Private Link and custom networking setups

Sifflet supports establishing AWS and Azure Private Link connections, and in general can be configured to work with a wide variety of networking requirements.

Connectivity options

By default, Sifflet connects to your sources over the public Internet. Sifflet supports a variety of more specialised networking setups for organisations with stricter requirements.

📘

Feature availability

Depending on your plan, not all of these features may be available. Contact your account executive to know more.

If you have special requirements around connectivity to your sources, please let Sifflet know before your Sifflet instance is created. This will allow Sifflet to provision your instance in a suitable cloud provider and region, minimising both setup and ongoing network costs.

IP allowlisting

From Sifflet to sources

Sifflet instances make connections to your sources using dedicated, stable IP addresses. Many vendors implement a feature allowing you to block all traffic except when coming from a known IP range.

For instance:

Using such features, you can block traffic to your source, except when coming from your network, Sifflet, or any service you use.

Contact Sifflet support to know the IP addresses that your instance uses to connect to your sources.

From your network to Sifflet

Sifflet can restrict access to the Sifflet API of your instance from the IP ranges of your corporate networks.

This will prevent any user or service not located on your corporate network from using the Sifflet API. This will also prevent any user not using your corporate network from using the Sifflet web UI.

Contact Sifflet support if you're interested in this feature.

AWS Private Link

Sifflet can enable AWS Private Link between your Sifflet instance and sources located on the AWS network. This means that traffic between Sifflet and the source doesn't leave the AWS network and is not routed over the public Internet.

Snowflake on AWS

Requirements:

  • You use the Business Critical edition of Snowflake (or higher).
  • Your Snowflake account is deployed on AWS.
  • Your Sifflet instance is deployed on AWS (which is the default).
  • Your Sifflet instance is located in the same AWS region as your Snowflake account.

Process

  1. Run the following command in your Snowflake account and note the result:
  2. SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
    
  3. Ask Sifflet support to enable AWS Private Link to your Snowflake account. Provide the output of the command in the previous step. Sifflet will answer with a Sifflet-owned AWS account ID.
  4. Ask Snowflake support to allow the AWS account ID provided by Sifflet to establish Private Link connections.
  5. Ask Sifflet support to finalise the setup.

📘

Snowflake account identifiers and Private Link

When using AWS Private Link, the account identifier you configure in Sifflet changes. Use the "privatelink-account-name" returned by SELECT SYSTEM$GET_PRIVATELINK_CONFIG();, not the public Snowflake account name.

AWS Redshift

Requirements

  • Your Sifflet instance is deployed on AWS (which is the default).
  • Your Sifflet instance is located in the same AWS region as your Redshift instance.
  • Your Redshift instance complies with the requirements outlined in the AWS documentation.

Process

  1. Ask Sifflet support to enable AWS Private Link for your Redshift cluster. Provide Sifflet support with your Redshift cluster name and Redshift endpoint ID. Sifflet support will answer with an AWS account ID and VPC IDs.
  2. Allow the VPC IDs provided by Sifflet to access to your Redshift instance, by following the AWS documentation. Once done, ask Sifflet support to proceed.
  3. Sifflet will provide your with the Private Link endpoint names to use in your Sifflet configuration.

Other

If you run a source in a private subnet (such as a private RDS database), Sifflet can also connect to this source using Private Link. The exact setup will depend on the source and your network architecture. Contact Sifflet support to design a solution.

The overall process could look like:

Azure Private Link

Snowflake on Azure

Requirements:

  • You use the Business Critical edition of Snowflake (or higher).
  • Your Snowflake account is deployed on Azure.
  • Your Sifflet instance is deployed on AWS (which is the default).
  • Your Sifflet instance is deployed in an AWS region that's compatible with the region where your Azure Snowflake account is deployed. Contact Sifflet for more details.
  1. Ask Sifflet support to enable Azure Private Link to your Snowflake account. Provide the output of the command in the previous step. Sifflet will answer with aanendpoint ID.
  2. Ask Snowflake support to allow the endpoint ID provided by Sifflet to establish Private Link connections.
  3. Ask Sifflet support to finalise the setup.

📘

Snowflake account identifiers and Private Link

When using Azure Private Link, the account identifier you configure in Sifflet changes. Use the "privatelink-account-name" returned by SELECT SYSTEM$GET_PRIVATELINK_CONFIG();, not the public Snowflake account name.

Azure Synapse

Requirements

  • Your Sifflet instance is deployed on AWS (which is the default). Sifflet establishes VPN connections to Azure VPCs, then create the Private Link between a Sifflet-managed Azure VPC and your Synapse workspace.
  • Your Sifflet instance is in an AWS region where Sifflet enabled connectivity to Azure. Contact Sifflet support to know more, providing details about the Azure region in which your Synapse workspace is located.

Process

  • Ask Sifflet support to enable Azure Private Link, providing
    • Your Azure subscription ID
    • The resource group name in which your Synapse workspace is located
    • Your Synapse workspace name
  • Once instructed by Sifflet support, go to "Private endpoint connections" and accept the Sifflet connection request. Sifflet will provide you with the hostname to configure in your Sifflet instance to connect to this workspace.

Others networking requirements

Please contact Sifflet support or your account executive to discuss any networking setup not covered in this page. Thanks to its single-tenant architecture, Sifflet can accommodate many customised networking requirements (also see https://docs.siffletdata.com/docs/security).