What causes 390189 (IP not in allowlist)?

A cloud provider dynamically assigned a new NAT gateway IP to an ETL service and the previous IP in the Snowflake network policy is no longer the source address. A VPN or corporate proxy was changed and users are now connecting from a different IP range that is not whitelisted. A new deployment environment (e.g., a new CI/CD runner or a new cloud region) was added without updating the Snowflake network policy

How do I fix 390189 (IP not in allowlist)?

Step 1: Capture the exact blocked IP from the error message or Snowflake LOGIN_HISTORY: SELECT CLIENT_IP, ERROR_MESSAGE FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY WHERE ERROR_MESSAGE LIKE '%not allowed%'.. Step 2: Add the IP or CIDR range to the appropriate network policy: ALTER NETWORK POLICY SET ALLOWED_IP_LIST = (' ', ' ').. Step 3: If using dynamic IPs, consider using Snowflake Private Link or VPC endpoint to avoid IP-based allowlisting entirely.. Step 4: Assign the updated network policy at the account level if it is not already: ALTER ACCOUNT SET NETWORK_POLICY = .

Critical severityauthenticationSnowflake →

Snowflake Error:
390189 (IP not in allowlist)

What does this error mean?

A Snowflake connection was rejected because the source IP address is not included in the account's or user's active network policy allowlist — the client must connect from a permitted IP range.llowlist, preventing the login from completing.

Common causes

1A cloud provider dynamically assigned a new NAT gateway IP to an ETL service and the previous IP in the Snowflake network policy is no longer the source address
2A VPN or corporate proxy was changed and users are now connecting from a different IP range that is not whitelisted
3A new deployment environment (e.g., a new CI/CD runner or a new cloud region) was added without updating the Snowflake network policy

How to fix it

1Step 1: Capture the exact blocked IP from the error message or Snowflake LOGIN_HISTORY: SELECT CLIENT_IP, ERROR_MESSAGE FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY WHERE ERROR_MESSAGE LIKE '%not allowed%'.
2Step 2: Add the IP or CIDR range to the appropriate network policy: ALTER NETWORK POLICY <name> SET ALLOWED_IP_LIST = ('<existing>', '<new_ip>').
3Step 3: If using dynamic IPs, consider using Snowflake Private Link or VPC endpoint to avoid IP-based allowlisting entirely.
4Step 4: Assign the updated network policy at the account level if it is not already: ALTER ACCOUNT SET NETWORK_POLICY = <name>.

Frequently asked questions

How can I find which network policy is blocking me?

Query SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY to see failed logins with ERROR_MESSAGE containing the blocked IP. Then use SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT to identify the active policy.

Is Snowflake Private Link immune to network policy blocks?

Private Link connections bypass public internet IP allowlisting and are not subject to network policy IP restrictions, making it a more robust connectivity option for services with dynamic IP addresses.

Source · docs.snowflake.com/en/error-codes/error-390189