All Products
Search

This Product

    ApsaraDB for ClickHouse:Configure a whitelist

    Document Center

    ApsaraDB for ClickHouse:Configure a whitelist

    Last Updated:Mar 28, 2026

    ApsaraDB for ClickHouse clusters block all incoming connections by default. To connect to a cluster, add your client IP addresses or CIDR blocks to the whitelist.

    Prerequisites

    Before you begin, ensure that you have:

    • An ApsaraDB for ClickHouse cluster in the Running state. For more information, see Create a cluster

    • The IP addresses or CIDR blocks of all clients that need to connect—including remote workers, on-call locations, and VPN exit nodes

    Usage notes

    • Updating the whitelist does not affect cluster operation.

    • We recommend that you update the whitelist on a regular basis to maintain fine-grained access control.

    • The cluster has a built-in whitelist group named default, which contains only 127.0.0.1. This group cannot be deleted, but you can modify or clear its entries.

    • Do not modify or delete whitelist groups that Alibaba Cloud services create automatically. If you delete these groups, the associated services lose access to your cluster. For example, deleting ali_dms_group disconnects Data Management Service (DMS) from your cluster.

    • A cluster whitelist supports up to 200 IP addresses in total, with a maximum of 50 IP addresses per whitelist group.

    Warning

    Do not add 0.0.0.0 or 0.0.0.0/0 to the whitelist. This allows unrestricted access to your cluster.

    Get the CIDR block of your VPC

    If you want to allow connections from other resources in the same virtual private cloud (VPC), get the VPC's CIDR block first.

    1. Log on to the ApsaraDB for ClickHouse console.

    2. In the top navigation bar, select the region where your cluster is deployed.

    3. On the Clusters page, click the Default Instances tab or the Cloud-native Instances tab, find your cluster, and click its ID.

    4. On the Cluster Information page, copy the VPC ID.

    5. Log on to the VPC console.

    6. In the top navigation bar, select the same region.

    7. In the search bar, select VPC ID from the drop-down list, paste the VPC ID, and click the search icon.

    8. In the results list, find the CIDR block for your VPC.

    Obtain the CIDR block of the VPC
    Note

    You can add this CIDR block to the whitelist of your source database to allow connections from your ClickHouse cluster.

    Create a whitelist group

    1. Log on to the ApsaraDB for ClickHouse console.

    2. In the upper-left corner, select the region where your cluster is deployed.

    3. On the Clusters page, click the Default Instances tab, find your cluster, and click its ID.

    4. In the left-side navigation pane, click Data Security.

    5. Click Create Whitelist Group.

    6. Configure the following parameters:

      Note

      When you create a cluster, the system automatically creates an ali_dms_group whitelist group and adds the IP addresses of DMS servers to it. If this group was not created automatically, add it manually. For DMS server IP addresses by region, see DMS IP addresses and CIDR blocks.

      ParameterDescriptionExample
      Group nameName of the whitelist group. Must contain lowercase letters, digits, and underscores (_). Must start with a lowercase letter and end with a lowercase letter or digit. Length: 2–32 characters.test
      IP addressesIP addresses or CIDR blocks allowed to connect to the cluster. Separate multiple entries with commas (,). Accepted formats: single IP address (for example, 192.168.0.1) or CIDR block (for example, 192.168.0.0/24 allows 192.168.0.1192.168.0.255). To block all external connections, enter 127.0.0.1.192.168.xx.xx

    7. Click OK.

    The new whitelist group appears on the Data Security page.

    What's next