Private Link and custom networking setups
Sifflet supports establishing AWS and Azure Private Link connections, and in general can be configured to work with a wide variety of networking requirements.
Connectivity options
By default, Sifflet connects to your sources over the public Internet. Sifflet supports a variety of more specialised networking setups for organisations with stricter requirements.
Feature availability
Depending on your plan, not all of these features may be available. Contact your account executive to know more.
If you have special requirements around connectivity to your sources, please let Sifflet know before your Sifflet instance is created. This will allow Sifflet to provision your instance in a suitable cloud provider and region, minimising both setup and ongoing network costs.
IP allowlisting
From Sifflet to sources
Sifflet instances make connections to your sources using dedicated, stable IP addresses. Many vendors implement a feature allowing you to block all traffic except when coming from a known IP range.
For instance:
- Snowflake users can deploy Snowflake network policies.
- Databricks users can deploy IP access lists.
- Looker users can deploy IP Allowlists.
Using such features, you can block traffic to your source, except when coming from your network, Sifflet, or any service you use.
Contact Sifflet support to know the IP addresses that your instance uses to connect to your sources.
From your network to Sifflet
Sifflet can restrict access to the Sifflet API of your instance from the IP ranges of your corporate networks.
This will prevent any user or service not located on your corporate network from using the Sifflet API. This will also prevent any user not using your corporate network from using the Sifflet web UI.
Contact Sifflet support if you're interested in this feature.
AWS Private Link
Sifflet can enable AWS Private Link between your Sifflet instance and sources located on the AWS network. This means that traffic between Sifflet and the source doesn't leave the AWS network and is not routed over the public Internet.
Snowflake on AWS
Requirements:
- You use the Business Critical edition of Snowflake (or higher).
- Your Snowflake account is deployed on AWS.
- Your Sifflet instance is deployed on AWS (which is the default).
- Your Sifflet instance is located in the same AWS region as your Snowflake account.
Process
- Run the following command in your Snowflake account and note the result:
-
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
- Ask Sifflet support to enable AWS Private Link to your Snowflake account. Provide the output of the command in the previous step. Sifflet will answer with a Sifflet-owned AWS account ID.
- Ask Snowflake support to allow the AWS account ID provided by Sifflet to establish Private Link connections.
- Ask Sifflet support to finalise the setup.
Snowflake account identifiers and Private Link
When using AWS Private Link, the account identifier you configure in Sifflet changes. Use the "privatelink-account-name" returned by
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();, not the public Snowflake account name.
AWS Redshift
Requirements
- Your Sifflet instance is deployed on AWS (which is the default).
- Your Sifflet instance is located in the same AWS region as your Redshift instance.
- Your Redshift instance complies with the requirements outlined in the AWS documentation.
Process
- Ask Sifflet support to enable AWS Private Link to your Redshift cluster. Sifflet support will provide you with an AWS account ID and VPC IDs.
- Allow the VPC IDs provided by Sifflet to access to your Redshift instance, by following the AWS documentation.
- Contact Sifflet support to finalise the setup. Sifflet will provide your with the Private Link endpoint names to use in your Sifflet configuration.
Other
If you run a source in a private subnet (such as a private RDS database), Sifflet can also connect to this source using Private Link. The exact setup will depend on the source and your network architecture. Contact Sifflet support to design a solution.
The overall process could look like:
- you create an AWS Network Load Balancer in front of your source
- you create an endpoint service pointing to this NLB
- you grant the Sifflet AWS account permissions to request access to this endpoint service
- you accept the Sifflet connection request, and use the hostnames provided by Sifflet in your Sifflet configuration
Azure Private Link
Snowflake on Azure
Requirements:
- Your Snowflake account is deployed on Azure.
- You use the Business Critical edition of Snowflake (or higher).
- Your Sifflet instance is deployed on AWS (which is the default). Sifflet establishes VPN connections to Azure VPCs, then create the Private Link between a Sifflet-managed Azure VPC and your Snowflake Azure VPC.
- Your Sifflet instance is in an AWS region where Sifflet enabled connectivity to Azure. Contact Sifflet support to know more, providing details about the Azure region used by your Snowflake account.
Process
- Run the following command in your Snowflake account and note the result:
-
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
- Ask Sifflet support to enable Azure Private Link to your Snowflake account. Provide the output of the command in the previous step. Sifflet will answer with a endpoint ID.
- Ask Snowflake support to allow the endpoint ID provided by Sifflet to establish Private Link connections.
- Ask Sifflet support to finalise the setup.
Snowflake account identifiers and Private Link
When using Azure Private Link, the account identifier you configure in Sifflet changes. Use the "privatelink-account-name" returned by
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();, not the public Snowflake account name.
Azure Synapse
Requirements
- Your Sifflet instance is deployed on AWS (which is the default). Sifflet establishes VPN connections to Azure VPCs, then create the Private Link between a Sifflet-managed Azure VPC and your Synapse workspace.
- Your Sifflet instance is in an AWS region where Sifflet enabled connectivity to Azure. Contact Sifflet support to know more, providing details about the Azure region in which your Synapse workspace is located.
Process
- Ask Sifflet support to enable Azure Private Link, providing
- Your Azure subscription ID
- The resource group name in which your Synapse workspace is located
- Your Synapse workspace name
- Once instructed by Sifflet support, go to "Private endpoint connections" and accept the Sifflet connection request. Sifflet will provide you with the hostname to configure in your Sifflet instance to connect to this workspace.
Others networking requirements
Please contact Sifflet support or your account executive to discuss any networking setup not covered in this page. Thanks to its single-tenant architecture, Sifflet can accommodate many customised networking requirements (also see https://docs.siffletdata.com/docs/security).
Updated about 2 months ago