Network Policies: Snowflake’s First Layer of Security

Snowflake Data Super Hero, Rajiv Gupta, dives into concepts and implementation of Snowflake Network Policies.

Photo by Dan Nelson on Unsplash

In this blog, we are going to see how to set up the first line of defense in Snowflake using network policies. "Network policy" is a familiar term in the security and networking world. It is not the most exciting topic for most people, but it is one of the pillars of a secure setup. It falls under network security and is usually handled by the DBA or administration team responsible for security configuration.

What is Snowflake Network Policy?

A network policy is a simple mechanism that restricts access to your Snowflake account based on the IP address a user connects from. Sounds easy enough?

Snowflake's implementation is very straightforward: you define a policy with a list of allowed IP addresses and, optionally, a list of blocked IP addresses. By default, Snowflake allows every user to connect to the service from any IP address.

To set this up you need the SECURITYADMIN role or higher. At the time of writing, Snowflake only supports IPv4 addresses in network policies (IPv6 is not supported yet).

You can set up a network policy at two levels:

  1. Account level
  2. User level

The account-level use case is easy to understand, but the user-level use case is the more interesting one. Say you have a large organisation with a visualisation team, an ETL team, a data science team and so on. Each team works from certain locations and connects to Snowflake through some kind of service account, and you want to allow each service account to reach Snowflake only from the office network or from a specific set of IP addresses, on a per-account basis. This is where a user-level policy is beneficial: it lets you tie each service account to the hosts it is expected to run from, so a leaked credential is far less useful from anywhere else.

Does Snowflake Network policy support CIDR notation?

Yes, Snowflake supports specifying ranges of IP addresses using CIDR notation.

When you define the IP addresses, you can use CIDR notation to stipulate a range of IPs to be included. For example, 192.168.1.0/24 represents all IP addresses in the range 192.168.1.0 to 192.168.1.255. Keep in mind that Snowflake evaluates the source address as it sees it, so for clients behind NAT or a proxy you must list the public egress address, not the private address of the workstation.

Can we bypass Snowflake Network policy ?

Yes, it is possible to temporarily bypass a network policy for a set number of minutes by configuring the user object property:

MINS_TO_BYPASS_NETWORK_POLICY

This property can only be set by the Snowflake support team on request; you cannot set it yourself with ALTER USER. Treat any such request as a privileged change that should be ticketed and time-boxed, because while it is in effect the user can log in from any IP address.

How to create a Snowflake Network policy?

There are two ways you can do it:

  1. Classic Web UI or Snowsight (the new Web UI).
  2. Command line using SQL.

Below is a snapshot of the classic web UI showing where to navigate to create a network policy.

Account » Policies.

CLI using SQL (sample code below):

Account Level Policy Setup
User Level Policy Setup
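The two setups above, written out as an added SQL example rather than the screenshots from the original post. The policy names, the ETL_SVC user and the IP ranges are placeholders chosen for illustration (the 198.51.100.0/24 and 203.0.113.0/24 ranges are reserved for documentation); substitute the public egress addresses of your own office, VPN and job hosts.

```sql
-- Added example, not the original post's code. Names and IP ranges are
-- placeholders. Run as SECURITYADMIN (or a role holding the global
-- CREATE NETWORK POLICY privilege).
USE ROLE SECURITYADMIN;

-- Account-level policy: allow the office and VPN egress ranges, but deny
-- one host inside the office range. Snowflake checks the blocked list
-- first, so BLOCKED_IP_LIST is the way to carve exceptions out of a CIDR.
CREATE NETWORK POLICY NETWORK_POLICY_ACC
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/26')
  BLOCKED_IP_LIST = ('203.0.113.99')
  COMMENT = 'Office and VPN egress ranges only';

-- Creating a policy does not enforce anything. Activate it for the account.
-- Snowflake refuses this statement if the IP you are currently connecting
-- from would be blocked, which keeps you from locking yourself out.
ALTER ACCOUNT SET NETWORK_POLICY = NETWORK_POLICY_ACC;

-- User-level policy for an ETL service account that only ever runs from
-- one fixed host. This overrides the account-level policy for that user.
CREATE NETWORK POLICY NETWORK_POLICY_ETL
  ALLOWED_IP_LIST = ('198.51.100.17')
  COMMENT = 'ETL_SVC may only log in from the scheduler host';

-- Activating for a user requires OWNERSHIP on both the user and the policy
-- (or a higher role such as SECURITYADMIN).
ALTER USER ETL_SVC SET NETWORK_POLICY = NETWORK_POLICY_ETL;
```

Because activation is a separate step, you can create and review the policy (with DESCRIBE NETWORK POLICY) before anything is enforced. Do not put 0.0.0.0/0 in BLOCKED_IP_LIST: the blocked list is evaluated first, so that blocks everyone, including the allowed ranges.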

How to validate if my network policy has been created ?

You can use the SHOW command below to list all network policies in the account.

SHOW NETWORK POLICIES;

To see the allowed and blocked lists of a specific network policy, use the DESCRIBE command.

DESCRIBE NETWORK POLICY NETWORK_POLICY_ACC;

How to validate if Network policy has set at account level or user level?
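The checks below are an added example, not part of the original post. The active policy is exposed as the NETWORK_POLICY parameter at account and user scope, so SHOW PARAMETERS answers the question; the ETL_SVC user and policy names are placeholders. The last query goes a step further than the question and shows how to spot connections the policy has actually rejected.

```sql
-- Added example; user and policy names are placeholders.
-- Which policy, if any, is active for the whole account?
-- An empty value means no account-level policy is enforced.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

-- Which policy is active for one user? A non-empty value here overrides
-- the account-level policy for that user.
SHOW PARAMETERS LIKE 'network_policy' IN USER ETL_SVC;

-- Inspect the lists of the policy reported above.
DESCRIBE NETWORK POLICY NETWORK_POLICY_ETL;

-- Operational check: failed logins in the last 7 days grouped by user and
-- source IP. Connections rejected by a network policy show up here as
-- failed logins from the offending CLIENT_IP, which is how you notice a
-- misconfigured range or a credential being tried from outside the
-- allowed network. ACCOUNT_USAGE views lag by up to a couple of hours.
SELECT user_name,
       client_ip,
       error_message,
       COUNT(*)             AS attempts,
       MAX(event_timestamp) AS last_attempt
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  is_success = 'NO'
  AND  event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
GROUP  BY user_name, client_ip, error_message
ORDER  BY attempts DESC;
```

Running the two SHOW PARAMETERS statements before and after an ALTER ACCOUNT or ALTER USER is the quickest way to confirm the change took effect; reading the LOGIN_HISTORY query requires a role with access to the SNOWFLAKE database (ACCOUNTADMIN or a role granted the IMPORTED PRIVILEGES on it).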

Things to Remember:

  • Snowflake does not let you activate a network policy that would block the IP address you are currently connecting from. This stops you from locking yourself out.
  • When you create a policy it is not activated by default; you have to activate it explicitly with ALTER ACCOUNT or ALTER USER.
  • Multiple network policies can be created, but only one network policy can be active for the account at a time.
  • A network policy can be applied at the account level as well as the user level. Only one network policy can be active for a given user at a time, but different users in the same account can have different policies.
  • Only a user with the SECURITYADMIN or ACCOUNTADMIN role, or a role with the global CREATE NETWORK POLICY privilege, can create network policies.
  • Snowflake only supports IPv4 addresses at the moment.
  • If a network policy is activated for an individual user, the user-level policy takes precedence over the account-level policy for that user.
  • When a network policy is associated with your account, any restricted users who are already logged in to Snowflake are prevented from executing further queries.
  • Only a role with the OWNERSHIP privilege on both the user and the network policy, or a higher role, can activate a network policy for an individual user.
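Because only one policy can be active per account or per user, changing a policy in production is a lifecycle question: do you edit the active policy in place, or swap in a replacement and drop the old one? The SQL below is an added example (not from the original post) covering both paths plus rollback; the names are placeholders.

```sql
-- Added example; policy and user names are placeholders.
USE ROLE SECURITYADMIN;

-- Path 1: edit the active policy in place. The new lists take effect
-- immediately for new connections; no re-activation is needed. Note that
-- SET replaces the whole list, so repeat the existing entries.
ALTER NETWORK POLICY NETWORK_POLICY_ACC
  SET ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/26', '192.0.2.0/24');

-- Path 2: create a replacement and swap it in. Activating the new policy
-- implicitly replaces the old one, since only one can be active.
CREATE NETWORK POLICY NETWORK_POLICY_ACC_V2
  ALLOWED_IP_LIST = ('203.0.113.0/24', '192.0.2.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = NETWORK_POLICY_ACC_V2;

-- Rollback / cleanup: a policy that is still attached cannot be dropped,
-- so unset it first, then drop it.
ALTER USER ETL_SVC UNSET NETWORK_POLICY;
ALTER ACCOUNT UNSET NETWORK_POLICY;
DROP NETWORK POLICY IF EXISTS NETWORK_POLICY_ACC;
DROP NETWORK POLICY IF EXISTS NETWORK_POLICY_ETL;
```

Whichever path you take, run SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT afterwards and keep in mind that UNSET at the account level reopens the account to every IP address until a new policy is activated.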

Hope this blog helps you get some insight into Snowflake network policies. If you are interested in more details, refer to the Snowflake documentation. Feel free to ask a question in the comment section if you have any doubts. Give a clap if you like the blog. Stay connected to see more such content. Thanks for your support.

You Can Find Me:

Follow me on Medium: https://rajivgupta780184.medium.com/

Subscribe to my YouTube Channel: https://www.youtube.com/c/RajivGuptaEverydayLearning

Follow me on Twitter: https://twitter.com/RAJIVGUPTA780

Connect with me in LinkedIn: https://www.linkedin.com/in/rajiv-gupta-618b0228/

#Keep learning #Keep Sharing #Everyday Learning.
