Snowflake supports TLS over the public internet by default, but environments with strict compliance requirements — finance, healthcare, and similar — typically demand connectivity over a cloud provider's private backbone. On AWS you use AWS PrivateLink, on Azure Azure Private Link, and on GCP Private Service Connect (PSC) to keep traffic to Snowflake off the public internet and inside the cloud's internal network. Business Critical Edition or higher is required.
| Item | AWS PrivateLink | Azure Private Link | GCP Private Service Connect |
|---|---|---|---|
| Required Edition | Business Critical or higher | Business Critical or higher | Business Critical or higher |
| Snowflake-side enablement | SYSTEM$AUTHORIZE_PRIVATELINK() | SYSTEM$AUTHORIZE_PRIVATELINK() | SYSTEM$AUTHORIZE_PRIVATELINK() |
| Customer-side resource to create | VPC Endpoint (Interface type) | Private Endpoint | PSC Endpoint + Forwarding Rule |
| DNS configuration | Route 53 Private Hosted Zone | Private DNS Zone | Cloud DNS Private Zone |
| DNS CNAME target | <account>.privatelink.snowflakecomputing.com | <account>.privatelink.snowflakecomputing.com | <account>.privatelink.snowflakecomputing.com |
| Private connectivity to stages | Separate S3 VPC Endpoint (Gateway type) | Separate Storage Private Endpoint | Separate GCS Private Service Connect |
| Snowpipe compatibility | Supported | Supported | Supported |
| Region constraint | Same region only | Same region only | Same region only |
-- Step 1: Authorize PrivateLink for the Snowflake account
-- Run as ACCOUNTADMIN
SELECT SYSTEM$AUTHORIZE_PRIVATELINK(
'<aws_account_id>',
'<vpc_endpoint_id>'
);
-- Step 2: Retrieve PrivateLink configuration
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
-- The return value contains VPC Service Name, OCSP URL, etc.
-- Step 3 (AWS Console / CLI):
-- Create an Interface-type VPC Endpoint
-- Service Name: com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxx
-- Specify the VPC and subnets
-- Step 4: Create a Route 53 Private Hosted Zone
-- Zone name: privatelink.snowflakecomputing.com
-- CNAME records:
-- <account_locator> → VPC Endpoint DNS name
-- <orgname>-<account_name> → VPC Endpoint DNS name-- Step 1: Authorize PrivateLink in Snowflake
SELECT SYSTEM$AUTHORIZE_PRIVATELINK(
'<azure_subscription_id>',
'<private_endpoint_resource_id>'
);
-- Step 2: Retrieve configuration
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
-- Step 3 (Azure Portal / CLI):
-- Create a Private Endpoint
-- Resource Type: Microsoft.Snowflake/accounts
-- Target Sub-resource: snowflake
-- Step 4: Private DNS Zone configuration
-- Zone name: privatelink.snowflakecomputing.com
-- A record: <account_locator> → Private Endpoint IP-- Step 1: Authorize PSC in Snowflake
SELECT SYSTEM$AUTHORIZE_PRIVATELINK(
'<gcp_project_id>'
);
-- Step 2: Retrieve configuration (Service Attachment URI, etc.)
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
-- Step 3 (GCP Console / gcloud):
-- Create a PSC Endpoint
-- gcloud compute forwarding-rules create snowflake-psc \
-- --region=<region> \
-- --network=<vpc-name> \
-- --address=<reserved-internal-ip> \
-- --target-service-attachment=<service-attachment-uri>
-- Step 4: Cloud DNS Private Zone configuration
-- Zone name: privatelink.snowflakecomputing.com
-- A record: <account_locator> → reserved internal IP addressSnowflake client drivers check certificate revocation via OCSP (Online Certificate Status Protocol) as part of every TLS handshake. The following considerations apply in PrivateLink environments:
| Mode | Behavior | Mitigation |
|---|---|---|
| Fail-Open (default) | Allows the connection if the OCSP responder is unreachable | No extra action needed, but introduces a security risk |
| Fail-Close | Rejects the connection if the OCSP responder is unreachable | Either allow outbound connectivity to the OCSP responder, or deploy an internal OCSP cache server |
-- Enable PrivateLink access to an Internal Stage
SELECT SYSTEM$AUTHORIZE_STAGE_PRIVATELINK_ACCESS(
'<account_locator>',
'<aws_account_id>'
);
-- AWS: a separate S3 VPC Endpoint (Gateway type) is required
-- Azure: a separate Blob Storage Private Endpoint is required
-- GCP: a separate GCS PSC Endpoint is required
-- Verify stage operations over PrivateLink
PUT file:///tmp/data.csv @~;
GET @~/data.csv file:///tmp/;-- Network Policy that allows traffic over PrivateLink only
CREATE NETWORK POLICY private_only_policy
ALLOWED_IP_LIST = ('<private_endpoint_ip_range>')
BLOCKED_IP_LIST = ('0.0.0.0/0');
-- Apply at the account level
ALTER ACCOUNT SET NETWORK_POLICY = private_only_policy;
-- With this setting, access via the public endpoint
-- is fully blocked.Architecture & Design
問題 1
You have configured AWS PrivateLink for a Business Critical Edition Snowflake account on AWS. The VPC Endpoint and Route 53 Private Hosted Zone are correctly created, but connections from the SnowSQL client are still routed through the public endpoint. Which is the most likely cause?
正解: B
Even with both a VPC Endpoint and a Private Hosted Zone in place, DNS resolution will fall back to public DNS (and the public IP) if the Private Hosted Zone is not associated with the VPC where the SnowSQL client runs. A Route 53 Private Hosted Zone requires an explicit VPC association — without it, PrivateLink DNS name resolution does not work.
After enabling PrivateLink, can the public endpoint still be used to access Snowflake?
Simply enabling PrivateLink does not block access via the public endpoint. To fully block public access, you must configure a Network Policy that only allows the PrivateLink IP ranges. The recommended security design combines the endpoint information returned by SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS() with a Network Policy.
How is the OCSP certificate revocation check handled over PrivateLink connections?
Even over PrivateLink, OCSP checks are required as part of TLS certificate validation. Because access to the OCSP responder traverses the public internet, you must allow outbound HTTPS to the OCSP responder (ocsp.snowflakecomputing.com) even in private-only environments. In fully air-gapped environments, consider using OCSP Fail-Open mode (the default) or hosting an internal OCSP response cache server.
Of the three clouds (AWS / Azure / GCP), which private connectivity method is the easiest to set up?
AWS PrivateLink is relatively simple: just two steps — create a VPC Endpoint and configure DNS. Azure Private Link is similar, requiring a Private Endpoint plus DNS configuration. GCP Private Service Connect is a little more involved because you need a Forwarding Rule plus Cloud DNS, and you must understand GCP-specific concepts like Service Attachment. All three clouds, however, share the same Snowflake-side requirement of running SYSTEM$AUTHORIZE_PRIVATELINK() and SYSTEM$AUTHORIZE_STAGE_PRIVATELINK_ACCESS().
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...