Snowflake currently does not allow unauthenticated public internet access to any service on its platform. Since any experiments running outside of Snowflake will ultimately need access to the Variant API running inside the application, you'll need a reverse proxy to route traffic securely into your Snowflake account.

In order to keep our promise of data control and privacy, we provide instructions below on how to set up this reverse proxy within your own cloud environment. Alternatively, Winning Variant is happy to discuss a managed service.

Create a dedicated user

Create a user that will be used by the reverse proxy to access your Snowflake account:

Within the application settings, map this new user to the proxy application role created by the application. This will give it usage of the service that serves the Variant API.

Reverse Proxy

We provide a few simple examples below of reverse proxies you can deploy within your own cloud. We recommend choosing the same cloud/region as the Snowflake account the application is installed into.

Amazon Web Services

Google Cloud

Cloudflare Workers

While not in the same cloud region, Cloudflare Workers provides a reliable and globally scalable alternative to a traditional web proxy.

Snowflake Network Ingress Policy

If your organization enforces network policies, you may need to create an ingress policy to allow traffic from your reverse proxy. Read "Controlling network traffic with network policies" for details.

For example, if your reverse proxy has an egress IP address of ‘10.0.0.0’:

CREATE NETWORK RULE winning_variant_variant_api TYPE = IPV4 VALUE_LIST = ('10.0.0.0/32');
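A network rule does nothing until a network policy references it and that policy is activated. The following is an added example, not part of the original instructions: it attaches the rule created above to a policy applied only to the dedicated proxy user. The policy name `winning_variant_proxy_policy` and the user name `variant_proxy_user` are placeholders; substitute the user you created earlier.

```sql
-- Run with a role allowed to create network policies and alter the user,
-- in the same database and schema as the network rule (or fully qualify
-- the rule name below).

-- Allow-list policy containing only the reverse proxy's egress address.
CREATE NETWORK POLICY winning_variant_proxy_policy
  ALLOWED_NETWORK_RULE_LIST = ('winning_variant_variant_api')
  COMMENT = 'Ingress for the Variant API reverse proxy only';

-- Scope the policy to the dedicated proxy user rather than the whole
-- account, so other users keep their existing network restrictions.
-- variant_proxy_user is a placeholder name.
ALTER USER variant_proxy_user
  SET NETWORK_POLICY = winning_variant_proxy_policy;

-- Confirm what is in the policy and that it is active on the user.
DESCRIBE NETWORK POLICY winning_variant_proxy_policy;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER variant_proxy_user;
```

A network policy set on a user takes precedence over the account-level policy for that user, so the proxy user's credentials are accepted only from the proxy's egress address.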