Does Azure Snowflake SPN need change when a blob storage is switched from public network to private network?

Atharva Jadhav 0 Reputation points
2025-03-10T08:20:57.5566667+00:00

Hello!

My storage account is currently configured as public endpoint "enabled from all networks":

Snowflake data is unloaded into blob storage in .csv files using the COPY INTO command. I have added the AZURE_MULTI_TENANT_APP_NAME as an SPN in blob with "Storage Blob Data Contributor" access and it is working as expected.

I'm planning to change it to "enable from selected VN and IP addresses". Will this change impact the connectivity between Snowflake and Azure?

What possible change is required if connectivity is impacted?

Thanks!

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

Accepted answer
  1. Amrinder Singh 5,715 Reputation points Microsoft Employee
    2025-03-10T08:27:52.8666667+00:00

    Hi Atharva Jadhav - Thanks for reaching out over Q&A Forum.

    Changing the access level on the networking might result in an Auth failure if the IP hitting the storage account isn't whitelisted.

    SPN is the authorization, which shall come into the picture at a later part after it is successful on the networking part.

    I would recommend verifying the IPs that are hitting the storage. Based on that, add the IPs or the range/subnet from the source to ensure there are no hiccups. Below are the links to review at first:

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

    https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

    https://techcommunity.microsoft.com/blog/azurepaasblog/troubleshooting-storage-firewall-issues/1944730

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

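A pre-change check along the lines of the accepted answer, as an added example that is not part of the original thread: it takes exported storage log rows, keeps the Snowflake service principal's requests, and buckets the caller IPs by whether a proposed IP allow list would cover them. The row fields are assumed to follow the StorageBlobLogs column names (`CallerIpAddress`, `RequesterObjectId`); the sample rows, object IDs and CIDR are constructed.

```python
import ipaddress
from collections import Counter

# Constructed placeholder for the Snowflake service principal's object ID.
SNOWFLAKE_SPN = "00000000-0000-0000-0000-000000000001"

# Constructed rows using StorageBlobLogs-style column names; all values are made up.
SAMPLE_LOGS = [
    {"RequesterObjectId": SNOWFLAKE_SPN, "CallerIpAddress": "203.0.113.10:50112"},
    {"RequesterObjectId": SNOWFLAKE_SPN, "CallerIpAddress": "203.0.113.77:50990"},
    {"RequesterObjectId": SNOWFLAKE_SPN, "CallerIpAddress": "198.51.100.4:41200"},
    {"RequesterObjectId": SNOWFLAKE_SPN, "CallerIpAddress": "10.1.4.9:33000"},
    {"RequesterObjectId": SNOWFLAKE_SPN, "CallerIpAddress": "203.0.113.10:50113"},
    {"RequesterObjectId": "00000000-0000-0000-0000-0000000000ff", "CallerIpAddress": "192.0.2.8:4000"},
]

# Storage IP rules accept public addresses only, so RFC 1918 callers
# have to be handled with a virtual network rule or private endpoint.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def caller_ip(field):
    """Drop the port from an IPv4 'ip:port' CallerIpAddress value."""
    return ipaddress.ip_address(field.rsplit(":", 1)[0])

def plan_firewall(logs, object_id, proposed_rules):
    """Bucket the principal's caller IPs against a proposed IP allow list."""
    nets = [ipaddress.ip_network(r) for r in proposed_rules]
    seen = Counter(caller_ip(r["CallerIpAddress"]) for r in logs
                   if r["RequesterObjectId"] == object_id)
    report = {"allowed": {}, "blocked": {}, "needs_vnet_rule": {}}
    for ip, hits in sorted(seen.items()):
        if any(ip in n for n in RFC1918):
            bucket = "needs_vnet_rule"
        elif any(ip in n for n in nets):
            bucket = "allowed"
        else:
            bucket = "blocked"
        report[bucket][str(ip)] = hits
    return report

if __name__ == "__main__":
    for bucket, ips in plan_firewall(SAMPLE_LOGS, SNOWFLAKE_SPN, ["203.0.113.0/24"]).items():
        print(bucket, ips)
```

Anything left in `blocked` or `needs_vnet_rule` is traffic that would start failing at the network layer once the default action becomes deny, before the SPN's role assignment is ever evaluated.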

2 additional answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Vinod Kumar Reddy Chilupuri 2,955 Reputation points Microsoft External Staff
    2025-03-10T11:41:19.83+00:00

    Hi Atharva Jadhav,

    Adding additional information for the above answer.

    When you switch your Azure Blob Storage from a public endpoint to a private network configuration, it can impact the connectivity between Snowflake and Azure. Specifically, since Snowflake's service principal name (SPN) is currently configured with "Storage Blob Data Contributor" access, you will need to ensure that the SPN has the necessary permissions to access the blob storage through the private endpoint.

    To maintain connectivity after the change:

    1. Verify that the private endpoint for your blob storage is correctly configured to allow access from the virtual network (VN) where Snowflake operates.
      https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
    2. Ensure that the service principal used by Snowflake is granted the appropriate roles (like "Storage Blob Data Contributor") on the private endpoint.
    3. If necessary, add the service principal to the Reader role on the private endpoint to ensure it can access the storage.

    If these configurations are not set correctly, connectivity issues may arise when attempting to unload data into blob storage using the COPY INTO command.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

    Hope the above suggestion helps! Please let us know if you have any further queries. Please do consider "Accepting the answer" wherever the information provided helps you, this can be beneficial to other community members.

