Setting Network Policies

This guide details the process of creating and implementing network policies in Snowflake to enhance security by restricting access based on IP addresses. It covers assessing network requirements, crafting a network policy, applying the policy to the account or specific users, and the importance of monitoring and adjusting policies as needed. Emphasizing best practices such as regular reviews and cautious IP range specification, this guide equips organizations with the knowledge to secure their Snowflake instances against unauthorized access effectively.

Network policies in Snowflake are critical for enhancing security by restricting access to Snowflake instances based on IP address filtering. This guide provides a comprehensive overview of creating and applying network policies to prevent unauthorized network access to Snowflake, ensuring that only trusted IP addresses can connect to your Snowflake environment.

Understanding Network Policies in Snowflake

Network policies in Snowflake allow administrators to specify allowed and blocked IP address ranges, controlling access to the Snowflake instance. This capability is essential for protecting your data warehouse from unauthorized access attempts and potential breaches.

Step 1: Assess Your Network Requirements

  • Identify Trusted IP Ranges: Compile a list of trusted IP addresses or ranges that require access to Snowflake. This list may include corporate office IPs, VPN IPs, and any cloud service provider IPs used by your organization.

Step 2: Creating a Network Policy in Snowflake

  1. Log into Snowflake: Use an account with ACCOUNTADMIN privileges.
  2. Navigate to the Policies Area: Access the Network Policies section in the Snowflake UI or use the SQL interface.
  3. Create a New Network Policy: Use the CREATE NETWORK POLICY SQL command to define your policy.

For example:

-- Replace each empty string with a trusted IP address or range from Step 1.
CREATE NETWORK POLICY secure_access_policy
ALLOWED_IP_LIST = ('', '');

This command creates a policy named secure_access_policy that allows access only from IPs within the specified ranges, blocking all others.

Step 3: Applying the Network Policy to Your Account or Users

  • Apply to Account: To enforce the network policy account-wide, use the ALTER ACCOUNT command:

ALTER ACCOUNT SET NETWORK_POLICY = 'secure_access_policy';

  • Apply to Specific Users or Roles: If you prefer to apply the policy to specific users or roles, use the ALTER USER or ALTER ROLE command, respectively:

ALTER USER john_doe SET NETWORK_POLICY = 'secure_access_policy';

Step 4: Monitoring and Adjusting Policies

  • Review Access Logs: Regularly review Snowflake access logs to monitor attempts to access Snowflake from blocked IP addresses.
  • Adjust Policies as Needed: Based on log reviews and changing business needs, adjust your network policies by adding or removing IP addresses or ranges.

Best Practices for Network Policies in Snowflake

  • Regular Reviews: Conduct periodic reviews of your network policies and trusted IP lists to ensure they remain up-to-date with organizational changes.
  • Minimize Broad Ranges: Avoid using overly broad IP ranges that could inadvertently allow access from untrusted sources.
  • Educate Users: Inform users affected by network policies about the restrictions and whom to contact if legitimate access issues arise.
  • Use in Conjunction with Other Security Features: Combine network policies with other Snowflake security features, such as MFA and role-based access control, for layered security.
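
The trusted-IP list from Step 1 can be checked before it goes into CREATE NETWORK POLICY. The following is an added example, not code from this guide or from Snowflake: the function names, the /16 threshold for a "broad" range, and the IPv4-only rule are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import re

BROAD_PREFIX = 16  # assumption: anything wider than a /16 needs manual review

def audit_allowed_ips(entries, admin_ip=None):
    """Validate candidate ALLOWED_IP_LIST entries; return (networks, findings)."""
    networks, findings = [], []
    for raw in entries:
        text = raw.strip()
        try:
            iface = ipaddress.ip_interface(text)
        except ValueError:
            findings.append(f"invalid entry {raw!r}")
            continue
        net = iface.network
        if net.version != 4:  # assumption: the list holds IPv4 entries only
            findings.append(f"not IPv4: {text}")
            continue
        if iface.ip != net.network_address:
            findings.append(f"host bits set: {text} treated as {net}")
        if net.prefixlen < BROAD_PREFIX:
            # Broad ranges are reported and left out until someone approves them.
            findings.append(f"broad range: {net} covers {net.num_addresses} addresses")
            continue
        networks.append(net)
    # Merge overlapping and adjacent ranges so the policy stays short and reviewable.
    networks = list(ipaddress.collapse_addresses(networks))
    if admin_ip is not None:
        addr = ipaddress.ip_address(admin_ip)
        if not any(addr in net for net in networks):
            findings.append(f"admin IP {admin_ip} is not covered by the list")
    return networks, findings

def render_policy_sql(name, networks):
    """Build the CREATE NETWORK POLICY statement from audited networks."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"unsafe policy name: {name!r}")
    if not networks:
        raise ValueError("refusing to render an empty ALLOWED_IP_LIST")
    items = ", ".join(f"'{n.network_address}'" if n.prefixlen == 32 else f"'{n}'" for n in networks)
    return f"CREATE NETWORK POLICY {name}\nALLOWED_IP_LIST = ({items});"

if __name__ == "__main__":
    # Constructed sample input (RFC 5737 documentation ranges plus two bad entries).
    sample = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.7", "203.0.113.9/24", "", "0.0.0.0/0"]
    nets, issues = audit_allowed_ips(sample, admin_ip="198.51.100.7")
    print("\n".join(issues))
    print(render_policy_sql("secure_access_policy", nets))
```

Run it against the candidate list and resolve every finding before executing the generated statement with an administrative role.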

Setting network policies in Snowflake is a straightforward yet powerful mechanism for enhancing the security of your Snowflake instance. By carefully creating, applying, and managing network policies, you can ensure that only authorized IP addresses have access to your data, significantly reducing the risk of unauthorized access and potential data breaches.
