Snowflake Cloud Provider Integration
Snowflake provides deep integration with all major cloud providers, enabling seamless connectivity, security, and performance optimization for cloud-native workloads.
What is Cloud Integration?
- Connects natively to AWS, Azure, and GCP
- Provides PrivateLink for secure, private connectivity
- Enables cross-cloud data sharing without data movement
Architecture Overview
The Snowflake multi-cloud architecture connects to three major cloud providers:
| Provider | Storage | Networking | Security | Compute |
|---|---|---|---|---|
| AWS | S3 | VPC Peering, PrivateLink | IAM Roles, KMS Encryption | Lambda |
| Azure | Blob Storage | VNet Integration, Private Link | Managed Identity, Key Vault | Functions |
| GCP | Cloud Storage | VPC peering, Private Google Access | Service Accounts, Cloud KMS | Functions |
Snowflake Data Cloud provides multi-region capabilities with consistent APIs across all providers.
Integration Features
- Networking: PrivateLink, VPC peering
- Security: IAM, KMS, encryption
- Storage: S3, Blob, GCS
- Compute: Lambda, Functions
AWS Integration
S3 External Stage
-- Create storage integration
CREATE OR REPLACE STORAGE INTEGRATION s3_integration
TYPE = EXTERNAL_STAGE
ENABLED = TRUE
STORAGE_PROVIDER = 'S3'
STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::123456789:role/snowflake-role'
STORAGE_ALLOWED_LOCATIONS = ('s3://my-bucket/data/');
-- Create external stage
CREATE OR REPLACE STAGE s3_stage
URL = 's3://my-bucket/data/'
STORAGE_INTEGRATION = s3_integration
FILE_FORMAT = (TYPE = 'PARQUET');
AWS PrivateLink
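-- Configure PrivateLink (run as ACCOUNTADMIN)
-- '<aws_account_id>' and '<federated_token>' are placeholders; the token comes from
-- `aws sts get-federation-token`
SELECT SYSTEM$AUTHORIZE_PRIVATELINK('<aws_account_id>', '<federated_token>');
-- Verify that the account is authorized for PrivateLink
SELECT SYSTEM$GET_PRIVATELINK('<aws_account_id>', '<federated_token>');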
Azure Integration
Blob Storage Stage
CREATE OR REPLACE STORAGE INTEGRATION azure_integration
TYPE = EXTERNAL_STAGE
ENABLED = TRUE
STORAGE_PROVIDER = 'AZURE'
AZURE_TENANT_ID = 'your-tenant-id'
STORAGE_ALLOWED_LOCATIONS = ('azure://myaccount.blob.core.windows.net/mycontainer/');
CREATE OR REPLACE STAGE azure_stage
URL = 'azure://myaccount.blob.core.windows.net/mycontainer/data/'
STORAGE_INTEGRATION = azure_integration;
Azure Private Link
-- '<private_endpoint_resource_id>' and '<federated_token>' are placeholders
SELECT SYSTEM$AUTHORIZE_PRIVATELINK('<private_endpoint_resource_id>', '<federated_token>');
GCP Integration
GCS Stage
CREATE OR REPLACE STORAGE INTEGRATION gcs_integration
TYPE = EXTERNAL_STAGE
ENABLED = TRUE
STORAGE_PROVIDER = 'GCS'
STORAGE_ALLOWED_LOCATIONS = ('gcs://my-bucket/data/');
CREATE OR REPLACE STAGE gcs_stage
URL = 'gcs://my-bucket/data/'
STORAGE_INTEGRATION = gcs_integration;
Cross-Cloud Data Sharing
-- Share data across clouds
CREATE SHARE cross_cloud_share;
GRANT USAGE ON DATABASE my_db TO SHARE cross_cloud_share;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE cross_cloud_share;
GRANT SELECT ON TABLE my_db.my_schema.my_table TO SHARE cross_cloud_share;
-- Consumer account (different cloud)
CREATE DATABASE shared_data FROM SHARE provider_account.cross_cloud_share;
SELECT * FROM shared_data.my_schema.my_table;
Security Integration
Key Management
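-- AWS KMS encryption
CREATE OR REPLACE STORAGE INTEGRATION encrypted_s3
TYPE = EXTERNAL_STAGE
ENABLED = TRUE
STORAGE_PROVIDER = 'S3'
STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::123456789:role/snowflake-role'
STORAGE_ALLOWED_LOCATIONS = ('s3://my-bucket/data/');
-- The KMS key is set on the stage that uses the integration, not on the integration
CREATE OR REPLACE STAGE encrypted_s3_stage
URL = 's3://my-bucket/data/'
STORAGE_INTEGRATION = encrypted_s3
ENCRYPTION = (TYPE = 'AWS_SSE_KMS' KMS_KEY_ID = '12345678-1234-1234-1234-123456789012');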
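-- Azure Key Vault
-- The customer-managed key (https://mykeyvault.vault.azure.net/keys/mykey) is configured
-- on the storage account in Azure; the storage integration takes no key parameter
CREATE OR REPLACE STORAGE INTEGRATION encrypted_azure
TYPE = EXTERNAL_STAGE
ENABLED = TRUE
STORAGE_PROVIDER = 'AZURE'
AZURE_TENANT_ID = 'tenant-id'
STORAGE_ALLOWED_LOCATIONS = ('azure://myaccount.blob.core.windows.net/mycontainer/');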
Network Security
-- Network policy (it must exist before it can be activated)
CREATE OR REPLACE NETWORK POLICY restricted_policy
ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
BLOCKED_IP_LIST = ('192.0.2.0/24');
-- IP restrictions: activate the policy for the whole account
ALTER ACCOUNT SET NETWORK_POLICY = restricted_policy;
Always use PrivateLink for production workloads. It provides encrypted, private connectivity that doesn't traverse the public internet. Combine with network policies for defense in depth.
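How a policy like `restricted_policy` is evaluated, as an added example (not code from the original page or from Snowflake): the blocked list is applied first, and any address outside `ALLOWED_IP_LIST` is rejected. The function names `is_allowed` and `audit` are hypothetical, the CIDR values are the ones on this page, and the client addresses are constructed.

```python
import ipaddress

# CIDR values copied from restricted_policy on this page.
ALLOWED_IP_LIST = ["203.0.113.0/24", "198.51.100.0/24"]
BLOCKED_IP_LIST = ["192.0.2.0/24"]


def _nets(cidrs):
    # strict=True rejects entries with host bits set (a common typo).
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def is_allowed(client_ip, allowed, blocked):
    """Blocked list is applied first; then the IP must match the allowed list."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in _nets(blocked)):
        return False
    return any(ip in net for net in _nets(allowed))


def audit(allowed, blocked):
    """Flag entries that weaken the policy or have no effect."""
    findings = []
    a, b = _nets(allowed), _nets(blocked)
    for net in a:
        if net.prefixlen == 0:
            findings.append(f"allowed {net} admits every address")
        if any(net.subnet_of(x) for x in b):
            findings.append(f"allowed {net} is fully covered by a blocked range")
    for net in b:
        if not any(net.overlaps(x) for x in a):
            findings.append(f"blocked {net} is redundant: outside every allowed range")
    return findings


if __name__ == "__main__":
    # Constructed client addresses, not taken from real logs.
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5", "8.8.8.8"):
        print(ip, "allowed" if is_allowed(ip, ALLOWED_IP_LIST, BLOCKED_IP_LIST) else "denied")
    for finding in audit(ALLOWED_IP_LIST, BLOCKED_IP_LIST):
        print("finding:", finding)
```

A blocked range only changes the outcome when it carves addresses out of an allowed range, which is what the `audit` findings make visible.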
Cloud Provider Comparison
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Storage | S3 | Blob | GCS |
| Networking | VPC Peering | VNet | VPC Peering |
| Private Access | PrivateLink | Private Link | Private Google Access |
| IAM | IAM Roles | Managed Identity | Service Accounts |
| KMS | KMS | Key Vault | Cloud KMS |
| CDN | CloudFront | Azure CDN | Cloud CDN |
- Snowflake supports multi-cloud with consistent APIs across providers
- PrivateLink provides secure, private connectivity
- Storage integrations enable seamless data sharing
- Cross-cloud data sharing without data movement
- Enterprise security with KMS encryption and IAM integration