This article was written by Vikas Jain and originally appeared on the Snowflake Blog here: https://www.snowflake.com/blog/snowflake-announces-support-for-google-cloud-private-service-connect/
Snowflake was architected with cross-cloud security built into its core, providing multiple layers of robust protection from network access, to authentication and access control, to data protection using encryption (for more details on Snowflake security, check out the on-demand session from Snowflake Summit). For the most-regulated customers around the world, enabling private connectivity is a critical first line of defense. Through native integrations with AWS PrivateLink and Azure Private Link, Snowflake makes this easy to configure regardless of cloud or region. And now, on the heels of Google Cloud announcing general availability of the Google Cloud Private Service Connect , we’re happy to announce general availability of Private Service Connect integration for Snowflake customers who use Google Cloud.
With this integration, Snowflake accounts are accessible over private IP addresses from a customer’s network, similar to other applications running on their network, while keeping the data flow private on Google Cloud’s secure network. Private Service Connect ensures one-way connectivity from a customer’s virtual private cloud (VPC) into Snowflake, and the data never traverses the public internet (as shown in Figure 1), which significantly reduces exposure to common security threats. In addition to enhancing the security posture, the Private Service Connect
integration simplifies the network topology.
“We are excited that companies like Snowflake with strong requirements in security and performance are choosing Private Service Connect to deliver their services natively on Google Cloud. With Snowflake and Private Service Connect, customers can access their data seamlessly, securely and fast.”
—Pierre Ettori, Cloud Networking Product Management, Google Cloud
How Does It Work?
Snowflake on Google Cloud exposes the Private Service Connect service attachment. The customer creates a forwarding rule in the VPC for this service attachment. Then, Snowflake appears as a resource with a private IP address in the customer’s VPC.
Figure 1: Private Service Connect ensures one-way connectivity from a customer’s VPC into Snowflake, and the data never traverses the public internet.
Here are a few best practices for using this feature.
#1: Accessing Snowflake from an on-premises system or another Google Cloud region
Since Private Service Connect is currently available for connections in the same Google Cloud region only (that is, the customer and Snowflake VPCs must be in the same region, such as us-central-1), to access Snowflake from an on-premises system or another Google Cloud region, you can use the proxy-based workaround. One such proxy option, shown in Figure 2, uses source and destination network address translation (NAT) applied by virtual machine–based NAT gateways behind a layer 4 (L4) internal load balancer with global access enabled. Contact your Google Cloud representative for a full list of available workarounds and your environment-specific recommendation.
Figure 2: Proxy option
#2 DNS setup
While you can use any custom Domain Name Service (DNS) to resolve Snowflake URLs, for ease of setup, use the Google Cloud Cloud DNS service where possible. If you want to access Snowflake from an on-premises network, you can set up DNS forwarding rules for *.privatelink.snowflakecomputing.com in your on-premises DNS.
#3 Blocking public access to your Snowflake account
Once you’ve set up Private Service Connect with your Snowflake account, you can block public endpoint access to your Snowflake account by setting up a network policy in Snowflake and adding your private network IP range to the allowed list. The client IP address used by the network policy is propagated by Private Service Connect to Snowflake using the TCP proxy protocol v2 (PPv2).
#4 Allowing third-party tools running outside of the customer network to connect to Snowflake
Once you’ve set up Private Service Connect with Snowflake and have blocked public access, you can’t connect third-party tools running outside of your network to Snowflake. If you’d like to allow such tools to connect to Snowflake, create a user-level network policy in Snowflake for the user(s) who will be connecting from such third-party tools. Or, if the third-party tools use OAuth, then set up a network policy at the OAuth integration level.
You can start using Google Cloud Private Service Connect integration today to evaluate the benefits of private connectivity with your Snowflake account. You can learn more about Google Cloud Private Service Connect in the Snowflake documentation. Please share your feedback or request enhancements through the Snowflake Community portal.