Snowflake - Network Policy implementation

Author: Sakshi Agrawal


Overview

This paper gives a brief overview of how network policies help secure application access to your Snowflake data warehouse, and covers how to implement network policies in a Snowflake environment.


What is a Network Policy?

  • A network policy is a set of conditions and constraints that keeps unauthorized persons from accessing a particular network; in other words, settings that let you designate who is authorized to connect to the network.


Network Policy in Snowflake

  • Different applications can be connected to Snowflake via Partner Connect (for example DBT, Tableau, etc.) or using connectors. The Snowflake users tied to these applications access your Snowflake instance; to provide an extra layer of security you can create network policies and assign them to particular users.

  • Network policies provide options for managing network configuration of the Snowflake service, allowing you to restrict access to your account based on the user's IP address. Effectively, a network policy lets you create an IP allowed list and, if desired, an IP blocked list.

  • In Snowflake, a security administrator (or higher) can create a network policy that allows or denies access to a single IP address or a list of addresses. Network policies in Snowflake currently support only Internet Protocol version 4 (IPv4) addresses.

  • An admin with sufficient permissions can create any number of network policies. A network policy is only enforced once it is activated at the account or individual user level. To activate a network policy, modify the account or user properties and assign the network policy to that object. Only a single network policy can be assigned to the account, or to a specific user, at a time.


Implementation of network policy in Expense Management System

  • The RBAC structure of our project is shown below. According to our RBAC, only some users should have direct access to the Snowflake account, i.e. developers. Developers working on third-party tools connected to Snowflake, and on the Snowflake instance itself, are the only ones supposed to have access to the dedicated Snowflake account, i.e. the actual code.

  • Users other than developers, i.e. users in the production environment, should not have access to the Snowflake instance's code and data. For example, the DBT user can access the DBT schema, but a production user should not access the DBT schema and should only have access to the production schema.

  • Likewise, a user other than the one working on a specific application should not have access to the Snowflake instance for that application. In our case we have 4 users:

  1. DBT

  2. KAFKA

  3. SNOWBOARD

  4. TABLEAU

  • The DBT user should only be able to log in to the Snowflake instance with the credentials issued to the DBT user. Even if the Tableau user had the same credentials, that user should not be able to log in, because the network policy assigned to the DBT user only allows the IP addresses specific to the DBT user. In this way we provide an extra layer of security.

In the RBAC below there are 5 roles under programmatic access; the users assigned to 4 of these roles (KAFKA, DBT, TABLEAU, SNOWBOARD) have a network policy applied.




  • Let's look at one example of how the DBT network policy has been applied to the DBT user.




  • These policies are then assigned to users through the ALTER USER command in Snowflake.

For example: alter user TOOL_DBT_USER_1 set NETWORK_POLICY = DBT_NETWORK_POLICY1

  • The same approach has been implemented for the KAFKA, TABLEAU and SNOWBOARD users.

  • For general examples of allowed and blocked IP address lists, refer to the following:

https://docs.snowflake.com/en/user-guide/network-policies.html#examples-of-allowed-blocked-address-lists

  • A network policy can also be temporarily bypassed.

  • After creating a network policy you have to activate it. Network policies can be activated:

  1. On an account basis

  2. On an individual user basis

  • An existing network policy can also be modified through the UI or with the ALTER NETWORK POLICY command.

In this way we have implemented the network policies.
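The DBT flow described above, end to end in Snowflake SQL, as an added example that is not code from the original post: create the policy, check your own address, assign the policy to the user, verify it, and look for blocked logins. The IP ranges are constructed placeholders; the policy and user names follow the post.

```sql
-- Added example, not from the original post. The IP ranges below are
-- constructed placeholders (documentation ranges); replace them with the
-- egress addresses of the dbt host. Names follow the post.

-- Network policies are managed by SECURITYADMIN (or higher).
USE ROLE SECURITYADMIN;

-- 1. Create the policy: allow only the dbt host range and additionally
--    block one address inside it (the blocked list is applied first).
CREATE NETWORK POLICY DBT_NETWORK_POLICY1
  ALLOWED_IP_LIST = ('192.0.2.0/24')
  BLOCKED_IP_LIST = ('192.0.2.99')
  COMMENT = 'Only the dbt runner may authenticate as the dbt service user';

-- 2. Check the address of your own session before activating: as the post
--    notes, a policy that blocks your current IP address is not supported.
SELECT CURRENT_IP_ADDRESS();

-- 3. Activate at the user level (the approach used in this project).
--    A user holds at most one network policy, so SET replaces any earlier one.
ALTER USER TOOL_DBT_USER_1 SET NETWORK_POLICY = DBT_NETWORK_POLICY1;

-- 4. Verify the definition and the assignment.
DESCRIBE NETWORK POLICY DBT_NETWORK_POLICY1;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER TOOL_DBT_USER_1;

-- 5. Rotate the allowed range without re-creating the policy. SET replaces
--    the whole list, so restate every address that should remain allowed.
ALTER NETWORK POLICY DBT_NETWORK_POLICY1
  SET ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.10');

-- 6. Detection: failed logins for the dbt user from addresses outside the
--    allowed list appear in LOGIN_HISTORY (ACCOUNT_USAGE views lag by up
--    to about two hours, so this is a review query, not a real-time alert).
SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, ERROR_MESSAGE
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE USER_NAME = 'TOOL_DBT_USER_1'
  AND IS_SUCCESS = 'NO'
  AND EVENT_TIMESTAMP > DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY EVENT_TIMESTAMP DESC;

-- 7. Temporary bypass, as mentioned in the post: unset the policy on the
--    user, then re-run step 3 when the maintenance window is over.
-- ALTER USER TOOL_DBT_USER_1 UNSET NETWORK_POLICY;
```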


Conclusion

After studying network policies and implementing them in our project, we can conclude the following points:

  • A network policy is only enforced once it is activated at the account or individual user level. It can be activated at both the account level and the user level; we have done it at the user level.

  • A network policy that blocks your current IP address is currently not supported by Snowflake.

  • Network policies add an extra level of security to your data: only the intended IP addresses can access the information.

