Snowflake's network security stack rests on four pillars: Network Policy (IP restrictions), Private Link (private connectivity), MFA (multi-factor authentication), and encryption. These topics show up frequently in the Account Access & Security domain (20%) of the SnowPro Core exam.
This article walks through Network Policy SQL examples, a cloud-by-cloud Private Link comparison, how MFA works and how to configure it, and how Snowflake's encryption is structured — all at a practical, production-ready level.
A Network Policy controls access to your Snowflake account based on IP address. It is built from two lists: ALLOWED_IP_LIST (IP addresses that are permitted to connect) and BLOCKED_IP_LIST (IP addresses that are denied).
```sql
-- Create the Network Policy
CREATE OR REPLACE NETWORK POLICY corp_network_policy
ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
BLOCKED_IP_LIST = ('203.0.113.99')
COMMENT = '本社ネットワークからの接続のみ許可';

-- Apply at the account level (affects every user)
ALTER ACCOUNT SET NETWORK_POLICY = corp_network_policy;

-- Apply to a specific user (takes precedence over the account-level policy)
ALTER USER analyst_user SET NETWORK_POLICY = analyst_policy;

-- Inspect the Network Policy
DESCRIBE NETWORK POLICY corp_network_policy;

-- Remove the account-level Network Policy
ALTER ACCOUNT UNSET NETWORK_POLICY;
```

| Configuration | Behavior |
|---|---|
| ALLOWED_IP_LIST only | Only IPs in the list can connect; everything else is blocked |
| BLOCKED_IP_LIST only | IPs in the list are blocked; everything else is allowed |
| Both specified | Only IPs that appear in ALLOWED_IP_LIST and not in BLOCKED_IP_LIST are allowed |
Network Policies can be set at both the account level and the user level, and user-level settings take precedence over account-level settings. This precedence rule comes up often on the SnowPro exam.
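The evaluation rules in the table and the user-over-account precedence, as an added example (not Snowflake's code and not from the original article); the policy class, the sample policies and the `lockout_check` pre-apply guard are all constructed here, and the guard is the programmatic form of the advice to verify your own IP is admitted before applying a policy.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class NetworkPolicy:
    """Local model of a Network Policy (hypothetical, not Snowflake's own code):
    ALLOWED_IP_LIST / BLOCKED_IP_LIST entries are IPv4 addresses or CIDR ranges."""
    name: str
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)

def _in_list(ip: str, entries: List[str]) -> bool:
    """True if ip falls inside any address or CIDR range in entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def is_allowed(ip: str, policy: Optional[NetworkPolicy]) -> bool:
    """Evaluate one policy: no policy -> allow; BLOCKED_IP_LIST always wins;
    a non-empty ALLOWED_IP_LIST admits only listed IPs; otherwise allow."""
    if policy is None:
        return True
    if _in_list(ip, policy.blocked):
        return False
    if policy.allowed:
        return _in_list(ip, policy.allowed)
    return True

def effective_policy(user_policy, account_policy):
    """A user-level policy takes precedence over the account-level policy."""
    return user_policy if user_policy is not None else account_policy

def connection_allowed(ip: str, user_policy, account_policy) -> bool:
    return is_allowed(ip, effective_policy(user_policy, account_policy))

def lockout_check(admin_ip: str, policy: NetworkPolicy) -> bool:
    """Pre-apply guard: raise if the policy would block the admin applying it."""
    if not is_allowed(admin_ip, policy):
        raise ValueError(f"{policy.name} would block {admin_ip}; add it to ALLOWED_IP_LIST")
    return True

# Constructed sample policies mirroring the article's corp_network_policy / analyst_policy.
CORP_POLICY = NetworkPolicy("corp_network_policy",
                            allowed=["203.0.113.0/24", "198.51.100.10"],
                            blocked=["203.0.113.99"])
ANALYST_POLICY = NetworkPolicy("analyst_policy", allowed=["192.0.2.50"])

if __name__ == "__main__":
    lockout_check("203.0.113.10", CORP_POLICY)                   # office range: admin stays in
    print(connection_allowed("203.0.113.99", None, CORP_POLICY))  # False: explicitly blocked
    print(connection_allowed("192.0.2.50", ANALYST_POLICY, CORP_POLICY))  # True: user policy wins
```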
In addition to traditional Network Policies, Snowflake now supports Network Rules. Network Rules go beyond IP addresses and can also control access by VPC endpoint ID, Private Link ID, or hostname. You attach a Network Rule to a Network Policy to use it.
```sql
-- Create a Network Rule (based on an AWS VPC endpoint ID)
-- TYPE = AWSVPCEID is the rule type for VPC endpoint IDs; PRIVATE_HOST_PORT is for host:port entries
CREATE NETWORK RULE vpc_rule
TYPE = AWSVPCEID
VALUE_LIST = ('vpce-0123456789abcdef0')
MODE = INGRESS;

-- Attach the Network Rule to a Network Policy
CREATE NETWORK POLICY advanced_policy
ALLOWED_NETWORK_RULE_LIST = ('vpc_rule');
```

Private Link lets you connect to Snowflake over the cloud provider's private network instead of the public internet. It requires Business Critical Edition or higher.
| Cloud | Service Name | Setup Steps | Endpoint |
|---|---|---|---|
| AWS | AWS PrivateLink | SYSTEM$GET_PRIVATELINK_CONFIG() → Create VPC Endpoint → Configure DNS | VPC Interface Endpoint |
| Azure | Azure Private Link | SYSTEM$GET_PRIVATELINK_CONFIG() → Create Private Endpoint → Private DNS Zone | Private Endpoint |
| GCP | Private Service Connect | SYSTEM$GET_PRIVATELINK_CONFIG() → Create PSC Endpoint → Configure DNS | PSC Endpoint |
```sql
-- Retrieve the Private Link configuration (run as ACCOUNTADMIN)
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

-- Example result (AWS)
-- {
-- "privatelink-account-name": "abc12345.us-east-1.privatelink",
-- "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-...",
-- "privatelink-account-url": "abc12345.us-east-1.privatelink.snowflakecomputing.com"
-- }
```

Snowflake's MFA uses TOTP authentication backed by Duo Security (Cisco). Users can enable MFA from the Snowsight settings screen or with an ALTER USER statement.
```sql
-- Enforce MFA again for a specific user (0 minutes = no bypass window)
ALTER USER admin_user SET MINS_TO_BYPASS_MFA = 0;

-- Require MFA across the whole account
ALTER ACCOUNT SET REQUIRE_MFA = TRUE;

-- Temporarily bypass MFA for 60 minutes (emergency use)
ALTER USER admin_user SET MINS_TO_BYPASS_MFA = 60;
```

Once MFA is enabled, you'll be prompted for a verification code on Snowsight, SnowSQL, and JDBC/ODBC drivers alike. For programmatic connections (ETL jobs and similar), key pair authentication is the recommended approach instead.
| Encryption Layer | Method | Edition |
|---|---|---|
| In-transit encryption | TLS 1.2 or higher | All editions |
| At-rest encryption | AES-256 (Snowflake-managed keys) | All editions |
| Automatic key rotation | Keys rotated automatically every 30 days | Enterprise or higher |
| Tri-Secret Secure | Customer-managed key combined with Snowflake-managed key | Business Critical or higher |
Tri-Secret Secure combines Snowflake's managed encryption key with a customer-managed key held in the cloud provider's KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS). If the customer disables their key, Snowflake's access to the data is also cut off — which is how the model satisfies data sovereignty requirements.
Network Policy
Question 1
Which statement about Snowflake Network Policy is correct?
Answer: C
Snowflake Network Policies can be set at both the account level and the user level, and user-level settings take precedence over account-level settings. A common pattern is to allow only office IPs at the account level, then grant specific remote workers additional IPs at the user level. When ALLOWED_IP_LIST is specified, only IPs on that list can connect, and you can further exclude specific IPs via BLOCKED_IP_LIST. Network Policy applies uniformly to Snowsight (Web UI), SnowSQL, and JDBC/ODBC connections.
Is there a risk of locking myself out when configuring a Network Policy?
Yes. If you set an ALLOWED_IP_LIST on an account-level Network Policy and forget to include your own IP address, every connection — Snowsight (Web UI), SnowSQL, JDBC, and so on — will be blocked, locking you out. The only way back is to contact Snowflake Support and ask them to remove the Network Policy. To prevent this, always include your own IP in the ALLOWED_IP_LIST before applying the policy, and test at the user level on a small scope first before rolling it out account-wide. Policies that use only BLOCKED_IP_LIST carry a much lower lockout risk.
Which Snowflake edition is required to use Private Link?
Private Link (AWS PrivateLink / Azure Private Link / Google Cloud Private Service Connect) requires Business Critical Edition or higher. It is not available on Standard or Enterprise editions. The initial setup requires running the SYSTEM$GET_PRIVATELINK_CONFIG() system function as ACCOUNTADMIN, and you need to configure both the Snowflake side (Private Link settings) and the cloud provider side (VPC endpoint). Note that enabling Private Link does not automatically block the public endpoint, so you should add a Network Policy to restrict public access as well.
Is MFA (multi-factor authentication) mandatory in Snowflake?
As of 2026, Snowflake strongly recommends MFA for every user but does not enable it by default. MFA is particularly recommended for ACCOUNTADMIN users. Account administrators can enforce MFA across the entire account by running ALTER ACCOUNT SET REQUIRE_MFA = TRUE. Snowflake's MFA uses TOTP authentication powered by Duo Security (Cisco), and verification codes are delivered through the Duo Mobile app or SMS. Once MFA is enabled, you'll be prompted for a code on Snowsight, SnowSQL, and JDBC/ODBC drivers alike.
NicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.