Allowlists in Managed Service for ClickHouse®

This page explains what allowlists are and which IP address allocation methods are used to define them. Allowlists are often referred to as access lists.


An allowlist consists of CIDRs and dedicated IP addresses you define as approved to access your cluster. You can also allow or block the DoubleCloud system services from accessing the data on your cluster.

IP addresses not added to the allowlist can't access your cluster.

IP address allocation methods

There are two main IP address allocation methods in DoubleCloud allowlists: CIDRs and single IP addresses.

  • CIDR is a compact method for specifying IP addresses and their routing suffixes.

    You can express, for example, the IP address range from to by using a much shorter CIDR notation of, where 24 represents the Netmask (or the Subnet mask)

    Keep in mind that an IPv4 address is 32 bits in size, so the Netmask value for a CIDR can be between 0 and 32.

    You can check the Netmask value with an external subnet calculator, if needed. For example, CIDR Subnet calculator .

  • Single IP address allows you to add one IP address to your allowlist.

Accessible ports

When allowing connection to your Managed Service for ClickHouse® cluster, you open the following ports:

  • 9440: the Native interface port, use it to connect with the clickhouse-client and other CLI tools.

  • 8443 and 443: TLS ports to send requests to the HTTP interface.

  • 9363: the metrics port to connect Prometheus or other third-party solutions.


All these ports are SSL-encrypted.

See also