🇪🇺 EU egress for Snowflake, no 90-day rotation

🇪🇺 Static IP for Snowflake

Snowflake launched egress IPs, but they expire after 90 days and run on US cloud. Get a fixed pair of EU IPs that never expire, for outbound HTTPS calls from Snowpark and SPCS, on any plan.

Snowpark external access

# Snowpark external access integration

# route outbound HTTPS through fixed EU IPs

HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443

import requests

r = requests.get(

  "https://api.partner.eu/data",

  headers={"Authorization": "Bearer .."}

)

Snowflake egress IPs: a step forward, with gaps

Snowflake's native egress IPs are better than the old dynamic pools, but they come with tradeoffs that make them harder to rely on for long-term, EU-compliant integrations.

They expire after 90 days

Snowflake's egress IP ranges come with a 90-day expiration. They are, in Snowflake's own words, "stable, not static." You have to automate retrieval with SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() and update firewall rules before each window closes, or your integrations break.

They run on US cloud, not EU

Snowflake egresses from AWS, Azure, or GCP regions, all US-owned infrastructure. For GDPR-minded teams, the native option doesn't solve the data-residency side, because the outbound traffic leaves from US cloud regions.

GA only for specific features

Snowflake egress IPs are generally available only for Snowpark External Access, SPCS External Access, Openflow on SPCS, and the ServiceNow Connector, and only for AWS accounts. Workloads outside that scope still get dynamic cloud IP pools.

A set of ranges, not one pair

You get a "small, specific set of IP address ranges," not a single, predictable pair. Partners have to allowlist multiple CIDR blocks, and when those ranges rotate on the 90-day cycle, the allowlist needs updating again.

When a partner asks

"Give me the IP you'll call from, and don't make me update it every 90 days."

You want one fixed answer that never expires, not a rotating set of ranges on a timer.

The Solution

Route Snowflake outbound HTTPS through a fixed EU IP pair

Snowpark / SPCS

HTTPS Proxy

(Static EU IP)

Partner API

Every outbound HTTPS call from your Snowpark or SPCS workload leaves from the same pair of EU addresses, and those addresses never expire. Two IPs back the account, with automatic failover.

No 90-day rotation. Your IPs are yours for the life of the account, with no timer and no automation needed.
EU egress where Snowflake offers none natively. Your outbound traffic leaves from European infrastructure.
TLS passes straight through, so API tokens and request payloads stay unreadable at the proxy.

What this gives a Snowflake integration

Two fixed EU addresses that never expire. No SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() to poll, no firewall automation to maintain, no 90-day rotation to chase.
EU egress where Snowflake has none. The native egress IPs leave from US cloud regions; OutboundGateway routes the same traffic through European infrastructure.
Works for any outbound HTTPS call, not just the features Snowflake's egress IPs cover. If your Snowpark or SPCS workload can set HTTPS_PROXY, it works.
Lines up with GDPR. A documented, stable EU egress is exactly what a data-residency review wants to see for outbound calls from your data platform.
One pair, not a set of ranges. Partners allowlist two addresses, not multiple CIDR blocks that shift every quarter.

Who it's built for

Data engineers

Running Snowpark External Access or SPCS workloads that call third-party APIs behind IP allowlists and are tired of the 90-day rotation.

EU data teams

Using Snowflake for EU-regulated data who need outbound calls to leave from European infrastructure, not US cloud regions.

Integration teams

Syncing data from Snowflake to partner platforms (Salesforce, SaaS APIs) that enforce strict IP allowlisting and don't want to manage rotating ranges.

Compliance-minded teams

Accountable for where their Snowflake workloads send data, who want a documented EU egress that doesn't change every 90 days.

Implementation

Set HTTPS_PROXY in your Snowpark or SPCS environment. Outbound HTTPS calls then leave through your fixed EU IP, with no 90-day rotation.

Python (Snowpark external access)

In a Snowpark external access integration or SPCS container, set HTTPS_PROXY. The requests library reads it automatically.

# .env or container environment
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
PARTNER_API_TOKEN=your_token

import os
import requests

# requests honours HTTPS_PROXY from the environment automatically
r = requests.get(
    "https://api.partner.eu/data",
    headers={"Authorization": f"Bearer {os.environ['PARTNER_API_TOKEN']}"},
)

print(r.status_code)  # 200, from your fixed EU IP

SPCS container or Snowpark config

Set the variable in your SPCS container spec or Snowpark external access integration. Never paste the proxy string in plaintext.

# SPCS service spec (YAML)
spec:
  containers:
    - name: app
      env:
        HTTPS_PROXY: https://user:pass@eu-01.outboundgateway.com:8443

# Snowpark external access integration
# store the proxy in a Snowflake SECRET, not inline
CREATE SECRET og_proxy TYPE = PASSWORD
  WITH string_value = 'https://user:pass@eu-01.outboundgateway.com:8443';

Two IPs, no 90-day timer

Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Unlike Snowflake's native egress IPs, they never expire. Whitelist both on your partner API, and if one proxy node is briefly unavailable, traffic shifts to the other automatically.

📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.

EU egress for Snowflake workloads

Snowflake runs on US cloud. For GDPR-minded teams, a fixed EU egress fills that gap.

European infrastructure

The proxy runs in EU data centres, so your Snowpark and SPCS outbound traffic leaves from European infrastructure instead of a US cloud region.

GDPR-conscious by design

Because TLS passes straight through, the proxy never decodes your API tokens or request payloads. It forwards encrypted bytes; it doesn't read them.

No transatlantic detours

Traffic doesn't bounce through US infrastructure on its way to your partner API, which keeps the data path inside the EU and removes a wrinkle from GDPR reviews.

An egress you can name

When a partner asks where your Snowflake workloads call from, the answer is two fixed EU addresses that never expire. No rotating ranges, no 90-day timer.

Why teams route Snowflake through OutboundGateway

Never expires

Your IPs are yours for the life of the account. No 90-day rotation, no SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES() to automate.

No feature gating

Works for any outbound HTTPS call from Snowpark or SPCS, not just the specific features Snowflake's native egress IPs cover.

EU-hosted

European data centres and a GDPR-conscious setup, giving your Snowflake workloads a predictable EU address they don't have natively.

One pair, not ranges

Partners allowlist two fixed addresses, not a set of CIDR blocks that shift every quarter.

Encrypted end to end

TLS passthrough means the proxy can't read your traffic. Tokens and request data stay private the whole way.

Flexible plans

Starting from €29/month. Flexible plans for every scale. Cancel anytime.

Give your Snowflake workloads a fixed EU egress

Stop automating 90-day IP rotations and working around US-only egress. Put your Snowpark and SPCS outbound traffic behind one stable, GDPR-conscious address.

€29/month starter plan • 7-day refund policy • Direct founder support

Frequently asked questions

Don't Snowflake egress IPs already solve this?

They help, but with gaps. Snowflake's native egress IPs expire after 90 days (they're "stable, not static"), run on US cloud regions, and are GA only for Snowpark External Access, SPCS External Access, Openflow on SPCS, and the ServiceNow Connector on AWS. OutboundGateway gives you a fixed pair of EU IPs that never expire and work for any outbound HTTPS call, not just those specific features.

Does this work with Snowpark External Access?

Yes. Set HTTPS_PROXY in your external access integration or SPCS container, and standard HTTP clients like requests pick it up automatically. You can also store the proxy URL in a Snowflake SECRET rather than hardcoding it, so it stays out of your code.

Why would I use this instead of Snowflake's native IPs?

If you need EU data residency (Snowflake's IPs leave from US cloud), if you don't want to automate a 90-day rotation with SYSTEM$GET_SNOWFLAKE_EGRESS_IP_RANGES(), or if your workload falls outside the features Snowflake's egress IPs cover, OutboundGateway gives you a simpler, permanent pair of EU addresses with no timer.

Still weighing it up?

Happy to talk through how a two-IP egress fits your specific Snowflake setup, whether it's Snowpark, SPCS, or an Openflow pipeline.

Contact Our Founders →