Snowflake Egress IPs: The Missing Piece for Predictable Outbound Connectivity

Connecting your Snowflake environment to a partner's SFTP server, a database behind a corporate firewall or a secure third-party API is a critical workflow for modern data teams. To support these requirements, Snowflake is delivering egress IPs: an infrastructure enhancement designed to help enable seamless, secure interoperability with external systems.
Snowflake runs on public cloud infrastructure (AWS, Azure, Google Cloud Platform), utilizing dynamic pools of IP addresses to ensure scalability. While this architecture offers immense flexibility, security teams managing external resources often require IP addresses for allowlisting.
Snowflake egress IPs bridge this gap. This feature provides a specific, infrastructure-level set of IP addresses for your public outbound traffic, streamlining firewall configurations and extending your ability to integrate with secure ecosystems.
Evolving beyond traditional workarounds
Previously, teams navigated connectivity requirements through methods that required balancing access with complexity. Egress IPs offer a streamlined alternative that optimizes existing approaches by doing the following:
Optimizing allowlists: Rely on a small, predictable list of egress IP address ranges, eliminating the need for broad cloud provider IP pools.
Reducing infrastructure overhead: This feature can reduce or eliminate the need to build and maintain complex proxy infrastructure solely for IP allowlisting, depending on your architecture.
Simplifying compliance: This enables easier adherence to strict security requirements without needing to negotiate security exceptions with partners.
Understanding the outbound connectivity hierarchy
It is helpful to view egress IPs as part of Snowflake’s broader, tiered strategy for secure networking. Traffic is routed through the most secure and optimized path available based on Snowflake’s networking architecture:
Private connectivity (CSP native): For resources within your own cloud environment, Snowflake utilizes cloud-native connectivity such as AWS PrivateLink, Azure Private Link or GCP Private Service Connect. Traffic remains entirely within the provider's network.
Cloud provider service endpoints (CSP native for applicable services): Snowflake automatically routes through optimized paths, keeping traffic within the cloud provider's secure infrastructure, for supported resources.
Public internet with egress IPs: For external resources reachable over the public internet — such as third-party APIs or vendor SFTPs — Snowflake now utilizes stable, predictable IP addresses. This allows public outbound traffic to be identifiable.
How egress IPs work

By transitioning outbound traffic from dynamic cloud provider pools to a controlled set of IPs, Snowflake delivers enhanced stability. Snowflake egress IPs are:
Managed by Snowflake: These IPs are owned and controlled directly by Snowflake, providing greater autonomy from broad cloud provider IP pool changes.
Stable, predictable and concise: You manage a small, specific set of IP address ranges rather than massive CSP IP address ranges.
Set to expire after 90 days: Addresses come with a 90-day expiration to ensure that users automate firewall rules for any updates.
Getting your Snowflake egress IPs
The specific list of IP ranges can be retrieved efficiently using a single SQL command.
SELECT SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES();
The command returns a JSON array of objects that includes the IP range, its effective date (when the range will start carrying traffic) and its expiration date. For example:
[
  {"ipv4_prefix": "153.45.150.0/24",
   "effective": "2025-01-01T00:00:00Z", "expires": "2025-05-30T23:59:59Z"},
  {"ipv4_prefix": "153.45.151.0/24",
   "effective": "2025-01-01T00:00:00Z", "expires": "2025-06-30T23:59:59Z"}
]
Real-world scenarios
This feature extends Snowflake's capabilities across several common use cases, including SPCS, Openflow on SPCS, ServiceNow Connector and Snowpark External Access, and enables:
Cross-cloud and cross-region connectivity: Enable a Snowflake account on one cloud (such as AWS) to securely access resources on another cloud (such as Azure SQL Database) or in different regions, bridging multi-cloud and multiregion environments.
On-premises access: Allow ERP systems or other databases behind corporate firewalls to communicate with Snowflake in the cloud without exposing the network to broad public IP ranges.
Partner and third-party API integration: Securely sync data with major SaaS platforms (such as Salesforce) that enforce strict IP allowlisting for API access.
Best practices for deployment
To maximize the value of egress IPs, consider the following operational best practices:
Automate retrieval: These IPs are stable but not static, so we recommend automating the retrieval of the latest ranges so that firewall rules remain current. Changes to those IPs are considered infrastructure updates and are not treated as feature behavior changes.
Select the right connectivity tier: Always align your method with the resource location.
- Private connectivity: Best for cloud service provider native resources.
- Service endpoints: For supported cloud service provider native resources.
- Egress IPs: The standard for public internet resources.
Implement defense in depth: IP allowlisting is a network perimeter measure. It does not replace or mitigate the need for other essential security controls, such as strong authentication (for example, OAuth or API keys) or end-to-end encryption (TLS).
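One way to automate the retrieval step, shown as an added example that is not Snowflake's code: it takes the JSON returned by SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() and computes which firewall rules to add, which to remove and which are close to expiry. The function names, the 14-day warning window and the /16 sanity bound are assumptions, and the sample data is constructed in the shape shown earlier on this page.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the page shows for
# SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES(); not real query output.
SAMPLE = """[
  {"ipv4_prefix": "153.45.150.0/24",
   "effective": "2025-01-01T00:00:00Z", "expires": "2025-05-30T23:59:59Z"},
  {"ipv4_prefix": "153.45.151.0/24",
   "effective": "2025-01-01T00:00:00Z", "expires": "2025-06-30T23:59:59Z"}
]"""

def parse_ts(value):
    """Parse the UTC timestamps used in the range list."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def plan_allowlist(raw_json, managed_rules, now, warn_days=14, min_prefixlen=16):
    """Return (to_add, to_remove, expiring_soon) as sorted CIDR lists.

    managed_rules: CIDRs currently allowlisted *for Snowflake only*
    (assumption: the firewall tags them so unrelated rules are never passed in).
    """
    entries = json.loads(raw_json)
    if not isinstance(entries, list) or not entries:
        # Fail safe: an empty or malformed answer must not wipe the allowlist.
        raise ValueError("unexpected egress range list")
    wanted, expiring = set(), set()
    for entry in entries:
        net = ipaddress.ip_network(entry["ipv4_prefix"], strict=True)
        if net.version != 4 or net.prefixlen < min_prefixlen:
            # Assumed sanity bound: never auto-allow a very broad prefix.
            raise ValueError(f"refusing broad or non-IPv4 prefix {net}")
        effective, expires = parse_ts(entry["effective"]), parse_ts(entry["expires"])
        if effective >= expires:
            raise ValueError(f"inconsistent dates for {net}")
        if expires <= now:
            continue  # expired: leave it out so the old rule is removed
        # Not-yet-effective ranges are pre-staged so traffic is never blocked.
        wanted.add(str(net))
        if expires - now <= timedelta(days=warn_days):
            expiring.add(str(net))
    current = {str(ipaddress.ip_network(r)) for r in managed_rules}
    return sorted(wanted - current), sorted(current - wanted), sorted(expiring)
```

Run it on a schedule shorter than the warning window and feed the three lists to your firewall tooling and alerting.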
The bottom line
Snowflake egress IPs represent a significant step forward in operational efficiency by enabling predictable egress IPs for external systems.
Note: The feature is currently generally available for Snowpark External Access, SPCS External Access, Openflow on SPCS and ServiceNow Connector for Snowflake AWS accounts. Please refer to the official documentation for specific availability and implementation details.


