This feature is available to customers on specific editions. Visit Matillion pricing to learn more about each edition.
- Enable a secure integration with Snowflake.
- Create a secure connection to your AWS-hosted data sources, for example Amazon Redshift or other data sources such as an RDS database.
- Create a secure connection to Amazon Redshift as your target cloud data warehouse. This follows the same process as that given in connectivity to AWS-hosted data sources.
Enabling PrivateLink
If you require PrivateLink to be enabled in
- Whether you require Full SaaS or Hybrid SaaS PrivateLink.
- The service name (VPCe). For example, com.amazonaws.vpce.<region_id>.vpce-svc-xxxxxxxxxxxxxxxxx.
- The host name of the service/destination.
- The output of SELECT SYSTEM$GET_PRIVATELINK_CONFIG(); from the Snowflake account you wish to use with PrivateLink. (See below for further details.)
- Your Matillion account number. To find this, log in to
and click the Profile & Account icon in the bottom-left of the screen. Your account number is the 8-digit number listed next to ID.
Integration with Snowflake via PrivateLink
Prerequisites
- Before configuring PrivateLink to integrate with Snowflake, ensure that you are using a Business Critical Snowflake edition.
Configure the connection to Snowflake
- Snowflake must enable AWS PrivateLink connectivity on your account before you can use it with . For this, you must contact Snowflake support and open a support request. In your message, include the following details:
  - Matillion’s AWS Account ID: arn:aws:iam::926494931119:root.
  - Your Snowflake account.
- Run the following SQL query within your Snowflake environment to retrieve your PrivateLink account configuration:
- Share the full JSON output from the above query with your Matillion account representative. This will have a format similar to the following:
- Matillion will use this information to configure a PrivateLink interface endpoint in the environment, and establish a secure connection to your Snowflake instance.
- Matillion will confirm when the PrivateLink connection is available for you to use, and provide you with a PrivateLink host address.
- Once the setup is complete, you will be able to connect to your Snowflake account from by creating an environment configured to use the PrivateLink. When configuring the environment, you will need to use the PrivateLink host address provided to you by Matillion. This ensures that your Snowflake traffic is routed through the PrivateLink endpoint rather than the public Internet.
Connectivity to AWS-hosted data sources
To connect to AWS-hosted data sources such as Amazon Redshift or RDS, you can use AWS PrivateLink to create a secure connection between
- Amazon Redshift
- RDS
- Databases hosted on EC2
- AWS MSK
Prerequisites
Before configuring AWS PrivateLink:
- An AWS VPC endpoint service must be configured in either eu-west-1 (Ireland), or us-east-1 (North Virginia) and your service (for example, Redshift, API, or other resource) must be exposed via that VPC endpoint service. If you require cross-regional access then you will need to set up an AWS Transit Gateway between the two regions required. This will also require all routing to be bi-directional.
- If the destination is hosted on an AWS-managed service, you must provision a Network Load Balancer (NLB) in your VPC. The NLB receives requests from and routes them to the destination. To create an NLB, follow the instructions in the AWS documentation.
- Security groups and routing tables must be correctly configured to permit traffic from the PrivateLink endpoint to reach your backend target. Health checks on the NLB should reflect the readiness of your destination service, to avoid dropped connections.
Configuring the connection to your AWS services
- In AWS, create a Network Load Balancer (NLB) in each Availability Zone where your service is deployed. Ensure it’s configured to route traffic to your target service (for example, EC2 instances or ECS tasks).
- In AWS, create a VPC endpoint service and associate it with the NLBs you’ve provisioned. This endpoint service will expose your AWS application over PrivateLink.
- Grant access to by allowing the following AWS account to connect to your endpoint service:
- Note the service name generated by AWS for your endpoint service. It will follow this format:
- Contact your Matillion account representative to request that PrivateLink be enabled on your account. You will need to provide:
  - The VPC endpoint service name.
  - The Private DNS hostname (if enabled).
- When initiates the connection, you will receive a confirmation request on the Endpoint Connections page of the AWS console, under the VPC service. When you receive the confirmation, you must accept the connection request. If you’ve enabled automatic acceptance in the endpoint service settings, this step is not required.
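A pre-flight review of the endpoint service before you share its name, as an added example that is not part of Matillion's documentation: it checks the service name format, the two regions listed in the prerequisites, the NLB association and the allow-list. The input is constructed JSON shaped like the output of `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions`; the principal ARN and every ID are placeholders, so substitute the account you were told to allow.

```python
import re

# Regions the prerequisites list for the VPC endpoint service.
SUPPORTED_REGIONS = {"eu-west-1", "us-east-1"}
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.(vpce-svc-[0-9a-f]{17})$")


def review_endpoint_service(config, permissions, expected_principal):
    """Return findings for one endpoint service; an empty list means nothing to fix."""
    findings = []
    name = config.get("ServiceName", "")
    match = SERVICE_NAME_RE.match(name)
    if not match:
        findings.append(f"unexpected service name format: {name!r}")
    else:
        region, service_id = match.groups()
        if region not in SUPPORTED_REGIONS:
            findings.append(f"{region} is not a listed region; cross-region needs a Transit Gateway")
        if service_id != config.get("ServiceId"):
            findings.append("ServiceId does not match the service name")
    if not config.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer associated")
    # The allow-list should contain the expected account and nothing else.
    allowed = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    if expected_principal not in allowed:
        findings.append("expected principal is not allow-listed")
    for extra in sorted(allowed - {expected_principal}):
        findings.append(f"unexpected allowed principal: {extra}")
    # Automatic acceptance removes the manual approval step, so the allow-list is the only gate.
    if not config.get("AcceptanceRequired", True) and allowed != {expected_principal}:
        findings.append("auto-acceptance is on while the allow-list is broader than intended")
    return findings


# Constructed sample data; the account IDs, service ID and NLB ARN are placeholders.
PLACEHOLDER_PRINCIPAL = "arn:aws:iam::111122223333:root"
GOOD_CONFIG = {
    "ServiceId": "vpce-svc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.vpce.eu-west-1.vpce-svc-0123456789abcdef0",
    "AcceptanceRequired": True,
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:eu-west-1:444455556666:loadbalancer/net/example-nlb/0123456789abcdef"],
}
GOOD_PERMS = {"AllowedPrincipals": [{"PrincipalType": "Account", "Principal": PLACEHOLDER_PRINCIPAL}]}
RISKY_CONFIG = dict(GOOD_CONFIG, AcceptanceRequired=False,
                    ServiceName="com.amazonaws.vpce.ap-southeast-2.vpce-svc-0123456789abcdef0")
RISKY_PERMS = {"AllowedPrincipals": [{"PrincipalType": "All", "Principal": "*"}]}

if __name__ == "__main__":
    for finding in review_endpoint_service(RISKY_CONFIG, RISKY_PERMS, PLACEHOLDER_PRINCIPAL):
        print("FINDING:", finding)
```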
Useful links
You may also wish to explore
- Authenticating users by Single Sign-On (SSO).
- Using SSH tunnelling to connect to network-secured databases.
- Connecting Hybrid-SaaS agents via AWS PrivateLink

