SOL-C01 · Question #79
A Snowflake account has the following network policy configured: { "name": "corporate_network", "allowed_ip_list": ["192.168.1.0/24", "10.0.0.10"], "blocked_ip_list": ["192.168.1.5", "10.0.0.0/16"] }
The correct answer is A. 192.168.1.10 D. 10.0.0.10. Options A (192.168.1.10) and D (10.0.0.10) are allowed because Snowflake applies a specificity rule: an explicitly listed single IP in the allowed list overrides a CIDR range in the blocked list, while a CIDR range in the blocked list overrides a CIDR range in the allowed list. 1
Question
A Snowflake account has the following network policy configured: { "name": "corporate_network", "allowed_ip_list": ["192.168.1.0/24", "10.0.0.10"], "blocked_ip_list": ["192.168.1.5", "10.0.0.0/16"] } Assuming this policy is active for the entire Snowflake account, which of the following IP addresses would be allowed to connect to Snowflake?
Options
- A192.168.1.10
- B10.0.0.15
- C192.168.1.5
- D10.0.0.10
- E172.16.0.1
How the community answered
(32 responses)- A69% (22)
- B16% (5)
- C6% (2)
- E9% (3)
Explanation
Options A (192.168.1.10) and D (10.0.0.10) are allowed because Snowflake applies a specificity rule: an explicitly listed single IP in the allowed list overrides a CIDR range in the blocked list, while a CIDR range in the blocked list overrides a CIDR range in the allowed list. 192.168.1.10 falls within the allowed /24 subnet and has no matching block entry, so it passes freely. 10.0.0.10 is explicitly listed in the allowed list as a single IP, which is more specific than the blocking /16 range - so the explicit allowance wins.
Why the distractors fail:
- B (10.0.0.15): Not in the allowed list at all (only
10.0.0.10was explicitly allowed), and it falls inside the blocked10.0.0.0/16range - double-denied. - C (192.168.1.5): Even though it's covered by the allowed
/24range, it is explicitly listed in the blocked list as a single IP. A specific blocked entry overrides a range-based allowance. - E (172.16.0.1): Not present in the allowed list whatsoever - Snowflake's default posture is deny-unless-allowed.
Memory tip: Think of it as a specificity contest - explicit single-IP entries beat CIDR ranges, and the blocked list wins ties. The phrase "more specific beats less specific; blocked beats allowed at equal specificity" covers all the cases on this exam.
Topics
Community Discussion
No community discussion yet for this question.