snowflake azure private link traffic

Mohammed Thahif BK 341

Hello,

We are trying to enable private link service to integrate Snowflake on Azure with blob service in our subscription. https://docs.snowflake.com/en/user-guide/privatelink-azure

However, need to understand whether this traffic flows via our firewall or does it remains in MS backbone?

1 answer

KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee

2024-03-29T12:55:30.8066667+00:00
@Mohammed Thahif BK ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you please elaborate more about your requirement and environment?

Azure PLS only supports Azure Standard Load Balancer as of now.

See : What is Azure Private Link service?

It is possible that the 3rd party (Snowflake) is exposing their service via a SLB. (I am assuming that you do not have control over the 3rd party's side)

A consumer of the service can only create a Private EndPoint in a VNET in your subscription.

The above PE can only be used for connecting unidirectionally to the 3rd Party service exposed via the PLS.
i.e., PE only supports inbound communication from the resources that are attached to the PE VNET's network (VNET, Peered VNETs and OnPrem networks connected via VPN or ExpressRoute )

So, when you say, "integrate Snowflake on Azure with blob service" - I am afraid I don't understand what you are trying to achieve.

Azure Blob Storage (Storage Account) is a PaaS Service and does not belong to a particular VNET.

So, if your intention is to connect from the 3rd party to the Blob via the PE - this is not feasible.

P.S :

For a connection from a VM (or any resource connected to a VNET) to a PLS via PE always stays within the Microsoft backbone.

Every traffic here is private

Cheers,

Kapil
Please sign in to rate this answer.
Mohammed Thahif BK 341 Reputation points

2024-03-29T16:31:20.3366667+00:00

Thanks @KapilAnanth-MSFT for the response. Azure private link for Snowflake I misunderstood at the first place.

Let me be lil specific.

Our application layer talks to Snowflake on Azure service. Internally Snowflake is configured with something called as external STAGE . This STAGE configuration uses external storage such as customer's blob storage.

I am just trying to understand, when we initiate a Snowflake request, the STAGE operation will need to access blob storage in our subscription.

will this be over the internet or will it go over our firewall?

Regards

Thahif

KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee

2024-04-01T03:40:46.15+00:00

@Mohammed Thahif BK ,

Thanks for the info.

I am sorry, I have limited expertise on Snowflake side and your configuration wrt "external STAGE"

However, a simple Bing search landed me on Snowflake document - Allowing the VNet subnet IDs.

I can only see documents relating to "Service EndPoint"

I could not find any documents with "Private EndPoint"

From my observation, I believe your Snowflake third party is deployed in a Virtual Network that is not managed by you - Let me know if my observation is incorrect.

In this case, where you do not have access to the VNET of the Snowflake, I don't think so you will be able to use a Private EndPoint.

The reason being, a Private EndPoint requires you to

Link the VNET to a Private DNS Zone.

Create a Private EndPoint in the VNET
And since the VNET is a third party managed, I don't think you will be able to perform the above operations.

From the above Snowflake document, I see your third party allows you to extract the VNET/Subnet ID, which you can further use to enable Service EndPoint.

See : How to Grant access from a virtual network.
To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or REST APIs.

NOTE:

The above is for initiating a connection from a VNET(managed by the third party) to a Storage Account.

Not the other way around. i.e., Connections can only be initiated towards Storage Account and not from Storage Account

Naturally, all traffic directly goes from the VNET to the Storage Account using Azure backbone and does not pass through a Firewall/NVA.

In case my observation is incorrect, and you are trying to achieve a different scenario:

Please share the document you are referencing (which talks about using a Private EndPoint)

And share the architecture diagram of your environment/requirement.

Hope this helps.

Cheers,

Kapil
Sign in to comment