Snowflake launched egress IPs, but they expire after 90 days and run on US cloud. Get a fixed pair of EU IPs that never expire, for outbound HTTPS calls from Snowpark and SPCS, on any plan.
# Snowpark external access integration
# route outbound HTTPS through fixed EU IPs
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
import requests
r = requests.get(
"https://api.partner.eu/data",
headers={"Authorization": "Bearer .."}
)
Snowflake's native egress IPs are better than the old dynamic pools, but they come with tradeoffs that make them harder to rely on for long-term, EU-compliant integrations.
Snowflake's egress IP ranges come with a 90-day expiration. They are, in Snowflake's own words, "stable, not static." You have to automate retrieval with SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() and update firewall rules before each window closes, or your integrations break.
Snowflake egresses from AWS, Azure, or GCP regions, all US-owned infrastructure. For GDPR-minded teams, the native option doesn't solve the data-residency side, because the outbound traffic leaves from US cloud regions.
Snowflake egress IPs are generally available only for Snowpark External Access, SPCS External Access, Openflow on SPCS, and the ServiceNow Connector, and only for AWS accounts. Workloads outside that scope still get dynamic cloud IP pools.
You get a "small, specific set of IP address ranges," not a single, predictable pair. Partners have to allowlist multiple CIDR blocks, and when those ranges rotate on the 90-day cycle, the allowlist needs updating again.
"Give me the IP you'll call from, and don't make me update it every 90 days."
You want one fixed answer that never expires, not a rotating set of ranges on a timer.
Snowpark / SPCS
HTTPS Proxy
(Static EU IP)
Partner API
Every outbound HTTPS call from your Snowpark or SPCS workload leaves from the same pair of EU addresses, and those addresses never expire. Two IPs back the account, with automatic failover.
SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() to poll, no firewall automation to maintain, no 90-day rotation to chase.
HTTPS_PROXY, it works.
Running Snowpark External Access or SPCS workloads that call third-party APIs behind IP allowlists and are tired of the 90-day rotation.
Using Snowflake for EU-regulated data who need outbound calls to leave from European infrastructure, not US cloud regions.
Syncing data from Snowflake to partner platforms (Salesforce, SaaS APIs) that enforce strict IP allowlisting and don't want to manage rotating ranges.
Accountable for where their Snowflake workloads send data, who want a documented EU egress that doesn't change every 90 days.
Set HTTPS_PROXY in your Snowpark or SPCS environment. Outbound HTTPS calls then leave through your fixed EU IP, with no 90-day rotation.
In a Snowpark external access integration or SPCS container, set HTTPS_PROXY. The requests library reads it automatically.
# .env or container environment
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
PARTNER_API_TOKEN=your_token
import os
import requests
# requests honours HTTPS_PROXY from the environment automatically
r = requests.get(
"https://api.partner.eu/data",
headers={"Authorization": f"Bearer {os.environ['PARTNER_API_TOKEN']}"},
)
print(r.status_code) # 200, from your fixed EU IP
Set the variable in your SPCS container spec or Snowpark external access integration. Never paste the proxy string in plaintext.
# SPCS service spec (YAML)
spec:
containers:
- name: app
env:
HTTPS_PROXY: https://user:pass@eu-01.outboundgateway.com:8443
# Snowpark external access integration
# store the proxy in a Snowflake SECRET, not inline
CREATE SECRET og_proxy TYPE = PASSWORD
WITH string_value = 'https://user:pass@eu-01.outboundgateway.com:8443';
Two IPs, no 90-day timer
Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Unlike Snowflake's native egress IPs, they never expire. Whitelist both on your partner API, and if one proxy node is briefly unavailable, traffic shifts to the other automatically.
📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.
Snowflake runs on US cloud. For GDPR-minded teams, a fixed EU egress fills that gap.
The proxy runs in EU data centres, so your Snowpark and SPCS outbound traffic leaves from European infrastructure instead of a US cloud region.
Because TLS passes straight through, the proxy never decodes your API tokens or request payloads. It forwards encrypted bytes; it doesn't read them.
Traffic doesn't bounce through US infrastructure on its way to your partner API, which keeps the data path inside the EU and removes a wrinkle from GDPR reviews.
When a partner asks where your Snowflake workloads call from, the answer is two fixed EU addresses that never expire. No rotating ranges, no 90-day timer.
Your IPs are yours for the life of the account. No 90-day rotation, no SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() to automate.
Works for any outbound HTTPS call from Snowpark or SPCS, not just the specific features Snowflake's native egress IPs cover.
European data centres and a GDPR-conscious setup, giving your Snowflake workloads a predictable EU address they don't have natively.
Partners allowlist two fixed addresses, not a set of CIDR blocks that shift every quarter.
TLS passthrough means the proxy can't read your traffic. Tokens and request data stay private the whole way.
Starting from €29/month. Flexible plans for every scale. Cancel anytime.
Stop automating 90-day IP rotations and working around US-only egress. Put your Snowpark and SPCS outbound traffic behind one stable, GDPR-conscious address.
€29/month starter plan • 7-day refund policy • Direct founder support
They help, but with gaps. Snowflake's native egress IPs expire after 90 days (they're "stable, not static"), run on US cloud regions, and are GA only for Snowpark External Access, SPCS External Access, Openflow on SPCS, and the ServiceNow Connector on AWS. OutboundGateway gives you a fixed pair of EU IPs that never expire and work for any outbound HTTPS call, not just those specific features.
Yes. Set HTTPS_PROXY in your external access integration or SPCS container, and standard HTTP clients like requests pick it up automatically. You can also store the proxy URL in a Snowflake SECRET rather than hardcoding it, so it stays out of your code.
If you need EU data residency (Snowflake's IPs leave from US cloud), if you don't want to automate a 90-day rotation with SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES(), or if your workload falls outside the features Snowflake's egress IPs cover, OutboundGateway gives you a simpler, permanent pair of EU addresses with no timer.
Happy to talk through how a two-IP egress fits your specific Snowflake setup, whether it's Snowpark, SPCS, or an Openflow pipeline.
Contact Our Founders →