Last Updated: 2024-04-16


AWS PrivateLink allows private connectivity between virtual private clouds (VPCs), supported AWS services, and on-premises networks. This connection does not expose traffic to the public internet, making it a great choice for data federation across cloud and on-prem networks and other use cases.

Starburst Galaxy extends support for AWS PrivateLink across certain catalogs. This tutorial will guide you through the process needed to configure PrivateLink for Snowflake.

Scope of tutorial

In this tutorial, you will learn how to configure AWS PrivateLink for Snowflake.

Learning objectives

Once you've completed this tutorial, you will be able to:


About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.

As you navigate through the tutorial, you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.


If you are configuring PrivateLink for the first time, you are encouraged to work with a Starburst technical resource. This individual will work with you to set up the environment needed to complete the tutorial.

Contacting your technical resource

To be assigned this resource, you should reach out to your regular Starburst account team for assistance.

Working together

Once assigned, your Starburst technical resource will work with you to set up an environment where you can complete the tutorial.

Please review the following overview of this process before beginning the tutorial.

Your responsibilities:


Understanding the Snowflake PrivateLink architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.

This tutorial also follows a Snowflake user guide on the topic. It is recommended that you consult this documentation before proceeding.

Reference architecture

The following diagram illustrates a PrivateLink connection between the Starburst Galaxy VPC and the Snowflake VPC.

Review the diagram and corresponding notes below for more information.

  1. Once the PrivateLink configuration is complete, an endpoint is created in the Starburst Galaxy VPC (Source).

    This endpoint connects to a Network Load Balancer located inside an endpoint service situated in the Snowflake VPC (Destination).

    This establishes a private connection between Starburst Galaxy and Snowflake, enabling PrivateLink functionality.
  2. In this reference architecture, the Starburst Galaxy VPC is the source.
  3. In this reference architecture, the Snowflake VPC is the destination.


To enable PrivateLink for Snowflake, a specific Snowflake subscription type is necessary. To proceed with this tutorial, you require a Business Critical Edition subscription or higher. You also require access to the ACCOUNTADMIN role to complete the configuration.

This section of the tutorial will walk you through the process needed to verify these requirements. Additionally, you'll check for any existing Active Network Policies. If present, you will add the Galaxy private CIDR to the allow list.

Step 1: Confirm your subscription type

Step 2: Switch to the ACCOUNTADMIN role

Now it's time to switch your Snowflake account to the ACCOUNTADMIN role.

Step 3: Access Admin security menu

Next, you're going to access the Security section of the admin menu.

This will allow you to check for active and inactive network policies that might block Starburst Galaxy's access to your Snowflake environment.

Step 4: Check for existing Active Network Policy

Now it's time to investigate the network security policies to check if there are any active policies that might block Starburst Galaxy's access to your Snowflake environment.

There are three different possible scenarios for this step. You are going to confirm which one applies to you and follow the appropriate steps below, depending on your situation.

Scenario 1: Active policy

If you have an Active policy, this will block Starburst Galaxy.

Scenario 2: No policy

If you have No policies listed, and your account resembles the image below, then you do not have an access policy and do not need to amend anything.

Scenario 3: Inactive policy

If you have a policy listed, but its status is marked as inactive, this is also a case where you do not have to amend anything. The inactive policy will not block Starburst Galaxy's access to your Snowflake environment.


This section of the tutorial will show you how to add the Starburst Galaxy IP CIDR to an active policy. This will enable Starburst Galaxy to connect to your Snowflake environment. To do this, you will add a new Network Rule to the existing Network Policy.

Step 1: Edit the Network Policy

First, you'll need to edit the existing Network Policy by adding a new Network Rule. You can access the screen to create the new rule via the Network Policy edit screen.

Step 2: Create a new Network Rule

Now you're ready to define the new Network Rule that allows Starburst Galaxy to access your Snowflake environment.

To do this, you are going to name the network rule, select a database and schema that will use it, and enable the Starburst Galaxy IP CIDR.

When you have finished, you will return to the Update network policy window.

Step 3: Add the new rule to the policy

You have successfully created the new Network Rule.

Next, you need to add that rule to your active policy.
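
The policy check and the rule change described above can also be done from a SQL worksheet instead of the admin screens. The following is an added example, not part of the original tutorial; the policy name, database, schema, rule name, and CIDR value are hypothetical placeholders that you replace with your own.

```sql
-- Added example: names and the CIDR below are placeholders, not values from the tutorial.
USE ROLE ACCOUNTADMIN;

-- Shows the network policy activated for the account, if any.
-- An empty "value" column means no policy is activated at the account level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Lists every network policy defined in the account, activated or not.
SHOW NETWORK POLICIES;

-- Record the current allowed and blocked lists before changing anything.
-- "existing_policy" is a placeholder for the name of your active policy.
DESCRIBE NETWORK POLICY existing_policy;

-- Create an ingress rule that contains only the Starburst Galaxy private CIDR.
-- Replace the placeholder with the CIDR you were given; keep the range as
-- narrow as possible rather than allowing a wider private block.
CREATE NETWORK RULE my_db.my_schema.allow_starburst_galaxy
  TYPE = IPV4
  VALUE_LIST = ('<galaxy-private-cidr>')
  MODE = INGRESS
  COMMENT = 'Ingress from the Starburst Galaxy private CIDR over PrivateLink';

-- ADD appends the rule to the policy's existing allow list.
-- SET ALLOWED_NETWORK_RULE_LIST would replace the whole list and could
-- lock out clients that the policy allows today.
ALTER NETWORK POLICY existing_policy
  ADD ALLOWED_NETWORK_RULE_LIST = 'my_db.my_schema.allow_starburst_galaxy';

-- Confirm the new rule is listed alongside the rules that were already there.
DESCRIBE NETWORK POLICY existing_policy;
```

Comparing the two `DESCRIBE` outputs gives you a before-and-after record of the allow list for change review.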


Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.

Step 1: Request account number and federation token

You are going to use the automated assistant in Starburst Galaxy to open a support ticket and request the Starburst Galaxy AWS account number and federation token.

Step 2: Open a new SQL Worksheet in Snowflake

You're almost finished! Once you've received both the Starburst Galaxy AWS account number and federation token, you can use the information to complete the next few steps.

It's time to authorize PrivateLink within your Snowflake account. You'll begin by opening a new SQL Worksheet.

Step 3: Authorize PrivateLink

Now it's time to use the information you gathered from Starburst support. Be sure to have it handy.


Step 4: Get PrivateLink configuration

This is the final step before you'll be able to use PrivateLink to securely connect Starburst Galaxy to Snowflake. You must retrieve your PrivateLink configuration information and provide it to Starburst support so that they can complete the configuration on their side.
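
The authorization and configuration retrieval in Steps 3 and 4, written as worksheet statements. This is an added example, not part of the original tutorial; it uses Snowflake's PrivateLink system functions, and the account number and token are placeholders for the values you received from Starburst support.

```sql
-- Added example: both argument values are placeholders.
USE ROLE ACCOUNTADMIN;

-- Record which AWS accounts are already authorized before making a change.
SELECT SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS();

-- Step 3: authorize the Starburst Galaxy AWS account for PrivateLink.
-- The federation token is a temporary AWS credential; run this in a private
-- worksheet and do not leave the token in a shared or saved worksheet.
SELECT SYSTEM$AUTHORIZE_PRIVATELINK(
  '<starburst-galaxy-aws-account-number>',
  '<federation-token>'
);

-- Confirm that the Starburst Galaxy account now appears in the authorized list
-- and that no unexpected account is present.
SELECT SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS();

-- Step 4: retrieve the PrivateLink configuration to send to Starburst support.
-- FLATTEN turns the returned JSON document into one row per key.
SELECT key, value
FROM TABLE(FLATTEN(input => PARSE_JSON(SYSTEM$GET_PRIVATELINK_CONFIG())));
```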


Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

You're all set! Now you can use PrivateLink to configure access to data in Snowflake.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
