
Configuring Snowflake and Azure Private Link

Available to certain Enterprise tiers

The private connection feature is available on the following dbt Enterprise tiers:

  • Business Critical
  • Virtual Private

To learn more about these tiers, contact us at sales@getdbt.com.

The following steps walk you through the setup of an Azure-hosted Snowflake Private Link endpoint in a dbt multi-tenant environment.

Private connection endpoints can't connect across cloud providers. For a private connection to work, both dbt and the server (like Snowflake) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect via PrivateLink to services hosted on Azure, and dbt hosted on Azure can’t connect via Private Link to services hosted on AWS.

Snowflake OAuth with PrivateLink

Users connecting to Snowflake using Snowflake OAuth over an AWS PrivateLink connection from dbt will also require access to a PrivateLink endpoint from their local workstation. Where possible, use Snowflake External OAuth instead to bypass this limitation.

Snowflake docs:

Currently, for any given Snowflake account, SSO works with only one account URL at a time: either the public account URL or the URL associated with the private connectivity service

To configure Snowflake instances hosted on Azure for Private Link:

  1. In your Snowflake account, run the following SQL statements and copy the output:

USE ROLE ACCOUNTADMIN;
-- Returns a JSON document describing the account's private connectivity configuration
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

  2. Add the required information to the following template and submit your request to dbt Support:

Subject: New Multi-Tenant Azure PrivateLink Request
- Type: Snowflake
- The output from SYSTEM$GET_PRIVATELINK_CONFIG:
- Include the privatelink-pls-id
- Enable Internal Stage Private Link? Y/N (If Y, output must include `privatelink-internal-stage`)
- dbt Azure multi-tenant environment:

  3. dbt Support will provide the resource_id of the dbt private endpoint and the CIDR range. Pass these to the Snowflake Support team to complete the PrivateLink configuration.

  4. (Optional) If you are enabling an Azure private endpoint for an Internal Stage, dbt Support will also provide the resource_id for the Internal Stage endpoint.

As the Snowflake administrator, call the SYSTEM$AUTHORIZE_STAGE_PRIVATELINK_ACCESS function using the resource ID value as the function argument. This authorizes access to the Snowflake internal stage through the private endpoint.


USE ROLE ACCOUNTADMIN;

-- Azure Private Link: pass the resource ID supplied by dbt Support as a string literal
SELECT SYSTEM$AUTHORIZE_STAGE_PRIVATELINK_ACCESS('<AZURE PRIVATE ENDPOINT RESOURCE ID>');
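The request template above asks for two values out of the `SYSTEM$GET_PRIVATELINK_CONFIG()` output. The following SQL is an added example, not from the original page or from dbt, that parses the JSON the function returns and pulls those two keys directly, so nothing is copied by hand. The key names `privatelink-pls-id` and `privatelink-internal-stage` are the ones the template references; the assumption that a missing key surfaces as NULL (and therefore that Internal Stage Private Link should not be requested) is standard Snowflake VARIANT behaviour but is not stated on the page.

```sql
-- Added example: extract the values the dbt Support request template asks for.
-- Assumes the ACCOUNTADMIN role, as in the steps above.
USE ROLE ACCOUNTADMIN;

WITH cfg AS (
    -- SYSTEM$GET_PRIVATELINK_CONFIG() returns a JSON document as a string
    SELECT PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG()) AS c
)
SELECT
    -- hyphenated keys must be double-quoted in a Snowflake JSON path
    c:"privatelink-pls-id"::STRING          AS privatelink_pls_id,
    c:"privatelink-internal-stage"::STRING  AS privatelink_internal_stage,
    -- a missing key yields NULL; answer N in the template in that case
    IFF(c:"privatelink-internal-stage" IS NULL, 'N', 'Y') AS request_internal_stage
FROM cfg;
```

Keep the full JSON output alongside these two columns when you submit the request, since the template asks for the complete function output as well.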

Configuring Network Policies

If your organization uses Snowflake Network Policies to restrict access to your Snowflake account, you will need to add a network rule for dbt.

Snowflake allows for finding the Azure Link ID of configured endpoints by running the `SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS()` function. The following query can be used to better isolate the Link ID value and the associated endpoint resource name:

SELECT
    -- Azure Link ID of each authorized endpoint
    value:linkIdentifier::STRING AS link_identifier,
    -- last path segment of the endpoint ID, i.e. the endpoint resource name
    REGEXP_SUBSTR(value:endpointId::STRING, '([^\/]+$)') AS endpoint_resource_name
FROM TABLE(
    -- the function returns a JSON array; FLATTEN yields one row per endpoint
    FLATTEN(input => PARSE_JSON(SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS()))
);

Using the UI

Open the Snowflake UI and take the following steps:

  1. Go to the Security tab.
  2. Click on Network Rules.
  3. Click on + Network Rule.
  4. Give the rule a name.
  5. Select a database and schema where the rule will be stored. These selections are for permission settings and organizational purposes; they do not affect the rule itself.
  6. Set the type to Azure Link ID and the mode to Ingress.
  7. In the identifier box, type the Azure Link ID obtained in the previous section and press Enter.
  8. Click Create Network Rule.
  9. In the Network Policy tab, edit the policy to which you want to add the rule. This could be your account-level policy or one specific to the users connecting from dbt.

  10. Add the new rule to the allowed list and click Update Network Policy.


Using SQL

For quick and automated setup of network rules via SQL in Snowflake, the following commands allow you to create and configure access rules for dbt. These SQL examples demonstrate how to add a network rule and update your network policy accordingly.

  1. Create a new network rule with the following SQL:

CREATE NETWORK RULE allow_dbt_cloud_access
MODE = INGRESS
TYPE = AZURELINKID
VALUE_LIST = ('<Azure Link ID>'); -- Replace '<Azure Link ID>' with the actual ID obtained above

  2. Add the rule to a network policy with the following SQL:

ALTER NETWORK POLICY <network_policy_name>
ADD ALLOWED_NETWORK_RULE_LIST = ('allow_dbt_cloud_access');
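The two statements above create the rule and attach it, but do not confirm that the policy Snowflake actually enforces is the one you edited. The following is an added example, not from the original page or from dbt, that performs the same setup end to end and then verifies the result. `<Azure Link ID>` and `<network_policy_name>` are placeholders exactly as in the steps above; the `COMMENT` clause and the `IF NOT EXISTS` guard are additions so the script can be re-run safely.

```sql
-- Added example: create the rule, attach it to the policy, and verify.
USE ROLE ACCOUNTADMIN;

-- 1. Ingress rule keyed on the Azure Link ID of the dbt private endpoint.
--    '<Azure Link ID>' is a placeholder for the value returned by the
--    SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS() query in the previous section.
CREATE NETWORK RULE IF NOT EXISTS allow_dbt_cloud_access
  MODE = INGRESS
  TYPE = AZURELINKID
  VALUE_LIST = ('<Azure Link ID>')
  COMMENT = 'Inbound access from the dbt multi-tenant Azure private endpoint';

-- 2. Attach the rule to the policy governing the users that connect from dbt.
--    <network_policy_name> is a placeholder for your existing policy name.
ALTER NETWORK POLICY <network_policy_name>
  ADD ALLOWED_NETWORK_RULE_LIST = ('allow_dbt_cloud_access');

-- 3. Verify the rule has the expected type, mode and value...
DESCRIBE NETWORK RULE allow_dbt_cloud_access;

-- ...that the policy now lists it among its allowed rules...
DESCRIBE NETWORK POLICY <network_policy_name>;

-- ...and that this policy is the one enforced at account level.
--    (If the policy is assigned per user, check that user's NETWORK_POLICY
--    parameter instead, since a user-level policy overrides the account one.)
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

The last check matters because a rule added to a policy that is not assigned anywhere changes nothing: the Azure Link ID only restricts ingress once the policy containing it is the active one for the account or for the connecting users.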
