ApsaraDB for ClickHouse:Configure a whitelist

Usage notes

• You can configure a whitelist to enable fine-grained access control for your ApsaraDB for ClickHouse cluster. We recommend that you update the whitelist on a regular basis.

• When you configure the whitelist for your ApsaraDB for ClickHouse cluster, the normal operation of the cluster is not affected.

• To ensure data security, you cannot add 0.0.0.0 or 0.0.0.0/0 to the whitelist of your ApsaraDB for ClickHouse cluster.

• ApsaraDB for ClickHouse provides a whitelist group named default. You cannot delete the group. You can only modify or clear the settings in the group.

• The default whitelist group contains only 127.0.0.1. It means that the ApsaraDB for ClickHouse cluster blocks access from all IP addresses.

• Do not modify or delete the whitelist groups that are automatically generated for Alibaba Cloud services. If you delete these whitelist groups, the related Alibaba Cloud services cannot connect to your cluster. For example, do not modify or delete ali_dms_group, which is the IP address whitelist group for Data Management (DMS).

• You can add a maximum of 200 IP addresses to the whitelists of an ApsaraDB for ClickHouse cluster. Each whitelist group supports up to 50 IP addresses.

Prerequisites

An ApsaraDB for ClickHouse cluster is created and is running. For more information about how to create an ApsaraDB for ClickHouse cluster, see Create an ApsaraDB for ClickHouse cluster.

Procedure

1. Log on to the ApsaraDB for ClickHouse console.

2. In the top navigation bar, select the region where the cluster is deployed.

3. On the Default Instances tab of the Clusters page, click the ID of the cluster that you want to manage.

4. In the left-side navigation pane, click Data Security.

5. Click Create Whitelist Group.

6. Set the following parameters as prompted.

   Parameter	Description	Example
   Group Name	The name of the whitelist group. The name can contain lowercase letters, digits, and underscores (_). The name must start with a lowercase letter and end with a lowercase letter or a digit. The name must be 2 to 32 characters in length.	test
   IP Addresses	The IP addresses or CIDR blocks that are added to the whitelist group. Valid formats: IP address. For example, 192.168.0.1 indicates that you allow access to your ApsaraDB for ClickHouse cluster from the IP address 192.168.0.1. CIDR block. For example, 192.168.0.0/24 indicates that you allow access to your ApsaraDB for ClickHouse cluster from the IP addresses that range from 192.168.0.1 to 192.168.0.255. Note If you need to add multiple IP addresses or CIDR blocks, separate them with commas (,). If you need to block access to your ApsaraDB for ClickHouse cluster from all IP addresses, you can set the value to 127.0.0.1. To ensure the data security of your ApsaraDB for ClickHouse cluster, do not add 0.0.0.0 or 0.0.0.0/0 to the whitelist group.	192.168.xx.xx

   In the examples of the Quick Start tutorial, DMS is used to create a database and a table, and clickhouse-client is used to import data. Therefore, in this tutorial, you must add the IP address of the DMS server and the IP address of the server in which clickhouse-client is installed to the whitelist group of your ApsaraDB for ClickHouse cluster.

   Note

   When you create an ApsaraDB for ClickHouse cluster, the system automatically creates a whitelist group named ali_dms_group for the ApsaraDB for ClickHouse cluster and adds the IP address of the DMS server to the whitelist group. If the whitelist group fails to be added automatically, you must manually add the whitelist group. For more information about the IP addresses of DMS servers in different regions, see DMS IP addresses and CIDR blocks.

7. Click OK.

   After the whitelist group is created, you can view the whitelist group on the Data Security page.

What to do next

Connect to an ApsaraDB for ClickHouse cluster