
Sharing Snowflake connectivity to other VPCs

0

Hey everybody,

Looking for architectural guidance or advice from somebody who has done this before:

We have a central networking account, which currently has Snowflake connectivity via the following setup: https://docs.snowflake.com/en/user-guide/admin-security-privatelink In short, it has a PrivateLink with Snowflake: we created a VPCE and a private hosted zone that has records pointing to the VPCE, e.g. the CNAME app.eu-central-1.privatelink.snowflakecomputing.com points to the VPCE.

We also have a transit gateway; this lives in the central networking account, and consumer (member account) VPCs are also connected to this TGW.

Now I want to share the connectivity we have with the member accounts, and I'm not sure how to share the VPCE connectivity / private hosted zone. I think I can use RAM to share the private hosted zone; then the consumer accounts can resolve the DNS names to the VPCE, but there is still no connectivity, right? How would we share the VPCE connectivity with the consumer VPCs?

2 Answers
0

To share Snowflake connectivity from your central networking account to other VPCs in member accounts, you can follow these steps:

  1. Share the private hosted zone: You can use the AWS CLI, an SDK, or the Route 53 API to share the private hosted zone with the member accounts. This will allow the consumer VPCs to associate the private hosted zone and ultimately resolve the DNS names to the VPC endpoint (VPCE).

  2. Enable connectivity to the VPCE: Since you already have a Transit Gateway (TGW) in place connecting the central networking account and the member account VPCs, you likely already have connectivity to the VPCE from the member account. If not, it is just a matter of updating the routing.

  3. Configure security groups: Ensure that the security group associated with the VPCE in the central account allows inbound traffic from the CIDR ranges of the member account VPCs, or from more specific sources based on your requirements.

  4. Update DNS settings in member VPCs: In each member account VPC, make sure that DNS hostnames and DNS resolution are enabled to allow proper resolution of the Snowflake endpoints.

By implementing these steps, you'll enable the member account VPCs to resolve the Snowflake endpoints using the shared private hosted zone and route their traffic through the Transit Gateway to reach the VPCE in the central networking account.

This approach allows you to centralize and manage the Snowflake connectivity in one place while securely sharing it with other VPCs across your organization. It leverages your existing Transit Gateway setup for network connectivity, making efficient use of your current architecture.
Sources
  • Connecting to a private endpoint from a different VPC (including cross-account) - Neptune Analytics
  • AWS PrivateLink - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
  • Centralized access to VPC private endpoints - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

answered 2 months ago
AWS
EXPERT
revised 2 months ago
  • Okay, so what I'm getting is the following:

    1. When creating the VPCE I enable static IPs, so I know the IP address of my VPCE endpoint and it doesn't change
    2. In the private hosted zone I point the Snowflake-related CNAMEs to this IP (or IPs)
    3. I still share the hosted zones to the account, just by associating or via RAM??
    4. In the consumer VPCs, I modify the routes to those IPs to go via the transit gateway in the central account

    Am I missing something then? Or does this seem about right?

0

There was a mistake in the original form of the generated response: you aren't able to leverage RAM to share the private hosted zone across accounts. The correct procedure can be seen here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html - Route 53 Resolver Profiles can also be useful for managing this at scale: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html

AWS
EXPERT
answered 2 months ago
  • Haha, I was just about to come back and post this, but you were already here.

    To see if I'm understanding correctly:

    So Route 53 Profiles provide an easy way to share my private hosted zone? And the alternative would be associating to the VPCs directly cross-account? And they would probably have to accept or something like that? I'm sure there's a Terraform module for it.
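Putting the first answer's four steps together with the second answer's correction (cross-account private hosted zone association rather than RAM), here is an added Terraform example. It is not code from either answer, from Snowflake or from AWS documentation; every ID, CIDR and CLI profile name is a placeholder, and it assumes the member VPC's TGW attachment and the TGW route tables already exist (as the question states), so only the VPC-side routes are added. The precondition on the zone association is the check a practitioner would want: a private hosted zone does not resolve in a VPC unless both DNS attributes are enabled.

```hcl
terraform {
  required_version = ">= 1.2" # lifecycle preconditions
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

# Central networking account: owns the Snowflake VPCE, the private hosted zone and the TGW.
provider "aws" {
  alias   = "network"
  region  = "eu-central-1"
  profile = "central-networking" # assumed CLI profile name
}

# Consumer (member) account whose VPC is already attached to the TGW.
provider "aws" {
  alias   = "member"
  region  = "eu-central-1"
  profile = "member-account" # assumed CLI profile name
}

locals {
  # Placeholders only; substitute your own values.
  snowflake_phz_id = "Z0123456789EXAMPLE"   # zone holding *.privatelink.snowflakecomputing.com records
  vpce_sg_id       = "sg-0123456789abcdef0" # security group attached to the Snowflake VPCE
  central_vpc_cidr = "10.0.0.0/16"
  central_rt_id    = "rtb-0aaaaaaaaaaaaaaaa" # route table of the subnets holding the VPCE ENIs
  member_vpc_id    = "vpc-0bbbbbbbbbbbbbbbb"
  member_vpc_cidr  = "10.10.0.0/16"
  member_rt_id     = "rtb-0cccccccccccccccc"
  tgw_id           = "tgw-0ddddddddddddddddd"
}

# Step 1: the zone owner authorizes the member VPC (no RAM involved) ...
resource "aws_route53_vpc_association_authorization" "member" {
  provider   = aws.network
  zone_id    = local.snowflake_phz_id
  vpc_id     = local.member_vpc_id
  vpc_region = "eu-central-1"
}

data "aws_vpc" "member" {
  provider = aws.member
  id       = local.member_vpc_id
}

# ... and the member account completes the association from its side.
resource "aws_route53_zone_association" "member" {
  provider   = aws.member
  zone_id    = aws_route53_vpc_association_authorization.member.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.member.vpc_id
  vpc_region = "eu-central-1"

  # Step 4: the private hosted zone only resolves with both DNS attributes enabled.
  lifecycle {
    precondition {
      condition     = data.aws_vpc.member.enable_dns_support && data.aws_vpc.member.enable_dns_hostnames
      error_message = "Member VPC must have enableDnsSupport and enableDnsHostnames set."
    }
  }
}

# Step 2: routing over the TGW in both directions (TGW route tables assumed in place).
resource "aws_route" "member_to_central" {
  provider               = aws.member
  route_table_id         = local.member_rt_id
  destination_cidr_block = local.central_vpc_cidr
  transit_gateway_id     = local.tgw_id
}

resource "aws_route" "central_to_member" {
  provider               = aws.network
  route_table_id         = local.central_rt_id
  destination_cidr_block = local.member_vpc_cidr
  transit_gateway_id     = local.tgw_id
}

# Step 3: open only HTTPS on the VPCE security group, and only from the member VPC CIDR.
resource "aws_vpc_security_group_ingress_rule" "snowflake_from_member" {
  provider          = aws.network
  security_group_id = local.vpce_sg_id
  description       = "Snowflake PrivateLink from member VPC"
  cidr_ipv4         = local.member_vpc_cidr
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

Run `terraform apply` with credentials for both profiles; the authorization must exist before the association, which the `zone_id`/`vpc_id` references enforce. The Route 53 documentation linked above allows the authorization to be deleted once the association is made, but keeping it under Terraform management avoids a spurious diff on the next plan. One rule per member VPC CIDR keeps the security group tight; avoid widening it to the whole TGW range just because routing already permits it.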
