In Snowflake, network policies enable the restriction of Snowflake account access by specifying blocked and allowed IP addresses for users. Let’s dive in.
Creating a Network Policy
Network policies can be created either in Snowsight, under Admin > Security > + Network Policy, or in SQL, using the CREATE NETWORK POLICY command.
The CREATE NETWORK POLICY command allows the definition of an allow list and/or a block list. Snowflake automatically blocks all IP addresses not included in the allow list, and allows all IP addresses not included in the block list. If an IP address is on both lists, then the block list is applied first, blocking that address.
CREATE [ OR REPLACE ] NETWORK POLICY <name>
[ ALLOWED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
[ BLOCKED_IP_LIST = ( [ '<ip_address>' ] [ , '<ip_address>' , ... ] ) ]
[ COMMENT = '<string_literal>' ]
Currently, Snowflake only supports IPv4 in its network policies, which must be specified using Classless Inter-Domain Routing (CIDR) notation:
<ip_address> <[/prefix_length]>
A role of SECURITYADMIN or higher, or any role granted the global CREATE NETWORK POLICY privilege, can create a network policy. An unlimited number of network policies can be created in an account. Ownership of a network policy can be transferred.
Activating a Network Policy
A network policy is not enabled by default. It needs to be activated at the account or individual user level.
A network policy for an account can be activated either by using Snowsight, Admin > Security > Network Policies > Activate Policy, or in SQL using ALTER ACCOUNT SET NETWORK POLICY = <network_policy_name>.
A network policy for an individual user can only be activated using SQL, using the ALTER USER SET NETWORK POLICY command.
Only one network policy can be activated for a single account and for a single user. If a network policy is activated for both an account and for an individual user, the user-level policy takes precedence.
A user with SECURITYADMIN role, or higher, or a role that has been granted the global ATTACH POLICY privilege can activate a network policy.
To determine whether a network policy is set on your account or for a specific user, execute the SHOW PARAMETERS command.
If you get locked out of your account, it is possible to temporarily bypass a network policy by configuring the user object property MINS_TO_BYPASS_NETWORK_POLICY, which can be viewed by executing DESCRIBE USER, but which is only modifiable by Snowflake itself.
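To make the evaluation rules above concrete (block list checked first, allow list meaning default deny, user-level policy taking precedence over the account-level one), here is a small Python model added to this post. It is not Snowflake code; the policy names and IP addresses are constructed for the illustration.

```python
# Added illustration, not Snowflake's implementation: a model of how a network
# policy decides whether a client IPv4 address may connect, per the rules above:
#   1. the block list is checked first and wins on a match,
#   2. if an allow list is set, anything not on it is blocked,
#   3. a policy activated on the user takes precedence over the account policy.
# Entries are IPv4 addresses or CIDR ranges, as in ALLOWED_IP_LIST / BLOCKED_IP_LIST.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class NetworkPolicy:
    name: str
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)

    @staticmethod
    def _matches(ip: IPv4Address, entries: List[str]) -> bool:
        # strict=False accepts an entry such as '192.0.2.57/24' without rejecting host bits
        return any(ip in IPv4Network(e, strict=False) for e in entries)

    def allows(self, client_ip: str) -> bool:
        ip = IPv4Address(client_ip)            # IPv6 raises: only IPv4 is supported
        if self._matches(ip, self.blocked):    # rule 1: block list applied first
            return False
        if self.allowed:                       # rule 2: an allow list means default deny
            return self._matches(ip, self.allowed)
        return True                            # block-list-only policy: default allow


def effective_policy(account: Optional[NetworkPolicy],
                     user: Optional[NetworkPolicy]) -> Optional[NetworkPolicy]:
    # rule 3: the user-level policy wins when both are activated
    return user if user is not None else account


def may_connect(client_ip: str, account: Optional[NetworkPolicy] = None,
                user: Optional[NetworkPolicy] = None) -> bool:
    policy = effective_policy(account, user)
    return True if policy is None else policy.allows(client_ip)  # no policy: open


# Constructed sample policies (hypothetical names and documentation-range IPs)
ACCOUNT_POLICY = NetworkPolicy("corp_office_only",
                               allowed=["192.0.2.0/24"],
                               blocked=["192.0.2.57"])   # on both lists: blocked
USER_POLICY = NetworkPolicy("svc_etl_only", allowed=["198.51.100.10"])
```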
Network Policies and Replication
Replication, the Snowflake feature that replicates objects and entities across regions and cloud providers, supports network policies. Failover and failback are also supported.
Test your knowledge
Question 1: Which IP versions do network policies support?
A) IPv4
B) IPv6
C) IPv8
D) IPv12
Question 2: Which of these statements about network policies are true? Select all that apply.
A) Replication groups support network policies.
B) Failover and Failback do NOT support network policies.
C) Replication groups do NOT support network policies.
D) Failover and Failback support network policies.
Question 3: An administrator can create <blank> network policies.
A) 10
B) 25
C) 100
D) An unlimited number of
Question 4: IP addresses in network policies are specified in which format?
A) SCIM
B) CIDR
C) CRISP
D) CIRD
Question 5: A network policy can be activated at these levels. Select all that apply.
A) Account level
B) Database level
C) Schema level
D) User level
Question 6: True or false, a network policy can be activated on the account level and on the individual user level without using SQL.
A) True
B) False
Question 7: True or false, you need to be careful when creating a network policy because it is automatically activated and might result in you being locked out of your account.
A) True
B) False
Question 8: It is possible to assign multiple network policies to an account or a specific user at the same time.
A) True
B) False
Question 9: Is it possible to temporarily bypass a network policy?
A) Yes
B) No
Question 10: Is it possible to transfer ownership of a network policy to another role?
A) Yes
B) No
Question 11: What is the requirement for creating network policies? Select all that apply.
A) Users with the SECURITYADMIN role can create network policies
B) Users with the SECURITYADMIN or a higher role can create network policies
C) A role with the global CREATE NETWORK POLICY privilege can create network policies
Question 12: How can you verify whether a network policy has been set on your account or for a specific user using SQL?
A) SHOW NETWORK POLICIES
B) LIST NETWORK POLICIES
C) SHOW PARAMETER LIKE 'network_policy' IN ACCOUNT / USER <username>
Question 13: Which privileges does a role need in order to activate a network policy? Select all that apply.
A) ALTER POLICY
B) ATTACH POLICY
C) OWNERSHIP
Answer Key
Question 1: A) IPv4
Question 2: A and D, both replication groups and failover and failback support network policies.
Question 3: D) An unlimited number of.
Question 4: B) CIDR
Question 5: A and D, Account and User level
Question 6: B) False
Question 7: B) False
Question 8: B) False
Question 9: A) Yes, but you need to contact Snowflake Support.
Question 10: A) Yes
Question 11: A, B, and C
Question 12: C
Question 13: A