Snowflake

Snowflake Network Rules: Implementation Guide for the New Network Control Model

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Network Rules is a Snowflake feature that manages network identifiers (IP addresses, hostnames, Private Endpoint IDs, etc.) as reusable schema-level objects. Traditional Network Policies embedded the IP list directly in the policy, but with Network Rules you can define identifiers as independent objects, share them across multiple Network Policies, and apply network control on identifiers other than IP addresses.

Network Rule TYPE Comparison

TYPEVALUE_LIST formatDirectionPurposeEdition requirement
IPV4IPv4 address / CIDRIngress (inbound)Control user access to SnowflakeAll Editions
HOST_PORThostname:portEgress (outbound)Allow Snowflake to call external APIsAll Editions
PRIVATE_HOST_PORTPrivate Endpoint IDEgress (outbound)Control outbound traffic via PrivateLinkBusiness Critical or higher

CREATE NETWORK RULE Syntax

-- IPV4 type: allow access from the corporate network
CREATE NETWORK RULE security.office_network_rule
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  MODE = INGRESS
  COMMENT = 'Office network IP address ranges';

-- IPV4 type: allow access from VPN gateways
CREATE NETWORK RULE security.vpn_network_rule
  TYPE = IPV4
  VALUE_LIST = ('10.0.1.100', '10.0.1.101')
  MODE = INGRESS
  COMMENT = 'VPN gateway IP addresses';

-- HOST_PORT type: allow access to an external API
CREATE NETWORK RULE security.external_api_rule
  TYPE = HOST_PORT
  VALUE_LIST = ('api.example.com:443', 'webhook.example.com:443')
  MODE = EGRESS
  COMMENT = 'External API endpoints for External Functions';

-- PRIVATE_HOST_PORT type: egress via PrivateLink
CREATE NETWORK RULE security.private_api_rule
  TYPE = PRIVATE_HOST_PORT
  VALUE_LIST = ('com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxx')
  MODE = EGRESS
  COMMENT = 'Internal API access via PrivateLink';

Integration with Network Policy

Network Rules do not work on their own. They become effective access control only when attached to a Network Policy. You reference Network Rules from the ALLOWED_NETWORK_RULE_LIST and BLOCKED_NETWORK_RULE_LIST of a Network Policy.

-- Create a Network Policy that uses Network Rules
CREATE NETWORK POLICY corporate_access_policy
  ALLOWED_NETWORK_RULE_LIST = (
    'security.office_network_rule',
    'security.vpn_network_rule'
  )
  BLOCKED_NETWORK_RULE_LIST = ()
  COMMENT = 'Allow access from the office and VPN only';

-- Apply at the account level
ALTER ACCOUNT SET NETWORK_POLICY = corporate_access_policy;

-- Apply to a specific user (overrides the account-level policy)
ALTER USER admin_user SET NETWORK_POLICY = corporate_access_policy;

-- Apply to a Security Integration (controls OAuth/SAML connections)
ALTER SECURITY INTEGRATION my_oauth_integration
  SET NETWORK_POLICY = corporate_access_policy;

Legacy vs. New Approach

-- Legacy Network Policy (specifies IP addresses directly)
CREATE NETWORK POLICY legacy_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  BLOCKED_IP_LIST = ('203.0.113.50');

-- New Network Policy (references Network Rules)
CREATE NETWORK RULE security.corp_ips
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  MODE = INGRESS;

CREATE NETWORK RULE security.blocked_ips
  TYPE = IPV4
  VALUE_LIST = ('203.0.113.50')
  MODE = INGRESS;

CREATE NETWORK POLICY new_policy
  ALLOWED_NETWORK_RULE_LIST = ('security.corp_ips')
  BLOCKED_NETWORK_RULE_LIST = ('security.blocked_ips');

-- Legacy ALLOWED_IP_LIST and ALLOWED_NETWORK_RULE_LIST can be
-- used together in the same Network Policy (evaluated with OR)

External Network Access Integration

Combine HOST_PORT-type Network Rules with an External Access Integration to control external API access from UDFs, stored procedures, and Snowpark Container Services.

-- Network Rule for external API access
CREATE NETWORK RULE security.openai_api_rule
  TYPE = HOST_PORT
  VALUE_LIST = ('api.openai.com:443')
  MODE = EGRESS;

-- Create the External Access Integration
CREATE EXTERNAL ACCESS INTEGRATION openai_access
  ALLOWED_NETWORK_RULES = ('security.openai_api_rule')
  ENABLED = TRUE;

-- Use the External Access Integration inside a UDF
CREATE OR REPLACE FUNCTION call_openai(prompt VARCHAR)
  RETURNS VARCHAR
  LANGUAGE PYTHON
  RUNTIME_VERSION = '3.10'
  EXTERNAL_ACCESS_INTEGRATIONS = (openai_access)
  PACKAGES = ('requests')
  HANDLER = 'handler'
AS $
import requests
def handler(prompt):
    # Only api.openai.com:443 is reachable
    response = requests.post(
        'https://api.openai.com/v1/chat/completions',
        headers={'Authorization': 'Bearer <token>'},
        json={'model': 'gpt-4', 'messages': [{'role': 'user', 'content': prompt}]}
    )
    return response.json()['choices'][0]['message']['content']
$;

Managing Network Rules

-- List Network Rules
SHOW NETWORK RULES IN SCHEMA security;

-- Inspect a Network Rule
DESCRIBE NETWORK RULE security.office_network_rule;

-- Update VALUE_LIST
ALTER NETWORK RULE security.office_network_rule
  SET VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24', '192.0.2.0/24');

-- Update the comment
ALTER NETWORK RULE security.office_network_rule
  SET COMMENT = 'Tokyo, Osaka, and Fukuoka office IP addresses';

-- Drop a Network Rule
DROP NETWORK RULE security.office_network_rule;
-- Note: a Network Rule referenced by a Network Policy cannot be dropped

Evaluation Order and Priority

LevelPriorityDescription
Security IntegrationHighestApplied to OAuth/SAML connections
UserHighApplied to a specific user (overrides the account level)
AccountLowApplied to the entire account (used when no per-user setting exists)

BLOCKED_NETWORK_RULE_LIST (or BLOCKED_IP_LIST) always takes precedence over ALLOWED_NETWORK_RULE_LIST (or ALLOWED_IP_LIST). If an IP address appears in both the allow list and the block list, it is blocked.

Required Privileges

-- Privilege to create Network Rules
GRANT CREATE NETWORK RULE ON SCHEMA security TO ROLE network_admin;

-- Privilege to create Network Policies
GRANT CREATE NETWORK POLICY ON ACCOUNT TO ROLE network_admin;

-- Privilege to apply Network Policy at the account level
GRANT ATTACH POLICY ON ACCOUNT TO ROLE network_admin;

-- User-level application requires OWNERSHIP on the target user
-- or the MANAGE GRANTS privilege

Check with a Sample Question

Security & Governance

問題 1

You need to call an external REST API (api.example.com:443) from inside a Snowflake UDF. Which object should you create first to allow this external access?

  1. A Network Rule with TYPE = IPV4 that lists the IP address of api.example.com
  2. A Network Rule with TYPE = HOST_PORT that lists 'api.example.com:443'
  3. Add the IP address of api.example.com to a Network Policy's ALLOWED_IP_LIST
  4. A Security Integration with TYPE = API_AUTHENTICATION

正解: B

To allow outbound (egress) traffic from Snowflake, create a Network Rule with TYPE = HOST_PORT and list the hostname and port. The IPV4 type is for ingress control (user connections to Snowflake). A Network Policy's ALLOWED_IP_LIST is also for ingress. The HOST_PORT Network Rule is then attached to an External Access Integration, which is referenced from the UDF via the EXTERNAL_ACCESS_INTEGRATIONS parameter.

Frequently Asked Questions

What is the difference between Network Rules and Network Policy?

Network Policy is the traditional IP allow/block list feature that specifies IP addresses directly in ALLOWED_IP_LIST and BLOCKED_IP_LIST. Network Rules manage network identifiers (IPs, hostnames, Private Endpoint IDs, etc.) as reusable schema-level objects, which you then attach to Network Policies. Network Rules let you share the same IP list across multiple Network Policies and control non-IP identifiers (hostnames, Private Link IDs) as well.

When do you use TYPE = HOST_PORT in Network Rules?

The HOST_PORT type controls outbound traffic (External Network Access) from Snowflake. For example, when an External Function or Snowpark Container Services call an external API (such as api.example.com:443), you define the allowed hostnames and ports in a Network Rule. For inbound access control (users connecting to Snowflake), use the IPV4 type instead.

Are Network Rules available in every Snowflake Edition?

Network Rules themselves are available in all Editions. Attaching them to a Network Policy at the account or user level also works in every Edition, but the PRIVATE_HOST_PORT type (egress control for PrivateLink connections) requires Business Critical Edition or higher. IPV4 and HOST_PORT types work in all Editions.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.