To ensure the security and stability of your ApsaraDB for ClickHouse database, ApsaraDB for ClickHouse clusters deny access from all IP addresses by default. Before you can use an ApsaraDB for ClickHouse cluster, you must add the IP address or CIDR block of your client to the whitelist of the ApsaraDB for ClickHouse cluster. This topic describes how to configure a whitelist.
Notes
Configuring a whitelist provides a high level of access security for your ApsaraDB for ClickHouse cluster. We recommend that you maintain the whitelist on a regular basis.
To ensure data security, ApsaraDB for ClickHouse prohibits you from setting the whitelist to 0.0.0.0 or 0.0.0.0/0.
The default whitelist group is named `default` and contains only the IP address 127.0.0.1. This configuration denies access from all other IP addresses to the ApsaraDB for ClickHouse cluster. This group cannot be deleted, but you can modify or clear it.
Do not modify or delete system-generated groups. This can affect the functionality of related products.
For example, `dms` is the whitelist group for the IP addresses of Data Management Service (DMS).
An ApsaraDB for ClickHouse cluster supports a maximum of 200 IP addresses across all its whitelist groups. A single whitelist group can contain up to 50 IP addresses.
Cluster impact
Configuring a whitelist does not affect the normal operation of your ApsaraDB for ClickHouse cluster.
Prerequisites
An ApsaraDB for ClickHouse cluster is created and is in the Running state. For more information, see Create a cluster.
The IP address to be added to the whitelist is correct.
The IP address cannot be empty.
IPv6 addresses are not supported.
NoteThe IP addresses of servers within a corporate network can change. The IP address on your local machine may not be the public IP address of your network. To find the correct public IP address, we recommend that you use a professional IP lookup service. For example, you can visit https://www.ip.cn/ or run the
curl ifconfig.mecommand on the command line.
Procedure
Log on to the ApsaraDB for ClickHouse console.
In the upper-left corner of the page, select the region where your cluster is located.
On the Clusters page, select the tab for your cluster's instance type and click the target cluster ID.
In the navigation pane on the left, click Data Security.
Click the Create Whitelist Group button.
Configure the parameters.
Parameter
Description
Example
Group Name
The name of the whitelist group. The name must meet the following requirements:
Consists of lowercase letters, digits, or underscores (_).
Starts with a lowercase letter and ends with a lowercase letter or a digit.
Is 2 to 32 characters in length.
test
IP Addresses
The IP addresses in the whitelist. The IP addresses must meet the following requirements:
IP address format: For example, `192.168.0.1` allows access from the IP address 192.168.0.1 to ApsaraDB for ClickHouse.
CIDR block format: For example, `192.168.0.0/24` allows access from IP addresses in the range of 192.168.0.1 to 192.168.0.255 to ApsaraDB for ClickHouse.
NoteTo add multiple IP addresses or CIDR blocks, separate them with commas (,).
Setting the value to 127.0.0.1 denies access from all IP addresses to the ApsaraDB for ClickHouse cluster.
To ensure data security, do not set the whitelist to 0.0.0.0 or 0.0.0.0/0.
192.168.xx.xx
The Quick Start tutorial provides an example of how to create a database and table using DMS and import data using clickhouse-client. To complete the tutorial, you must add the IP addresses of the DMS server and the server where clickhouse-client is located to the whitelist of the ApsaraDB for ClickHouse cluster.
NoteWhen an ApsaraDB for ClickHouse cluster is created, the system automatically adds a whitelist group named dms to the ApsaraDB for ClickHouse cluster. This group contains the IP addresses of DMS servers. If the group fails to be added automatically, you can add it manually. For a list of DMS server IP addresses in different regions, see DMS CIDR blocks.
Click OK.