What causes PrivateLinkConnectionError?

The VPC endpoint or Azure private endpoint was created but the connection request was not approved in Snowflake. DNS is resolving the Snowflake account URL to the public endpoint instead of the private endpoint hostname. The security group or NSG attached to the private endpoint does not allow outbound traffic on port 443. The client is connecting from outside the VPC/VNet where the private endpoint was configured. The Snowflake account private link feature was not enabled by Snowflake Support on the account

How do I fix PrivateLinkConnectionError?

Verify the private endpoint connection status in the AWS VPC console or Azure portal — it must show 'Approved'.. Test DNS resolution: nslookup .privatelink.snowflakecomputing.com should return a private IP, not a public one.. Confirm the security group or NSG allows TCP port 443 outbound from the client subnet to the endpoint.. Use SYSTEM$ALLOWLIST_PRIVATELINK() to get the list of Snowflake IPs the private endpoint must reach.. Contact Snowflake Support to verify the PrivateLink feature is enabled on the account if endpoints appear correctly configured.

High severityconnection

Power BI Refresh Error:
PrivateLinkConnectionError

What does this error mean?

A Snowflake client could not establish a connection through AWS PrivateLink or Azure Private Link. The endpoint is either not configured, not approved, or DNS is not resolving the private endpoint hostname correctly.

Common causes

1The VPC endpoint or Azure private endpoint was created but the connection request was not approved in Snowflake
2DNS is resolving the Snowflake account URL to the public endpoint instead of the private endpoint hostname
3The security group or NSG attached to the private endpoint does not allow outbound traffic on port 443
4The client is connecting from outside the VPC/VNet where the private endpoint was configured
5The Snowflake account private link feature was not enabled by Snowflake Support on the account

How to fix it

1Verify the private endpoint connection status in the AWS VPC console or Azure portal — it must show 'Approved'.
2Test DNS resolution: nslookup <account>.privatelink.snowflakecomputing.com should return a private IP, not a public one.
3Confirm the security group or NSG allows TCP port 443 outbound from the client subnet to the endpoint.
4Use SYSTEM$ALLOWLIST_PRIVATELINK() to get the list of Snowflake IPs the private endpoint must reach.
5Contact Snowflake Support to verify the PrivateLink feature is enabled on the account if endpoints appear correctly configured.

Frequently asked questions

How do I test if DNS is pointing to the private endpoint?

From inside the VPC or VNet, run nslookup <account>.privatelink.snowflakecomputing.com. If it returns a private IP (e.g. 10.x.x.x), DNS is correct. If it returns a public Snowflake IP, the private DNS zone is not configured correctly.

Can I use both private and public endpoints simultaneously?

Yes — Snowflake supports split access where internal clients use the private endpoint and external clients use the public endpoint. However, network policies on the Snowflake account may restrict or block the public endpoint when PrivateLink is enabled.