Skip to main content
If your Elementum organization runs on AWS, you can connect to your Snowflake account over AWS PrivateLink instead of the public internet. PrivateLink creates a private connection between Elementum’s AWS Virtual Private Cloud (VPC) and your Snowflake VPC, so CloudLink traffic stays on the AWS network. This is offered as an alternative to IP whitelisting for customers with stricter security or compliance requirements.

How it works

End users still reach Elementum over the public internet, but data traffic between Elementum and your Snowflake account is routed through an Amazon PrivateLink endpoint inside AWS. Elementum supports PrivateLink to customer Snowflake accounts in any AWS region with PrivateLink support. PrivateLink is a good fit when:
  • Your Elementum organization is hosted on AWS.
  • Your Snowflake account is on AWS in a region with PrivateLink support and is on the Business Critical Snowflake edition (or higher).
  • Your security or compliance program requires data traffic to bypass the public internet.
  • You want to block all public access to Snowflake and only allow connections from your corporate network and Elementum.
If any of these don’t apply, the standard IP-whitelisted CloudLink setup is still secure (encrypted in transit with TLS) and is the simpler option.

Prerequisites

1

Elementum on AWS

Confirm with your Elementum representative that your organization is deployed on AWS. PrivateLink is not available for Elementum organizations on other clouds.
2

Snowflake edition and region

Your Snowflake account must be on AWS, in a region with PrivateLink support, and on the Business Critical edition or higher. PrivateLink is not available on Standard or Enterprise editions.
3

Snowflake ACCOUNTADMIN access

You need a user with the ACCOUNTADMIN role to authorize PrivateLink and retrieve the configuration.
4

Snowflake CloudLink in place

PrivateLink replaces the IP whitelist on an existing or planned Snowflake CloudLink connection. The rest of the CloudLink setup — service user, role, warehouse, and key-pair authentication — is still required.

Setup workflow

The customer-side setup happens in your Snowflake account. Elementum handles the consumer-side AWS VPC endpoint, DNS, and CloudLink hostname configuration.
Provisioning the Elementum-side VPC endpoint is handled by Elementum support. The steps below are the Snowflake actions you complete in your own account so Elementum can finish wiring up the connection.
1

Contact Elementum to initiate PrivateLink

Open a request with your Elementum representative or Elementum support. They will provide the AWS account identifier you authorize on your Snowflake account in the next step. Compare your Snowflake account’s AWS region against Elementum’s hosting regions and call out the mismatch in your request if your Snowflake account is in a different region, so the team can configure cross-region endpoint settings.
2

Generate an AWS federation token

SYSTEM$AUTHORIZE_PRIVATELINK requires a federated token from your AWS account. Generate one with the AWS CLI:
aws sts get-federation-token --name elementum-privatelink
Save the JSON output — you’ll pass it to Snowflake in the next step.
The federated token expires 12 hours after it’s generated. If authorization or verification fails because of an expired token, run aws sts get-federation-token again and re-issue the Snowflake command with the fresh token.
3

Authorize Elementum's AWS account on your Snowflake account

Using the ACCOUNTADMIN role, call SYSTEM$AUTHORIZE_PRIVATELINK with the AWS account ID Elementum gave you and the federated token from the previous step:
USE ROLE ACCOUNTADMIN;

SELECT SYSTEM$AUTHORIZE_PRIVATELINK(
  '<ELEMENTUM_AWS_ACCOUNT_ID>',
  '<FEDERATED_TOKEN_JSON>'
);
Replace ELEMENTUM_AWS_ACCOUNT_ID with the 12-digit AWS account ID Elementum provided, and FEDERATED_TOKEN_JSON with the full JSON output from aws sts get-federation-token.
4

Verify the authorization

Confirm the authorization succeeded by calling SYSTEM$GET_PRIVATELINK with the same arguments:
SELECT SYSTEM$GET_PRIVATELINK(
  '<ELEMENTUM_AWS_ACCOUNT_ID>',
  '<FEDERATED_TOKEN_JSON>'
);
A successful response returns Account is authorized for PrivateLink.
5

Retrieve the PrivateLink configuration for Elementum

Get your account’s PrivateLink endpoint details by calling SYSTEM$GET_PRIVATELINK_CONFIG:
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
Share the JSON output with your Elementum contact. Elementum primarily needs:
  • privatelink-account-url — the private hostname for your Snowflake account
  • privatelink-vpce-id — the VPC endpoint service identifier
  • privatelink-ocsp-url — the OCSP cache server hostname
Elementum uses these values to provision the VPC endpoint on the Elementum side and update the CloudLink hostname.
6

Confirm connectivity from Elementum

After Elementum confirms the endpoint is provisioned, open Settings > CloudLinks in Elementum, edit the Snowflake connection (or create a new one following the Connecting Snowflake to Elementum guide), and click Test Connection. A successful test confirms traffic is flowing over PrivateLink.

Block public access to Snowflake

After PrivateLink is verified, you can tighten security further by restricting your Snowflake account to PrivateLink and your corporate network only. Add a Snowflake network policy that allows only your corporate CIDR ranges and activate it for the account.
Once PrivateLink is in place for Elementum, the Elementum public IP allow list (44.210.166.136, 44.209.114.114, etc.) is no longer required for Elementum traffic. You can safely remove those IPs from your Snowflake network policy after confirming the PrivateLink connection is healthy.

Cross-region considerations

Elementum hosts its production AWS environments in two regions:
Elementum environmentAWS regionRegion name
PRODus-east-1US East (N. Virginia)
PROD-EUeu-central-1EU Central (Frankfurt)
If your Snowflake account is in the same AWS region as the Elementum environment hosting your organization, no cross-region configuration is needed. If your Snowflake account is in a different region, AWS PrivateLink still supports the connection, but Elementum needs to enable cross-region endpoint settings during provisioning — flag the region mismatch in your initial request. Cross-region PrivateLink is not supported for some Snowflake platform-as-a-service traffic (for example, Amazon S3 internal stages) — see Snowflake’s AWS PrivateLink documentation for the current matrix.

Troubleshooting

SYSTEM$AUTHORIZE_PRIVATELINK and SYSTEM$GET_PRIVATELINK require a federated token that’s still valid. The token from aws sts get-federation-token expires after 12 hours. Regenerate the token and re-run the Snowflake command. Confirm you used the same AWS account ID Elementum provided, with no extra whitespace or quoting issues in the JSON value.
Verify Elementum has finished provisioning the VPC endpoint on its side and that the CloudLink Account URL has been updated to the privatelink hostname returned by SYSTEM$GET_PRIVATELINK_CONFIG (it should contain .privatelink.snowflakecomputing.com). If the CloudLink still points at the public account URL, traffic continues to use the public route. You can also call SYSTEM$ALLOWLIST_PRIVATELINK in your Snowflake account to list the hostnames that should be reachable over the private endpoint.

Additional resources

Snowflake: AWS PrivateLink

Snowflake’s reference documentation for AWS PrivateLink, including all supported system functions and limitations.

AWS: What is AWS PrivateLink?

AWS overview of PrivateLink concepts, security model, and VPC endpoint architecture.

Connecting Snowflake to Elementum

Complete CloudLink setup for Snowflake — service user, role, warehouse, and key-pair authentication.

CloudLink overview

How CloudLink connections work across Snowflake, BigQuery, Databricks, and REST APIs.