
Network Policy

You can provide configuration to the Snowflake Object Lifecycle Engine (SOLE) for the following network policy operation:

  • Manage the lifecycle of new and existing network policies

Usage

note

We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file. Rather than having a grouped collection of objects, SOLE for Data Products goes for modular, self-describing, and explicit object definition.
Learn more about SOLE for Data Products, currently available as a public preview.

We have also introduced Data products as an extra layer on top of the data product platform capabilities making managing data products easier than ever. Learn more about Data Products, currently available as a private preview.

network_policies:
  <network-policy-name>:
    <configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

Configuration Key | Required/Optional | Data Types and Values | Description
allowed_ip_list | Required | List of String | Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account
blocked_ip_list | Optional | Map/List of String | Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account. The values 0.0.0.0/0 and 0.0.0.0 are not allowed in BLOCKED_IP_LIST.
comment | Optional | String | Specifies a comment for the network policy
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies which objects are allowed to be deleted
environment | Optional | String | Specifies the environment in which the network policy is managed. A regex can be provided as well
manage_mode | Optional | String: all (default), none | Configures which properties of the network policy are managed. See Changing Manage Mode before changing the value.
namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether a prefix, a suffix, or both are added to the network policy name

Examples

This first snippet shows a network policy that allows a single IP address and blocks another single address:

network_policies:
  NETWORK_POLICY_1:
    comment: "test policy 1"
    allowed_ip_list:
      - "212.102.142.146/32"
    blocked_ip_list:
      - "212.102.136.122/32"

The following example shows a network policy that allows multiple addresses and ranges:

network_policies:
  NETWORK_POLICY_2:
    comment: "test policy 2"
    allowed_ip_list:
      - "10.1.1.1/32"
      - "10.2.1.0/24"
      - "10.3.0.1/24"

Attaching network policy to user

To attach a network policy to a user, edit the users.yml file and add the network_policy parameter:

dataops/snowflake/users.yml
users:
  TEST_USER_1:
    first_name: FOO
    last_name: BAR
    network_policy: EXAMPLE_NETWORK_POLICY_1

This configuration works whether EXAMPLE_NETWORK_POLICY_1 is managed through SOLE or was defined directly in Snowflake.

Attaching network policy to account

Attaching a network policy to an account is just as straightforward as it is for attaching it to users.

dataops/snowflake/account.yml
account:
  network_policy: EXAMPLE_NETWORK_POLICY_1
  manage_mode: all
  grants:
    ALL PRIVILEGES:
      - ACCOUNTADMIN

Again, this configuration works whether EXAMPLE_NETWORK_POLICY_1 is managed through SOLE or was defined directly in Snowflake.

warning

To avoid locking yourself or the DataOps pipeline out of your Snowflake account, make sure the network policy's allowed_ip_list includes the address ranges that you and the DataOps runner connect from (and that none of them fall inside blocked_ip_list). Otherwise Snowflake rejects the policy with an error message and the pipeline fails.
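The following pre-flight checker is an added example and is not part of SOLE or DataOps.live. It covers both the parameter rules in the table above and the lockout warning: given the network_policies, users and account configuration as a YAML loader would return it (here a constructed dict shaped like this page's NETWORK_POLICY_2, with an extra blocked entry added to trigger a warning), it validates each entry as an IPv4 CIDR, rejects 0.0.0.0/0 and 0.0.0.0 in blocked_ip_list, flags entries whose host bits are set (the page's "10.3.0.1/24" silently means 10.3.0.0/24), flags blocked entries that lie outside every allowed range, and confirms that the address the pipeline runs from is allowed and not blocked before the account-level policy is applied. The sample config, the runner address and the finding prefixes ERROR/WARN/INFO are assumptions of this example.

```python
"""Pre-flight checks for a SOLE network policy configuration (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's NETWORK_POLICY_2 plus a blocked entry that is
# outside every allowed range, an account attachment and a user attachment.
SAMPLE_CONFIG = {
    "network_policies": {
        "NETWORK_POLICY_2": {
            "comment": "test policy 2",
            "allowed_ip_list": ["10.1.1.1/32", "10.2.1.0/24", "10.3.0.1/24"],
            "blocked_ip_list": ["10.2.1.200/32", "192.0.2.7/32"],
        }
    },
    "account": {"network_policy": "NETWORK_POLICY_2"},
    "users": {"TEST_USER_1": {"network_policy": "EXAMPLE_NETWORK_POLICY_1"}},
}
FORBIDDEN_BLOCKED = ("0.0.0.0/0", "0.0.0.0")


def parse_cidr(entry: str) -> Tuple[ipaddress.IPv4Network, Optional[str]]:
    """Parse one list entry as an IPv4 network. A bare address is treated as /32.
    Host bits set inside a prefix are accepted but reported, since "10.3.0.1/24"
    really denotes 10.3.0.0/24. Raises ValueError for malformed or IPv6 input."""
    net = ipaddress.ip_network(entry, strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{entry}: only IPv4 CIDR entries are supported")
    note = None
    if "/" in entry and ipaddress.ip_address(entry.split("/")[0]) != net.network_address:
        note = f"{entry}: host bits set, normalised to {net}"
    return net, note


def parse_networks(entries) -> List[ipaddress.IPv4Network]:
    """Parse a list leniently; malformed entries are reported by check_policy."""
    nets = []
    for entry in entries or []:
        try:
            nets.append(parse_cidr(entry)[0])
        except ValueError:
            pass
    return nets


def check_policy(name: str, policy: Dict) -> List[str]:
    """Static checks on one network_policies entry: ERROR for what Snowflake
    would reject or what is unsafe, WARN for legal but suspicious values."""
    findings: List[str] = []
    allowed_raw = policy.get("allowed_ip_list") or []
    if not allowed_raw:
        findings.append(f"ERROR {name}: allowed_ip_list is required and must not be empty")
    allowed: List[ipaddress.IPv4Network] = []
    for entry in allowed_raw:
        try:
            net, note = parse_cidr(entry)
        except ValueError as exc:
            findings.append(f"ERROR {name}: allowed_ip_list {exc}")
            continue
        allowed.append(net)
        if note:
            findings.append(f"WARN {name}: allowed_ip_list {note}")
    if any(net.prefixlen == 0 for net in allowed):
        findings.append(f"WARN {name}: allowed_ip_list contains 0.0.0.0/0, every source is allowed")
    for entry in policy.get("blocked_ip_list") or []:
        if entry in FORBIDDEN_BLOCKED:
            findings.append(f"ERROR {name}: {entry} is not allowed in blocked_ip_list")
            continue
        try:
            net, note = parse_cidr(entry)
        except ValueError as exc:
            findings.append(f"ERROR {name}: blocked_ip_list {exc}")
            continue
        if note:
            findings.append(f"WARN {name}: blocked_ip_list {note}")
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"WARN {name}: blocked {net} is outside every allowed range and already denied")
    return findings


def check_lockout(name: str, policy: Dict, runner_ip: str) -> List[str]:
    """The lockout check from the warning: the address the pipeline (and you)
    connect from must be inside allowed_ip_list and outside blocked_ip_list."""
    ip = ipaddress.ip_address(runner_ip)
    allowed = parse_networks(policy.get("allowed_ip_list"))
    blocked = parse_networks([e for e in policy.get("blocked_ip_list") or [] if e not in FORBIDDEN_BLOCKED])
    if not any(ip in net for net in allowed):
        return [f"ERROR {name}: runner address {ip} is not in allowed_ip_list, the pipeline would be locked out"]
    if any(ip in net for net in blocked):
        return [f"ERROR {name}: runner address {ip} is in blocked_ip_list, the pipeline would be locked out"]
    return []


def check_attachments(config: Dict) -> List[str]:
    """Policies referenced from users/account but not defined under
    network_policies are fine if they already exist in Snowflake, so INFO only."""
    defined = set((config.get("network_policies") or {}).keys())
    findings = []
    account_policy = (config.get("account") or {}).get("network_policy")
    if account_policy and account_policy not in defined:
        findings.append(f"INFO account: {account_policy} is not managed here and must already exist in Snowflake")
    for user, spec in (config.get("users") or {}).items():
        pol = (spec or {}).get("network_policy")
        if pol and pol not in defined:
            findings.append(f"INFO user {user}: {pol} is not managed here and must already exist in Snowflake")
    return findings


def preflight(config: Dict, runner_ip: str) -> List[str]:
    """Run all checks; only the account-level policy gets the lockout check,
    because it applies to every connection including the pipeline's own."""
    findings: List[str] = []
    policies = config.get("network_policies") or {}
    for name, policy in policies.items():
        findings += check_policy(name, policy)
    account_policy = (config.get("account") or {}).get("network_policy")
    if account_policy in policies:
        findings += check_lockout(account_policy, policies[account_policy], runner_ip)
    return findings + check_attachments(config)


if __name__ == "__main__":
    for line in preflight(SAMPLE_CONFIG, "10.2.1.50"):
        print(line)
```

Run it as a pipeline step before SOLE applies the configuration and fail the job on any ERROR line; the runner address can come from the CI environment. On the sample above it reports the host-bit warning for 10.3.0.1/24, the redundant blocked 192.0.2.7/32, and that EXAMPLE_NETWORK_POLICY_1 is unmanaged, while a runner at 10.2.1.200 or 203.0.113.9 would turn the lockout check into an ERROR.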