Skip to main content

Configuring Snowflake PrivateLink

Limited to certain Enterprise tiers

The PrivateLink feature is available on the following dbt Cloud Enterprise tiers:

  • Business Critical
  • Virtual Private

To learn more about these tiers, contact us at sales@getdbt.com.

The following steps will walk you through the setup of a Snowflake AWS PrivateLink endpoint in the dbt Cloud multi-tenant environment.

Snowflake SSO with PrivateLink

Users connecting to Snowflake using SSO over a PrivateLink connection from dbt Cloud will also require access to a PrivateLink endpoint from their local workstation.

Currently, for any given Snowflake account, SSO works with only one account URL at a time: either the public account URL or the URL associated with the private connectivity service.

  1. Open a Support case with Snowflake to allow access from the dbt Cloud AWS account
  • Snowflake prefers that the account owner opens the Support case directly, rather than dbt Labs acting on their behalf. For more information, refer to Snowflake's knowledge base article
  • Provide them with your dbt Cloud account ID along with any other information requested in the article.
    • AWS account ID: 346425330055 - NOTE: This account ID only applies to dbt Cloud Multi-Tenant environments. For Virtual Private/Single-Tenant account IDs please contact Support.
  • You will need to have ACCOUNTADMIN access to the Snowflake instance to submit a Support request.
Open snowflake caseOpen snowflake case

  1. After Snowflake has granted the requested access, run the Snowflake system function SYSTEM$GET_PRIVATELINK_CONFIG and copy the output.

  2. Add the required information to the template below, and submit your request to dbt Support:

Subject: New Multi-Tenant PrivateLink Request
- Type: Snowflake
- SYSTEM$GET_PRIVATELINK_CONFIG output:
- *Use privatelink-account-url or regionless-privatelink-account-url?: 
- dbt Cloud multi-tenant environment (US, EMEA, AU):

*By default dbt Cloud will be configured to use privatelink-account-url from the provided SYSTEM$GET_PRIVATELINK_CONFIG as the PrivateLink endpoint. Upon request, regionless-privatelink-account-url can be used instead.

dbt Labs will work on your behalf to complete the PrivateLink setup. Please allow 3-5 business days for this process to complete. Support will contact you when the endpoint is available.

Create Connection in dbt Cloud

Once dbt Cloud support completes the configuration, you can start creating new connections using PrivateLink.

  1. Navigate to SettingsCreate new project → select Snowflake.
  2. You will see two radio buttons: Public and Private. Select Private.
  3. Select the private endpoint from the dropdown (this will automatically populate the hostname/account field).
  4. Configure the remaining data platform details.
  5. Test your connection and save it.

Configuring Network Policies

If your organization uses Snowflake Network Policies to restrict access to your Snowflake account, you will need to add a network rule for dbt Cloud.

You can request the VPCE ID from dbt Cloud Support, that you can use to create a network policy.

Using the UI

Open the Snowflake UI and take the following steps:

  1. Go to the Security tab.
  2. Click on Network Rules.
  3. Click on Add Rule.
  4. Give the rule a name.
  5. Select a database and schema where the rule will be stored. These selections are for permission settings and organizational purposes; they do not affect the rule itself.
  6. Set the type to AWS VPCE ID and the mode to Ingress.
  7. Type the VPCE ID provided by dbt Cloud Support into the identifier box and press Enter.
  8. Click Create Network Rule.
Create Network RuleCreate Network Rule
  1. In the Network Policy tab, edit the policy you want to add the rule to. This could be your account-level policy or a policy specific to the users connecting from dbt Cloud.
  1. Add the new rule to the allowed list and click Update Network Policy.
Update Network PolicyUpdate Network Policy

Using SQL

For quick and automated setup of network rules via SQL in Snowflake, the following commands allow you to create and configure access rules for dbt Cloud. These SQL examples demonstrate how to add a network rule and update your network policy accordingly.

  1. Create a new network rule with the following SQL:
CREATE NETWORK RULE allow_dbt_cloud_access
  MODE = INGRESS
  TYPE = AWSVPCEID
  VALUE_LIST = ('<VPCE_ID>'); -- Replace '<VPCE_ID>' with the actual ID provided
  1. Add the rule to a network policy with the following SQL:
ALTER NETWORK POLICY <network_policy_name>
  ADD ALLOWED_NETWORK_RULE_LIST =('allow_dbt_cloud_access');
0
Edit this page