Network Policy
You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with network policy:
- Manage the lifecycle of new and existing network policies
Usage
We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file.
Rather than having a grouped collection of objects, SOLE for Data Products goes for modular, self-describing, and explicit object definition.
Learn more about SOLE for Data Products, currently available as a private preview.
We have also introduced Data products as an extra layer on top of the Dataops.live platform capabilities making managing data products easier than ever. Learn more about Data Products, currently available as a private preview.
- Default Configuration

```yaml
network_policies:
  <network-policy-name>:
    <configuration-key>: <value>
```

- Data Products Configuration

```yaml
- network_policy:
    name: <network-policy-name>
    <configuration-key>: <value>
```
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description
---|---|---|---
allowed_ip_list | Required | String | Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account
blocked_ip_list | Optional | Map/List of String | Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account. Note that the values 0.0.0.0/0 and 0.0.0.0 are not allowed in BLOCKED_IP_LIST.
comment | Optional | String | Specifies a comment for the network policy
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted
environment | Optional | String | Specifies the environment in which the network policy is managed. A regex can be provided as well
manage_mode | Optional | String: all (default), none | Configures what properties to manage for the network policy. See Changing Manage Mode before changing the value.
namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether a prefix, a suffix, or both are to be added to the network policy name
Examples
This first code snippet demonstrates the network policy configuration for a single IP address:

- Default Configuration

```yaml
network_policies:
  NETWORK_POLICY_1:
    comment: "test policy 1"
    allowed_ip_list:
      - "212.102.142.146/32"
    blocked_ip_list:
      - "212.102.136.122/32"
```

- Data Products Configuration

```yaml
- network_policy:
    name: NETWORK_POLICY_1
    comment: "test policy 1"
    allowed_ip_list:
      - "212.102.142.146/32"
    blocked_ip_list:
      - "212.102.136.122/32"
```
The following example shows the network policy configuration for multiple IP address ranges:

- Default Configuration

```yaml
network_policies:
  NETWORK_POLICY_2:
    comment: "test policy 2"
    allowed_ip_list:
      - "10.1.1.1/32"
      - "10.2.1.0/24"
      - "10.3.0.1/24"
```

- Data Products Configuration

```yaml
- network_policy:
    name: NETWORK_POLICY_2
    comment: "test policy 2"
    allowed_ip_list:
      - "10.1.1.1/32"
      - "10.2.1.0/24"
      - "10.3.0.1/24"
```
Attaching a network policy to a user
To attach a network policy to a user, edit the users.yml file and add the network_policy parameter:

- Default Configuration

```yaml
users:
  TEST_USER_1:
    first_name: FOO
    last_name: BAR
    network_policy: EXAMPLE_NETWORK_POLICY_1
```

- Data Products Configuration

```yaml
- user:
    name: TEST_USER_1
    first_name: FOO
    last_name: BAR
    network_policy: rel(network_policy.EXAMPLE_NETWORK_POLICY_1)
```

This configuration works whether you manage EXAMPLE_NETWORK_POLICY_1 through SOLE or have defined the network policy in Snowflake directly.
Attaching a network policy to an account
Attaching a network policy to an account is just as straightforward as attaching it to a user.

- Default Configuration

```yaml
account:
  network_policy: EXAMPLE_NETWORK_POLICY_1
  manage_mode: all
  grants:
    ALL PRIVILEGES:
      - ACCOUNTADMIN
```

- Data Products Configuration

```yaml
- account:
    network_policy: rel(network_policy.EXAMPLE_NETWORK_POLICY_1)
    manage_mode: all
    grants:
      ALL PRIVILEGES:
        - ACCOUNTADMIN
```

Again, this configuration works whether you manage EXAMPLE_NETWORK_POLICY_1 through SOLE or have defined the network policy in Snowflake directly.
To avoid locking yourself or DataOps out of your Snowflake account, remember that the network policy must include your IP address range in allowed_ip_list. Otherwise, Snowflake returns an error and the pipeline fails.
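A pre-flight check for the parameter rules and the lock-out caveat above, as an added example that is not part of the SOLE documentation or tooling: it takes the already-parsed YAML (both the Default and the Data Products shape), validates every entry as IPv4 CIDR, flags 0.0.0.0/0 and 0.0.0.0 in blocked_ip_list, and reports any runner IP that the policy would lock out. The sample config and the runner IPs are constructed for illustration.

```python
import ipaddress

# Constructed sample: NETWORK_POLICY_2 from above (Default Configuration
# shape) plus a blocked_ip_list entry that Snowflake rejects.
SAMPLE_CONFIG = {
    "network_policies": {
        "NETWORK_POLICY_2": {
            "comment": "test policy 2",
            "allowed_ip_list": ["10.1.1.1/32", "10.2.1.0/24", "10.3.0.1/24"],
            "blocked_ip_list": ["0.0.0.0/0"],
        }
    }
}

FORBIDDEN_BLOCKS = {"0.0.0.0/0", "0.0.0.0/32"}  # "0.0.0.0" normalises to /32


def iter_policies(config):
    """Yield (name, policy) from either configuration shape on this page."""
    if isinstance(config, dict):  # Default: network_policies: {NAME: {...}}
        yield from (config.get("network_policies") or {}).items()
        return
    for item in config:  # Data Products: list of {network_policy: {...}}
        policy = dict(item["network_policy"])
        yield policy.pop("name"), policy


def parse_list(name, key, entries, findings):
    """Parse one IP list, recording invalid and forbidden entries."""
    nets = []
    for entry in entries or []:
        try:
            # strict=False accepts host bits, as in "10.3.0.1/24" above
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append(f"{name}: {key} entry {entry!r} is not an IPv4 CIDR")
            continue
        if key == "blocked_ip_list" and str(net) in FORBIDDEN_BLOCKS:
            findings.append(f"{name}: {entry!r} is not allowed in blocked_ip_list")
            continue
        nets.append(net)
    return nets


def check_config(config, runner_ips):
    """Return findings that would fail the pipeline or lock the runner out."""
    findings = []
    for name, policy in iter_policies(config):
        if "allowed_ip_list" not in policy:
            findings.append(f"{name}: allowed_ip_list is required")
        allowed = parse_list(name, "allowed_ip_list", policy.get("allowed_ip_list"), findings)
        blocked = parse_list(name, "blocked_ip_list", policy.get("blocked_ip_list"), findings)
        for ip in map(ipaddress.IPv4Address, runner_ips):
            # Snowflake applies blocked_ip_list before allowed_ip_list
            if any(ip in n for n in blocked) or not any(ip in n for n in allowed):
                findings.append(f"{name}: {ip} would be locked out")
    return findings
```

Run it against the runner's egress address before `sole` applies the config; an empty result means the policy is syntactically acceptable to Snowflake and still lets the runner in.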