Snowflake currently does not allow unauthenticated public internet access to any service on its platform. Since any experiments running outside of Snowflake will ultimately need access to the Variant API running inside the application, Winning Variant provides a reverse proxy to route traffic securely into your Snowflake account.

In order to keep our promise of data control and privacy, we provide instructions below on how to set up this reverse proxy within your own cloud environment. Alternatively, Winning Variant is happy to host this for you as a managed service offering.

1. Create a role

Create a role in your account that will be mapped to the app's role; that app role only has access to the Variant API endpoint, so the new role carries no other privileges. You can name it whatever you like, but we use WVPROXY in our examples:

CREATE ROLE WVPROXY;

2. Create a dedicated user

Create a user that will be used by the reverse proxy to access the services running in the Winning Variant native app.

3. Enable key pair authentication for this user.

4. Assign your new user to your new role

For example:

GRANT ROLE WVPROXY TO USER <new user>;

Alternatively, you can grant this new role to an existing role in your account:

GRANT ROLE WVPROXY TO ROLE <existing role>;

5. Map your account role to the app role

Within the Winning Variant app settings, map your role to the PROXY application role created by the app. This will give it usage of the service that serves the Variant API.

6. Deploy Reverse Proxy

Winning Variant will provide you with access to a Docker image that allows you to run a modified nginx service in your own cloud region. This gives you complete control of the service and the data that passes through the reverse proxy while allowing you to deploy it in the same region as your Snowflake account.

When deploying, you’ll provide environment variables unique to your setup, including the Variant API ingress URL, your new user’s username, and the private key used for authentication.

Other considerations

Snowflake Network Ingress Policy

If your organization enforces network policies, you may need to create an ingress policy to allow traffic from your reverse proxy. Read Controlling network traffic with network policies for details.

For example, if your reverse proxy has an egress IP address of '10.0.0.0', create a network rule for it (a network rule only takes effect once it is referenced from a network policy):

CREATE NETWORK RULE winning_variant_variantapi TYPE = IPV4 VALUE_LIST = ('10.0.0.0/32');
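The following is an added example, not taken from the Winning Variant documentation, that carries steps 1 through 4 and the network rule above through to an enforced configuration: a key-pair-only service user, the role grant, and a network policy that references the rule and is attached to that user only. The user name WVPROXY_USER, the policy name winning_variant_proxy_policy, and the public key value are assumptions; substitute your own.

```sql
-- Added example (not from the Winning Variant docs). Run with a role that can
-- create users and network policies (e.g. SECURITYADMIN) and with a database
-- and schema selected, because network rules are schema-scoped objects.

-- 1. Least-privilege role that will be mapped to the app's PROXY application role.
CREATE ROLE IF NOT EXISTS WVPROXY;

-- 2./3. Dedicated service user with key pair authentication only.
-- TYPE = SERVICE rejects interactive (password/SSO) logins, so the private key
-- held by the reverse proxy is the only usable credential.
CREATE USER IF NOT EXISTS WVPROXY_USER
  TYPE = SERVICE
  RSA_PUBLIC_KEY = 'MIIBIjANBgkq...'   -- placeholder: your public key, without BEGIN/END lines
  DEFAULT_ROLE = WVPROXY
  COMMENT = 'Identity used by the Winning Variant reverse proxy';

-- 4. Bind the user to the role.
GRANT ROLE WVPROXY TO USER WVPROXY_USER;

-- (Step 5, mapping WVPROXY to the app's PROXY role, is done in the app settings.)

-- Network rule for the proxy's egress address (placeholder value from the docs).
CREATE NETWORK RULE IF NOT EXISTS winning_variant_variantapi
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('10.0.0.0/32');

-- The policy is what actually enforces the rule.
CREATE NETWORK POLICY IF NOT EXISTS winning_variant_proxy_policy
  ALLOWED_NETWORK_RULE_LIST = ('winning_variant_variantapi')
  COMMENT = 'Only the reverse proxy egress address may authenticate as WVPROXY_USER';

-- Attach the policy to the service user only, so other users are unaffected.
ALTER USER WVPROXY_USER SET NETWORK_POLICY = winning_variant_proxy_policy;

-- Verify: TYPE should be SERVICE, RSA_PUBLIC_KEY_FP set, and the policy attached.
DESCRIBE USER WVPROXY_USER;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER WVPROXY_USER;
```

Because the policy is set at user level, a login as WVPROXY_USER from any address other than the proxy's egress address is refused even if the private key has been copied elsewhere.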

Firewall

We recommend putting this service behind a web application firewall (WAF) to help mitigate threats such as DDoS attacks. Additionally, to reduce load on the underlying Snowflake compute in the event of an attempted attack, you can restrict the proxy to accept requests only for the /assignments and /healthz endpoints.

Health Checks

A health check is available at /healthz, which returns a 200 status code if the service is alive and able to communicate with the appropriate Snowflake database. This health check is used by Snowpark Container Services, but you may also use it to monitor uptime.

Winning Variant would also like to monitor the uptime of your reverse proxy, so please provide the hostname of the service, when live, and add this list of IP addresses to your allowlist.