设置 Openflow - Snowflake Deployment:为 Openflow 连接器配置允许的域¶
Openflow - Snowflake Deployments access external domain resources. Snowflake controls access to external domains using network rules and external access integrations to either grant or deny access to specific domains.
This topic describes the process of creating a network rule and creating an external access integration to grant access to a specific domain. In addition, the known domains used by Openflow connectors are provided.
管理外部域名访问权限存在两种可行工作流程:
Create a new network rule and external access integration: Create a new network rule that defines a list of allowed domain/port combinations and create a new external access integration using the newly created network rule.
Alter an existing network rule: Alter an existing network rule to add a list of allowed domain/port combinations.
Create a network rule granting access to one or more domains¶
To create a new network rule that grants access to one or more domain/port combinations, execute an SQL statement similar to:
USE ROLE SECURITYADMIN;
CREATE NETWORK RULE MY_OPENFLOW_NETWORK_RULE
TYPE = HOST_PORT
MODE = EGRESS
VALUE_LIST = ('<domain>', '<domain>');
For example, to allow Snowflake to access googleads.googleapis.com, execute the following.
USE ROLE SECURITYADMIN;
CREATE NETWORK RULE GOOGLEADS_OPENFLOW_NETWORK_RULE
TYPE = HOST_PORT
MODE = EGRESS
VALUE_LIST = ('googleads.googleapis.com');
For more information, see CREATE NETWORK RULE.
After the network rule is created, a external access integration has to be created.
To create a new integration, execute an SQL statement similar to:
USE ROLE SECURITYADMIN;
CREATE EXTERNAL ACCESS INTEGRATION MY_OPENFLOW_EAI
ALLOWED_NETWORK_RULES = (MY_OPENFLOW_NETWORK_RULE)
ENABLED = TRUE
COMMENT = 'External Access Integration for Openflow connectivity';
Alter an existing network rule granting access to one or more domains¶
To alter an existing network rule to grant access to one or more domain/port combinations, execute an SQL statement similar to:
USE ROLE SECURITYADMIN;
ALTER NETWORK RULE GOOGLEADS_OPENFLOW_NETWORK_RULE SET
VALUE_LIST = ('<existing domain>', '<existing domain>', 'googleads.googleapis.com');
For more information, see ALTER NETWORK RULE.
备注
Use SHOW NETWORK RULES to list the existing network rules. . Use DESCRIBE NETWORK RULE to describe the properties of a specific network rule.
If the altered network rule is already associated with an external access integration, it will be updated automatically. If you do not have an external access integration for the altered network rule, refer to the section above for instructions on creating a new integration.
Next steps¶
Associate an external access integration with your runtime:
Navigate to the Openflow canvas.
Select the Runtimes tab.
For the runtime which requires the new external access integration, click the
menu.Select External access integrations.
Select all required external access integrations from the dropdown list. . Note you may select multiple external access integrations.
Click Save.
备注
Restarting the runtime is not required and the changes are applied immediately.
Deploy a connector in a runtime, for a list of connectors available in Openflow, see Openflow 连接器.
Openflow 连接器使用的域¶
The following domains are used by Openflow connectors and require network rules to be granted access.
Amazon Ads¶
Amazon Ads 连接器使用以下域。
advertising-api.amazon.comadvertising-api-eu.amazon.comadvertising-api-fe.amazon.comapi.amazon.comapi.amazon.co.ukapi.amazon.co.jp报告位置。例如,
offline-report-storage-eu-west-1-prod.s3.eu-west-1.amazonaws.com用于下载报告。
创建报告前,报告 URL 的确切位置并非总是已知的。Snowflake 建议允许列出所有 s3 区域:
*.s3.eu-west-[1-3].amazonaws.com
*.s3.eu-central-[1-2].amazonaws.com
*.s3.eu-north-1.amazonaws.com
*.s3.eu-south-[1-2].amazonaws.com
*.s3.il-central-1.amazonaws.com
对于 advertising-api-fe.amazon.com(远东/APAC):
*.s3.ap-northeast-[1-3].amazonaws.com*.s3.ap-south-[1-2].amazonaws.com*.s3.ap-southeast-[1-7].amazonaws.com*.s3.ap-east-[1-2].amazonaws.com*.s3.me-south-1.amazonaws.com*.s3.me-central-1.amazonaws.com*.s3.af-south-1.amazonaws.com
最后一个域是在报告准备就绪可获取后,从报告 URL 返回的结果中获得的。这是存储报告的 Amazon S3 桶。客户需要指定自己的 AWS 区域。例如,us-east-1 或 eu-west-1 和特定的桶。由于可能无法知道确切的区域和存储分区,Snowflake 建议使用通配符并列出给定位置的所有可能区域。
AWS Secret Manager¶
AWS Secret Manager 连接器使用以下域。
secretsmanager.us-west-2.amazonaws.comsts.us-west-2.amazonaws.comaws.amazon.comamazonaws.com
Box¶
Box 连接器使用以下域。
api.box.com
box.com
Confluence¶
Confluence 连接器使用以下域。
客户专属域,例如
https://company-name.atlassian.net/。对于 OAuth,为 https://atlassian.company-name.com/ (https://atlassian.company-name.com/)
Microsoft Dataverse¶
Dataverse 连接器使用以下域。
客户专属域,例如
org12345467.crm.dynamics.com对于 OAuth,为
login.microsoftonline.com
Google Ads¶
Google Ads 连接器使用以下域。
googleads.googleapis.com
Google 云端硬盘¶
Google 云端硬盘连接器使用以下域:
drive.google.comwww.googleapis.comoauth2.googleapis.comwww.googleapis.com
Google 表格¶
Google 表格连接器使用以下域。
sheets.googleapis.com
Hubspot¶
HubSpot 连接器使用以下域。
api.hubapi.com
Jira Cloud¶
Jira Cloud 连接器使用以下域。
客户专属域,例如
company-name.atlassian.netapi.atlassian.com
Kafka¶
Kafka 连接器使用以下域。
客户 Kafka 启动服务器和所有 Kafka 代理
Kinesis¶
Kinesis 连接器使用以下域。
取决于 AWS 区域。 例如:
对于 us-west-2 来说:
kinesis.us-west-2.amazonaws.comkinesis-fips.us-west-2.api.awskinesis-fips.us-west-2.amazonaws.comkinesis.us-west-2.api.aws*.control-kinesis.us-west-2.amazonaws.com*.control-kinesis.us-west-2.api.aws*.data-kinesis.us-west-2.amazonaws.com*.data-kinesis.us-west-2.api.awsdynamodb.us-west-2.amazonaws.commonitoring.us-west-2.amazonaws.com:80monitoring.us-west-2.amazonaws.com:443monitoring-fips.us-west-2.amazonaws.com:80monitoring-fips.us-west-2.amazonaws.com:443monitoring.us-west-2.api.aws:80monitoring.us-west-2.api.aws:443
LinkedIn Ads¶
LinkedIn Ads 连接器使用以下域。
www.linkedin.comapi.linkedin.com
Meta Ads¶
Meta Ads 连接器使用以下域。
graph.facebook.com
MySQL¶
MySQL 连接器使用以下域。
客户专属域和端口组合。
PostgreSQL¶
PostgreSQL 连接器使用以下域。
客户专属域和端口组合。
Slack¶
Slack 连接器使用以下域。
slack.com和api.slack.com
SQL Server¶
SQL Server 连接器使用以下域。
客户专属域和端口组合。
Workday¶
Workday 连接器使用以下域。
Customer-specific domain and port combination. For example,
company-domain.tenant.myworkday.com.要获取域,您可以使用报告 URL(基本 URL 始终相同)。