Legal disclaimer

Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions of this legal disclaimer before you read or use this document. If you have read or used this document, it shall be deemed as your total acceptance of this legal disclaimer.
  • You shall download and obtain this document from the Alibaba Cloud website or other channels authorized by Alibaba Cloud, and use this document for your own legal business activities only. The content of this document is considered confidential information of Alibaba Cloud. You shall strictly abide by the confidentiality obligations. No part of this document shall be disclosed or provided to any third party for use without the prior written consent of Alibaba Cloud.
  • No part of this document shall be excerpted, translated, reproduced, transmitted, or disseminated by any organization, company, or individual in any form or by any means without the prior written consent of Alibaba Cloud.
  • The content of this document may be modified due to product version upgrades, adjustments, or other reasons. Alibaba Cloud reserves the right to modify the content of this document without notice. The updated versions of this document will be occasionally released through channels authorized by Alibaba Cloud. You shall pay attention to the version changes of this document as they occur and download and obtain the most up-to-date version of this document from channels authorized by Alibaba Cloud.
  • This document serves only as a reference guide for your use of Alibaba Cloud products and services. Alibaba Cloud provides the document in the context that Alibaba Cloud products and services are provided on an "as is", "with all faults" and "as available" basis. Alibaba Cloud makes every effort to provide relevant operational guidance based on existing technologies. However, Alibaba Cloud hereby makes a clear statement that it in no way guarantees the accuracy, integrity, applicability, and reliability of the content of this document, either explicitly or implicitly. Alibaba Cloud shall not bear any liability for any errors or financial losses incurred by any organizations, companies, or individuals arising from their download, use, or trust in this document. Alibaba Cloud shall not, under any circumstances, bear responsibility for any indirect, consequential, exemplary, incidental, special, or punitive damages, including lost profits arising from the use or trust in this document, even if Alibaba Cloud has been notified of the possibility of such a loss.
  • By law, all the content of the Alibaba Cloud website, including but not limited to works, products, images, archives, information, materials, website architecture, website graphic layout, and webpage design, are intellectual property of Alibaba Cloud and/or its affiliates. This intellectual property includes, but is not limited to, trademark rights, patent rights, copyrights, and trade secrets. No part of the Alibaba Cloud website, product programs, or content shall be used, modified, reproduced, publicly transmitted, changed, disseminated, distributed, or published without the prior written consent of Alibaba Cloud and/or its affiliates. The names owned by Alibaba Cloud include, but are not limited to, "Alibaba Cloud", "Aliyun", "HiChina", and other brands of Alibaba Cloud and/or its affiliates, which appear separately or in combination, as well as the auxiliary signs and patterns of the preceding brands, or anything similar to the company names, trade names, trademarks, product or service names, domain names, patterns, logos, marks, signs, or special descriptions that third parties identify as Alibaba Cloud and/or its affiliates.
  • Please contact Alibaba Cloud directly if you discover any errors in this document.

Security isolation

ApsaraDB for ClickHouse runs every computing task in its own sandbox. The sandbox is layered, from the operating-system kernel up to the Kernel-based Virtual Machine (KVM) layer, and each layer enforces authentication so that tenant data stays isolated and accidental or malicious operations in one sandbox cannot cause faults on the underlying server.

Network isolation

ApsaraDB for ClickHouse clusters can be created only in virtual private clouds (VPCs), and all nodes of a cluster run in the same VPC. By default a cluster is reachable only from within its VPC; a public endpoint must be requested explicitly. In either case, only clients whose IP addresses appear in the cluster's whitelists can connect.

Authentication

A user is authenticated at logon with a database account and password that an ApsaraDB for ClickHouse administrator has created.

ApsaraDB for ClickHouse provides cluster-level access control.

Data security

ApsaraDB for ClickHouse cluster data is stored in enhanced SSDs (ESSDs), standard SSDs, or ultra disks. Data is stored in three copies to ensure data reliability and consistency.

Log audit

ApsaraDB for ClickHouse records user activity for audit, including operation records and security-related events.

Best practices

1. Access clusters over VPCs

To ensure security, we recommend that you access clusters over VPCs rather than over the Internet. You can create an ECS instance in the same VPC as the cluster to act as the client, and then connect it to the ApsaraDB for ClickHouse database, which acts as the server, for writing and querying data.

2. Add client IP addresses to whitelists

Regardless of whether you access an ApsaraDB for ClickHouse database over a VPC or the Internet, you must add the client IP address to a whitelist of the database in the console. Otherwise, access is denied. If the client IP address is in the whitelist but you still cannot connect, check that the address you added is the one the cluster actually sees: a client behind NAT or a public gateway reaches the cluster from the gateway's address, not from its own private address.

To reduce risks of data leaks, we recommend that you include only specific Classless Inter-Domain Routing (CIDR) blocks of the production network in the whitelist. You cannot include 0.0.0.0/0 in the whitelist.

3. Export access logs

You can run the following statement in clickhouse-client to export access logs: SELECT * FROM system.query_log INTO OUTFILE 'access.log' FORMAT TSVWithNames; The file name must be a quoted string literal, the file is written on the machine where the client runs, and the statement fails if the file already exists. Note that system.query_log is a per-server table, so on a multi-node cluster the export covers only the node your connection lands on.
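The following Python script is an added example, not part of the original page or of the ApsaraDB for ClickHouse product, tying together best practices 2 and 3: it validates a whitelist the way the text recommends (specific CIDR blocks only, 0.0.0.0/0 rejected) and then runs a few detection rules over an exported system.query_log. The export and its rows are constructed for the example; it assumes the log was written with a selection of the type, event_time, user, address, query and exception_code columns in TSVWithNames format, that the address column carries IPv4-mapped IPv6 strings as ClickHouse stores them, and that error code 497 means ACCESS_DENIED (confirm both against your server version).

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# ClickHouse error code for "Not enough privileges" (assumed here; verify
# against the ErrorCodes list of the server version you run).
ACCESS_DENIED = 497

# Statements that destroy data and deserve a second look in an audit.
DESTRUCTIVE = re.compile(
    r"^\s*(DROP|TRUNCATE|ALTER\s+TABLE\s+\S+\s+DELETE)\b", re.IGNORECASE
)

# Constructed sample of an export such as
#   SELECT type, event_time, user, address, query, exception_code
#   FROM system.query_log INTO OUTFILE 'access.log' FORMAT TSVWithNames;
# These rows are made up for the example, not real audit data.
SAMPLE_EXPORT = (
    "type\tevent_time\tuser\taddress\tquery\texception_code\n"
    "QueryFinish\t2024-05-01 10:00:01\tanalyst\t::ffff:10.0.1.5\tSELECT count() FROM orders\t0\n"
    "ExceptionBeforeStart\t2024-05-01 10:00:07\treport\t::ffff:203.0.113.9\tSELECT * FROM salaries\t497\n"
    "ExceptionBeforeStart\t2024-05-01 10:00:09\treport\t::ffff:203.0.113.9\tSELECT * FROM salaries\t497\n"
    "ExceptionBeforeStart\t2024-05-01 10:00:11\treport\t::ffff:203.0.113.9\tSELECT * FROM salaries\t497\n"
    "QueryFinish\t2024-05-01 10:01:30\tanalyst\t::ffff:10.0.1.5\tDROP TABLE orders_backup\t0\n"
)


def parse_whitelist(entries):
    """Parse console whitelist entries into networks, rejecting catch-alls."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would admit every address
            raise ValueError(f"{entry!r} allows every address and is not permitted")
        nets.append(net)
    return nets


def client_ip(address):
    """query_log stores addresses as IPv6; unwrap IPv4-mapped ones (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def in_whitelist(ip, nets):
    return any(ip in net for net in nets)


def audit(export_text, whitelist_entries, denied_threshold=3):
    """Return findings as (event_time, rule, user, ip, detail) tuples."""
    nets = parse_whitelist(whitelist_entries)
    findings = []
    denied = Counter()
    rows = csv.DictReader(io.StringIO(export_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in rows:
        ip = client_ip(row["address"])
        when, user, query = row["event_time"], row["user"], row["query"]
        # Rule 1: a recorded client address that no whitelist block covers
        # means the whitelist is broader than the documented CIDR set.
        if not in_whitelist(ip, nets):
            findings.append((when, "outside_whitelist", user, str(ip), query))
        # Rule 2: count privilege failures per (user, address) for a burst check.
        if int(row["exception_code"]) == ACCESS_DENIED:
            denied[(user, str(ip))] += 1
        # Rule 3: destructive statements that actually completed.
        if row["type"] == "QueryFinish" and DESTRUCTIVE.match(query):
            findings.append((when, "destructive_statement", user, str(ip), query))
    for (user, ip), count in denied.items():
        if count >= denied_threshold:
            findings.append(("", "repeated_access_denied", user, ip, f"{count} denials"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, ["10.0.1.0/24", "10.0.2.0/24"]):
        print(finding)
```

Run against a real export, the script should be fed the same CIDR list you maintain in the console; any outside_whitelist finding then points either at a stale whitelist entry or at an address reaching the cluster through a path you did not expect.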