Snowflake Azure PrivateLink Implementation

Celestinfo Software Solutions Pvt. Ltd. Feb 03, 2026

Business Critical Edition | Azure (East US 2) | End-to-end: Azure + Snowflake + DNS + Validation

1. Purpose and Scope

This document provides a complete, step-by-step procedure to enable Snowflake PrivateLink on Microsoft Azure for a Snowflake Business Critical account. It includes all required creation steps (Resource Group, VNet, Subnets, Private Endpoint, Private DNS), Snowflake authorization steps, validation tests, common pitfalls, and secure methods to access Snowflake over PrivateLink from a laptop (via Bastion or VPN).

1.1 Target account details

Authoritative Snowflake PrivateLink configuration (output of SYSTEM$GET_PRIVATELINK_CONFIG()):


{
  "privatelink-account-name": "dla03063.east-us-2.privatelink",
  "privatelink-pls-id": "sf-pvlinksvc-azeastus2prodshard2.ffc74fdb-c717-4c57-a041-8a8c52243329.eastus2.azure.privatelinkservice",
  "snowpark-connect-privatelink-url": "*.snowpark.iadzpr.privatelink.snowflakecomputing.com",
  "openflow-privatelink-url": "tvypihz-yca28219.openflow.iadzpr.privatelink.snowflakecomputing.com",
  "app-service-privatelink-url": "*.iadzpr.privatelink.snowflake.app",
  "regionless-snowsight-privatelink-url": "app-tvypihz-yca28219.privatelink.snowflakecomputing.com",
  "external-telemetry-privatelink-url": "tvypihz-yca28219.telemetry.iadzpr.privatelink.snowflakecomputing.com",
  "snowsight-privatelink-url": "app.east-us-2.privatelink.snowflakecomputing.com",
  "regionless-privatelink-ocsp-url": "ocsp.tvypihz-yca28219.privatelink.snowflakecomputing.com",
  "privatelink-account-url": "dla03063.east-us-2.privatelink.snowflakecomputing.com",
  "spcs-registry-privatelink-url": "tvypihz-yca28219.registry.privatelink.snowflakecomputing.com",
  "regionless-privatelink-account-url": "tvypihz-yca28219.privatelink.snowflakecomputing.com",
  "spcs-auth-privatelink-url": "sfc-endpoint-login.iadzpr.privatelink.snowflakecomputing.com",
  "privatelink_ocsp-url": "ocsp.dla03063.east-us-2.privatelink.snowflakecomputing.com"
}
      

1.2 High-level architecture

PrivateLink traffic flow:

  • Client workload (VMs, apps) runs inside an Azure Virtual Network (VNet).
  • Azure Private Endpoint provides a private IP in the VNet that connects to Snowflake’s Azure Private Link Service (PLS).
  • Azure Private DNS resolves Snowflake PrivateLink hostnames (SQL, Snowsight, OCSP, etc.) to the Private Endpoint IP.
  • After validation, Snowflake can optionally be locked down to PrivateLink-only inbound access.

    Client / VM / App
            |
            | (Private DNS)
            v
    .privatelink.snowflakecomputing.com
            |
            v
    Azure Private Endpoint (NIC: 10.x.x.x)
            |
            v
    Snowflake Service (Azure)

2. Prerequisites

2.1 Access and roles

  • Snowflake: ACCOUNTADMIN role (required for SYSTEM$* PrivateLink functions).
  • Azure: permissions to create Resource Groups, VNets, Subnets, Private Endpoints, Private DNS Zones, and to link DNS zones to VNets.

3. Azure Implementation Steps (Create if needed)

    3.1 Create a Resource Group (if you do not already have one)

    • 1. Azure Portal -> Resource groups -> Create.
    • 2. Select the subscription and region (use East US 2 for consistency).
    • 3. Name suggestion: rg-snowflake-privatelink-prod.
    • 4. Review + Create -> Create.

    3.2 Create a Virtual Network (VNet) (if needed)

    • 5. Azure Portal -> Virtual networks -> Create.
    • 6. Basics: select the resource group and region (East US 2).
    • 7. IP Addresses: define an address space (example: 10.0.0.0/16).

  • 8. Create subnets as described below or proceed to create and add subnets after VNet creation.
  • 9. Review + Create -> Create.

    3.3 Create required subnets


    3.3.1 Private Endpoint subnet (mandatory)

  • 10. Open the VNet -> Subnets -> Add subnet.
  • 11. Name: snet-privatelink-snowflake (example).
  • 12. Subnet range (example): 10.0.0.0/24.
  • 13. Disable private endpoint network policies (required for Private Endpoint).
  • 14. Save.

    3.4 Create the Azure Private Endpoint to Snowflake (mandatory)

    Before creating the Private Endpoint, run SYSTEM$GET_PRIVATELINK_CONFIG() in Snowflake and copy the privatelink-pls-id value.

  • 15. Azure Portal -> Private Link -> Private endpoints -> Create.


  • 17. Basics: Resource group, name (example: pe-snowflake-dla03063), Region: East US 2.
  • 18. Resource: choose 'Connect to an Azure resource by resource ID or alias'.


  • 20. Paste privatelink-pls-id into 'Resource ID or alias'.
  • 21. Networking: select VNet and the Private Endpoint subnet (snet-privatelink-snowflake).
  • 22. Review + Create -> Create.

    After creation, capture the Private Endpoint private IP from the associated network interface. In this implementation, the Private Endpoint IP is 10.0.0.4 (example).


    3.5 Create Private DNS zone and link to VNet (mandatory)



  • 23. Azure Portal -> Private DNS zones -> Create.
  • 24. Name: privatelink.snowflakecomputing.com
  • 25. Place in the same resource group (recommended).


  • 27. Open the DNS zone -> Virtual network links -> Add.
  • 28. Link to your VNet (where clients run).
  • 29. Auto-registration: Off.
  • 30. Create

    3.6 Create DNS records for Snowflake PrivateLink hostnames (mandatory)


    All hostnames returned by SYSTEM$GET_PRIVATELINK_CONFIG() that end with snowflakecomputing.com must resolve to the Private Endpoint IP in your VNet. Create A records in the Private DNS zone privatelink.snowflakecomputing.com pointing to 10.0.0.4 (your Private Endpoint IP).




    Important DNS rules:

  • Do not add 0.0.0.0 as an additional IP in any record set.
  • The Azure record set Name must match the left side exactly (it commonly includes '.privatelink').
  • Testing from a laptop or Azure Cloud Shell will not resolve this zone unless your device is connected to the VNet (VPN) or you test from a VM inside the VNet.

4. Snowflake Implementation Steps


    4.1 Retrieve the PrivateLink configuration (source of truth)

    
        USE ROLE ACCOUNTADMIN;
        SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
     

    4.2 Authorize the Azure Private Endpoint in Snowflake

    You need the Azure Private Endpoint resource ID and an Azure access token. From Azure CLI:


    
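        # Resource ID of the Private Endpoint created in section 3.4
        az network private-endpoint show \
        --name pe-snowflake-dla03063 \
        --resource-group <resource-group> \
        --query id -o tsv

        # Access token for the subscription that owns the Private Endpoint
        az account get-access-token --subscription <subscription-id>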
    
     

    Then authorize in Snowflake (ACCOUNTADMIN):


    
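     USE ROLE ACCOUNTADMIN;
     -- <access-token> is the accessToken value returned by az account get-access-token
     SELECT SYSTEM$AUTHORIZE_PRIVATELINK('<private-endpoint-resource-id>', '<access-token>');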
    

    4.3 Verify authorization

    
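    USE ROLE ACCOUNTADMIN;
    -- Same arguments as the authorization call in 4.2
    SELECT SYSTEM$GET_PRIVATELINK('<private-endpoint-resource-id>', '<access-token>');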
    

    4.4 Optional: Enforce PrivateLink-only inbound access

    Run this only after you have validated DNS and connectivity from within the VNet; otherwise you can lock yourself out.


    
    USE ROLE ACCOUNTADMIN;
    SELECT SYSTEM$ENFORCE_PRIVATELINK_ACCESS_ONLY();
    

    Rollback if needed:


    
    USE ROLE ACCOUNTADMIN;
    SELECT SYSTEM$DISABLE_PRIVATELINK_ACCESS_ONLY();
    

5. Validation and Testing


    5.1 Validate DNS resolution (must be done from inside the VNet)


    Use a VM inside vnet-data-prod (or an equivalent workload VNet). Do not test from Azure Cloud Shell or from a laptop on the public internet.


    
    nslookup dla03063.east-us-2.privatelink.snowflakecomputing.com
    nslookup app.east-us-2.privatelink.snowflakecomputing.com
    nslookup ocsp.dla03063.east-us-2.privatelink.snowflakecomputing.com
    

    Expected result: all names resolve to the Private Endpoint private IP (example: 10.0.0.4).
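
The DNS rules from section 3.6 and the resolution test from section 5.1, combined into one script (an added example, not part of the original procedure): it takes the JSON returned by SYSTEM$GET_PRIVATELINK_CONFIG(), resolves every snowflakecomputing.com hostname, and reports any name that does not resolve to exactly the Private Endpoint IP. The function names, the verdict strings and the trimmed SAMPLE_CONFIG are assumptions of this example; run it from a VM inside the VNet.

```python
import ipaddress
import json
import socket

def resolve_a(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_privatelink_dns(config_json, endpoint_ip, resolver=resolve_a):
    """Map each PrivateLink hostname in the config to a verdict string."""
    expected = ipaddress.ip_address(endpoint_ip)
    results = {}
    for host in json.loads(config_json).values():
        # Section 3.6: only names under snowflakecomputing.com need A records.
        if not host.endswith(".snowflakecomputing.com"):
            continue
        if host.startswith("*."):
            results[host] = "SKIPPED wildcard (test a concrete name under it)"
            continue
        answers = [ipaddress.ip_address(a) for a in resolver(host)]
        if not answers:
            results[host] = "FAIL no A record, or zone not linked to this VNet"
        elif any(a.is_unspecified for a in answers):
            results[host] = "FAIL record set contains 0.0.0.0"
        elif any(not a.is_private for a in answers):
            results[host] = "FAIL resolves to a public address (client outside the VNet?)"
        elif answers != [expected]:
            results[host] = "FAIL unexpected private IP " + ", ".join(map(str, answers))
        else:
            results[host] = "OK"
    return results

# Constructed sample: an excerpt of the config shown in section 1.1.
SAMPLE_CONFIG = json.dumps({
    "privatelink-account-url": "dla03063.east-us-2.privatelink.snowflakecomputing.com",
    "privatelink_ocsp-url": "ocsp.dla03063.east-us-2.privatelink.snowflakecomputing.com",
    "snowpark-connect-privatelink-url": "*.snowpark.iadzpr.privatelink.snowflakecomputing.com",
    "app-service-privatelink-url": "*.iadzpr.privatelink.snowflake.app",
})

if __name__ == "__main__":
    # 10.0.0.4 is the example Private Endpoint IP used throughout this document.
    for host, verdict in check_privatelink_dns(SAMPLE_CONFIG, "10.0.0.4").items():
        print(f"{host}: {verdict}")
```

In practice, pass the full JSON from SYSTEM$GET_PRIVATELINK_CONFIG() instead of SAMPLE_CONFIG, and treat any FAIL as a blocker before running the enforcement step in 4.4.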


    5.2 Validate HTTPS and SQL connectivity


    From the VNet VM:


    
    curl -v https://dla03063.east-us-2.privatelink.snowflakecomputing.com
    

    Snowsight (from browser inside the VNet VM):


    
    https://app.east-us-2.privatelink.snowflakecomputing.com
    

    5.3 Client connection strings (when connected via VNet/VPN)


    Use these hostnames from SYSTEM$GET_PRIVATELINK_CONFIG():


  • SQL: dla03063.east-us-2.privatelink.snowflakecomputing.com
  • Snowsight: app.east-us-2.privatelink.snowflakecomputing.com
  • Regionless SQL (optional): tvypihz-yca28219.privatelink.snowflakecomputing.com

6. Rollback steps


    If you enforced PrivateLink-only access too early:


    
    USE ROLE ACCOUNTADMIN;
    SELECT SYSTEM$DISABLE_PRIVATELINK_ACCESS_ONLY();
    

    If you need to revoke an authorized endpoint:


    
    USE ROLE ACCOUNTADMIN;
    -- Same arguments as the authorization call in 4.2
    SELECT SYSTEM$REVOKE_PRIVATELINK('<private-endpoint-resource-id>', '<access-token>');
    
