To keep your ApsaraDB for ClickHouse database secure and stable, the system blocks all external IP addresses from accessing ApsaraDB for ClickHouse clusters by default. Before you can connect to an ApsaraDB for ClickHouse cluster, you must add the IP address or CIDR block of your client to a ApsaraDB for ClickHouse whitelist. This topic describes how to set a whitelist.
Notes
Whitelists provide a high level of access security for your ApsaraDB for ClickHouse cluster. We recommend that you maintain your whitelists on a regular basis.
For security reasons, ApsaraDB for ClickHouse does not allow you to add 0.0.0.0/0 to a whitelist.
The default whitelist group, named 'default', contains only the IP address 127.0.0.1. This setting blocks all external IP addresses from accessing the ApsaraDB for ClickHouse cluster. You cannot delete this group, but you can modify the IP addresses in it or clear it.
Do not modify or delete system-generated groups. This action may affect the functionality of related products.
For example, the 'dms' group is the IP whitelist for Data Management Service (DMS).
An ApsaraDB for ClickHouse cluster supports a maximum of 200 IP addresses across all its whitelists. A single whitelist group can contain a maximum of 50 IP addresses.
Impact on clusters
Configuring a whitelist does not affect the normal running of your ApsaraDB for ClickHouse cluster.
Prerequisites
You have created an ApsaraDB for ClickHouse cluster, and the cluster is in the Running state. For more information, see Create a cluster.
Verify that the target IP address is correct.
An IP address must be provided.
Only IPv4 addresses are supported.
NoteThe public IP addresses of servers on a corporate network can change. The IP address that you obtain locally may not be the actual public IP address. We recommend that you use a professional IP lookup service to confirm the public IP address. For example, you can visit https://www.ip.cn/ or run the
curl ifconfig.mecommand in the command line.
Procedure
Log on to the ApsaraDB for ClickHouse console.
In the upper-left corner of the page, select the region in which the cluster is deployed.
On the Cluster List page, select the Instance List for the target cluster type, and then click the ID of the target cluster.
In the navigation pane on the left, click Data Security.
Click Add Whitelist Group.
Configure the parameters as prompted.
Parameter
Description
Example
Group Name
The name of the whitelist group. The name must meet the following rules:
Consists of lowercase letters, digits, or underscores (_).
Starts with a lowercase letter and ends with a lowercase letter or a digit.
Is 2 to 32 characters in length.
test
IP Whitelist
The whitelist configuration rules are as follows.
IP address. For example, 192.168.0.1 allows the IP address 192.168.0.1 to access ApsaraDB for ClickHouse.
CIDR block. For example, 192.168.0.0/24 allows all IP addresses in the 192.168.0.0/24 CIDR block to access ApsaraDB for ClickHouse.
NoteTo add multiple IP addresses or CIDR blocks, separate them with commas.
Setting the whitelist to 127.0.0.1 blocks all external IP addresses from accessing the ApsaraDB for ClickHouse cluster.
For data security, do not set the whitelist to 0.0.0.0 or 0.0.0.0/0.
192.168.xx.xx
The Quick Start tutorial demonstrates how to create a database and a table using DMS and import data using clickhouse-client. For this tutorial, you must add the IP addresses of the DMS server and the clickhouse-client server to the whitelist of your ApsaraDB for ClickHouse cluster.
NoteWhen you create an ApsaraDB for ClickHouse cluster, the system automatically adds a whitelist group named dms to the ApsaraDB for ClickHouse cluster. The system also adds the IP addresses of DMS servers to this group. If this process fails, you must add them manually. For a list of DMS server IP addresses in different regions, see DMS IP CIDR blocks.
Click OK.
After the group is created, it is displayed on the Data Security page.