We configured Azure Private Link connectivity to our Snowflake account. The direct private link URL <accountname>.<region>.privatelink.snowflakecomputing.com
works as expected.
However, our goal is to use the public URL <accountname>.<region>.azure.snowflakecomputing.com
everywhere. It should be resolved via the private endpoint inside our VPN.
We set up an A record in the Private DNS zone azure.snowflakecomputing.com.
This A record points to the private endpoint, and nslookup <accountname>.<region>.azure.snowflakecomputing.com
confirms that:
However, it doesn't work. During the TLS handshake the wrong certificate is returned. Checked with openssl:
openssl s_client -showcerts -connect <accountname>.<region>.azure.snowflakecomputing.com:443
returns a certificate with CN = *.west-europe.privatelink.snowflakecomputing.com.
It looks like Snowflake returns the certificate based on the source IP address and not on the site name.
Question: What did I do wrong to get the desired behaviour? Does it mean that Snowflake doesn't anticipate using the public URL with a private endpoint?
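The mismatch described above can be reproduced without openssl: connect with SNI set to the public hostname, read the leaf certificate's SAN names, and compare them against the hostname using the one-label wildcard rule that TLS clients apply. The script below is an added example, not part of the question or of Snowflake's tooling; the account hostname and the SAN list in the demonstration are constructed placeholders.

```python
import socket
import ssl

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one SAN dNSName (possibly '*.example')
    against a hostname. A wildcard covers exactly one leftmost label,
    so '*.a.privatelink.example' never covers 'acct.a.azure.example'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def matching_names(san_dns_names, hostname):
    """Return the SAN entries that cover hostname (empty list = mismatch,
    which is exactly the handshake failure seen through the private endpoint)."""
    return [n for n in san_dns_names if hostname_matches(n, hostname)]

def fetch_san_dns_names(host, port=443, servername=None):
    """Open a TLS session with SNI = servername (default: host) and return the
    SAN dNSName entries of the leaf certificate. The chain is still verified
    against the system trust store; only the hostname check is disabled so a
    mismatched certificate can be inspected instead of being rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname comparison is done by us below
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    # Constructed placeholders standing in for the real account hostname and
    # the certificate named in the question; swap in fetch_san_dns_names(host)
    # to run the same comparison against a live endpoint.
    public_host = "myaccount.west-europe.azure.snowflakecomputing.com"
    san_seen = ["*.west-europe.privatelink.snowflakecomputing.com"]
    print("SAN names:", san_seen)
    print("covers", public_host, "->", matching_names(san_seen, public_host))
```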
As of today it is not possible. Snowflake doesn't support such usage of Azure Private Link. Our idea was to use the same URL everywhere and route traffic inside our VNET through the private endpoint via DNS resolution. It is not possible as of today. Only the direct private link URL can be used. The same approach works fine for storage accounts: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints