Network Rules is a Snowflake feature that manages network identifiers (IP addresses, hostnames, Private Endpoint IDs, etc.) as reusable schema-level objects. Traditional Network Policies embedded the IP list directly in the policy, but with Network Rules you can define identifiers as independent objects, share them across multiple Network Policies, and apply network control on identifiers other than IP addresses.
| TYPE | VALUE_LIST format | Direction | Purpose | Edition requirement |
|---|---|---|---|---|
| IPV4 | IPv4 address / CIDR | Ingress (inbound) | Control user access to Snowflake | All Editions |
| HOST_PORT | hostname:port | Egress (outbound) | Allow Snowflake to call external APIs | All Editions |
| PRIVATE_HOST_PORT | Private Endpoint ID | Egress (outbound) | Control outbound traffic via PrivateLink | Business Critical or higher |
-- IPV4 type: allow access from the corporate network
CREATE NETWORK RULE security.office_network_rule
TYPE = IPV4
VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24')
MODE = INGRESS
COMMENT = 'Office network IP address ranges';
-- IPV4 type: allow access from VPN gateways
CREATE NETWORK RULE security.vpn_network_rule
TYPE = IPV4
VALUE_LIST = ('10.0.1.100', '10.0.1.101')
MODE = INGRESS
COMMENT = 'VPN gateway IP addresses';
-- HOST_PORT type: allow access to an external API
CREATE NETWORK RULE security.external_api_rule
TYPE = HOST_PORT
VALUE_LIST = ('api.example.com:443', 'webhook.example.com:443')
MODE = EGRESS
COMMENT = 'External API endpoints for External Functions';
-- PRIVATE_HOST_PORT type: egress via PrivateLink
CREATE NETWORK RULE security.private_api_rule
TYPE = PRIVATE_HOST_PORT
VALUE_LIST = ('com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxx')
MODE = EGRESS
COMMENT = 'Internal API access via PrivateLink';Network Rules do not work on their own. They become effective access control only when attached to a Network Policy. You reference Network Rules from the ALLOWED_NETWORK_RULE_LIST and BLOCKED_NETWORK_RULE_LIST of a Network Policy.
-- Create a Network Policy that uses Network Rules
CREATE NETWORK POLICY corporate_access_policy
ALLOWED_NETWORK_RULE_LIST = (
'security.office_network_rule',
'security.vpn_network_rule'
)
BLOCKED_NETWORK_RULE_LIST = ()
COMMENT = 'Allow access from the office and VPN only';
-- Apply at the account level
ALTER ACCOUNT SET NETWORK_POLICY = corporate_access_policy;
-- Apply to a specific user (overrides the account-level policy)
ALTER USER admin_user SET NETWORK_POLICY = corporate_access_policy;
-- Apply to a Security Integration (controls OAuth/SAML connections)
ALTER SECURITY INTEGRATION my_oauth_integration
SET NETWORK_POLICY = corporate_access_policy;-- Legacy Network Policy (specifies IP addresses directly)
CREATE NETWORK POLICY legacy_policy
ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
BLOCKED_IP_LIST = ('203.0.113.50');
-- New Network Policy (references Network Rules)
CREATE NETWORK RULE security.corp_ips
TYPE = IPV4
VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24')
MODE = INGRESS;
CREATE NETWORK RULE security.blocked_ips
TYPE = IPV4
VALUE_LIST = ('203.0.113.50')
MODE = INGRESS;
CREATE NETWORK POLICY new_policy
ALLOWED_NETWORK_RULE_LIST = ('security.corp_ips')
BLOCKED_NETWORK_RULE_LIST = ('security.blocked_ips');
-- Legacy ALLOWED_IP_LIST and ALLOWED_NETWORK_RULE_LIST can be
-- used together in the same Network Policy (evaluated with OR)Combine HOST_PORT-type Network Rules with an External Access Integration to control external API access from UDFs, stored procedures, and Snowpark Container Services.
-- Network Rule for external API access
CREATE NETWORK RULE security.openai_api_rule
TYPE = HOST_PORT
VALUE_LIST = ('api.openai.com:443')
MODE = EGRESS;
-- Create the External Access Integration
CREATE EXTERNAL ACCESS INTEGRATION openai_access
ALLOWED_NETWORK_RULES = ('security.openai_api_rule')
ENABLED = TRUE;
-- Use the External Access Integration inside a UDF
CREATE OR REPLACE FUNCTION call_openai(prompt VARCHAR)
RETURNS VARCHAR
LANGUAGE PYTHON
RUNTIME_VERSION = '3.10'
EXTERNAL_ACCESS_INTEGRATIONS = (openai_access)
PACKAGES = ('requests')
HANDLER = 'handler'
AS $
import requests
def handler(prompt):
# Only api.openai.com:443 is reachable
response = requests.post(
'https://api.openai.com/v1/chat/completions',
headers={'Authorization': 'Bearer <token>'},
json={'model': 'gpt-4', 'messages': [{'role': 'user', 'content': prompt}]}
)
return response.json()['choices'][0]['message']['content']
$;-- List Network Rules
SHOW NETWORK RULES IN SCHEMA security;
-- Inspect a Network Rule
DESCRIBE NETWORK RULE security.office_network_rule;
-- Update VALUE_LIST
ALTER NETWORK RULE security.office_network_rule
SET VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24', '192.0.2.0/24');
-- Update the comment
ALTER NETWORK RULE security.office_network_rule
SET COMMENT = 'Tokyo, Osaka, and Fukuoka office IP addresses';
-- Drop a Network Rule
DROP NETWORK RULE security.office_network_rule;
-- Note: a Network Rule referenced by a Network Policy cannot be dropped| Level | Priority | Description |
|---|---|---|
| Security Integration | Highest | Applied to OAuth/SAML connections |
| User | High | Applied to a specific user (overrides the account level) |
| Account | Low | Applied to the entire account (used when no per-user setting exists) |
BLOCKED_NETWORK_RULE_LIST (or BLOCKED_IP_LIST) always takes precedence over ALLOWED_NETWORK_RULE_LIST (or ALLOWED_IP_LIST). If an IP address appears in both the allow list and the block list, it is blocked.
-- Privilege to create Network Rules
GRANT CREATE NETWORK RULE ON SCHEMA security TO ROLE network_admin;
-- Privilege to create Network Policies
GRANT CREATE NETWORK POLICY ON ACCOUNT TO ROLE network_admin;
-- Privilege to apply Network Policy at the account level
GRANT ATTACH POLICY ON ACCOUNT TO ROLE network_admin;
-- User-level application requires OWNERSHIP on the target user
-- or the MANAGE GRANTS privilegeSecurity & Governance
問題 1
You need to call an external REST API (api.example.com:443) from inside a Snowflake UDF. Which object should you create first to allow this external access?
正解: B
To allow outbound (egress) traffic from Snowflake, create a Network Rule with TYPE = HOST_PORT and list the hostname and port. The IPV4 type is for ingress control (user connections to Snowflake). A Network Policy's ALLOWED_IP_LIST is also for ingress. The HOST_PORT Network Rule is then attached to an External Access Integration, which is referenced from the UDF via the EXTERNAL_ACCESS_INTEGRATIONS parameter.
What is the difference between Network Rules and Network Policy?
Network Policy is the traditional IP allow/block list feature that specifies IP addresses directly in ALLOWED_IP_LIST and BLOCKED_IP_LIST. Network Rules manage network identifiers (IPs, hostnames, Private Endpoint IDs, etc.) as reusable schema-level objects, which you then attach to Network Policies. Network Rules let you share the same IP list across multiple Network Policies and control non-IP identifiers (hostnames, Private Link IDs) as well.
When do you use TYPE = HOST_PORT in Network Rules?
The HOST_PORT type controls outbound traffic (External Network Access) from Snowflake. For example, when an External Function or Snowpark Container Services call an external API (such as api.example.com:443), you define the allowed hostnames and ports in a Network Rule. For inbound access control (users connecting to Snowflake), use the IPV4 type instead.
Are Network Rules available in every Snowflake Edition?
Network Rules themselves are available in all Editions. Attaching them to a Network Policy at the account or user level also works in every Edition, but the PRIVATE_HOST_PORT type (egress control for PrivateLink connections) requires Business Critical Edition or higher. IPV4 and HOST_PORT types work in all Editions.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...