Last Updated: 2024-04-16

Background

AWS PrivateLink allows private connectivity between virtual private clouds (VPC), supported AWS services, and on-premises networks. This connection does not expose traffic to the public internet, making it a great choice for data federation across cloud and on-prem networks and other use cases.

Starburst Galaxy extends support for AWS PrivateLink across certain catalogs. This tutorial will guide you through the process needed to configure PrivateLink for Snowflake.

Scope of tutorial

In this tutorial, you will learn how to configure AWS PrivateLink for Snowflake.

Learning objectives

Once you've completed this tutorial, you will be able to:

• Configure AWS PrivateLink for connectivity from Starburst Galaxy to Snowflake.
• Use PrivateLink to securely connect Starburst Galaxy to Snowflake.

Prerequisites

• You need a Starburst Galaxy account to complete this tutorial. Please see Starburst Galaxy: Getting started for instructions on setting up a free account.
• This tutorial comes with a bring your own storage requirement. Before proceeding with this lesson, you must already have an existing Snowflake subscription with a configured database, warehouse, user, and role. Note that PrivateLink configuration in Snowflake requires a Business Critical Edition or higher.

About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.

As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.

Background

If you are configuring PrivateLink for the first time you are encouraged to work with a Starburst technical resource. This individual will work with you to set up the environment needed to complete the tutorial.

Contacting your technical resource

To be assigned this resource, you should reach out to your regular Starburst account team for assistance.

Working together

Once assigned, your Starburst technical resource will work with you to set up an environment where you can complete the tutorial.

Please review the following overview of this process before beginning the tutorial.

Your responsibilities:

• Confirm that you have the required account type and role.
• If you have an existing Active Network Policy, add the Starburst Galaxy CIDR to the allow list.
• Complete the steps that Snowflake requires to authorize PrivateLink and get the PrivateLink configuration.
• Submit a Starburst Galaxy support ticket to request the Starburst Galaxy AWS Account Number and federation token needed to complete the tutorial.
• Starburst support will create VPC endpoints and PrivateLink associations in your Starburst account and notify you when completed.

Background

Understanding the Snowflake PrivateLink architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.

This tutorial also follows a Snowflake user guide on the topic. It is recommended that you consult this documentation before proceeding.

Reference architecture

The following diagram illustrates a PrivateLink connection between the Starburst Galaxy VPC and the Snowflake VPC.

Review the diagram and corresponding notes below for more information.

1. Once the PrivateLink configuration is complete, an endpoint is created in the Starburst Galaxy VPC (Source).
   
   This endpoint connects to a Network Load Balancer located inside an endpoint service situated in the Snowflake VPC (Destination).
   
   This establishes a private connection between Starburst Galaxy and Snowflake, enabling PrivateLink functionality.
2. In this reference architecture, the Starburst Galaxy VPC is the source.
3. In this reference architecture, the Snowflake VPC is the destination.

Background

To enable PrivateLink for Snowflake, a specific Snowflake subscription type is necessary. To proceed with this tutorial, you require Business Critical Edition subscription type or higher. Additionally, you also require access to the ACCOUNTADMIN role to complete the configuration.

This section of the tutorial will walk you through the process needed to verify these requirements. Additionally, you'll check for any existing Active Network Policies. If present, you will add the Galaxy private CIDR to the allow list.

Step 1: Confirm your subscription type

• Sign in to your Snowflake account.
• Using the left-hand navigation menu, select Admin.
• Select Accounts.
• Confirm that your Edition is listed as Business Critical.

Step 2: Switch to the ACCOUNTADMIN role

Now it's time to switch your Snowflake account to the ACCOUNTADMIN role.

• Using the left-hand navigation bar, expand your profile menu.
• Expand the Switch role section by hovering over it.
• Select the ACCOUNTADMIN role.

Step 3: Access Admin security menu

Next, you're going to access the Security section of the admin menu.

This will allow you to check for active and inactive network policies that might block Starburst Galaxy's access to your snowflake environment.

• Using the left-hand navigation menu, select Admin
• Select Security.

Step 4: Check for existing Active Network Policy

Now it's time to investigate the network security policies to check if there are any active policies that might block Starburst Galaxy's access to your Snowflake environment.

There are three different possible scenarios for this step. You are going to confirm which one applies to you and follow the appropriate steps below, depending on your situation.

• Check your policy status.
• Compare your status to each of the three scenarios below.
• Take the appropriate actions for your given scenario.

Scenario 1: Active policy

If you have an Active policy, this will block Starburst Galaxy.

• Proceed to the next section of this tutorial to amend this policy.
• It will show you how to add the Starburst Galaxy private CIDR to this active policy, allowing access.

Scenario 2: No policy

If you have No policies listed, and your account resembles the image below, then you do not have an access policy and do not need to amend anything.

• Skip the next section of this tutorial and continue from there.

Scenario 3: Inactive policy

If you have a policy listed, but its status is marked as inactive, this is also a case where you do not have to amend anything. The inactive policy will not block Starburst Galaxy's access to your Snowflake environment.

• Skip the next section of this tutorial and continue from there.

Background

This section of the tutorial will show you how to add the Starburst Galaxy IP CIDR to an active policy. This will enable Starburst Galaxy to connect to your Snowflake environment. To do this, you will add a new Network Rule to the existing Network Policy.

Step 1: Edit the Network Policy

First, you'll need to edit the existing Network Policy by adding a new Network Rule. You can access the screen to create the new rule via the Network Policy edit screen.

• In the Security menu, locate your policy.
• Expand the options menu for this policy by selecting the ellipses icon.
• Select Edit.
• Select New rule.

Step 2: Create a new Network Rule

Now you're ready to define the new Network Rule that allows Starburst Galaxy to access your Snowflake environment.

To do this, you are going to name the network rule, select a database and schema that will use it, and enable the Starburst Galaxy IP CIDR.

When you have finished, you will return to the Update network policy window.

• In the Network rule name field, enter a name that will help you identify the purpose of the rule.
• Use the drop-down menu to select a database and schema that will use the rule.
  
  For example, we are using the TPCDS_NATIVE database, and SF1000 schema.
• In the Comma-separated identifiers field, add the Starburst Galaxy IP CIDR 172.16.0.0/16.

• Click the Create network rule button.

Step 3: Add the new rule to the policy

You have successfully created the new Network Rule.

Next, you need to add that rule to your active policy.

• In the Update Network policy section, select Select rule.
• Select the rule that you just created.
• Confirm that the new rule has been added to the list.
• Click the Update network policy button.

Background

Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.

Step 1: Request account number and federation token

You are going to use the automated assistant in Starburst Galaxy to open a support ticket and request the Starburst Galaxy AWS account number and federation token.

• Log in to Starburst Galaxy.
• Click the support icon located at the bottom right of the screen.
• Select Chat with technical support.
• Select Submit a Support Ticket.
• The automated assistant will ask you to provide your email address, first name, and last name.
• When you receive the prompt to describe your issue, note that you are configuring AWS PrivateLink for Snowflake and need the Starburst Galaxy AWS account number and federation token. Be sure to also include your preferred Starburst Galaxy PrivateLink connection name.

Step 2: Open a new SQL Worksheet in Snowflake

You're almost finished! Once you've received both the Starburst Galaxy AWS account number and federation token, you can use the information to complete the next few steps.

It's time to authorize PrivateLink within your Snowflake account. You'll begin by opening a new SQL Worksheet.

• Using the left-hand navigation menu, select Projects.
• Select Worksheets.
• Open the new worksheet options menu by clicking the Plus (+) button in the top-right corner of the screen.
• Select SQL Worksheet.

Step 3: Authorize PrivateLink

Now it's time to use the information you gathered from Starburst support. Be sure to have it handy.

• Copy the following SQL command into the Snowflake worksheet.

SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
    'PASTE_ACCOUNT_HERE',
    'PASTE_TOKEN_HERE'
);

• Replace PASTE_ACCOUNT_HERE with the Starburst Galaxy AWS account number.
• Replace PASTE_TOKEN_HERE with the entire federated token that you received from Starburst support. Note: Be careful that you do not overwrite the single quotes.
• Click the Run button.
• If your authorization was successful, you will receive the message: Private link access authorized.

Step 4: Get PrivateLink configuration

This is the final step before you'll be able to use PrivateLink to securely connect Starburst Galaxy to Snowflake. You must retrieve your PrivateLink configuration information and provide it to Starburst support so that they can complete the configuration on their side.

• Run the following command in your Snowflake worksheet:

SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

• Click the results button at the bottom of the worksheet.
• A window will appear in the bottom-right corner. Copy everything in this window.
• Open another support ticket via Starburst Galaxy, and send the PrivateLink configuration that you copied to Starburst support.
• Starburst support will use this information to configure the endpoint in Galaxy.
• Wait for Starburst support to confirm that the PrivateLink configuration is complete.
• You are all set to use PrivateLink!

Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

You're all set! Now you can use PrivateLink to configure access to data in Snowflake.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!