
Satori Connectivity to Snowflake

For Satori to work properly, the data access controller needs to be able to connect to your Snowflake account. By default, Snowflake accepts connections from any IP address or network, but organizations can limit that access based on their security policies. The following sections discuss how to configure Satori and Snowflake in cases where network controls are enforced on the Snowflake account.

Setting a Network Policy for the Satori DAC on Snowflake

To allow Satori to connect to your Snowflake account, follow these steps:

  1. Go to the Satori management console.
  2. In the Data Stores view, select the Snowflake data store for your Snowflake account.
  3. Go to the Settings view, and copy the Satori IP address of the data access controller from the Data Store Summary section.
  4. Log in to your Snowflake account directly using the *.snowflakecomputing.com hostname.
  5. Make sure you are using the ACCOUNTADMIN role.
  6. Go to Account and select the Policies view.
  7. Create a new policy or update an existing one and allow access to the Satori IP address copied previously.

For more details see the Snowflake documentation.

Satori and Snowflake Private Network Connectivity

By default, Snowflake accounts are only accessible via the public internet. This means that the network path used by clients to connect to Snowflake traverses the public internet, even if the client is hosted in the same region as the Snowflake account. Snowflake provides private connectivity to the Snowflake account by utilizing the cloud provider's private link service. To set up the private link service, organizations need to provide Snowflake with the VPC IDs that they wish to privately connect to each Snowflake account. For more details see the Snowflake documentation.

It is strongly advised to include your Satori account team when planning infrastructure-related changes.

The following diagram provides a cloud-agnostic description of how Satori connects to Snowflake via private connectivity:

[Diagram: Satori to Snowflake private connectivity]

To enable Satori to connect to Snowflake using the private link, the following high-level steps need to be followed:

  1. Ensure that the VPC that Satori is deployed in is allowed to connect to the Snowflake account. For customer-hosted DACs, follow the Snowflake documentation to register the VPC ID. For SaaS DACs, contact Satori support to get the VPC ID for the specific Satori DACs.
  2. Ensure that all subdomains of the Snowflake private link DNS zone point to the private link interface within the network the DAC is deployed in. For example, in AWS, add the following record to the private DNS zone: * CNAME xxxxxxxx.vpce.amazonaws.com and in Azure: * A <Private Endpoint IP Address>.
  3. When adding a new data store, ensure that the Satori data store points to the private link DNS zone. For example: abc123.us-west-2.privatelink.snowflakecomputing.com. When changing an existing data store, open a support ticket to request to change the original hostname of the data store.
  4. Data consumers keep using the Satori hostname to connect to Snowflake via Satori regardless of the private link connectivity setup. For example: abc123.us-west-1.a.p0.satoricyber.net.
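
A check for steps 2 and 3 above, meant to be run from the network the DAC is deployed in. It is an added example, not part of the Satori or Snowflake documentation. It confirms that the data store hostname is in the private link zone and that both it and a probe label resolve only to private addresses. The RFC 1918 ranges, the probe label and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import socket

PRIVATELINK_ZONE = "privatelink.snowflakecomputing.com"
# Assumption: the private endpoint sits in RFC 1918 space; adjust to your VPC/VNet.
EXPECTED_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed label used to test the wildcard record required in step 2.
PROBE = "wildcard-probe." + PRIVATELINK_ZONE

def system_resolve(name):
    """Resolve with the local resolver; run this from the DAC's network."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_privatelink(hostname, resolve=system_resolve, nets=EXPECTED_NETS):
    """Return a list of problems; an empty list means the check passed."""
    host = hostname.rstrip(".").lower()
    if not host.endswith("." + PRIVATELINK_ZONE):
        return [f"{host}: not under {PRIVATELINK_ZONE}"]
    problems = []
    for name in (host, PROBE):
        try:
            addrs = resolve(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"{name}: resolution failed ({exc})")
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                problems.append(f"{name}: {addr} is outside the expected ranges")
    return problems

def table_resolver(table):
    """Offline resolver backed by a dict, for the constructed samples below."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(socket.EAI_NONAME, "name not found")
        return table[name]
    return resolve

HOST = "abc123.us-west-2.privatelink.snowflakecomputing.com"
# Constructed answers: a correct wildcard zone, and a view that leaks to a public IP.
GOOD_VIEW = {HOST: ["10.20.1.15"], PROBE: ["10.20.1.15"]}
LEAKY_VIEW = {HOST: ["198.51.100.7"]}

if __name__ == "__main__":
    for label, view in (("good", GOOD_VIEW), ("leaky", LEAKY_VIEW)):
        print(label, check_privatelink(HOST, table_resolver(view)))
```

Calling check_privatelink(hostname) with no resolver argument uses the machine's own DNS, which is the view that matters when the script runs inside the DAC's network.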