Security
Ingress traffic
The Posit Team Native App runs in Snowpark Container Services (SPCS) and is accessible via a secured subdomain provided by Snowflake, such as https://<prefix>.snowflakecomputing.com or https://<prefix>.privatelink.snowflakecomputing.com. SPCS ingress manages access to Posit Team. All standard Snowflake authentication methods, including organizational SSO requirements, apply. For details on ingress, see Ingress: Using a Service from outside Snowflake.
Egress traffic
By default, the Posit Team Native App configures network rules to allow open egress traffic.
To restrict egress, refer to instructions for changing the egress policy for Workbench or Connect via their management pages. The application itself only connects to Snowflake for the following purposes:
OAuth authentication flow
Database ODBC driver calls
Online Certificate Status Protocol (OCSP) certificate validation
As you consider egress restrictions, be aware that development workflows might need to access external resources.
Default egress policy
The Native App’s default egress policy includes these endpoints. Optional ones can be removed:
| Endpoint | Required | Product | Description | To remove endpoint |
|---|---|---|---|---|
| <organization>-<account>.snowflakecomputing.com:443 | Yes | Workbench, Connect | Snowflake OAuth and ODBC queries | N/A |
| ocsp.snowflakecomputing.com:80 | Yes | Workbench, Connect | Snowflake certificate validation (OCSP) | N/A |
| ocsp.digicert.com:80 | Yes | Workbench, Connect | Snowflake certificate validation (OCSP) | N/A |
| p3m.dev:443, packagemanager.posit.co:443, rspm-sync.rstudio.com:443 | Optional | Workbench, Connect, Package Manager | Downloading PyPI, R, and Bioconductor packages and VS Code/Positron extensions from the Posit-managed mirror | Configure Package Manager in the Posit Team Native App (serves packages and extensions internally) |
| *.vscode-cdn.net:443 | Optional | Workbench | Downloading VS Code and Positron extensions | Configure Package Manager in the Posit Team Native App (serves extensions internally) |
| 0.0.0.0:443, 0.0.0.0:80 | Optional | Workbench, Connect | Allows open egress to any host on ports 443 and 80; required for some Snowflake VS Code Extension functionality | Restrict egress rules and configure Package Manager |
You can determine your Snowflake account's endpoint by running this SQL query in Snowsight:

```sql
SELECT REPLACE(LOWER(CURRENT_ORGANIZATION_NAME()), '_', '-') || '-' || REPLACE(LOWER(CURRENT_ACCOUNT_NAME()), '_', '-') || '.snowflakecomputing.com';
```

Visit the generated URL in your browser and verify that it points to the Snowflake account hosting the Posit Team Native App.
For further details, see Snowflake Network Rules.
Egress reduction path
Organizations can reduce their egress surface area over time by following this progression:
1. Default configuration: All optional endpoints are available to support external package downloads and extension installations.
2. Add Posit Package Manager: Configure Package Manager in your Posit Team Native App to serve packages and extensions internally. This eliminates the need for direct access to p3m.dev, packagemanager.posit.co, rspm-sync.rstudio.com, and *.vscode-cdn.net. Users download packages and extensions from their Native App's Package Manager instance instead of external sources.
3. Restrict egress rules: After Package Manager is serving packages and extensions internally, remove the optional package-related endpoints from the egress policy. You can further restrict egress to only the required Snowflake OAuth and certificate validation endpoints. Refer to instructions for changing the egress policy for Workbench or Connect via their management pages.
4. Private Link (optional): Route remaining traffic through your VPC using Snowflake Private Link. This keeps all traffic within your network perimeter. For details, see the Snowflake AWS PrivateLink documentation or Snowflake Azure Private Link documentation.
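As an added illustration of the end state of this progression, the following Snowflake SQL expresses the endpoint table above as network rules: one equivalent to the open default policy, and one reduced to only the endpoints marked Required. This is example code written for this page, not the Native App's own configuration; the Native App applies its egress policy through the Workbench and Connect management pages, and the rule names, integration names, and the myorg-myaccount placeholder are assumptions (replace the placeholder with the value returned by the account-endpoint query above).

```sql
-- Example only: Snowflake network rules mirroring the egress table above.
-- Names and the myorg-myaccount placeholder are assumptions for illustration.

-- Weak setting: the default-equivalent policy. The two 0.0.0.0 entries allow
-- egress to any host on ports 443 and 80, which makes every other entry moot.
CREATE OR REPLACE NETWORK RULE posit_team_egress_default
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = (
    'myorg-myaccount.snowflakecomputing.com:443',
    'ocsp.snowflakecomputing.com:80',
    'ocsp.digicert.com:80',
    'p3m.dev:443',
    'packagemanager.posit.co:443',
    'rspm-sync.rstudio.com:443',
    '*.vscode-cdn.net:443',
    '0.0.0.0:443',   -- open egress
    '0.0.0.0:80'     -- open egress
  );

-- Hardened setting: step 3 of the reduction path. Only the three Required
-- endpoints remain: Snowflake OAuth/ODBC plus the two OCSP responders.
-- Package Manager now serves packages and extensions internally.
CREATE OR REPLACE NETWORK RULE posit_team_egress_minimal
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = (
    'myorg-myaccount.snowflakecomputing.com:443',  -- Snowflake OAuth and ODBC
    'ocsp.snowflakecomputing.com:80',              -- certificate validation (OCSP)
    'ocsp.digicert.com:80'                         -- certificate validation (OCSP)
  );

-- A service only honours a network rule through an external access
-- integration; shown here so the minimal rule is usable, with an assumed name.
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION posit_team_egress_minimal_eai
  ALLOWED_NETWORK_RULES = (posit_team_egress_minimal)
  ENABLED = TRUE;

-- Check before relying on it: value_list must contain exactly the three
-- Required entries and no 0.0.0.0 entry, otherwise egress is still open.
DESCRIBE NETWORK RULE posit_team_egress_minimal;
SHOW NETWORK RULES LIKE 'POSIT_TEAM_EGRESS%';
```

Two caveats when reading the minimal rule. First, dropping the OCSP endpoints to tighten the list further will break certificate validation for Snowflake connections, so the three Required rows are the floor. Second, the table lists Package Manager among the products that use p3m.dev, packagemanager.posit.co, and rspm-sync.rstudio.com, so confirm that Package Manager's own egress still reaches its sync source before removing those endpoints from Workbench and Connect.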
Root access in the Posit Team Native App
Posit Team prohibits root access. No users, including administrators, have sudo access. This ensures:
- System reliability
- User data isolation (no access to other users’ files)
- Protection of managed OAuth credentials