1 Cortex Code is not “another ChatGPT tab” for your ruleset
Plenty of teams already maintain a catch-all list for ChatGPT or other public LLM front doors. Those articles optimize for browser chat, REST inference APIs, and a narrow set of CDN-backed model hosts. Snowflake Cortex Code, especially after its 2026 general-availability push for the CLI, anchors on the Snowflake data plane: account-specific hosts under snowflakecomputing.com, the web console and documentation on snowflake.com, and whatever identity provider your enterprise chose for SSO. When the CLI prints obscure TLS or OAuth errors, the root cause is rarely a missing OpenAI suffix; it is split routing between two registrable domains that your subscription bundle treated differently.
Reusing a generic “AI” rule provider also breaks governance conversations. Auditors care whether warehouse metadata crossed a sanctioned egress, not whether you tagged a hop as “model traffic.” A disciplined Clash split routing profile names Snowflake planes explicitly, keeps Git integration (often github.com or self-managed GitLab) in a clearly labeled developer slice, and only then adds optional rows for third-party model endpoints if your org actually enables them. That separation mirrors how platform teams think about the developer network: data cloud first, collaboration second, optional inference third.
Install a maintained desktop build from our download page before you tune rules. Upstream repositories are useful for license verification; curated installers remain the safer default for day-to-day laptops. Whichever build you choose, verify its signature or published checksum before installing it on a machine that also holds warehouse credentials.
2 Four planes: web console, account API hosts, Cortex features, and Git
Plane one: web console, marketing, and learning paths. Operators still spend meaningful time in the browser: tenant administration, worksheet debugging, release notes, and onboarding wizards that bounce across snowflake.com subdomains and occasional third-party CDNs that Snowflake links for static assets. SSO flows may redirect through your Okta, Microsoft Entra ID (formerly Azure AD), or Ping tenant before returning to Snowflake. If the browser completes login while the Cortex Code CLI cannot refresh tokens, compare the SNIs for snowflake.com against your IdP hostnames: two different suffix families that must either share one trusted exit or carry documented exceptions for compliance-driven DIRECT hops.
Plane two: account locator and REST on snowflakecomputing.com. Classic Snowflake accounts resolve to regional hosts such as xy12345.us-east-1.aws.snowflakecomputing.com, and newer account identifiers take the form <orgname>-<account_name>.snowflakecomputing.com (exact patterns vary by cloud, region, and edition). SQL, REST, and drivers, including what the CLI uses for session setup, terminate on that registrable domain family. Treat snowflakecomputing.com as the backbone of your Clash policy: a missing or mis-ordered DOMAIN-SUFFIX row here produces the "works in VPN office, fails at home" class of bugs even when the console looks healthy, because the browser may be riding a cached cookie and an already-established session.
Plane three—Cortex analytics, agents, and optional model egress. Cortex Code sits beside warehouse-native AI features. Depending on feature flags and region, you may see additional Snowflake-controlled endpoints for orchestration, telemetry, or partner models. Rather than guessing hostnames monthly, run a short capture while executing a representative CLI command against a dev account, then promote new suffixes from Mihomo logs into a versioned rule provider. Prefer explicit DOMAIN or DOMAIN-SUFFIX over DOMAIN-KEYWORD,snow, which collides with unrelated brands and marketing sites.
Plane four—Git integration and adjacent developer traffic. Teams link repositories for CI/CD, dbt projects, or notebook sync. Remotes usually live on github.com, githubusercontent.com, or enterprise GitLab hostnames. If Git pulls ride DIRECT while snowflakecomputing.com uses a high-latency node, large clone operations appear to “hang” after authentication succeeds. Align the developer network slice with the same quality bar you use for the data plane unless policy intentionally separates them.
Verify with a real git fetch rather than assuming: export the Mihomo logs, list the distinct suffixes they contain, and only then freeze the YAML. Evidence beats copying stale community lists.
3 DOMAIN-SUFFIX coverage you can start from for Snowflake
A pragmatic baseline routes these suffixes to a dedicated select group (call it PROXY_SNOWFLAKE): DOMAIN-SUFFIX,snowflakecomputing.com for account-specific API and SQL endpoints; DOMAIN-SUFFIX,snowflake.com for the web console, docs, status pages, and many interactive flows; plus any additional Snowflake-controlled suffixes your Mihomo logs reveal during SSO or feature previews. Pair that block with your IdP: DOMAIN-SUFFIX,okta.com, DOMAIN-SUFFIX,microsoftonline.com, or whichever hostname your enterprise SSO actually uses. Otherwise the Snowflake login page loads while the token exchange still fails mid-redirect.
For Git integration, add DOMAIN-SUFFIX,github.com, DOMAIN-SUFFIX,githubusercontent.com, and any self-hosted GitLab suffix your remotes reference. Keep those rows adjacent to your Snowflake block in YAML so reviewers see one coherent “data engineering workstation” story instead of scattered one-offs imported from unrelated gaming or streaming lists inside the same subscription.
Avoid lazy DOMAIN-KEYWORD,snowflake matches. A keyword rule matches any hostname that contains the substring, so it catches unrelated marketing pages, community mirrors, and non-Snowflake hosts whose names merely happen to contain the string. Production Mihomo profiles favor explicit suffix families, ordered above blunt GEOIP imports that might otherwise send US-West warehouse traffic through unintended exits.
4 Rule order, GEOIP, and enterprise SSO reality
Clash evaluates rules top-down, and the first match wins. Subscription bundles that inject aggressive GEOIP,CN,DIRECT rows or regional shortcuts near the top can starve snowflakecomputing.com traffic of your intended exit even when a lower DOMAIN-SUFFIX row exists, because that row never runs. A GEOIP row also has to resolve the hostname before it can compare the address, so every GEOIP row sitting above your suffix rules costs a DNS lookup on each new connection even when it does not match. Move Snowflake, IdP, and Git suffix rows above imported mega-lists so the browser, the Cortex Code CLI, and background daemons share one coherent path during OAuth device flows and token refresh bursts.
Enterprise SSO often enforces geo or device posture checks. Indiscriminate global proxying can satisfy warehouse TLS while still violating an IdP policy that expects a domestic residential ASN. When security mandates a DIRECT carve-out for a specific login host, document it beside the rule so future edits do not “optimize latency” and silently break compliance. Our Microsoft 365 Copilot routing guide walks through the same first-match discipline for another SaaS-heavy stack—useful background even though hostnames differ.
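To make the first-match argument concrete, here is a small routing simulator. It is an added example, not Clash or Mihomo code, and it reimplements only the matching semantics of DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, GEOIP and MATCH. The GeoIP answers come from a constructed table rather than the real MMDB, and the hostnames, group names (AUTO-US, PROXY_SNOWFLAKE) and the privatelink carve-out row are assumed values for illustration. The same block also shows the DOMAIN-KEYWORD collision warned about in section 3 and the private-connectivity DIRECT exception discussed in section 6.

```python
"""First-match routing simulator for a Clash/Mihomo rule list.

Added example, not Clash or Mihomo code. It reimplements just enough of the
matching semantics of DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, GEOIP and MATCH
to show how rule order decides which exit a Snowflake connection gets.
GEOIP answers come from a constructed table instead of the real MMDB, and
every hostname, group name and policy below is an assumed value.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str    # DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, GEOIP or MATCH
    arg: str     # pattern or country code; empty for MATCH
    policy: str  # proxy group name, DIRECT or REJECT


def parse_rules(text: str) -> List[Rule]:
    """Parse 'TYPE,ARG,POLICY' rows (MATCH has no ARG); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "MATCH":
            rules.append(Rule("MATCH", "", parts[1]))
        else:
            rules.append(Rule(parts[0], parts[1], parts[2]))
    return rules


# Constructed GeoIP table. In real Clash a GEOIP row forces a DNS lookup of
# the host before it can be compared, even when it then fails to match.
FAKE_GEOIP = {
    "xy12345.eu-central-1.aws.snowflakecomputing.com": "DE",  # warehouse in eu-central-1
    "app.snowflake.com": "US",
    "example-corp.okta.com": "US",
    "snowboard-outlet.example": "DE",
}


def matches(rule: Rule, host: str, country: str) -> bool:
    if rule.kind == "DOMAIN":
        return host == rule.arg
    if rule.kind == "DOMAIN-SUFFIX":
        # Label-boundary match: notsnowflake.com must not match snowflake.com.
        return host == rule.arg or host.endswith("." + rule.arg)
    if rule.kind == "DOMAIN-KEYWORD":
        return rule.arg in host
    if rule.kind == "GEOIP":
        return country == rule.arg
    if rule.kind == "MATCH":
        return True
    raise ValueError(f"unsupported rule type: {rule.kind}")


def route(rules: List[Rule], host: str) -> Tuple[str, str]:
    """Return (policy, winning rule text) for host; the first match wins."""
    country = FAKE_GEOIP.get(host, "ZZ")  # ZZ: unknown or private address
    for r in rules:
        if matches(r, host, country):
            return r.policy, f"{r.kind},{r.arg}".rstrip(",")
    raise RuntimeError("rule list has no MATCH row")


def exits_for_flow(rules: List[Rule], hosts: List[str]) -> Set[str]:
    """Distinct exits one multi-host flow (SSO + console + API) would cross."""
    return {route(rules, h)[0] for h in hosts}


# As a subscription bundle often ships it: a regional shortcut and a lazy
# keyword row sit above the explicit Snowflake and IdP suffix rows.
SHIPPED = parse_rules("""
GEOIP,US,AUTO-US                       # imported regional shortcut near the top
DOMAIN-KEYWORD,snow,PROXY_SNOWFLAKE    # lazy keyword row
DOMAIN-SUFFIX,snowflakecomputing.com,PROXY_SNOWFLAKE
DOMAIN-SUFFIX,okta.com,PROXY_SNOWFLAKE
MATCH,PROXY
""")

# Corrected: explicit suffixes first, the documented DIRECT carve-out for
# private connectivity above the broad suffix, regional shortcut last.
CORRECTED = parse_rules("""
DOMAIN-SUFFIX,privatelink.snowflakecomputing.com,DIRECT   # carve-out: private connectivity, approved by architecture review
DOMAIN-SUFFIX,snowflakecomputing.com,PROXY_SNOWFLAKE
DOMAIN-SUFFIX,snowflake.com,PROXY_SNOWFLAKE
DOMAIN-SUFFIX,okta.com,PROXY_SNOWFLAKE
GEOIP,US,AUTO-US
MATCH,PROXY
""")

LOGIN_FLOW = [
    "example-corp.okta.com",                           # IdP redirect
    "app.snowflake.com",                               # console
    "xy12345.eu-central-1.aws.snowflakecomputing.com",  # CLI session / SQL
]

if __name__ == "__main__":
    extra = ["snowboard-outlet.example",
             "xy12345.eu-central-1.privatelink.snowflakecomputing.com",
             "notsnowflake.com"]
    for name, rules in (("shipped", SHIPPED), ("corrected", CORRECTED)):
        print(f"== {name}: login flow exits {sorted(exits_for_flow(rules, LOGIN_FLOW))}")
        for h in LOGIN_FLOW + extra:
            policy, why = route(rules, h)
            print(f"  {h:58} -> {policy:16} via {why}")
```

Read the shipped list's output first: the IdP and console hosts geolocate to the US and are captured by the shortcut, while the eu-central-1 data-plane host falls through to the keyword row, so a single login crosses two exits. The corrected order collapses the flow to one exit, sends the privatelink host DIRECT, and stops the keyword row from dragging unrelated hosts through PROXY_SNOWFLAKE.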
5 Illustrative YAML for proxy groups, DOMAIN-SUFFIX rows, and rule providers
The fragment below is educational. Rename groups to match your merge style, validate with your GUI linter, and host remote rule provider URLs on infrastructure your security team trusts and serves over HTTPS. A remote provider is re-fetched and applied at every interval without review, so whoever can write to that URL controls your routing; public paste bins are convenient until someone typos a policy line that sends warehouse metadata out an unintended exit.
```yaml
# Example only — merge into your full profile
proxy-groups:
  - name: PROXY_SNOWFLAKE
    type: select
    proxies:
      - AUTO-BEST   # assumed: an existing url-test group defined elsewhere in the profile
      - DIRECT

rule-providers:
  snowflake-saas:
    type: http
    behavior: classical
    # classical providers carry a YAML "payload:" list; keep url and path formats consistent
    url: "https://example.com/rules/snowflake-saas.yaml"
    path: ./ruleset/snowflake-saas.yaml
    interval: 86400

rules:
  - RULE-SET,snowflake-saas,PROXY_SNOWFLAKE
  - DOMAIN-SUFFIX,snowflakecomputing.com,PROXY_SNOWFLAKE
  - DOMAIN-SUFFIX,snowflake.com,PROXY_SNOWFLAKE
  - DOMAIN-SUFFIX,github.com,PROXY_SNOWFLAKE
  - DOMAIN-SUFFIX,githubusercontent.com,PROXY_SNOWFLAKE
  # Add your SSO IdP suffixes here, above any generic GEOIP imports
```
Pair suffix routing with coherent DNS. FakeIP, DoH, and OS stub resolvers that disagree still produce “rule matched but TLS alert” symptoms when the CLI reuses a stale answer. Our DNS leak prevention guide explains resolver alignment that applies equally to warehouse clients and long-lived SSH sessions.
6 Regions, private connectivity, and VPC service endpoints
Snowflake accounts differ by cloud (AWS, Azure, GCP) and region; account locators embed that context in hostnames under snowflakecomputing.com. If you lift YAML from a colleague in us-west-2 while your warehouse lives in eu-central-1, you might still appear fine at first—until failover or read-only secondary endpoints appear in logs. Treat suffix coverage as cloud-agnostic at the registrable domain, then refine with DOMAIN rows when internal runbooks mandate pinning to specific regional edges.
Enterprises sometimes enable private connectivity (for example AWS PrivateLink-style paths) where the public Internet hostname no longer matches what the laptop resolves. Snowflake's private-connectivity hostnames sit under privatelink.snowflakecomputing.com, which a blanket DOMAIN-SUFFIX,snowflakecomputing.com row also matches, so add a DIRECT row for that narrower suffix above the broad one. Those designs intentionally bypass consumer proxies; do not "fix" them by forcing traffic through a residential node unless architecture review approves. Document DIRECT exceptions for RFC 1918 targets beside your public-cloud Clash split routing block so operators understand which plane is intentional air-gapping versus accidental leakage.
7 Git remotes, package managers, and the wider developer toolchain
Cortex Code projects rarely live in isolation: engineers pull from Git, fetch container bases, and sometimes call auxiliary APIs from the same shell session. Chromium-based tools usually respect the system proxy; native git does not read it and only honors the https_proxy/HTTPS_PROXY and NO_PROXY environment variables or its own http.proxy setting, so either export those or capture its flows with Mihomo TUN. Our Clash Verge Rev TUN guide covers verification patterns that keep CLI and browser traffic aligned after sleep, dock, or VPN toggles, exactly the failure modes data engineers hit when switching between office uplink and tethered LTE.
If your team standardizes on MCP servers and npm mirrors, keep those suffix families in separate rule providers so a Snowflake change never silently drags half the Node ecosystem through the wrong exit. The pattern mirrors our Cursor IDE routing article: one coherent base profile, modular overlays per toolchain.
When optional LLM backends sit outside Snowflake—partner models or external evaluators—add their suffixes explicitly rather than bolting a giant “AI” list that also captures unrelated consumer sites. That restraint keeps latency investigations honest: you can show which registrable domain matched first instead of blaming “the model” when the hop was actually a blocked CDN asset on an unrelated keyword rule.
8 DNS, TLS, and troubleshooting with Mihomo logs
Start incidents by filtering Mihomo logs for your PROXY_SNOWFLAKE group. If the console loads worksheets but the Cortex Code CLI cannot open a session, compare timestamps on snowflakecomputing.com hosts versus IdP redirects—two exits usually mean two winning rules, stale IPv6 preference, or a resolver that answered differently between processes. Rotate exit nodes only after ordering and DNS look coherent; otherwise you chase latency ghosts while the real issue is a token handshake that still rides DIRECT.
Certificate errors after reconnecting VPN or sleeping often mean the operating system resolver cache disagrees with Clash’s DNS pipeline. Flush both, then retry a controlled login. HTTP 403 responses from Snowflake APIs frequently indicate role or network policy issues on the warehouse side, not packet loss—confirm grants and network policies before you rewrite routing based on hunches.
Keep observability proportional: export short log windows, redact account identifiers before sharing externally, and prefer reproducible steps (“run this CLI command against dev warehouse after fresh SSO”) over anecdote. Solid Clash split routing accelerates triage because you can prove which DOMAIN-SUFFIX matched first—not merely that “Snowflake felt slow.”
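The log triage described in this section and the suffix promotion from section 2 need the same parser, so here is one added example (not Mihomo's code and not from the original page) that does both. The log lines are constructed to resemble Mihomo's connection log (`[TCP] src --> host:port match Rule(payload) using Group[node]`); adjust LINE_RE against your own client's output before trusting it. Registrable domains are approximated as the last two labels, an assumption that ignores the public suffix list, and the account locator, node names and IdP tenant are invented.

```python
"""Mihomo log triage for a Snowflake + SSO + Git workstation.

Added example, not part of the original page or of Mihomo. It promotes
observed hostnames into a rule-provider payload, proves which exit each
part of a login flow took, and redacts account identifiers before a log
window is shared. Log lines are constructed to resemble Mihomo's format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample: one CLI login against a dev account under a mis-ordered
# rule list, plus a console hit and a git fetch. All hostnames are assumed.
SAMPLE_LOG = """\
time="2026-03-02T09:14:01Z" level=info msg="[TCP] 10.0.0.5:51202(cortex) --> example-corp.okta.com:443 match GeoIP(US) using AUTO-US[node-us-3]"
time="2026-03-02T09:14:01Z" level=info msg="[TCP] 10.0.0.5:51203(cortex) --> xy12345.eu-central-1.aws.snowflakecomputing.com:443 match DomainSuffix(snowflakecomputing.com) using PROXY_SNOWFLAKE[node-sg-1]"
time="2026-03-02T09:14:02Z" level=info msg="[TCP] 10.0.0.5:51204(chrome) --> app.snowflake.com:443 match DomainSuffix(snowflake.com) using PROXY_SNOWFLAKE[node-sg-1]"
time="2026-03-02T09:14:03Z" level=info msg="[TCP] 10.0.0.5:51205(git) --> github.com:443 match Match using DIRECT"
time="2026-03-02T09:14:04Z" level=info msg="[TCP] 10.0.0.5:51206(cortex) --> xy12345.eu-central-1.aws.snowflakecomputing.com:443 match DomainSuffix(snowflakecomputing.com) using PROXY_SNOWFLAKE[node-sg-1]"
"""

# Assumed shape of a Mihomo connection line; verify against your client.
LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)".*?\[(?P<proto>TCP|UDP)\] (?P<src>\S+) --> '
    r'(?P<host>[^:\s]+):(?P<port>\d+) match (?P<rule>\S+) using (?P<policy>[^\[\s"]+)'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse connection lines; lines that do not match are skipped, not guessed."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def registrable(host: str) -> str:
    """Approximate registrable domain as the last two labels (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def observed_suffixes(records, allow: Optional[Set[str]] = None) -> List[str]:
    """Distinct registrable domains seen, optionally restricted to an allowlist so
    only Snowflake-controlled suffixes are promoted into the rule provider."""
    found = {registrable(r["host"]) for r in records}
    if allow is not None:
        found &= allow
    return sorted(found)


def rule_provider_payload(suffixes: List[str]) -> str:
    """Render a classical rule-provider file: a YAML 'payload:' list of rows."""
    return "payload:\n" + "".join(f"  - DOMAIN-SUFFIX,{s}\n" for s in suffixes)


def exits_by_domain(records) -> Dict[str, Set[str]]:
    """Which exit and winning rule each registrable domain was sent through."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        out[registrable(r["host"])].add(f'{r["policy"]} via {r["rule"]}')
    return dict(out)


def split_login_exits(records, login_domains: Set[str]) -> Set[str]:
    """Distinct exits across the IdP, console and API hosts of one login.
    More than one exit is the 'console works, CLI token refresh fails' smell."""
    return {r["policy"] for r in records if registrable(r["host"]) in login_domains}


# Account locator: the leftmost label of any *.snowflakecomputing.com host.
ACCOUNT_RE = re.compile(r"(?<![\w.-])[a-z0-9_-]+(?=(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com)")
SRC_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")


def redact(line: str) -> str:
    """Mask the account locator and the client socket before sharing a log window."""
    return SRC_RE.sub("SRC", ACCOUNT_RE.sub("ACCOUNT", line))


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    snowflake_only = {"snowflake.com", "snowflakecomputing.com"}
    print(rule_provider_payload(observed_suffixes(records, allow=snowflake_only)))
    for domain, exits in exits_by_domain(records).items():
        print(f"{domain:24} {sorted(exits)}")
    login = snowflake_only | {"okta.com"}
    print("login flow exits:", sorted(split_login_exits(records, login)))
    print(redact(SAMPLE_LOG.splitlines()[1]))
```

On the constructed sample the IdP host shows `AUTO-US via GeoIP(US)` while both Snowflake planes show PROXY_SNOWFLAKE, so the login flow reports two exits: the ordering bug, not node latency, is the first thing to fix. Only the two Snowflake suffixes are promoted into the payload; okta.com and github.com belong in their own labeled blocks.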
9 FAQ
- Is snowflake.com enough without snowflakecomputing.com? No. Browser flows may work while drivers and the CLI still fail; keep both suffixes unless telemetry proves otherwise.
- Should I reuse my ChatGPT rule list for Cortex Code? Only for genuinely external model hosts you have measured; warehouse traffic still needs Snowflake-specific rows.
- Why does Git pull fail after a successful Snowflake login? Different registrable domains; verify the Git remotes and capture native git traffic through the proxy.
- Can I stay on system proxy only? Sometimes for browsers; CLIs and language runtimes often need TUN or explicit proxy environment variables. Test both.
10 Wrap-up
Snowflake Cortex Code in 2026 belongs in the same mental bucket as other enterprise data-cloud tools: route the console, the account plane on snowflakecomputing.com, Cortex-adjacent APIs you observe in logs, enterprise SSO hosts, and Git integration domains as one coherent story. Express that in Clash or Mihomo with explicit DOMAIN-SUFFIX rows ordered above blunt regional imports, curated rule provider slices your team owns, and DNS settings aligned with how laptops resolve names on the developer network. Compared with ChatGPT-centric lists, this approach stays legible to security reviewers because it mirrors actual Snowflake architecture—not a generic “AI” keyword bucket.
Among proxy stacks, Clash’s transparent YAML and mature desktop clients suit operators who juggle browsers, CLIs, and occasional containers on one machine. When you need installers, prefer our download hub for curated builds; cite upstream repositories for transparency, not as the default end-user installer path.
When routing stops stealing attention cycles, data teams can focus on SQL quality, governance, and the prompts that actually move metrics—which is what a dependable network should unlock for Snowflake users this year.