ApsaraDB for ClickHouse: Security white paper

Last Updated: Mar 30, 2026

Legal disclaimer

Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions of this legal disclaimer before you read or use this document. If you have read or used this document, it shall be deemed as your total acceptance of this legal disclaimer.

  • Download and obtain this document from the Alibaba Cloud website or other Alibaba Cloud-authorized channels, and use this document for your own legal business activities only. The content of this document is considered confidential information of Alibaba Cloud. Strictly abide by the confidentiality obligations. Do not disclose or provide any part of this document to any third party without the prior written consent of Alibaba Cloud.

  • No part of this document shall be excerpted, translated, reproduced, transmitted, or disseminated by any organization, company, or individual in any form or by any means without the prior written consent of Alibaba Cloud.

  • Alibaba Cloud reserves the right to modify the content of this document without notice due to product version upgrades, adjustments, or other reasons. The updated versions of this document will be released through Alibaba Cloud-authorized channels. Download the most up-to-date version from those channels.

  • This document serves only as a reference guide for Alibaba Cloud products and services. Alibaba Cloud provides the document on an "as is", "with all faults", and "as available" basis. Alibaba Cloud makes every effort to provide relevant operational guidance based on existing technologies. However, Alibaba Cloud makes no guarantee — explicit or implicit — on the accuracy, integrity, applicability, or reliability of the content of this document. Alibaba Cloud shall not bear any liability for errors or financial losses incurred by any organization, company, or individual arising from downloading, using, or trusting this document. Alibaba Cloud shall not, under any circumstances, bear responsibility for any indirect, consequential, exemplary, incidental, special, or punitive damages, including lost profits arising from the use of or trust in this document, even if Alibaba Cloud has been notified of the possibility of such a loss.

  • By law, all content of the Alibaba Cloud website — including but not limited to works, products, images, archives, information, materials, website architecture, graphic layout, and webpage design — is intellectual property of Alibaba Cloud and/or its affiliates. This includes, but is not limited to, trademark rights, patent rights, copyrights, and trade secrets. No part of the Alibaba Cloud website, product programs, or content shall be used, modified, reproduced, publicly transmitted, changed, disseminated, distributed, or published without the prior written consent of Alibaba Cloud and/or its affiliates. Names owned by Alibaba Cloud include, but are not limited to, "Alibaba Cloud", "Aliyun", and "HiChina", which appear separately or in combination, as well as auxiliary signs, patterns, or anything similar that third parties identify as Alibaba Cloud and/or its affiliates.

  • Contact Alibaba Cloud directly if you discover any errors in this document.

Security isolation

ApsaraDB for ClickHouse runs all computing tasks in individual sandboxes. The sandbox architecture spans multiple layers, from the kernel layer to the Kernel-based Virtual Machine (KVM) layer. Each sandbox uses an authentication mechanism to protect data and prevent server faults caused by accidental changes or malicious operations.

Network isolation

ApsaraDB for ClickHouse clusters can only be created inside a Virtual Private Cloud (VPC). All nodes in a cluster run within the same VPC. By default, clusters are accessible only over VPCs. Public endpoints are available on request.

Access to a cluster is restricted to clients whose IP addresses are added to the cluster's whitelist. Clients not on the whitelist are denied access regardless of connection type.

Authentication

ApsaraDB for ClickHouse verifies user identity at database login using the database account and password created by an ApsaraDB for ClickHouse administrator. The service provides cluster-level access control.

Data security

ApsaraDB for ClickHouse stores cluster data on Enhanced SSDs (ESSDs), standard SSDs, or ultra disks. All data is stored in three copies to ensure data reliability and consistency.

Log audit

ApsaraDB for ClickHouse audits user behavior logs, including operation records and security information.

Best practices

Access clusters over VPCs

Accessing clusters over a VPC is the most secure connection method. Create an Elastic Compute Service (ECS) instance as the client, then connect it to an ApsaraDB for ClickHouse cluster for writing and querying data. Keeping all traffic within the VPC eliminates exposure to the public internet.

Restrict IP access with whitelists

All clients must have their IP addresses added to the cluster's whitelist in the console before connecting — this applies to both VPC and internet access. If a client's IP address is on the whitelist but the connection still fails, verify that the IP address is correct.

Limit the whitelist to specific Classless Inter-Domain Routing (CIDR) blocks from your production network. Opening access too broadly increases the risk of unauthorized connections and potential data leaks. Setting the whitelist to 0.0.0.0/0 (unrestricted access) is not allowed.

Export access logs

Run the following command to export access logs:

SELECT * FROM system.query_log INTO OUTFILE 'access.log'

Review access logs regularly to detect unusual query patterns or unauthorized access attempts.
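
The whitelist and log-review guidance above, combined in an added Python example that is not Alibaba Cloud code: it checks a proposed whitelist for unrestricted, overly broad, or malformed entries, then flags clients in exported query-log rows that fall outside the accepted blocks. The JSONEachRow export format, the column subset, the /16 threshold, and all sample rows are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed rows, shaped like system.query_log exported as JSONEachRow
# (assumed export format; the page's command uses the client default).
SAMPLE_LOG = """\
{"event_time":"2026-03-01 10:00:01","user":"etl","address":"::ffff:10.20.1.15","type":"QueryFinish"}
{"event_time":"2026-03-01 23:14:52","user":"report","address":"::ffff:203.0.113.77","type":"ExceptionBeforeStart"}
{"event_time":"2026-03-02 02:03:10","user":"report","address":"::ffff:10.99.0.4","type":"QueryFinish"}
"""
MIN_PREFIX = 16  # assumed local policy: blocks wider than /16 need review


def audit_whitelist(entries, min_prefix=MIN_PREFIX):
    """Split proposed whitelist entries into accepted networks and findings."""
    accepted, findings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            findings.append((entry, "not a valid network (typo or host bits set)"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "unrestricted access"))
        elif net.prefixlen < min_prefix:
            findings.append((entry, f"wider than /{min_prefix}"))
        else:
            accepted.append(net)
    return accepted, findings


def client_ip(address):
    """query_log stores addresses as IPv6; unwrap IPv4-mapped clients."""
    ip = ipaddress.ip_address(address)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def review_log(text, networks):
    """Return clients seen outside the accepted networks and failure counts."""
    outside, failures = set(), Counter()
    for line in filter(None, map(str.strip, text.splitlines())):
        row = json.loads(line)
        ip = client_ip(row["address"])
        if not any(ip in net for net in networks):
            outside.add((row["user"], str(ip)))
        if row["type"].startswith("Exception"):
            failures[(row["user"], str(ip))] += 1
    return sorted(outside), dict(failures)
```

A client that appears in the log but lies outside the accepted blocks indicates that the configured whitelist is wider than the intended production CIDR list.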