
I can't log into snowsql via Windows Command Prompt in order to GET files when connected over my company's VPN. I believe this is a whitelist issue. I've already run Select SYSTEM$WHITELIST(); then SnowCD, and my results are listed below.

What is the IP range for Snowflake?

Thanks!

Performing 33 checks for 13 hosts

Check for 11 hosts failed, display as follow:
==============================================
Host: <redacted>.snowflakecomputing.com
Port: 443
Type: SNOWFLAKE_DEPLOYMENT
Failed Check: Certificate Check
Error: certificate checker timeout
Suggestion: Check your connection to <redacted>.snowflakecomputing.com

==============================================
Host: sfc-ds1-customer-stage.s3.us-west-2.amazonaws.com
Port: 443
Type: STAGE
Failed Check: Certificate Check
Error: certificate checker timeout
Suggestion: Check your connection to sfc-ds1-customer-stage.s3.us-west-2.amazonaws.com

==============================================
Host: sfc-ds1-customer-stage.s3-us-west-2.amazonaws.com
Port: 443
Type: STAGE
Failed Check: Certificate Check
Error: certificate checker timeout
Suggestion: Check your connection to sfc-ds1-customer-stage.s3-us-west-2.amazonaws.com

==============================================
Host: sfc-ds1-customer-stage.s3.amazonaws.com
Port: 443
Type: STAGE
Failed Check: Certificate Check
Error: certificate checker timeout
Suggestion: Check your connection to sfc-ds1-customer-stage.s3.amazonaws.com

==============================================
Host: sfc-snowsql-updates.s3.us-west-2.amazonaws.com
Port: 443
Type: SNOWSQL_REPO
Failed Check: Certificate Check
Error: certificate checker timeout
Suggestion: Check your connection to sfc-snowsql-updates.s3.us-west-2.amazonaws.com

==============================================
Host: ocsp.snowflakecomputing.com
Port: 80
Type: OCSP_CACHE
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

==============================================
Host: ocsp.sca1b.amazontrust.com
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

==============================================
Host: ocsp.rootca1.amazontrust.com
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

==============================================
Host: ocsp.rootg2.amazontrust.com
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

==============================================
Host: o.ss2.us
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

==============================================
Host: ocsp.digicert.com
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: http check timeout
Suggestion: Check the connection to your http host or transparentProxy

Simeon Pilgrim
Speedy
  • check with `snowcd` [snowcd](https://docs.snowflake.com/en/user-guide/snowcd.html#step-1-run-the-system-whitelist-or-system-whitelist-privatelink-function) – PIG May 06 '20 at 19:30

2 Answers


The design of Snowflake's platform takes full advantage of the radical elasticity offered by AWS. The underlying systems which you will communicate to and from both use services offered by AWS that do not have any stable elements. That includes IP addresses. Since many customers wish to restrict the network communications they have with Snowflake, several methods that do not rely on IP addresses have been offered.

So generally, we do not recommend any IP whitelisting. If possible, we recommend using hostnames instead. https://support.snowflake.net/s/article/faq-what-ip-address-range-does-snowflake-use

When using client applications, you will have to ensure the endpoints (output from the system$whitelist function) are whitelisted on the ports which are specified for seamless communication. You will need to open both ports 443 and 80 for specific endpoints. https://docs.snowflake.com/en/user-guide/hostname-whitelist.html#hostname-whitelisting

If IP-only controls are required, I did come across this blog where AWS provides those region-wide IP ranges as a JSON file: https://aws.amazon.com/de/blogs/aws/aws-ip-ranges-json/. This is really the only thing I can think to offer (the IP range from which all of Snowflake's dynamic IPs may come). This amounts to the IPs for an entire AWS region.

Note that these are subject to change and any method using these will need to account for those potential changes. As I mentioned, Snowflake does not recommend this approach. Whenever possible, it is best to whitelist the hostnames/endpoints.

Suzy Lockwood
  • Thank you, Suzy! I'm going to try this first as our current account is a "team" account and none of us (or I guess all of us?) are the admins per Bryan's answer below. Plus I can't find where in the Snowflake Web UI I'd add the IP range. – Speedy May 06 '20 at 21:17
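An added example (not code from either answer or from Snowflake) that works the two recommendations above into a checkable form: it turns SYSTEM$WHITELIST output into hostname/port allow-list rules, and, for the IP-only fallback, filters the AWS ip-ranges.json prefixes for one region and tests an address against them. The host/port/type fields follow the SnowCD report in the question; both data sets are constructed samples, and the prefixes are RFC 5737 documentation addresses, not real AWS ranges.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample shaped like SYSTEM$WHITELIST() output; hosts, ports and
# types mirror the SnowCD report above (the account host is a placeholder).
WHITELIST_JSON = json.dumps([
    {"host": "ACCOUNT.snowflakecomputing.com", "port": 443, "type": "SNOWFLAKE_DEPLOYMENT"},
    {"host": "sfc-ds1-customer-stage.s3.us-west-2.amazonaws.com", "port": 443, "type": "STAGE"},
    {"host": "ocsp.snowflakecomputing.com", "port": 80, "type": "OCSP_CACHE"},
    {"host": "ocsp.digicert.com", "port": 80, "type": "OCSP_RESPONDER"},
])

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Documentation prefixes only; the real file is large and changes over time.
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2020-05-06-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})

def hostname_rules(whitelist_json):
    """Group the endpoints into (host, port) allow-list rules keyed by endpoint type."""
    rules = defaultdict(set)
    for entry in json.loads(whitelist_json):
        rules[entry["type"]].add((entry["host"], int(entry["port"])))
    return {kind: sorted(pairs) for kind, pairs in rules.items()}

def ports_needed(whitelist_json):
    """Distinct egress ports the client needs open (443 for TLS, 80 for OCSP)."""
    return sorted({int(e["port"]) for e in json.loads(whitelist_json)})

def region_prefixes(ip_ranges_json, region, service="AMAZON"):
    """Collapse the published prefixes for one region/service into minimal networks."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in json.loads(ip_ranges_json)["prefixes"]
            if p["region"] == region and p["service"] == service]
    return list(ipaddress.collapse_addresses(nets))

def ip_allowed(ip, prefixes):
    """True if the address falls inside any of the region's published prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)

def ranges_changed(ip_ranges_json, known_sync_token):
    """AWS bumps syncToken when the file changes; a mismatch means IP rules need refreshing."""
    return json.loads(ip_ranges_json)["syncToken"] != known_sync_token
```

Hostname rules come out per endpoint type, so a proxy or firewall can allow the STAGE and OCSP hosts separately; the ranges_changed check is the "subject to change" caveat made mechanical.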

There is some missing information that I think may help us answer your question a little better/easier. You mentioned that you are using SnowCD from Windows Command Prompt. I am assuming you are using this from a computer within your company's network or just from home. Is this correct?

Assuming the above is correct, I would guess that you or someone responsible for your Snowflake account at the "ACCOUNTADMIN" level has defined a Network Policy within Snowflake which has a whitelist and blacklist of IPs. If your IP is not one of those IPs or doesn't fall within the range defined within the whitelist of IPs, you are going to get blocked and get the messages you see from SnowCD. I would figure out what your IP is and then, using the ACCOUNTADMIN role, add the IP and/or range to your Network Policy whitelist.

If you are running a Windows box via an AWS EC2 instance, that changes a little bit in that you are likely going to need to whitelist your AWS VPC outgoing address(es).

I hope this helps. If my assumptions are incorrect, please give me some more detail and I will hopefully be able to help. Thanks!

Bryan
  • That is correct...work computer from home over VPN. I'll access the ACCOUNTADMIN level as you suggest and report back with the result. Thank you, Bryan! – Speedy May 06 '20 at 20:48