Network policies in Snowflake are a crucial security feature that allows administrators to control which IP addresses can access their Snowflake account. This functionality helps organizations restrict access to trusted network locations and enhance their overall security posture.
Network policies work by defining allowed and blocked IP address ranges using CIDR notation. When configured, Snowflake evaluates incoming connection requests against these policies before granting access. If a user attempts to connect from an IP address that falls outside the allowed ranges or within blocked ranges, the connection is denied.
There are two levels at which network policies can be applied: account level and user level. Account-level network policies apply to all users within the Snowflake account, establishing a baseline security boundary. User-level network policies can be assigned to individual users, providing more granular control when specific users require different access restrictions.
To create a network policy, administrators use the CREATE NETWORK POLICY command, specifying ALLOWED_IP_LIST and optionally BLOCKED_IP_LIST parameters. The blocked list takes precedence over the allowed list, enabling administrators to allow a broad range while excluding specific addresses.
Only users with the SECURITYADMIN role or higher, or those with the CREATE NETWORK POLICY privilege, can create and manage network policies. The ACCOUNTADMIN role is required to activate a network policy at the account level using ALTER ACCOUNT SET NETWORK_POLICY.
Important considerations include ensuring that administrators do not accidentally lock themselves out by misconfiguring IP ranges. Snowflake recommends testing policies thoroughly before activation. Network policies support IPv4 addresses and can be modified or dropped as organizational requirements change.
Network policies complement other Snowflake security features such as multi-factor authentication, SSO integration, and role-based access control, forming a comprehensive defense strategy for protecting sensitive data within your Snowflake environment.
Network Policies in Snowflake: Complete Guide for SnowPro Core Exam
Why Network Policies Are Important
Network policies are a critical security feature in Snowflake that help organizations control who can access their Snowflake account based on where they are connecting from. In today's security-conscious environment, restricting access by IP address is a fundamental layer of defense against unauthorized access, data breaches, and compliance violations. Network policies ensure that even if credentials are compromised, attackers cannot access your Snowflake account from unauthorized locations.
What Are Network Policies?
A network policy is a Snowflake object that defines a list of allowed and blocked IP addresses that can access your Snowflake account. Network policies use two key components:
• ALLOWED_IP_LIST: Specifies IP addresses that ARE permitted to access Snowflake
• BLOCKED_IP_LIST: Specifies IP addresses that are NOT permitted to access Snowflake (used for exceptions within allowed ranges)
Network policies can be applied at two levels:
1. Account Level: Applies to all users in the account
2. User Level: Applies to specific individual users
How Network Policies Work
When a user attempts to connect to Snowflake, the system evaluates their IP address against applicable network policies:
1. First, the ALLOWED_IP_LIST is checked - if the IP is not in this list, access is denied
2. Then, the BLOCKED_IP_LIST is checked - if the IP is in this list, access is denied
3. User-level policies take precedence over account-level policies
Activating at account level: ALTER ACCOUNT SET NETWORK_POLICY = my_policy;
Activating for a specific user: ALTER USER john SET NETWORK_POLICY = my_policy;
Important Considerations
• Only users with SECURITYADMIN role or higher can create and manage network policies
• Only ACCOUNTADMIN can set account-level network policies
• Be careful when setting account-level policies - you could lock yourself out
• CIDR notation is supported for specifying IP ranges
• Network policies work with both classic console and Snowsight
Exam Tips: Answering Questions on Network Policies
1. Remember the hierarchy: User-level network policies override account-level policies. If a user has a specific policy assigned, that policy is evaluated, not the account policy.
2. Know the required roles: SECURITYADMIN can create network policies, but only ACCOUNTADMIN can apply them at the account level. This is a common exam topic.
3. Understand the evaluation order: ALLOWED_IP_LIST is evaluated first, then BLOCKED_IP_LIST. The blocked list is used for creating exceptions within allowed ranges.
4. Remember lockout prevention: Questions may ask about best practices - always ensure your current IP is included before activating a policy.
5. CIDR notation: Be familiar with how IP ranges work. For example, 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255.
6. Scope of application: Network policies affect all connection methods including SnowSQL, connectors, drivers, and the web interface.
7. Watch for tricky scenarios: If asked what happens when both account and user policies exist, the user policy is the one that applies to that specific user.
8. Default behavior: When no network policy exists, all IP addresses are allowed to connect to Snowflake.
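The evaluation rules in "How Network Policies Work" and the exam tips above (allowed list first, then blocked list; user policy replaces account policy; CIDR ranges; lockout prevention; no policy means everyone connects) can be modelled in a few lines. The code below is an added illustration, not Snowflake's own implementation; the policy names, CIDR ranges and addresses are constructed for the example.

```python
"""Model of Snowflake network-policy evaluation as described in this guide.
Added example, not Snowflake code; sample policies and IPs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkPolicy:
    name: str
    allowed_ip_list: list                       # CIDR strings, e.g. "192.168.1.0/24"
    blocked_ip_list: list = field(default_factory=list)

    def _matches(self, ip, cidrs):
        addr = ip_address(ip)
        return any(addr in ip_network(c, strict=False) for c in cidrs)

    def permits(self, ip):
        # Step 1: the address must fall inside some allowed range.
        if not self._matches(ip, self.allowed_ip_list):
            return False
        # Step 2: blocked ranges carve exceptions out of the allowed ranges.
        return not self._matches(ip, self.blocked_ip_list)


def cidr_range(cidr):
    """First and last address covered by a CIDR block (192.168.1.0/24 -> .0 .. .255)."""
    net = ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def connection_allowed(ip, account_policy=None, user_policy=None):
    """A user-level policy, when present, is evaluated instead of the account policy."""
    policy = user_policy if user_policy is not None else account_policy
    if policy is None:            # Default behaviour: no policy, every IP may connect
        return True
    return policy.permits(ip)


def lockout_check(policy, admin_ips):
    """Admin addresses the policy would reject; activate only when this is empty."""
    return [ip for ip in admin_ips if not policy.permits(ip)]


# Constructed sample policies (hypothetical names and ranges).
CORP = NetworkPolicy("corp_policy", ["192.168.1.0/24", "203.0.113.0/24"],
                     blocked_ip_list=["192.168.1.99/32"])
VPN = NetworkPolicy("vpn_only", ["198.51.100.0/24"])

if __name__ == "__main__":
    print(connection_allowed("192.168.1.10", CORP))          # True
    print(connection_allowed("192.168.1.99", CORP))          # False (blocked exception)
    print(connection_allowed("192.168.1.10", CORP, VPN))     # False (user policy wins)
    print(lockout_check(CORP, ["203.0.113.5", "10.0.0.1"]))  # ['10.0.0.1']
```

Run `lockout_check` with the addresses you administer from before issuing ALTER ACCOUNT SET NETWORK_POLICY, which is the lockout-prevention habit tip 4 refers to.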