What URL do we need to use to connect to Snowflake from a browser client when we have PrivateLink set up for Snowflake? We have set up AWS PrivateLink to connect to Snowflake so that we can avoid traffic over the internet. Any input regarding this would be great if someone has set this up. I get a 403 Forbidden error when I use the PrivateLink DNS name from the browser.
AWS PrivateLink is a great way for Snowflake customers on AWS to get private connectivity over the AWS networking backbone. For example, you can run server tools such as Tableau Server in your VPC and connect to Snowflake without going over the internet.
Here's the high-level process flow to enable it for your account.
1. Enable PrivateLink in your VPC following the AWS documentation.
2. File a support case with Snowflake to enable PrivateLink for your account. Include your AWS account ID in the support case.
3. After enabling the feature, Snowflake support will provide three pieces of information: a) the Snowflake PrivateLink URL, b) a DNS record, and c) an IP address to restrict public URL access to your Snowflake account.
4. Set up DNS based on the DNS record provided above. Set up AWS security group policies to allow access to the Snowflake PrivateLink URL on ports 443 and 80 (for OCSP).
5. Create a network policy in Snowflake allowing only the IP address provided above by support.
6. Verification: from your VPC, spin up an EC2 instance and log in to the Snowflake PrivateLink URL through a browser running on the EC2 instance. Or, use the snowsql command-line tool for verification from inside the VPC.
Additional security best practice:
Set up an S3 endpoint in your VPC. This will ensure that S3 access from your VPC goes over the AWS backbone instead of the internet. Note that Snowflake drivers connect directly to S3 to retrieve large result sets or when you use PUT commands to load data.
Also, refer to the official doc for this topic: https://docs.snowflake.net/manuals/user-guide/admin-security-privatelink.html
Here's a high-level diagram of how it works.
Note: Private connectivity from your corporate network to AWS VPC is a separate topic, and you can configure it using AWS Direct Connect or AWS VPN. That configuration is independent of Snowflake, and you should be able to work directly with AWS to enable it.
Vikas Jain | Security Product Management | Snowflake
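Two of the steps above are easy to get subtly wrong: the DNS record in step 4 (if it is missing, the PrivateLink hostname still resolves to Snowflake's public front end and the browser never uses the endpoint) and the network policy in step 5. The following helper, added here as an example and not code from Snowflake or from the answer's author, checks that a PrivateLink hostname resolves only to addresses inside your VPC CIDR and generates the Snowflake network-policy statements for the IP address support gave you. The hostname, VPC CIDR and IP address in the block are constructed placeholders; the resolver is injectable so the check can be exercised without network access.

```python
"""Verification helpers for a Snowflake AWS PrivateLink setup.

Added example; not Snowflake's or the answer author's code. The hostname,
VPC CIDR and allowed IP used under __main__ are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List


def resolve_ipv4(hostname: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses using the local resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def addresses_outside_vpc(addresses: Iterable[str], vpc_cidr: str) -> List[str]:
    """Return the addresses that do NOT fall inside the VPC CIDR.

    A working PrivateLink hostname resolves to the endpoint's network
    interfaces, i.e. to addresses inside the VPC. Anything outside means the
    DNS record from step 4 is not in effect for this resolver.
    """
    network = ipaddress.ip_network(vpc_cidr)
    return [a for a in addresses if ipaddress.ip_address(a) not in network]


def privatelink_dns_ok(hostname: str, vpc_cidr: str,
                       resolver: Callable[[str], List[str]] = resolve_ipv4) -> bool:
    """True when the hostname resolves to at least one address and every
    address is inside the VPC CIDR."""
    addrs = resolver(hostname)
    return bool(addrs) and not addresses_outside_vpc(addrs, vpc_cidr)


def network_policy_sql(policy_name: str, allowed_ips: Iterable[str]) -> str:
    """Build the statements for step 5: a network policy that admits only the
    address(es) given by Snowflake support, then attach it to the account.
    Every entry is validated as an IP or CIDR before it is quoted into SQL."""
    entries = []
    for ip in allowed_ips:
        ipaddress.ip_network(ip, strict=False)  # raises ValueError on junk
        entries.append(f"'{ip}'")
    allowed = ", ".join(entries)
    return (
        f"CREATE NETWORK POLICY {policy_name} ALLOWED_IP_LIST = ({allowed});\n"
        f"ALTER ACCOUNT SET NETWORK_POLICY = {policy_name};"
    )


if __name__ == "__main__":
    # Constructed placeholders: replace with the values from your own setup.
    VPC_CIDR = "10.20.0.0/16"
    PRIVATELINK_HOST = "xy12345.us-east-1.privatelink.snowflakecomputing.com"
    SUPPORT_IP = "203.0.113.10/32"
    try:
        addrs = resolve_ipv4(PRIVATELINK_HOST)
        print("resolved:", addrs)
        print("outside VPC:", addresses_outside_vpc(addrs, VPC_CIDR))
    except socket.gaierror as exc:
        print("resolution failed (DNS record not applied?):", exc)
    print(network_policy_sql("PRIVATELINK_ONLY", [SUPPORT_IP]))
```

Run it from the EC2 instance used in step 6: an empty "outside VPC" list means the DNS side is right, and the printed statements are what to execute in Snowflake for step 5.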
I'm working with AWS and need some support please.
My team provisioned Direct Connect and we can now enjoy private connectivity from our corporate network to VPC on AWS.
Management is asking whether it's possible for AWS CLI commands to be executed through Direct Connect and not through the public internet. Indeed, we have a lot of scripts with a lot of commands like aws ec2 describe-instances and so on. I guess these call the public REST API of the EC2 service that AWS exposes.
They're asking if it's possible that these calls do not go through the public internet.
I've seen VPC endpoints. Are they the solution?
See "How can I access my Amazon S3 bucket over Direct Connect?" for how to do this with S3.
Basically:
After BGP is up and established, the Direct Connect router advertises all global public IP prefixes, including Amazon S3 prefixes. Traffic heading to Amazon S3 is routed through the Direct Connect public virtual interface. The public virtual interface is routed through a private network connection between AWS and your data center or corporate network.
You can extend this to other Amazon services, per the AWS Direct Connect FAQs:
All AWS services, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), and Amazon DynamoDB can be used with Direct Connect.
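Whether a given CLI call actually takes the private path depends on what the service endpoint's hostname resolves to from the machine running the CLI: an address inside the VPC (an interface VPC endpoint with private DNS), a public AWS prefix your Direct Connect router learned over the public virtual interface, or a public prefix that only has an internet route. The following classifier, added here as an example and not code from the answer's author or from AWS, makes that check explicit. The AWS prefix list it embeds is a constructed fragment in the shape of AWS's published ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json), not a copy of it; the VPC CIDR and the set of prefixes learned over Direct Connect are assumptions you would replace with your own values.

```python
"""Classify which path an AWS API endpoint address is reached over.

Added example; not the answer author's code and not from AWS. IP_RANGES_SAMPLE
is a constructed fragment shaped like ip-ranges.json, not real data; the VPC
CIDRs and Direct Connect prefixes passed in are assumptions.
"""
import ipaddress
import json
import socket
from typing import Dict, Iterable, List

# Constructed fragment in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
IP_RANGES_SAMPLE: Dict = json.loads("""
{"prefixes": [
  {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "3.80.0.0/12",  "region": "us-east-1", "service": "EC2"}
]}
""")

VPC_ENDPOINT = "vpc-endpoint"            # stays inside the VPC
DX_PUBLIC_VIF = "direct-connect-public-vif"  # AWS public prefix learned via BGP over DX
AWS_PUBLIC_INTERNET = "aws-public-internet"  # AWS prefix, but only an internet route
UNKNOWN = "unknown"


def aws_prefixes(ip_ranges: Dict) -> List[ipaddress.IPv4Network]:
    """Parse the prefix entries of an ip-ranges.json document."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]]


def classify_address(address: str, vpc_cidrs: Iterable[str],
                     dx_advertised: Iterable[str],
                     aws_ranges: Iterable[ipaddress.IPv4Network]) -> str:
    """Decide how traffic to `address` leaves the client.

    vpc_cidrs:     CIDRs of the VPC the client sits in (interface endpoints
                   with private DNS resolve into these).
    dx_advertised: public prefixes your Direct Connect router learned over the
                   public virtual interface (taken from its BGP table).
    aws_ranges:    AWS's published prefixes, to distinguish "AWS over the
                   internet" from an address that is not AWS at all.
    """
    ip = ipaddress.ip_address(address)
    if any(ip in ipaddress.ip_network(c) for c in vpc_cidrs):
        return VPC_ENDPOINT
    if any(ip in ipaddress.ip_network(p) for p in dx_advertised):
        return DX_PUBLIC_VIF
    if any(ip in net for net in aws_ranges):
        return AWS_PUBLIC_INTERNET
    return UNKNOWN


def classify_endpoint(hostname: str, vpc_cidrs: Iterable[str],
                      dx_advertised: Iterable[str],
                      aws_ranges: Iterable[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Resolve a service endpoint hostname and classify every address it
    returns, so a hostname with a mix of private and public answers is visible."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    ranges = list(aws_ranges)
    return {a: classify_address(a, vpc_cidrs, dx_advertised, ranges) for a in addrs}


if __name__ == "__main__":
    # Assumed values: your VPC CIDR and the prefixes seen in your DX router's BGP table.
    vpc = ["10.0.0.0/16"]
    learned_over_dx = ["52.94.0.0/22"]
    ranges = aws_prefixes(IP_RANGES_SAMPLE)
    for host in ("ec2.us-east-1.amazonaws.com", "s3.us-east-1.amazonaws.com"):
        try:
            print(host, classify_endpoint(host, vpc, learned_over_dx, ranges))
        except socket.gaierror as exc:
            print(host, "resolution failed:", exc)
```

In practice you would load the real ip-ranges.json and feed in the prefixes actually learned over Direct Connect; the check is only as good as that BGP table, and a hostname that resolves to one private and one public address is a sign that private DNS for an endpoint is only partially in effect.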
Refer to #jarmod's answer below for the answer to the question but read on for why I think this sounds like an XY problem.
There is no reason at all why management should be concerned.
Third-party auditors assess the security and compliance of AWS services as part of multiple AWS compliance programs. Using the AWS CLI to access a service does not alter that service's compliance - AWS has compliance programs which pretty much cover every IT compliance framework out there globally.
Compliance aside, the AWS CLI does not store any customer data (so there should be no data protection concerns) and transmits data securely (unless you manually override this).
The user guide highlights this:
The AWS CLI does not itself store any customer data other than the credentials it needs to interact with the AWS services on the user's behalf.
By default, all data transmitted from the client computer running the AWS CLI and AWS service endpoints is encrypted by sending everything through a HTTPS/TLS connection.
You don't need to do anything to enable the use of HTTPS/TLS. It is always enabled unless you explicitly disable it for an individual command by using the --no-verify-ssl command line option.
As if that's not enough, you can also add increased security when communicating with AWS services by enforcing a minimum version of TLS 1.2 to be used by the CLI.
There should be targeting of much, much bigger attack vectors, like:
The physical accessibility of the device storing the credentials
Permanent access tokens vs. temporary credentials
IAM policies associated with the credentials
The AWS CLI is secure.
We are moving from AWS to GCP. I used a Client VPN Endpoint in AWS to get into the VPC network in AWS. What is the alternative in GCP that I can quickly set up to get my laptop into the VPC network? If there is no exact alternative, what's the closest one? Please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC, as Cloud VPN only supports site-to-site connectivity; however, there is an existing Feature Request for this.
As an alternative, a Compute Engine instance can be used instead, with an OpenVPN server manually installed and configured following the OpenVPN documentation; however, this would be a self-managed solution.
I want to execute AWS CLI commands for RDS not via the internet but via a VPC network, mainly to create manual snapshots of RDS.
However, VPC endpoints support only the RDS Data API, according to the following document:
VPC endpoints - Amazon Virtual Private Cloud
Why? I need to execute the command within a closed network due to security rules.
Just to reiterate, you can still connect to your RDS database through the normal private network using whichever library you choose to perform any DDL, DML, DCL and TCL commands. Although in your case you want to create a snapshot, which is done via the service endpoint.
VPC endpoints are for connecting to the service APIs that power AWS (think of the interactions you perform in the console, SDK or CLI); at the moment this means that for RDS, to create, modify or delete resources you need to use the API over the public internet (using HTTPS for encrypted traffic).
VPC endpoints are added over time; just because a specific API is not there now does not mean it will never be there. There is an integration that has to be carried out by the team of that AWS service to allow VPC endpoints to work.
There is a static website on an AWS S3 bucket.
This site has to be available only to one team. It could be an authentication system, or access via an AWS Client VPN Endpoint (only this team uses AWS VPN).
I have read about S3 Access Points, VPC Endpoints, and Bucket Policy with VPC and IP restriction, and made some experiments. There was an idea to restrict access only to the VPC with the VPN. But I cannot forward bucket traffic to the VPN tunnel, because my bucket's IP address changes all the time.
And this way doesn't look straightforward.
What service or service combination can I use to implement the restriction with minimum effort?
One approach I have done in the past is using an API Gateway as a proxy to static UI content hosted in a private S3 bucket. You can either use a public or private API Gateway. With public, you will need an API Gateway resource policy to restrict access to the VPC endpoint. You can also use a private API Gateway; the only downside is AWS doesn't support custom DNS for private API Gateways (you will be accessing your site using a URL similar to https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}; see the documentation). AWS also offers good documentation on creating an API Gateway as an S3 proxy.
In this example the flow of traffic would go: client -> VPN -> VPC endpoint -> API Gateway -> S3
Hopefully this helps!
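The restriction the answer describes for the public API Gateway variant is a resource policy keyed on the VPC endpoint that the VPN users arrive through. The following block, added here as an example and not the answer author's code or an AWS sample, builds such a policy (an explicit Deny for any invoke whose aws:SourceVpce is not your endpoint, plus an Allow for the rest) and includes a deliberately small evaluator for the Deny/Allow/implicit-deny logic so the policy can be tested against sample request contexts before it is attached. The VPC endpoint id is a placeholder; the evaluator models only the StringEquals and StringNotEquals operators and an anonymous caller, which is all this policy needs.

```python
"""Build and sanity-check an API Gateway resource policy that admits callers
only through one VPC endpoint.

Added example; not the answer author's code. vpce-0123456789abcdef0 is a
placeholder id. The evaluator is a deliberate simplification of IAM policy
evaluation, covering only what this policy uses.
"""
import json
from typing import Dict, List


def vpce_only_resource_policy(vpce_id: str, resource_arn: str = "execute-api:/*") -> Dict:
    """Explicit Deny wins in IAM, so any invoke that did not arrive via the
    named VPC endpoint is refused before any route is considered."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource_arn,
            },
        ],
    }


def _condition_matches(condition: Dict, context: Dict[str, str]) -> bool:
    """Evaluate StringEquals / StringNotEquals against a request context.
    As in IAM, a missing context key satisfies a negated operator, which is
    what makes the Deny above catch traffic with no aws:SourceVpce at all."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy: Dict, action: str, context: Dict[str, str]) -> str:
    """Simplified resource-policy decision for an anonymous ('*') caller:
    any matching Deny wins, otherwise any matching Allow, else implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        actions: List[str] = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


def policy_json(policy: Dict) -> str:
    """Render the policy as the JSON document you would attach in API Gateway."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = vpce_only_resource_policy("vpce-0123456789abcdef0")  # placeholder id
    print(policy_json(policy))
    for ctx in ({"aws:SourceVpce": "vpce-0123456789abcdef0"}, {"aws:SourceVpce": "vpce-other"}, {}):
        print(ctx, "->", evaluate(policy, "execute-api:Invoke", ctx))
```

The S3 bucket itself stays private and is read only through the API Gateway integration, so the bucket's changing public IP address (the problem in the question) never matters: clients only ever talk to the VPC endpoint.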
I have done a clean sweep of the AWS docs but couldn't find an answer to my scenario. I'm looking for a solution wherein I will have private connectivity (no data flows through the internet, only within the AWS network) between my two VPCs, and VPC-to-on-premises connectivity. I'm aware of AWS PrivateLink and Direct Connect, but they have some limitations, e.g. an RDS instance cannot be exposed as an endpoint service to be consumed, and things like that.
Is there any way I can achieve the above?
AWS Transit Gateway allows you to set up direct networking between VPCs and your on-premises environment. It supports both VPN and Direct Connect for the on-premises leg of the connection.
https://aws.amazon.com/transit-gateway/