专用连接连接到外部 Google Cloud Storage。只有由启用了 USE_PRIVATELINK_ENDPOINT 属性的外部卷引用的桶才能通过端点访问。

2. In Snowflake, call the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO function.

   When the output of SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO includes “status”: “APPROVED”, your connection from Snowflake to your storage account can use private connectivity.

   You can continue with the next steps while awaiting the “APPROVED” status.

3. Follow the steps to configure an external volume for Google Cloud Storage by using Snowsight and enable private connectivity when you configure the external volume.

   Important

   To enable private connectivity, on the Configure external volume page, from the Connectivity field, you must select Private (Private Service Connect).

4. Use the CREATE ICEBERG TABLE command to create an Iceberg table that references the external volume. For example:

   Copy codeExpand code block

   CREATE ICEBERG TABLE rand_table (data STRING)
     BASE_LOCATION='table'
     EXTERNAL_VOLUME=external_volume
     CATALOG='snowflake';

   Show lessSee more

   Scroll to top

5. 专用端点具有“APPROVED”状态后，测试将数据从 Snowflake 卸载到外部卷。

禁用专用连接

If you no longer require private connectivity for the external volume, you can set the USE_PRIVATELINK_ENDPOINT property for the volume to FALSE, and then call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function tp deprovision the endpoint. For example:

ALTER EXTERNAL VOLUME <ext_volume_name>
  UPDATE STORAGE_LOCATION = '<storage_location_name>'
  USE_PRIVATELINK_ENDPOINT = false;

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('storage.us-east4.rep.googleapis.com');