DNS setup for snowflake privatelink - snowflake-cloud-data-platform

I need to create a private hosted zone
".privatelink.snowflakecomputing.com" in route53
Does it have to use this domain name? Is it mandatory to have a domain created with "privatelink.snowflakecomputing.com"?

Related

Unable to obtain dns hostname of active directory domain controller with ntdsa object name while AD Authentication

Getting the message "Unable to obtain dns hostname of active directory domain controller with ntdsa object name" while authenticating with Active Directory on Windows Server 2012.
It depends on where your DNS is routing you.
Could be as simple as getting your DNS to talk to your server properly / take you to another DC in priority.
Since you just enter "the AD" here... You need to prioritise one DC since you are using more than one DC.
You can also refer to this document1 and Document2 for troubleshooting your issue.

Can you have permanent IP address with AWS Glue so that it can be whitelisted in Snowflake?

The scenario is this: Our Snowflake will only be accessible by whitelisted IP addresses. If we plan to use AWS Glue, what IP address can we use so that it will allow us to connect to Snowflake? I need a way to identify this AWS Glue job by IP address (endpoint) so that it can be identified in Snowflake. I want to use AWS Glue because it is a serverless orchestration tool.
Thanks,
D.
AWS has specified the ip-ranges of several services and regions, but Glue is currently not listed.
You can achieve the required behavior with the following workaround:
Create a VPC with private and public subnet. Public subnet's route table will have the Internet Gateway, while private subnet's route table will have the NAT Gateway configured. Assign an Elastic IP address to your NAT Gateway.
Create a Glue Connection. You may enter any arbitrary JDBC string and password, yet you will assign the VPC and private subnet you just created. Assign the security group with all the inbound and outbound traffic open.
Attach this Glue Connection to your Glue Job, and from now on all the Glue Job traffic will pass through the NAT Gateway. The NAT Gateway's IP address must be whitelisted in snowflake.
More details about Glue Connection properties. Please consider that there's an extra hop of NAT Gateway that may cause minor delays.
To add onto #amsh's answer, the NAT gateway should be created in the public subnet but assigned in the route table of the private subnet.
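The workaround above has two routing conditions that are easy to get backwards: the Glue subnet's default route must point at the NAT gateway, and the NAT gateway itself must live in a subnet whose default route is the internet gateway. The script below is an added example (not code from the thread or from AWS) that validates both conditions over route-table and NAT-gateway data in the same shape as boto3's describe_route_tables / describe_nat_gateways responses, and reports the Elastic IP that needs to be allowlisted in Snowflake. The VPC, subnet, gateway IDs and the 203.0.113.10 address are constructed sample data; real VPCs also fall back to the main route table for subnets without an explicit association, which this check assumes away.

```python
"""Validate the VPC routing layout that gives an AWS Glue job a fixed egress IP.
Added example with constructed data; it does not call AWS."""

# Constructed sample data in the shape of boto3 describe_route_tables()
# and describe_nat_gateways() results (IDs and IPs are made up).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public0001",
        "Associations": [{"SubnetId": "subnet-public0001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"},
        ],
    },
    {
        "RouteTableId": "rtb-private0001",
        "Associations": [{"SubnetId": "subnet-private0001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"},
        ],
    },
]
NAT_GATEWAYS = [
    {
        "NatGatewayId": "nat-0001",
        "SubnetId": "subnet-public0001",  # must be the public subnet
        "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}],
    }
]


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a table, or None if it has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def table_for_subnet(route_tables, subnet_id):
    """Find the route table explicitly associated with a subnet.
    Assumption: every subnet has an explicit association (no main-table fallback)."""
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
    return None


def check_glue_egress(route_tables, nat_gateways, glue_subnet_id):
    """Check that traffic from the Glue connection's subnet leaves through a
    NAT gateway that sits in a public subnet and has an Elastic IP.
    Returns {"ok": bool, "egress_ip": str|None, "findings": [str, ...]}."""
    findings = []
    egress_ip = None

    glue_rt = table_for_subnet(route_tables, glue_subnet_id)
    if glue_rt is None:
        return {"ok": False, "egress_ip": None,
                "findings": [f"no route table associated with {glue_subnet_id}"]}

    route = default_route(glue_rt)
    if route is None:
        findings.append("Glue subnet has no 0.0.0.0/0 route; the job cannot reach Snowflake")
    elif "NatGatewayId" not in route:
        # A default route to an IGW makes the subnet public: no fixed egress IP.
        findings.append(f"Glue subnet default route targets {route.get('GatewayId')} "
                        "instead of a NAT gateway; egress IP is not fixed")
    else:
        nat = next((n for n in nat_gateways
                    if n["NatGatewayId"] == route["NatGatewayId"]), None)
        if nat is None:
            findings.append(f"NAT gateway {route['NatGatewayId']} not found")
        else:
            # The NAT gateway's own subnet must route 0.0.0.0/0 to an internet gateway.
            nat_rt = table_for_subnet(route_tables, nat["SubnetId"])
            nat_route = default_route(nat_rt) if nat_rt else None
            if nat_route is None or not str(nat_route.get("GatewayId", "")).startswith("igw-"):
                findings.append(f"NAT gateway {nat['NatGatewayId']} sits in {nat['SubnetId']}, "
                                "which has no internet-gateway default route; place it in the public subnet")
            ips = [a.get("PublicIp") for a in nat.get("NatGatewayAddresses", []) if a.get("PublicIp")]
            if not ips:
                findings.append("NAT gateway has no Elastic IP allocated")
            else:
                egress_ip = ips[0]  # this is the address to allowlist in Snowflake

    return {"ok": not findings, "egress_ip": egress_ip, "findings": findings}


if __name__ == "__main__":
    result = check_glue_egress(ROUTE_TABLES, NAT_GATEWAYS, "subnet-private0001")
    print("OK, allowlist", result["egress_ip"] if result["ok"] else result["findings"])
```

Run it against real data by replacing the two constants with the `RouteTables` and `NatGateways` lists returned by boto3; the function itself only inspects dictionaries.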

How to connect snowflake privatelink from on prem server and browser?

We have setup the snowflake privatelink and its working well from AWS side.
As per my understanding, to make it work from on prem, on-prem DNS record creation needs to be taken into consideration for *.privatelink.snowflakecomputing.com, and as per the company DNS team this is not possible and it does not work as expected in the case of AWS Route 53 private DNS scope.
I could not find any useful docs in the snowflake side or any other public domain about the on premise configuration.
I need to connect to the privatelink URL or any URL from the on-prem server and browser which will take me through the VPC endpoints and land me in the Snowflake private link console. I tried to create a Network Load Balancer mapping towards the private IP addresses of the Snowflake-related VPC endpoints, but it does not work; it throws me 403 access denied.
#deb-pal regarding the point "DNS team told its not a good practice to recreate the total hosted zone records in their private DNS," your DNS team is correct that this has not been a traditional practice. However, this sort of DNS override to support private communications with SaaS and cloud is a growing practice.
Snowflake's version of this is a little more guarded than some. We do not ask you to host anything in the form <label>.snowflakecomputing.com. That would have you potentially overriding records where we are clearly authoritative. Instead we ask you to host things in the form <label>.privatelink.snowflakecomputing.com. Snowflake will never host anything in that form.
The 403 Forbidden error occurs when you try to access the Snowflake privatelink endpoint via the internet. This means that your network isn't set up to route traffic to that endpoint via your AWS VPC. You will need to ensure:
You have connectivity between your local machine and the AWS VPC. You should be able to ping an ec2 machine with a private IP address from your machine.
The on-premises DNS needs to be set up to point the privatelink.snowflakecomputing.com at the AWS endpoint. If your on-premises DNS directs machines to the public IP address, it won't work (as this will be routed through public internet).
We have seen this issue with lots of Snowflake customers. Their private link works well from the AWS Route 53 side but fails to reach the private link endpoint from on-prem.
It seems your local DNS is not able to reach Route 53 CNAME.
You will have to configure DNS forwarding to make sure it reaches Route 53 hosted zone CNAME.
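The answers above boil down to one check: from the on-prem machine, does the *.privatelink.snowflakecomputing.com name resolve to the VPC endpoint's private addresses, or to a public IP (which ends in the 403)? The script below is an added example, not code from the thread or from Snowflake, that classifies a name plus whatever addresses the local resolver returned for it. The classification logic is separated from the lookup so it can be tested with constructed addresses; the account label "ab12345" and the 10.x / 52.x addresses used in the test are made up.

```python
"""Check whether a Snowflake PrivateLink hostname resolves to private (VPC)
addresses from the machine this runs on.  Added example; not from the thread."""
import ipaddress
import socket
import sys

PRIVATELINK_SUFFIX = ".privatelink.snowflakecomputing.com"


def is_privatelink_host(hostname: str) -> bool:
    """True if the name is under the override zone Snowflake asks you to host."""
    return hostname.lower().rstrip(".").endswith(PRIVATELINK_SUFFIX)


def classify(hostname: str, addresses: list[str]) -> tuple[str, str]:
    """Classify a name together with the addresses your resolver returned for it.

    Verdicts:
      not-privatelink  name is outside *.privatelink.snowflakecomputing.com
      unresolved       resolver returned nothing (on-prem zone or forwarding missing)
      public           at least one answer is a public IP: traffic leaves via the
                       internet and the endpoint answers 403
      private          every answer is a private (RFC 1918 / ULA) address, as
                       expected for VPC endpoint network interfaces
    """
    if not is_privatelink_host(hostname):
        return "not-privatelink", f"{hostname} is not a PrivateLink name"
    if not addresses:
        return "unresolved", (f"{hostname} did not resolve; check forwarding "
                              "from on-prem DNS to the Route 53 private zone")
    public = [a for a in addresses if not ipaddress.ip_address(a).is_private]
    if public:
        return "public", f"{hostname} resolved to public address(es) {', '.join(public)}"
    return "private", f"{hostname} resolved to private address(es) {', '.join(addresses)}"


def resolve(hostname: str) -> list[str]:
    """Resolve through the local stub resolver, the same path a browser takes."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: check_privatelink_dns.py <hostname> [...]")
        sys.exit(2)
    worst = 0
    for name in sys.argv[1:]:
        verdict, detail = classify(name, resolve(name))
        print(f"[{verdict}] {detail}")
        worst = max(worst, 0 if verdict == "private" else 1)
    sys.exit(worst)
```

Run it on the on-prem host with the account URL and the other PrivateLink names Snowflake publishes for the account (OCSP, app and regionless names); anything that comes back "public" or "unresolved" is the record the on-prem DNS override or forwarder is missing.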

How to access XS server of multitenant database with same host name and system number

Tenant HANA databases are installed on the same host.
All tenant databases have the same host name and system number, i.e. 00.
To access the XS server we follow the link http://<hostname>:80<instance>, since for all tenants we have the same host name and system number.
How can we access the XS server of a tenant database?
In order to access the individual tenants you need to modify the configuration settings. This pertains to the xsc engine.
Each tenant has to be enabled and you need to modify your local hosts file or DNS entries for them.
In the following link you can see the step by step guide to doing it.
Essentially though, the "public_urls" settings in xsengine.ini are the key area where you can set additional tenants. You can get to those via SAP HANA Studio, via the SQL console, or with the hdbsql command.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE')
SET ('public_urls', 'http_url') = 'http://hxe.mysystem.com:8090'
WITH RECONFIGURE;
Once you have each of your tenants set and a public URL set, you can either create DNS entries if you have access to do so, or you can set it in your local hosts file. This gives a unique URL to each tenant you have created on the system. The same goes for the "https_url" if you have HTTPS enabled.
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE')
SET ('public_urls', 'https_url') = 'https://hxe.mysystem.com:8090'
WITH RECONFIGURE;

Programmatically set connectionString for ActiveDirectoryMembershipProvider

One can use
new PrincipalContext(ContextType.Domain,null)
without providing any connection strings for the Active Directory.
When using ActiveDirectoryMembershipProvider you must provide an LDAP endpoint in web.config.
The site I'm working on will be deployed on multiple sites and I don't want to have to fill in the details in the web.config for each deployment.
How To: Use Forms Authentication with Active Directory in Multiple Domains on MSDN specifies 3 (!) membership providers to deal with 3 domains, which is not impressive. However, this article is from 2005 and it deals with a different task than what I'm after.
The question:
Is it possible to use ActiveDirectoryMembershipProvider in a way that the LDAP endpoint is not hard-coded in the web.config?
I would prefer to use ActiveDirectoryMembershipProvider rather than PrincipalContext to have (potentially) the ability to call ChangePassword etc.
No, it is not possible to use ActiveDirectoryMembershipProvider without specifying a target LDAP server.
The connection string must be specified, and the string must contain a server (contains ADS_FORMAT_SERVER)
You must create a connectionStrings Element (ASP.NET Settings Schema)
entry in the Web.config file that identifies the Active Directory
server, Active Directory domain, or ADAM application partition to use.
The provider will only operate at domain scope, or in a subscope
within a domain.
If you want to support an Active Directory forest, and losing forms authentication is an option, consider using Windows Authentication. Windows Authentication will use NTLM and Kerberos to get the user's identity within a forest, and you can still change a user's password via impersonation. See WindowsIdentity.Impersonate().