Private connectivity for Streamlit in Snowflake
This topic describes using private connectivity when accessing Streamlit in Snowflake.
Configuring access to Snowflake
- Set up private connectivity for your Snowflake account for a supported service:
- Set up private connectivity for Snowsight.
Configuring access to Streamlit in Snowflake
To determine the hostname, call SYSTEM$GET_PRIVATELINK_CONFIG in your Snowflake account.
The Streamlit hostname is displayed under the app-service-privatelink-url key, which is the wildcard URL required for
routing Streamlit application traffic through a private connectivity service, such as AWS PrivateLink.
Note
You can set up a new VPC endpoint for Streamlit or create a DNS record to the same VPC endpoint of your Snowflake account, as shown in the following example:
- Record name: *.<identifier>.privatelink.snowflake.app
- Type: CNAME
- Route traffic to: same VPC as your Snowflake traffic.
You can enable per-account hostname routing by setting the
ENABLE_PER_ACCOUNT_APP_SERVICE_PRIVATELINK_URL
account parameter to TRUE. When enabled, the app-service-privatelink-url key returned by the
SYSTEM$GET_PRIVATELINK_CONFIG function returns a
per-account wildcard hostname. Prior to enablement, the app-service-privatelink-url-next key will
return this value.
- Record name: *.orgname-account-name.region.cloud.privatelink.snowflake.app
- Type: CNAME
- Route traffic to: same VPC as your Snowflake traffic.
This per-account CNAME replaces the deployment-scoped wildcard and can be used for all app services in your account. Update your private DNS entries and firewall rules to use the new URL format before enabling the parameter.
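A pre-enablement check for the DNS guidance above, written as an added example (it is not Snowflake's code): it reads the two app-service keys from the SYSTEM$GET_PRIVATELINK_CONFIG output, reports wildcard CNAMEs still missing from the private zone, and flags app hostnames that resolve outside the VPC. The sample values, the function names, and the assumption that the caller supplies the zone's record names, the resolved addresses and the VPC CIDRs are all hypothetical.

```python
import ipaddress
import json

# Constructed sample of SYSTEM$GET_PRIVATELINK_CONFIG output. Only the two key
# names come from the page; the values are placeholders.
SAMPLE_CONFIG = json.dumps({
    "app-service-privatelink-url": "*.abc123.privatelink.snowflake.app",
    "app-service-privatelink-url-next":
        "*.myorg-myaccount.us-west-2.aws.privatelink.snowflake.app",
})
SUFFIX = ".privatelink.snowflake.app"


def required_wildcards(config_json):
    """Wildcard names private DNS must serve: the current one and, if present,
    the per-account one that takes over when the parameter is set to TRUE."""
    cfg = json.loads(config_json)
    names = [cfg.get(k) for k in ("app-service-privatelink-url",
                                  "app-service-privatelink-url-next")]
    # Assumption: values may or may not carry the leading "*."; normalize.
    names = ["*." + n.lower().removeprefix("*.") for n in names if n]
    if not names:
        raise ValueError("no app-service-privatelink-url key in config")
    for n in names:
        if not n.endswith(SUFFIX):
            raise ValueError(f"unexpected app service hostname: {n}")
    return names


def missing_records(config_json, zone_cnames):
    """Required wildcards that have no CNAME in the private zone yet."""
    have = {r.lower().rstrip(".") for r in zone_cnames}
    return [n for n in required_wildcards(config_json) if n not in have]


def answers_outside_vpc(resolved, vpc_cidrs):
    """Map hostname -> resolved addresses that fall outside the VPC ranges,
    meaning that name is not being routed to the private endpoint."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    leaks = {}
    for host, addrs in resolved.items():
        bad = [a for a in addrs
               if not any(ipaddress.ip_address(a) in n for n in nets)]
        if bad:
            leaks[host] = bad
    return leaks
```

An empty result from `missing_records` and from `answers_outside_vpc` is the state to reach before setting ENABLE_PER_ACCOUNT_APP_SERVICE_PRIVATELINK_URL to TRUE.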
Security considerations
Streamlit in Snowflake apps serve both HTTPS-encrypted traffic and WebSocket-encrypted traffic. The Streamlit browser client application is mounted in a third-party, cross-origin iframe within Snowsight. This enables strict cross-site browser isolation control.
Streamlit in Snowflake uses a separate URL scheme for specific security requirements. Streamlit URLs have their own top-level domain with no shared elements with Snowsight. Each Streamlit app has a unique origin.
Note
When using AWS PrivateLink or Azure Private Link, you control the DNS resolution; there are no PrivateLink DNS records controlled by Snowflake.