AWS PrivateLink and Snowflake
This topic describes how to configure AWS PrivateLink to directly connect your Snowflake account to one or more AWS Virtual Private Clouds (VPCs).
AWS PrivateLink: Overview
AWS PrivateLink (https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/aws-privatelink.html) is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public internet. AWS PrivateLink connectivity supports VPC endpoint services and AWS VPCs that are located in the same or in different AWS regions. Cross-region connectivity for AWS PrivateLink allows you to use a custom endpoint service to connect a Snowflake account in a region that is different from your AWS VPC region. Cross-region connectivity isn't currently supported for any platform as a service (PaaS) services, such as Amazon Simple Storage Service (Amazon S3) or key management service (KMS).
For more information, see the AWS blog post "Introducing cross-region connectivity for AWS PrivateLink" (https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink).
When writing external functions, you can also use AWS PrivateLink with private endpoints.
If you have an on-premises environment, such as a non-hosted data center, you can use AWS Direct Connect (https://aws.amazon.com/directconnect/) with AWS PrivateLink to connect all your virtual and physical environments in a single, private network.
Note
AWS Direct Connect is a separate AWS service that must be implemented independently of AWS PrivateLink and is outside the scope of this topic. For guidance on implementing AWS Direct Connect, contact Amazon.
Enable AWS PrivateLink
Note
The self-service enablement process in this section doesn't currently support authorizing an AWS account identifier from a managed cloud service or a third-party vendor.
To authorize an AWS account identifier for this use case, please retrieve the AWS account identifier from the vendor, and then contact Snowflake Support.
To enable AWS PrivateLink for your Snowflake account, complete the following steps:
Generate a federated token, and then save the output.
To generate a token, run the AWS CLI STS (https://docs.aws.amazon.com/cli/latest/reference/sts/get-federation-token.html) command on the command line.
get-federation-token requires either an identity and access management (IAM) user in AWS or the AWS account root user. For details, refer to the AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison).
Important
The federated token expires after 12 hours. If you call any of the system functions to authorize, verify, or disable your Snowflake account to use AWS PrivateLink and the token has expired, regenerate the token by running the AWS CLI STS command again.
aws sts get-federation-token --name sam
In a later step, provide the output of this command as the federated_token argument for the SYSTEM$AUTHORIZE_PRIVATELINK function. From your generated token, extract the value of the "FederatedUserId" field. For example, if your token contains the following values:
{ ... "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }
Extract 185.... In the next step, you provide this 12-digit number as the aws_id argument for the SYSTEM$AUTHORIZE_PRIVATELINK function.
Using the ACCOUNTADMIN Snowflake system role, call the SYSTEM$AUTHORIZE_PRIVATELINK function to authorize (enable) AWS PrivateLink for your Snowflake account:
SELECT SYSTEM$AUTHORIZE_PRIVATELINK ( '<aws_id>' , '<federated_token>' );
Where:
'aws_id' is the 12-digit identifier (string) that uniquely identifies your Amazon Web Services (AWS) account.
'federated_token' is the federated token value, as a string, that contains the access credentials of the federated user.
For example:
USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
  '185...',
  '{ "Credentials": { "AccessKeyId": "ASI...", "SecretAccessKey": "enw...", "SessionToken": "Fwo...", "Expiration": "2021-01-07T19:06:23+00:00" }, "FederatedUser": { "FederatedUserId": "185...:sam", "Arn": "arn:aws:sts::185...:federated-user/sam" }, "PackedPolicySize": 0 }'
);
To verify your configuration, call the SYSTEM$GET_PRIVATELINK function in your Snowflake account on AWS. This function uses the same argument values for 'aws_id' and 'federated_token' that were used to authorize your Snowflake account. SYSTEM$GET_PRIVATELINK returns Account is authorized for PrivateLink. for a successful authorization.
Optional: If you need to disable AWS PrivateLink in your Snowflake account, call the SYSTEM$REVOKE_PRIVATELINK function by using the same argument values for 'aws_id' and 'federated_token'.
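The steps above can be scripted on the workstation where you ran the AWS CLI. The following Python helper is an added example, not part of the Snowflake documentation: it parses the get-federation-token output, extracts the 12-digit aws_id from FederatedUserId, refuses a token whose 12-hour Expiration has passed, and builds the SYSTEM$AUTHORIZE_PRIVATELINK, SYSTEM$GET_PRIVATELINK or SYSTEM$REVOKE_PRIVATELINK call. The token JSON is constructed with placeholder credential values.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample output of `aws sts get-federation-token --name sam`.
# All credential values are placeholders, not real AWS credentials.
SAMPLE_TOKEN_JSON = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "placeholder-secret",
        "SessionToken": "placeholder-session-token",
        "Expiration": "2021-01-07T19:06:23+00:00",
    },
    "FederatedUser": {
        "FederatedUserId": "185000000000:sam",
        "Arn": "arn:aws:sts::185000000000:federated-user/sam",
    },
    "PackedPolicySize": 0,
})

# The three self-service functions all take the same ('aws_id', 'federated_token') arguments.
PRIVATELINK_FUNCTIONS = ("SYSTEM$AUTHORIZE_PRIVATELINK", "SYSTEM$GET_PRIVATELINK",
                         "SYSTEM$REVOKE_PRIVATELINK")

def extract_aws_id(token_json: str) -> str:
    """Return the 12-digit AWS account ID that precedes ':' in FederatedUserId."""
    federated_user_id = json.loads(token_json)["FederatedUser"]["FederatedUserId"]
    aws_id = federated_user_id.split(":", 1)[0]
    if not re.fullmatch(r"\d{12}", aws_id):
        raise ValueError(f"unexpected FederatedUserId format: {federated_user_id!r}")
    return aws_id

def token_is_expired(token_json: str, now_iso: Optional[str] = None) -> bool:
    """True if Credentials.Expiration has passed (federated tokens last 12 hours).
    now_iso is an ISO-8601 timestamp with offset; it defaults to the current UTC time."""
    expiration = datetime.fromisoformat(json.loads(token_json)["Credentials"]["Expiration"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return expiration <= now

def build_privatelink_call(token_json: str, function: str = "SYSTEM$AUTHORIZE_PRIVATELINK",
                           now_iso: Optional[str] = None) -> str:
    """Build the SQL call, embedding the token JSON as a single-quoted SQL string literal."""
    if function not in PRIVATELINK_FUNCTIONS:
        raise ValueError(f"unknown function: {function}")
    if token_is_expired(token_json, now_iso):
        raise ValueError("federated token has expired; rerun aws sts get-federation-token")
    aws_id = extract_aws_id(token_json)
    literal = token_json.replace("'", "''")  # double any single quote inside the literal
    return f"SELECT {function}('{aws_id}', '{literal}');"
```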
To further harden your security posture, Snowflake recommends pinning private endpoints for your Snowflake account. For more information, see Pinning private connectivity endpoints for inbound traffic.
Configure your AWS VPC environment
Attention
This section covers only the Snowflake-specific details for configuring your VPC environment.
Snowflake isn't responsible for the actual configuration of the required AWS VPC endpoints, security group rules, and Domain Name System (DNS) records. If you encounter issues with any of these configuration tasks, please contact AWS Support.
Create and configure your AWS VPC endpoint
To create and configure a VPC endpoint in your AWS VPC environment, complete the following steps:
In your Snowflake account, use the ACCOUNTADMIN system role to call the SYSTEM$GET_PRIVATELINK_CONFIG function, and then record the privatelink-vpce-id value.
In your AWS environment, create a VPC endpoint by using the privatelink-vpce-id value from the previous step.
Note
If the Snowflake region of the VPC endpoint differs from the region of your AWS VPC, you must select both options that enable cross-region connectivity. In the AWS VPC console, select Enable Cross Region endpoint, and then select the primary region of the service under Service Settings » Service Region.
For complete instructions, see the step-by-step setup procedure in Configure cross-region connectivity (https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/) in the AWS documentation.
In your AWS environment, authorize the security group for your service to allow Snowflake outbound connections to the VPCE CIDR (Classless Inter-Domain Routing) on ports 443 and 80.
For more information, see the following topics in the AWS documentation:
Working with VPCs and subnets (https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html)
VPC endpoints (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html)
VPC endpoint services (AWS PrivateLink) (https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html)
Security groups for your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html)
Configure your VPC network
To access Snowflake by using an AWS PrivateLink endpoint, you must create Canonical Name (CNAME) records in your DNS to resolve the appropriate endpoint values from the SYSTEM$GET_PRIVATELINK_CONFIG function to the DNS name of your VPC endpoint.
The values to obtain from the output of SYSTEM$GET_PRIVATELINK_CONFIG depend on which Snowflake features you access using private connectivity. For a description of the possible values, see Return values.
Note that the regionless-snowsight-privatelink-url and snowsight-privatelink-url values allow access to Snowsight and the Snowflake Marketplace by using private connectivity. However, additional configuration is required if you want to enable URL redirects. For information, see Snowsight and private connectivity.
For additional help with DNS configuration, contact your internal AWS administrator.
Important
The structure of the Online Certificate Status Protocol (OCSP) cache server host name depends on the version of your installed clients, as described in Configure your Snowflake clients:
If you use the listed version or a later version, use the format shown in Configure your Snowflake clients, which enables better DNS resolution when you have multiple Snowflake accounts (for example, dev, test, and production) in the same region. When updating client drivers and using OCSP with PrivateLink, update the firewall rules to allow the OCSP host name.
If you use an earlier client version, then the OCSP cache server host name takes the form ocsp.region_id.privatelink.snowflakecomputing.cn without an account identifier.
Your DNS record must resolve to private IP addresses within your VPC. If it resolves to public IP addresses, the record isn't configured correctly.
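As an added check, not part of the Snowflake documentation, the following Python script resolves each private connectivity host name and reports whether every returned address falls inside your VPC CIDR blocks, which catches a CNAME that still points at public addresses. The host names (account xy12345 in us-west-2), the sample CIDR and the offline resolver table are constructed assumptions; when you pass no CIDRs it falls back to the RFC 1918 ranges.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a host name to the list of IP address strings it resolves to.
Resolver = Callable[[str], List[str]]

# Used when you don't pass your VPC's own CIDR blocks.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def system_resolver(host: str) -> List[str]:
    """Resolve through the OS resolver, the same path your Snowflake clients use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def check_private_resolution(hosts: Iterable[str], vpc_cidrs: Iterable[str] = RFC1918,
                             resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Classify each host: 'private' (all addresses inside vpc_cidrs), 'mixed',
    'public' (no address inside) or 'unresolved'. Only 'private' is a correct record."""
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            addrs = []
        if not addrs:
            results[host] = "unresolved"
            continue
        # An IPv6 address is never "in" an IPv4 network, so it counts as outside.
        inside = [a for a in addrs if any(ipaddress.ip_address(a) in n for n in networks)]
        results[host] = "private" if len(inside) == len(addrs) else ("mixed" if inside else "public")
    return results

# Constructed offline resolver table: the account host name is correctly configured,
# the OCSP host name still has one public (non-VPC) address, the third host has no record.
CONSTRUCTED_DNS = {
    "xy12345.us-west-2.privatelink.snowflakecomputing.cn": ["10.0.1.15", "10.0.2.27"],
    "ocsp.us-west-2.privatelink.snowflakecomputing.cn": ["10.0.1.15", "203.0.113.8"],
}
CONSTRUCTED_HOSTS = list(CONSTRUCTED_DNS) + ["app.us-west-2.privatelink.snowflakecomputing.cn"]

def constructed_resolver(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no record for {host}")
    return CONSTRUCTED_DNS[host]

if __name__ == "__main__":
    for host, verdict in check_private_resolution(CONSTRUCTED_HOSTS, ["10.0.0.0/16"],
                                                  constructed_resolver).items():
        print(f"{verdict:10s} {host}")
```

Against your real VPC, call check_private_resolution with the host names from your CNAME records and your VPC's CIDR blocks and leave the resolver at its default.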
Create an AWS VPC interface endpoint for Amazon S3
This step is required for Amazon S3 traffic from Snowflake clients to stay on the AWS backbone. Snowflake clients, such as SnowSQL and JDBC driver, require access to Amazon S3 to perform various runtime operations.
If your AWS VPC network doesn't allow access to the public internet, you can configure private connectivity to internal stages, or configure gateway endpoints to the Amazon S3 host names that the Snowflake clients require.
There are three options to configure access to Amazon S3. The first two options avoid the public internet and the third option uses the public internet:
Configure an AWS VPC interface endpoint for internal stages. This option is recommended.
Configure an Amazon S3 gateway endpoint. For more information, see the following Attention section.
Don't configure an interface endpoint or a gateway endpoint. This results in access that uses the public internet.
Attention
To prevent communications between an Amazon S3 bucket and an AWS VPC with Snowflake from using the public internet, you can set up an Amazon S3 gateway endpoint in the same AWS region as the Amazon S3 bucket. This prevents communications on the public internet because AWS PrivateLink only allows communications between VPCs, and the Amazon S3 bucket isn't included in the VPC.
You can configure the Amazon S3 gateway endpoint to limit access to specific users, Amazon S3 resources, routes, and subnets; however, Snowflake doesn't require this configuration. For more information, see Gateway endpoints for Amazon S3 (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html).
To limit Amazon S3 gateways to use only Amazon S3 resources for Snowflake, choose one of the following options:
Use the specific Amazon S3 host name addresses that are used by your Snowflake account in your AWS endpoint policies. For the complete list of host names that are used by your account, see SYSTEM$ALLOWLIST.
Use an Amazon S3 host name pattern that matches the Snowflake S3 host names in your AWS endpoint policies. With this option, there are two possible types of connections to Snowflake: VPC-to-VPC or On-Premises-to-VPC.
Based on your connection type, complete the following instructions:
- VPC-to-VPC:
Ensure that the Amazon S3 gateway endpoint exists. Optionally modify the Amazon S3 gateway endpoint policy to match the specific host name patterns that are shown in the following Amazon S3 Hostnames table.
- On-Premises-to-VPC:
Define a setup to include the Amazon S3 host name patterns in the firewall or proxy configuration if Amazon S3 traffic isn't permitted on the public gateway.
If you don't require the gateway endpoint to explicitly match the Snowflake-managed S3 buckets for your account, you can create the gateway endpoint by using the Amazon S3 host name patterns shown in the following table:

Region                     | Amazon S3 host name                            | Notes
All regions                | sfc-*-stage.s3.amazonaws.com:443               | None.
All regions except US East | sfc-*-stage.s3-<region_id>.amazonaws.com:443   | The pattern uses a hyphen (-) before the region ID.
All regions except US East | sfc-*-stage.s3.<region_id>.amazonaws.com:443   | The pattern uses a period (.) before the region ID.
For information about creating gateway endpoints, see Gateway VPC endpoints (https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html).
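For the On-Premises-to-VPC case, where the patterns from the table go into a firewall or proxy allowlist, the following Python matcher is an added example (not Snowflake's own code) that checks whether a host name on port 443 matches the pattern set for a given region, anchored so that look-alike suffixes don't pass. It assumes that '*' covers a single DNS label with no dots and that "US East" in the table means us-east-1.

```python
import re
from typing import List

# Assumption (not stated on the page): "US East" in the table is taken to mean us-east-1.
US_EAST_REGION_IDS = ("us-east-1",)
STAGE_PORT = "443"

def stage_host_patterns(region_id: str) -> List[str]:
    """Glob patterns from the page's table that apply to the given region."""
    patterns = ["sfc-*-stage.s3.amazonaws.com"]
    if region_id not in US_EAST_REGION_IDS:
        patterns += [f"sfc-*-stage.s3-{region_id}.amazonaws.com",   # hyphen before the region ID
                     f"sfc-*-stage.s3.{region_id}.amazonaws.com"]   # period before the region ID
    return patterns

def _glob_to_regex(pattern: str):
    # '*' stands for the account-specific bucket segment. It is restricted to a single
    # label (no dots) and the regex is anchored at both ends, so neither
    # "sfc-x.attacker.example-stage.s3.amazonaws.com" nor a host with an extra
    # suffix after amazonaws.com can match.
    escaped = re.escape(pattern).replace(r"\*", r"[^.]+")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)

def is_snowflake_stage_host(host_port: str, region_id: str) -> bool:
    """True if host[:port] matches a Snowflake-managed stage host pattern for the region.
    A port, when present, must be 443 as in the table."""
    host, _, port = host_port.partition(":")
    if port and port != STAGE_PORT:
        return False
    return any(_glob_to_regex(p).match(host) for p in stage_host_patterns(region_id))

# Constructed sample host names, as they might appear in a proxy allowlist review.
if __name__ == "__main__":
    for candidate in ["sfc-abc123-stage.s3.amazonaws.com:443",
                      "sfc-abc123-stage.s3-us-west-2.amazonaws.com:443",
                      "sfc-abc123-stage.s3.amazonaws.com.example.net:443"]:
        print(is_snowflake_stage_host(candidate, "us-west-2"), candidate)
```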
Connect to Snowflake
Before you connect to Snowflake, you can optionally use the Snowflake Connectivity Diagnostic tool (SnowCD) to evaluate the network connection with Snowflake and AWS PrivateLink.
For more information, see SnowCD and SYSTEM$ALLOWLIST_PRIVATELINK.
Otherwise, connect to Snowflake by using your private connectivity account URL.
If you want to connect to Snowsight through AWS PrivateLink, follow the instructions in the Snowsight documentation.
Block public access (recommended)
After you test private connectivity to Snowflake by using AWS PrivateLink, you can optionally block public access to Snowflake. This means that users can access Snowflake only if their connection request originates from an IP address within a particular CIDR block range specified in a Snowflake network policy.
To block public access by using a network policy:
Create a new network policy or edit an existing network policy.
Add the CIDR block ranges for your organization.
Activate the network policy for your account.
For more information, see Controlling network traffic with network policies.
Configure your Snowflake clients
The following sections describe how to configure Snowflake clients for specific use cases.
Ensure that your Snowflake clients support the OCSP cache server
The Snowflake OCSP cache server mitigates connectivity issues between Snowflake clients and the server. To enable your installed Snowflake clients to use the OCSP server cache, ensure that you use the following client versions:
SnowSQL 1.1.57 or later
Python Connector 1.8.2 or later
JDBC Driver 3.8.3 or later
ODBC Driver 2.19.3 or later
Note
The Snowflake OCSP cache server listens on port 80, which is why you were instructed in Create and configure your AWS VPC endpoint to configure your AWS PrivateLink VPCE security group to accept both port 80 and port 443; port 443 is required for all other Snowflake traffic.
Specify a host name for Snowflake clients
Each Snowflake client requires a host name to connect to your Snowflake account.
The host name is the same as the host name that you specified in the CNAME records in Configure your VPC network.
This step doesn't apply to accessing the Snowflake Marketplace.
For example, for an account named xy12345:
If the account is in US West, the host name is xy12345.us-west-2.privatelink.snowflakecomputing.cn.
If the account is in EU (Frankfurt), the host name is xy12345.eu-central-1.privatelink.snowflakecomputing.cn.
Important
The method for specifying the host name differs depending on the client:
For the Spark connector and the ODBC and JDBC drivers, specify the entire host name.
For all the other clients, don't specify the entire host name. Instead, specify the account identifier with the privatelink segment, which is <account_identifier>.privatelink. Snowflake concatenates this name with snowflakecomputing.cn to dynamically construct the host name.
For more information about specifying the account name or host name for a Snowflake client, see the documentation for each client.
Use SSO with AWS PrivateLink
Snowflake supports using SSO with AWS PrivateLink. For more information, see:
Use Client Redirect with AWS PrivateLink
Snowflake supports using Client Redirect with AWS PrivateLink.
For more information, see Redirecting client connections.
Use replication and Tri-Secret Secure with private connectivity
Snowflake supports replicating your data from a source account to a target account regardless of whether Tri-Secret Secure or this feature is enabled in the target account.
Troubleshooting
To troubleshoot issues that may arise when you use PrivateLink, see the following Snowflake Community articles:
How to retrieve a federation token from AWS for PrivateLink self-service (https://community.snowflake.com/s/article/How-to-retrieve-a-Federation-Token-from-AWS-for-PrivateLink-Self-Service)
FAQ: AWS PrivateLink self-service (https://community.snowflake.com/s/article/PrivateLink-Self-Service-with-AWS)
Troubleshooting: Snowflake self-service functions for AWS PrivateLink (https://community.snowflake.com/s/article/Troubleshooting-Snowflake-self-service-functions-for-AWS-PrivateLink)