ALTER NETWORK RULE
Modifies an existing network rule.
Syntax
ALTER NETWORK RULE [ IF EXISTS ] <name> SET
VALUE_LIST = ( '<value>' [ , '<value>', ... ] )
[ COMMENT = '<string_literal>' ]
ALTER NETWORK RULE [ IF EXISTS ] <name> UNSET { VALUE_LIST | COMMENT }
Parameters
name
Specifies the identifier of the network rule.
If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are case-sensitive.
SET ...
Specifies the properties to set for the network rule:
VALUE_LIST = ( 'value' [, 'value', ...] )
Replaces the current network identifiers with a new list of identifiers. Using this command is not additive; previously specified values are removed when you set a new value list.
Valid values in the list are determined by the type of network rule:
When TYPE = IPV4, each value must be a valid IPv4 address or range of addresses.
When TYPE = AWSVPCEID, each value must be a valid VPCE ID. VPC IDs are not supported.
When TYPE = AZURELINKID, each value must be a valid LinkID of an Azure private endpoint. Execute the SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS function to retrieve the LinkID associated with an account.
When TYPE = HOST_PORT, each value must resolve to a valid domain. Optionally, it can also include a port or range of ports.
The valid port range is 1-65535. If you do not specify a port, it defaults to 443. If an external network location supports dynamic ports, you need to specify all possible ports.
To allow access to all ports, define the port as 0. For example, company.com:0.
When the value resolves to a domain, you can use a single asterisk as a wildcard character. The asterisk matches only alphanumeric characters and hyphens (-).
Wildcards are supported only for a single level of subdomains, as in the following examples: *.google.com, snowflake-*.google.com, and snowflake*abc.google.com.
When TYPE = PRIVATE_HOST_PORT, specify one valid domain. Do not include a port or a range of ports.
COMMENT = 'string_literal'
Adds a comment for the first time or overwrites an existing comment.
UNSET ...
Clears properties of the network rule:
VALUE_LIST
Removes all network identifiers from the network rule.
COMMENT
Removes the comment that was associated with the network rule.
Access control requirements
A role used to execute this operation must have the following privileges at a minimum:
Privilege | Object | Notes |
---|---|---|
OWNERSHIP | Network Rule | OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege). |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes
When specifying IP addresses for a network rule, Snowflake supports ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation.
For example, 192.168.1.0/24 represents all IPv4 addresses in the range of 192.168.1.0 to 192.168.1.255.
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
Example
Modify a network rule that is used to allow or block traffic from a range of IPv4 addresses. Assumes that TYPE = IPV4 for the network rule.
ALTER NETWORK RULE cloud_network SET VALUE_LIST = ('47.88.25.32/27');
Modify a network rule that is used to allow or block traffic over AWS PrivateLink. Assumes that TYPE = AWSVPCEID for the network rule.
ALTER NETWORK RULE corporate_network SET VALUE_LIST = ('vpce-123abc3420c1931');
Modify a network rule that is used to allow traffic to an external destination. Assumes that TYPE = HOST_PORT for the network rule.
ALTER NETWORK RULE external_access_rule SET VALUE_LIST = ('example.com', 'company.com:443');
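An added example, not part of the Snowflake documentation: a Python pre-flight check that applies the HOST_PORT rules described above (default port 443, port 0 for all ports, a single wildcard that cannot cross a dot) and builds a full replacement VALUE_LIST, because SET is not additive. The function names are hypothetical, port ranges are left out because this page does not show their syntax, and letting the asterisk match zero characters is an assumption.

```python
import re

# Unquoted identifier shape; anything else is emitted in double quotes.
UNQUOTED_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*\Z")
# Dotted domain whose labels hold alphanumerics, hyphens, or the wildcard.
HOST = re.compile(r"[A-Za-z0-9*-]+(\.[A-Za-z0-9*-]+)+\Z")

def parse_host_port(value):
    """Return (host, low_port, high_port) for one HOST_PORT value, or raise ValueError."""
    host, sep, port = value.partition(":")
    if not HOST.match(host) or host.count("*") > 1:
        raise ValueError(f"bad domain or more than one wildcard: {value!r}")
    if not sep:
        return host.lower(), 443, 443        # no port given: defaults to 443
    if not port.isdecimal() or int(port) > 65535:
        raise ValueError(f"port must be 0 or 1-65535: {value!r}")
    if int(port) == 0:
        return host.lower(), 1, 65535        # port 0 allows all ports
    return host.lower(), int(port), int(port)

def covers(value, dest_host, dest_port):
    """True if the rule value would match dest_host:dest_port."""
    host, low, high = parse_host_port(value)
    # '*' matches only alphanumerics and hyphens, so it never crosses a dot.
    # Assumption: it may match zero characters.
    pattern = re.escape(host).replace(r"\*", "[a-z0-9-]*")
    in_range = low <= dest_port <= high
    return in_range and re.fullmatch(pattern, dest_host.lower()) is not None

def alter_statement(name, current, additions):
    """Build a SET VALUE_LIST statement that keeps `current` and appends `additions`."""
    merged = list(dict.fromkeys(current + additions))   # de-duplicate, keep order
    for value in merged:
        parse_host_port(value)                          # reject malformed values
    if UNQUOTED_IDENT.match(name):
        ident = name
    else:
        ident = '"' + name.replace('"', '""') + '"'
    values = ", ".join(f"'{v}'" for v in merged)
    return f"ALTER NETWORK RULE {ident} SET VALUE_LIST = ({values});"
```

Feed `current` from the rule's existing value list so that entries already in place survive the replacement, and use `covers` to review what a wildcard value actually opens before applying it.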