nerdexam
Snowflake

SOL-C01 · Question #63

A Snowflake administrator is configuring network policies for their organization. They need to restrict access to their Snowflake account to only specific IP addresses associated with their corporate

The correct answer is A. The network policy was not activated at the account level correctly. Check using `SHOW B. There is another network policy active at the user level that overrides the account-level policy. D. The `BLOCKED IP LIST in the network policy is configured incorrectly, inadvertently allowing traffic. Snowflake network policies can fail to block users for several valid reasons. A is correct because an improperly activated account-level policy won't enforce restrictions - you should verify activation with SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT to confirm the correct p

Snowflake Account and Security

Question

A Snowflake administrator is configuring network policies for their organization. They need to restrict access to their Snowflake account to only specific IP addresses associated with their corporate network. They create a network policy with an 'ALLOWED IP LIST. After activating the policy at the account level, users from outside the allowed IP range are still able to connect. Which of the following reasons could explain why this is happening? (Choose all that apply)

Options

  • AThe network policy was not activated at the account level correctly. Check using `SHOW
  • BThere is another network policy active at the user level that overrides the account-level policy.
  • CSnowflake does not enforce network policies until the virtual warehouse is restarted.
  • DThe `BLOCKED IP LIST in the network policy is configured incorrectly, inadvertently allowing traffic
  • EThe user is connecting through a VPN that uses an IP address within the 'ALLOWED_IP_LIST.

How the community answered

(36 responses)
  • A
    64% (23)
  • C
    14% (5)
  • E
    22% (8)

Explanation

Snowflake network policies can fail to block users for several valid reasons. A is correct because an improperly activated account-level policy won't enforce restrictions - you should verify activation with SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT to confirm the correct policy name is actually assigned. B is correct because Snowflake's network policy hierarchy means a user-level policy overrides the account-level policy for that specific user, so a user with their own (less restrictive or absent) policy bypasses the account restriction entirely. D is correct because in Snowflake, the BLOCKED_IP_LIST takes precedence over the ALLOWED_IP_LIST - a misconfigured BLOCKED list (e.g., entries that inadvertently exempt certain IPs or logic errors from confusing the two lists) can create unintended access gaps.

C is wrong because network policies are session-level controls enforced at login time; they have nothing to do with virtual warehouse state or restarts. E is wrong because a user connecting via VPN with an IP inside the ALLOWED_IP_LIST is the policy working correctly - that's authorized access, not a misconfiguration causing unauthorized access.

Memory tip: Think "UAB" - User overrides Account, Activation must be verified, Blocked beats Allowed. These are the three failure points worth memorizing for network policy troubleshooting on the exam.

Topics

#Network Policies#IP Access Control#Policy Hierarchy#Account Security

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice