Area: Ingestion Issues
Sub-Area: Snowflake Connector Connectivity
Issue
When running Snowflake ingestion from a DataHub Cloud (managed SaaS) environment, the connection attempt may be rejected by a Snowflake network policy before any metadata is collected. This occurs because DataHub Cloud routes outbound ingestion traffic through a fixed set of NAT Gateway egress IPs, and if those IPs are not present in the Snowflake account's network policy allowlist, Snowflake will refuse the connection at the network layer. This is not a DataHub product defect — it is expected behavior for any managed SaaS deployment where outbound IPs are fixed and must be explicitly permitted by the target data source.
Error Messages
250001 (08001): Failed to connect to DB: <your-account>.snowflakecomputing.com:443. Incoming request with IP/Token <egress-ip> is not allowed to access Snowflake. Contact your account administrator.
You Might Be Asking
- Why is my Snowflake ingestion failing with an IP not allowed error even though my credentials are correct?
- What IP addresses does DataHub Cloud use to connect to Snowflake?
- How do I allowlist DataHub Cloud egress IPs in my Snowflake network policy?
- Can I avoid IP allowlisting by using a self-hosted Remote Executor instead?
Solution
-
Identify the egress IP being blocked.
The IP address is shown directly in the Snowflake error message. It will appear in the format:
Incoming request with IP/Token <egress-ip> is not allowed to access Snowflake.Note this IP. If you are unsure of all egress IPs used by your DataHub Cloud environment, contact DataHub Support to obtain the full list for your deployment region, as your environment may use more than one NAT Gateway IP.
-
Identify the active Snowflake network policy on the target account.
Log in to Snowflake as an account administrator and run the following query to see the network policy applied at the account level:
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;If the network policy is applied at the user level rather than the account level, run:
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER <your-datahub-service-user>; -
Add the DataHub Cloud egress IP(s) to the network policy allowlist.
Retrieve the current allowed IP list for the policy, then alter it to include the DataHub Cloud egress IP(s). Replace
<your-network-policy>,<existing-allowed-ip-list>, and<datahub-egress-ip>with your actual values:-- View existing policy definition DESCRIBE NETWORK POLICY <your-network-policy>; -- Alter the policy to add the DataHub Cloud egress IP ALTER NETWORK POLICY <your-network-policy> SET ALLOWED_IP_LIST = ( '<existing-allowed-ip-1>', '<existing-allowed-ip-2>', '<datahub-egress-ip>' );If no network policy currently exists and you need to create one that permits DataHub Cloud while restricting other traffic:
CREATE NETWORK POLICY datahub_ingestion_policy ALLOWED_IP_LIST = ('<datahub-egress-ip>') COMMENT = 'Allows DataHub Cloud ingestion egress IPs'; -
Verify connectivity.
After the Snowflake administrator has applied the updated network policy, return to your DataHub ingestion source configuration and use the Test Connection button to confirm the connection is now successful before re-running the full ingestion pipeline.
Alternative: Self-Hosted Remote Executor
If allowlisting managed SaaS egress IPs is not feasible due to your organization's security policies, you can deploy a self-hosted Remote Executor within your own network infrastructure. When ingestion jobs are routed through a Remote Executor, Snowflake connections originate from your own known, controlled network IPs rather than DataHub Cloud's egress IPs. Remote Executors require only outbound connectivity from your network — no inbound firewall rules or VPN tunnels are needed on the DataHub side.
Additional Notes
- DataHub Cloud environments may use more than one NAT Gateway egress IP (for example, across availability zones or following infrastructure changes). If connectivity still fails after adding the IP shown in the error message, contact DataHub Support to confirm all active egress IPs for your specific deployment region and cluster.
- In rare cases, a DataHub Cloud infrastructure event (such as a NAT Gateway replacement) may result in a new egress IP being assigned. If ingestion was previously working and stopped unexpectedly with this error, contact DataHub Support to verify whether your environment's egress IP has changed.
- This requirement applies to all UI-managed ingestion sources running on DataHub Cloud. Ingestion sources running via a self-hosted Remote Executor or a local CLI will use different source IPs and are not affected by this specific scenario.
- Snowflake network policies can be applied at the account level or the user level. Ensure the policy being updated is the one actually applied to the service account used by DataHub for ingestion.
Related Documentation
- DataHub Metadata Ingestion Security — IP Allowlisting Requirements
- Setting Up a Remote Ingestion Executor
- Snowflake Connector Configuration and Authentication
- Snowflake Documentation: Network Policies
Tags: snowflake, ingestion, network-policy, ip-allowlist, connectivity, managed-datahub, remote-executor, egress-ip, firewall, saas