To ensure the security and stability of ApsaraDB ClickHouse databases, ApsaraDB ClickHouse clusters block access from all IP addresses by default. Before you use an ApsaraDB ClickHouse cluster, add IP addresses or CIDR blocks that are used to access the ApsaraDB ClickHouse cluster to the whitelist of the cluster. This topic describes how to configure the whitelist.


  • You can configure a whitelist to enable fine-grained access control for your ApsaraDB ClickHouse cluster. We recommend that you update the whitelist on a regular basis.
  • When you configure the whitelist, the running of the ApsaraDB ClickHouse cluster is not affected.
  • To ensure data security, ApsaraDB ClickHouse does not allow you to specify or
  • The whitelist labeled default can be modified and cleared, but cannot be deleted.
  • The default whitelist of an ApsaraDB ClickHouse cluster contains only the IP address This specifies that no IP addresses are allowed to access the cluster.
  • Do not modify or delete the whitelists that are automatically generated for Alibaba Cloud services. If you delete these whitelists, the related Alibaba Cloud services cannot connect to your cluster. For example, do not delete ali_dms_group, which is the IP address whitelist of Data Management (DMS).


An ApsaraDB ClickHouse cluster is created and is in the Running state. For more information, see Create a cluster.


  1. Log on to the ApsaraDB for ClickHouse console.
  2. In the upper-left corner of the page, select the region where the cluster is deployed.

  3. In the left-side navigation pane, click Data Security.
  4. Click Create Whitelist Group.
  5. Set the following parameters based on the on-screen instructions that are displayed.
    Parameter Description Example
    Group Name The name of the whitelist.
    • The name can contain lowercase letters, digits, and underscores (_).
    • The name must start with a lowercase letter and end with a lowercase letter or a digit.
    • The name must be 2 to 32 characters in length.
    IP Addresses The IP addresses or CIDR blocks that are added to the whitelist.
    • You can set this parameter to an IP address. For example, you can set this parameter to This specifies that the ApsaraDB ClickHouse cluster can be accessed from the IP address
    • You can set this parameter to a CIDR block. For example, you can set this parameter to This specifies that the ApsaraDB ClickHouse cluster can be accessed from IP addresses that range from to
    • If you need to add multiple IP addresses or CIDR blocks, separate them with commas (,).
    • If you set this parameter to, all IP addresses are prohibited from accessing the ApsaraDB ClickHouse cluster.
    • To ensure data security, do not specify or
    In the example of the Quick Start tutorial, DMS is used to create a database and a table, and clickhouse-client is used to import data. Therefore, in this tutorial, you must add the IP address of DMS and the IP address of the server in which clickhouse-client is deployed to the whitelist of the ApsaraDB ClickHouse cluster.
    Note When you create an ApsaraDB ClickHouse cluster, the system automatically adds a whitelist named ali_dms_group for the ApsaraDB ClickHouse cluster and adds the IP addresses of DMS servers to the whitelist. If the whitelist fails to be added, you must manually add the whitelist. For information about the IP addresses of DMS servers in different regions, see DMS IP addresses and CIDR blocks.
  6. Click OK.
    After the whitelist is added, you can view the whitelist on the Data Security page.

What to do next

Connect to a cluster