nerdexam
Snowflake

SOL-C01 · Question #79

A Snowflake account has the following network policy configured: { "name": "corporate_network", "allowed_ip_list": ["192.168.1.0/24", "10.0.0.10"], "blocked_ip_list": ["192.168.1.5", "10.0.0.0/16"] }

The correct answer is A. 192.168.1.10 D. 10.0.0.10. Options A (192.168.1.10) and D (10.0.0.10) are allowed because Snowflake applies a specificity rule: an explicitly listed single IP in the allowed list overrides a CIDR range in the blocked list, while a CIDR range in the blocked list overrides a CIDR range in the allowed list. 1

Snowflake Account and Security

Question

A Snowflake account has the following network policy configured: { "name": "corporate_network", "allowed_ip_list": ["192.168.1.0/24", "10.0.0.10"], "blocked_ip_list": ["192.168.1.5", "10.0.0.0/16"] } Assuming this policy is active for the entire Snowflake account, which of the following IP addresses would be allowed to connect to Snowflake?

Options

  • A192.168.1.10
  • B10.0.0.15
  • C192.168.1.5
  • D10.0.0.10
  • E172.16.0.1

How the community answered

(32 responses)
  • A
    69% (22)
  • B
    16% (5)
  • C
    6% (2)
  • E
    9% (3)

Explanation

Options A (192.168.1.10) and D (10.0.0.10) are allowed because Snowflake applies a specificity rule: an explicitly listed single IP in the allowed list overrides a CIDR range in the blocked list, while a CIDR range in the blocked list overrides a CIDR range in the allowed list. 192.168.1.10 falls within the allowed /24 subnet and has no matching block entry, so it passes freely. 10.0.0.10 is explicitly listed in the allowed list as a single IP, which is more specific than the blocking /16 range - so the explicit allowance wins.

Why the distractors fail:

  • B (10.0.0.15): Not in the allowed list at all (only 10.0.0.10 was explicitly allowed), and it falls inside the blocked 10.0.0.0/16 range - double-denied.
  • C (192.168.1.5): Even though it's covered by the allowed /24 range, it is explicitly listed in the blocked list as a single IP. A specific blocked entry overrides a range-based allowance.
  • E (172.16.0.1): Not present in the allowed list whatsoever - Snowflake's default posture is deny-unless-allowed.

Memory tip: Think of it as a specificity contest - explicit single-IP entries beat CIDR ranges, and the blocked list wins ties. The phrase "more specific beats less specific; blocked beats allowed at equal specificity" covers all the cases on this exam.

Topics

#Network Policy#IP Restrictions#CIDR Notation#Access Control

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice