Private Link for Snowflake Connection
urn:js:virtue:aspire:proposal:28.1
TL;DR
All squads MUST use AWS Private Link to connect the AWS Accounts to Snowflake.
Rationale
What is AWS PrivateLink? AWS PrivateLink is an AWS service for creating private VPC endpoints that allow direct, secure connectivity between AWS VPCs without traversing the public Internet. Because Snowflake on AWS is implemented as a VPC, PrivateLink enables creating a highly-secure network between Snowflake and your other AWS VPCs (in the same AWS region), fully protected from unauthorized external access.
In addition, if you have an on-premises environment (e.g. a non-hosted data center), you can choose to use AWS Direct Connect, in conjunction with AWS PrivateLink, to connect all your virtual and physical environments in a single, private network.
PrivateLink is scoped to VPC-to-Snowflake connections, separating user access from back-end data loading. It mitigates our over-reliance on front-edge whitelisting and reduces the number of network and system transitions.
Decision Drivers & Background
- Improve Snowflake integration security
- Simplify administration and control over connections to Snowflake and whitelisting
Considered Options
Option 1 - Implement AWS PrivateLink as the only approved connection method for AWS accounts to Snowflake
Option 2 - Do nothing, and allow all connections via Public Snowflake Addresses
Implications
[option 1] - Implement AWS PrivateLink as the only approved connection method for AWS accounts to Snowflake
- Good, because:
  - Enables RBAC to be combined with whitelisting to ensure that any write requests on ADW_PROD come from an AWS account.
  - Reduced blast radius:
    - P2P from one account, so we can switch off access from one account rather than having to block all of the accounts.
    - When we move to a central proxy rather than VPN, we can block access to the front end from AWS to prevent escalation of privileges via this route.
  - Mitigates the risk of Elastic IP address release.
  - Simplifies the whitelist.
  - Enables user-scoped whitelisting for anyone who needs to access Snowflake from a public IP.
- Bad, because:
  - Requires the Business Critical Snowflake tier.
  - Some configuration is required to set up PrivateLink, but this has been simplified by pre-defined stacks and clear instructions.
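The two security benefits listed above (RBAC combined with whitelisting so that writes on ADW_PROD can only originate from an AWS account, and user-scoped whitelisting for the few people who must connect from a public IP) can be expressed as Snowflake network policies plus role grants. The following is an added example written for this page, not code from the original proposal or from Snowflake. ADW_PROD is the database named in the proposal; the VPC CIDR, schema, role, user and IP values are assumed placeholders.

```sql
-- Added example, not part of the original proposal. ADW_PROD is the database
-- named in the proposal; every other identifier and address below is an
-- assumed placeholder to be replaced with real values.

-- 1. Confirm the account has PrivateLink enabled and note the private URL
--    that AWS workloads must connect to (Business Critical tier required).
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

-- 2. Account-wide default: allow only the private address range of the VPCs
--    that reach Snowflake through the VPC endpoint. Traffic over PrivateLink
--    arrives from the VPC's private IPs, so the public Elastic IPs no longer
--    need to be whitelisted at all.
--    Caveat: Snowflake refuses to set a policy that would lock out the session
--    running the ALTER, so apply this from an address inside the allowed list.
CREATE OR REPLACE NETWORK POLICY privatelink_only
  ALLOWED_IP_LIST = ('10.20.0.0/16')            -- assumed VPC CIDR
  COMMENT = 'Default: reachable only via AWS PrivateLink';
ALTER ACCOUNT SET NETWORK_POLICY = privatelink_only;

-- 3. RBAC half of the control: write privileges on ADW_PROD live only on a
--    loader role that is granted to a service user, never to a human role.
CREATE ROLE IF NOT EXISTS adw_prod_loader;                          -- assumed role name
GRANT USAGE ON DATABASE ADW_PROD TO ROLE adw_prod_loader;
GRANT USAGE ON SCHEMA ADW_PROD.RAW TO ROLE adw_prod_loader;         -- assumed schema
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ADW_PROD.RAW TO ROLE adw_prod_loader;
GRANT INSERT, UPDATE, DELETE ON FUTURE TABLES IN SCHEMA ADW_PROD.RAW TO ROLE adw_prod_loader;

-- Service user for the loading pipeline (authentication, e.g. key pair, is
-- configured separately). It inherits the account policy, so a write must
-- satisfy both the RBAC grant and the PrivateLink-only network policy.
CREATE USER IF NOT EXISTS svc_adw_loader                            -- assumed user name
  DEFAULT_ROLE = adw_prod_loader;
GRANT ROLE adw_prod_loader TO USER svc_adw_loader;

-- 4. User-scoped whitelisting: a named analyst who must connect from a public
--    IP gets a policy set on the user object, which takes precedence over the
--    account policy for that user only. Nobody else gains public access, and
--    this user holds no role with write privileges on ADW_PROD.
CREATE OR REPLACE NETWORK POLICY analyst_home_office
  ALLOWED_IP_LIST = ('203.0.113.42')            -- assumed public IP (TEST-NET-3 range)
  COMMENT = 'User-scoped exception for one analyst';
ALTER USER analyst_one SET NETWORK_POLICY = analyst_home_office;    -- assumed user name

-- 5. Verification: list the policies and confirm which one applies where.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY privatelink_only;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER analyst_one;
```

The point of the design is that neither control is sufficient on its own: the role grant limits which principal may write, and the network policy limits where that principal may connect from, so a leaked service credential used from outside the VPC range is still rejected at the connection stage.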
[option 2] - Do nothing, and allow all connections via Public Snowflake Addresses
All connections to Snowflake would occur via whitelisted public IP addresses.
- Good, because:
  - Don't need to pay for a higher Snowflake account tier for PrivateLink.
- Bad, because:
  - Poorer security model.
  - Possible for IP addresses to be lost or released and allow new owners access to Snowflake (i.e. access from unknown parties).
  - Governance would need more control over each IP connection and thus require us to implement a middle party (further reducing the security rating).
  - Access to Snowflake via Direct Connect could saturate the Bluecoat proxies.
  - Mixes user traffic with large data traffic.
  - Traffic shaping becomes harder.
  - Requires AWS VPCs to have internet gateways when they may not otherwise be necessary (volatile IP address to Snowflake), which also increases the attack surface on the VPC.
Appendix
Migrated from Confluence.
Original author: Graeme Forbes