0

We configured Azure Private Link connectivity to Snowflake account. Direct private link URL <accountname>.<region>.privatelink.snowflakecomputing.com works as expected. However our goal to use public URL <accountname>.<region>.azure.snowflakecomputing.com everywhere. It should be resolved via private endpoint in out VPN. We setup A record in Private DNS zone azure.snowflakecomputing.com. This A record point to private endpoint, nslookup <accountname>.<region>.azure.snowflakecomputing.com confirms that:

enter image description here

However it doesn't work. During TLS handshake wrong certificate returned. Checked with openssl:

openssl s_client -showcerts -connect <accountname>.<region>.azure.snowflakecomputing.com:443

returns certificate with CN = *.west-europe.privatelink.snowflakecomputing.com. It looks like snowflake returns certificate based on source IP address but not source site name.

enter image description here

Question: What I did wrong to have desired behaviour ? Does it mean that snowflake doesn't anticipate to use public URL with private endpoint ?

Alezis
  • 2,659
  • 3
  • 27
  • 34

1 Answers1

0

As of today it is not possible. Snowflake doesn't support such usage of Azure Private Link. Our idea was to use the same URL everywhere and route traffic inside our VNET through private endpoint via DNS resolution. It is not possible as of today. Only direct private link URL is using. The same approach works fine for storage accounts: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints

Alezis
  • 2,659
  • 3
  • 27
  • 34