Snowflake Editions & Cloud Platforms
Snowflake sells four editions — Standard, Enterprise, Business Critical, and Virtual Private Snowflake (VPS). The exam doesn’t ask you to choose one for a customer; it asks “what’s the MINIMUM edition needed for feature X?” over and over. Today we build the boundary map: which features unlock at which tier, and the four traps Snowflake plants in those questions.
Two terms you’ll need today:
| Term | Plain meaning |
|---|---|
| Time Travel | Lets you query a table as it looked X days ago, or recover a dropped table. Standard = 1 day. Enterprise+ = up to 90 days. Full deep-dive on Day 44. |
| Tri-Secret Secure | An extra encryption layer where your customer-managed key is combined with Snowflake’s key. You hold one of the keys, so neither side alone can decrypt. Business Critical+ only. |
| HIPAA / HITRUST / PCI | Compliance frameworks for healthcare data (HIPAA, HITRUST) and payment card data (PCI). If your data falls under these, you need Business Critical+. |
| PrivateLink | A private network connection to Snowflake over your cloud provider’s backbone — your traffic never touches the public internet. Business Critical+ only. |
Today’s Concept
Micro-Concept 1: The Four Editions, Stacked
Editions are cumulative — each one includes everything from the editions below it, then adds more. Walk up the ladder:
| Edition | Designed for | Headline addition |
|---|---|---|
| Standard | Entry-level. Smaller teams, non-regulated workloads. | Core Snowflake — full SQL, semi-structured data, sharing, always-on encryption |
| Enterprise | Most common production tier. Large analytics teams. | Multi-cluster warehouses, 90-day Time Travel, materialized views, dynamic data masking, search optimization, auto-clustering |
| Business Critical | Regulated industries — healthcare, finance, government. | Tri-Secret Secure, HIPAA/HITRUST/PCI compliance, PrivateLink, account replication & failover/failback |
| Virtual Private Snowflake (VPS) | Strictest isolation requirements — large financial institutions, defense. | Completely isolated Snowflake environment — no shared infrastructure with any other customer |
Pricing rises with the tier — credits cost more on each step up. A credit is roughly $2 on Standard, $3 on Enterprise, $4 on Business Critical, and ~$6 on VPS (US AWS on-demand; varies by cloud and region).
Micro-Concept 2: The Boundary Map (Memorize This)
The exam asks “MINIMUM edition for feature X?” so what you really need is the boundary — at which tier does each feature first appear? Here it is:
| Feature | Minimum edition |
|---|---|
| Always-on AES-256 encryption (rest), TLS (transit) | Standard (all editions) |
| Network policies, MFA, SSO, federated auth | Standard (all editions) |
| Fail-safe (7 days, Snowflake-managed) | Standard (all editions) |
| Time Travel — up to 1 day | Standard |
| Secure Data Sharing | Standard (all editions) |
| Standard, secure, and materialized views | Materialized views = Enterprise |
| Multi-cluster warehouses | Enterprise |
| Time Travel up to 90 days (permanent tables) | Enterprise |
| Dynamic Data Masking, External Tokenization | Enterprise |
| Row Access Policies | Enterprise |
| Object tagging, Data Classification | Enterprise |
| Search Optimization Service | Enterprise |
| Auto-clustering (clustered tables) | Enterprise |
| ACCESS_HISTORY (and most ACCOUNT_USAGE governance views) | Enterprise |
| Tri-Secret Secure (customer-managed keys) | Business Critical |
| HIPAA / HITRUST / PCI / FedRAMP support | Business Critical |
| AWS / Azure PrivateLink | Business Critical |
| Database / account replication, failover & failback | Business Critical (replication can exist on Enterprise; failover/failback is BC+) |
| Completely isolated Snowflake environment | VPS |
Drill this until it’s automatic. The exam loves stacking two requirements (“HIPAA + multi-cluster”) and asking the minimum edition that satisfies both — the answer is whichever requirement sits higher.
Micro-Concept 3: What Stays the Same Across All Editions
Equally important — and just as testable — is what does not depend on edition. The exam plants traps where someone says “X requires Enterprise” but X is actually included in every edition. Always-on, every edition:
→ AES-256 encryption at rest, TLS encryption in transit
→ Network policies (IP allowlists / blocklists)
→ MFA, SSO, federated authentication, OAuth, key-pair auth
→ Fail-safe (7 days, Snowflake-managed)
→ Time Travel (1 day default for permanent tables)
→ Secure Data Sharing & Marketplace consumption
→ Object-level RBAC (DAC + RBAC model)
→ Data unloading and loading (COPY, Snowpipe)
→ Snowsight, SnowSQL, Snowflake CLI, drivers
Encryption is the most-tested non-edition feature. If you see “Encryption requires Business Critical” — false. Always-on encryption is included in Standard.
Micro-Concept 4: The Four Traps (Worth Memorizing)
| Trap statement | Truth |
|---|---|
| “Encryption requires Business Critical” | FALSE — always-on AES-256 is included in Standard |
| “PrivateLink is available on Enterprise” | FALSE — PrivateLink is Business Critical+ |
| “90-day Time Travel is available on Standard” | FALSE — Standard caps at 1 day; 90 days needs Enterprise+ |
| “Multi-cluster warehouses are available on Standard” | FALSE — multi-cluster is Enterprise+ |
Micro-Concept 5: VPS — When You’d Actually Pick It
VPS provides the same features as Business Critical but in a completely isolated Snowflake environment. No shared compute, no shared services, no shared infrastructure of any kind with other customers. It’s the highest tier, costs the most per credit, and is rare outside very large regulated organizations (major banks, defense, health systems with strict tenancy mandates).
The only feature VPS adds beyond Business Critical is full isolation. If a question asks “What’s the MINIMUM edition for HIPAA?” — the answer is Business Critical, not VPS, because HIPAA doesn’t require isolation, just the Business Critical compliance posture.
Micro-Concept 6: How to Read MINIMUM-Edition Questions
The pattern is always the same. The question lists one or more requirements; you pick the lowest tier that covers them all. Walk through it:
→ Step 1 — list each requirement in your head.
→ Step 2 — for each, recall its minimum edition (use the boundary map).
→ Step 3 — pick the highest tier among them.
Example: “We need 30-day Time Travel and PrivateLink. What’s the minimum edition?”
→ 30-day Time Travel needs Enterprise (Standard caps at 1 day).
→ PrivateLink needs Business Critical.
→ Highest tier wins: Business Critical.
Cheat Sheet
| If you need… | Minimum edition |
|---|---|
| Encryption, MFA, SSO, network policies, Fail-safe, 1-day Time Travel, Sharing | Standard |
| Multi-cluster warehouses | Enterprise |
| Time Travel beyond 1 day (up to 90) | Enterprise |
| Materialized views, Search Optimization, Auto-clustering | Enterprise |
| Dynamic Data Masking, Row Access Policies, Object Tagging | Enterprise |
| Data Classification, ACCESS_HISTORY view | Enterprise |
| Tri-Secret Secure | Business Critical |
| HIPAA, HITRUST, PCI, FedRAMP | Business Critical |
| AWS / Azure PrivateLink | Business Critical |
| Failover / failback (DR) | Business Critical |
| Fully isolated environment (no shared infra) | VPS |
If a question lists multiple requirements, pick the highest minimum. “Multi-cluster + HIPAA” → multi-cluster needs Enterprise, HIPAA needs Business Critical, so the answer is Business Critical. The four most-tested traps: (1) encryption is always-on, all editions — never the differentiator. (2) PrivateLink is Business Critical, not Enterprise. (3) Multi-cluster warehouses are Enterprise+, not Standard. (4) HIPAA needs Business Critical, not VPS — VPS only adds isolation, not new compliance. Also: Fail-safe (7 days) is in every edition, but the Time Travel limit changes (1 day on Standard, up to 90 days on Enterprise+).
Hands-On Lab
Confirm your trial is on Enterprise. If you signed up with Enterprise (recommended in Day 1), you’ll have access to multi-cluster, 90-day Time Travel, and materialized views.
SELECT CURRENT_AVAILABLE_ROLES();
SELECT SYSTEM$ALLOWLIST(); -- if this returns, your account is provisioned
SHOW PARAMETERS LIKE 'DATA_RETENTION_TIME_IN_DAYS' IN ACCOUNT;Try an Enterprise-only feature: multi-cluster. If your trial isn’t Enterprise, this command will error — that’s the proof.
ALTER WAREHOUSE lab_xs SET
MIN_CLUSTER_COUNT = 1,
MAX_CLUSTER_COUNT = 2;
SHOW WAREHOUSES LIKE 'LAB_XS';
-- Look at min_cluster_count and max_cluster_count columnsTry Time Travel beyond 1 day. Create a table with a 30-day retention window — only allowed on Enterprise+:
CREATE DATABASE MY_DB;
CREATE SCHEMA MY_SCHEMA;
CREATE OR REPLACE TABLE tt_test (id INT)
DATA_RETENTION_TIME_IN_DAYS = 30;
SHOW TABLES LIKE 'TT_TEST';
-- The retention_time column should show 30Inspect the always-on features. Network policies and MFA exist on every edition:
SHOW NETWORK POLICIES; -- works on all editions
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;Cleanup. Drop the test table and reset the warehouse to a single cluster (we’ll re-enable multi-cluster on Day 9):
DROP TABLE IF EXISTS tt_test;
ALTER WAREHOUSE lab_xs SET
MIN_CLUSTER_COUNT = 1,
MAX_CLUSTER_COUNT = 1;
ALTER WAREHOUSE lab_xs SUSPEND;Snowflake Documentation
External References
Edition-comparison resources.
Practice Questions
Options:
A. Standard
B. Enterprise
C. Business Critical
D. Virtual Private Snowflake (VPS)
Why C: Both HIPAA support and PrivateLink first appear at Business Critical. Both are satisfied at that tier — no need to climb to VPS.
Why not A or B: Standard and Enterprise don’t support HIPAA workloads or PrivateLink.
Why not D: VPS would also work, but it’s not the MINIMUM. VPS adds isolation, which neither requirement asks for.
Options:
A. Standard
B. Enterprise
C. Business Critical
D. VPS
Why B: Time Travel beyond 1 day (up to 90) requires Enterprise+. Multi-cluster warehouses also require Enterprise+. The MINIMUM that satisfies both is Enterprise.
Why not A: Standard caps Time Travel at 1 day and does not support multi-cluster.
Why not C or D: Both work but they’re not the MINIMUM.
Options:
A. Always-on AES-256 encryption at rest
B. Materialized views
C. Multi-Factor Authentication (MFA)
D. Tri-Secret Secure
E. Fail-safe (7 days)
Why A: Encryption is always-on across every edition — never the differentiator.
Why C: MFA, SSO, and federated auth work on Standard.
Why E: Fail-safe is a fixed 7-day window for permanent tables on every edition (not configurable).
Why not B: Materialized views require Enterprise+.
Why not D: Tri-Secret Secure requires Business Critical+.
Options:
A. VPS adds support for HIPAA and PCI; Business Critical does not
B. VPS provides a completely isolated Snowflake environment with no shared infrastructure
C. VPS is the only edition with always-on encryption
D. VPS is the only edition that supports PrivateLink
Why B: VPS includes everything Business Critical offers, but in a completely separate Snowflake environment, isolated from all other Snowflake accounts. Isolation is the only thing it adds.
Why not A: HIPAA and PCI are already covered at Business Critical.
Why not C: Encryption is always-on for all editions.
Why not D: PrivateLink is supported on Business Critical and VPS — not VPS only.
Options:
A. Standard
B. Enterprise
C. Business Critical
D. VPS only
Why C: Tri-Secret Secure (combining a customer-managed key with Snowflake’s key) is one of Business Critical’s headline security features.
Why not A or B: Standard and Enterprise rely entirely on Snowflake-managed keys.
Why not D: VPS includes Tri-Secret Secure too — but Business Critical is the MINIMUM, which is what the question asks.
Today you learned: The four editions stack — Standard → Enterprise → Business Critical → VPS — each cumulative on the one below. Enterprise unlocks multi-cluster, 90-day Time Travel, masking, materialized views, search optimization, and most governance features. Business Critical unlocks HIPAA / HITRUST / PCI compliance, Tri-Secret Secure, PrivateLink, and failover. VPS adds full isolation. Encryption, MFA, SSO, network policies, and Fail-safe are always-on for every edition.
Key takeaway: When the exam asks “MINIMUM edition for X + Y”, recall each requirement’s tier and pick the highest. The four traps: encryption is always-on (no edition gate), PrivateLink is BC+, multi-cluster is Enterprise+, and HIPAA needs BC (not VPS).
Tomorrow (Day 4): The interfaces — Snowsight, Snowflake CLI, SnowSQL, the VS Code extension, and drivers/connectors. We’ll lock in two exam-favourite gotchas: which commands can only run from a CLI client (PUT and GET), and how the new Snowflake CLI relates to legacy SnowSQL.
