Manage access to the ClickHouse® cluster using the allowlist

The allowlist lets you control which IP addresses can connect to the cluster. This article explains how you can add, edit, or delete allowlist entries and control access from other DoubleCloud services.

About allowlist entries

On DoubleCloud, you can allow access to clusters from both single IP addresses and CIDR blocks.

You can add single IP addresses to the allowlist. By default, the address that the cluster was created from is included in the allowlist.

You can add IP address ranges as CIDR blocks. For example, you can add the range of addresses from 192.168.0.1 to 192.168.0.255 by using a shorter CIDR notation of 192.168.0.1/24. In this example, 24 corresponds to the 255.255.255.0 netmask (or subnet mask).

The netmask value in a CIDR can be between 0 and 32 because an IPv4 address is 32 bits long.

To calculate the netmask, use the CIDR subnet calculator.
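
The following Python sketch is an added example, not DoubleCloud code. It uses the standard ipaddress module to show which addresses an entry such as 192.168.0.1/24 actually admits, and reviews a proposed allowlist for entries that are malformed, have host bits set, are already covered by a broader entry, or open the cluster to every address (0.0.0.0/0 or ::/0). The function names and sample entries are constructed for illustration.

```python
import ipaddress

def describe(entry):
    """Return what one allowlist entry (single IP or CIDR) actually admits."""
    iface = ipaddress.ip_interface(entry.strip())  # ValueError if malformed
    net = iface.network  # a single IP becomes a /32 (IPv4) or /128 (IPv6)
    return {
        "network": net,
        "netmask": str(net.netmask),
        "first": str(net[0]),    # lowest address in the block
        "last": str(net[-1]),    # highest address in the block
        "count": net.num_addresses,
        "host_bits_set": iface.ip != net.network_address,
        "open_to_all": net.prefixlen == 0,
    }

def audit(entries):
    """Return (entry, finding) pairs for a proposed allowlist."""
    findings, parsed = [], []
    for entry in entries:
        try:
            info = describe(entry)
        except ValueError:
            findings.append((entry, "invalid"))
            continue
        if info["open_to_all"]:
            findings.append((entry, "open-to-all"))
        elif info["host_bits_set"]:
            # e.g. 192.168.0.1/24 is treated as the whole 192.168.0.0/24 block
            findings.append((entry, "host-bits-set"))
        parsed.append((entry, info["network"]))
    # Second pass: entries that a broader entry already covers
    for entry, net in parsed:
        for other_entry, other in parsed:
            if net.version == other.version and net != other and net.subnet_of(other):
                findings.append((entry, "covered-by " + other_entry))
    return findings

# Constructed sample allowlist (not taken from a real cluster)
SAMPLE = ["192.168.0.1/24", "192.168.0.77", "203.0.113.7", "10.0.0.300"]

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print(f"{entry:16} {finding}")
```
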

Available ports

When you allow access to your Managed ClickHouse® cluster, you open the following ports:

  • 9440: Native interface port. Use it to connect with the ClickHouse client or other CLI tools.

  • 8443 and 443: TLS ports to send requests to the HTTP interface.

  • 9363: Metrics port to connect Prometheus or other third-party solutions.

Note

All these ports are SSL encrypted.

Add an allowlist entry

  1. Go to the Clusters page in the console.

  2. Select the ClickHouse® cluster where you want to add an entry to the allowlist.

  3. Switch to the Allowlist tab.

  4. In the Allowlist section, click Edit.

    Screenshot showing the cluster page and the Allowlist tab

  5. In the dialog, click + Add item.

    Screenshot of the allowlist editing dialog

  6. In the new IP address or CIDR field, enter a single IP address or a range in the CIDR format.

    The CIDR range notation has the <ip-address>/<netmask> format. To calculate the netmask value, you can use the CIDR subnet calculator.

  7. Click Save.

    Updating the cluster allowlist settings usually takes around five minutes.

Remove access restrictions

Warning

Removing access restrictions opens your ClickHouse® cluster to any outside connection and may cause security issues. Only do that if it's absolutely necessary.

To remove access restrictions in your ClickHouse® cluster and allow connections from any IP address, take the following steps:

  1. Go to the Clusters page in the console.

  2. Select the ClickHouse® cluster where you want to remove access restrictions.

  3. Switch to the Allowlist tab.

  4. In the Allowlist section, click Edit.

    Screenshot showing the cluster page and the Allowlist tab

  5. In the dialog, click + Add item.

    Screenshot of the allowlist editing dialog

  6. In IP address or CIDR, enter 0.0.0.0/0 to allow all connections via IPv4 or ::/0 for IPv6.

  7. (Optional) Enter a description.

  8. Click Save.

Edit an allowlist entry

  1. Go to the Clusters page in the console.

  2. Select the cluster where you want to edit an allowlist entry.

  3. Switch to the Allowlist tab.

  4. In the Allowlist section, click Edit.

    Screenshot showing the cluster page and the Allowlist tab

  5. In the dialog, edit the IP addresses, CIDRs, and descriptions.

    The CIDR range notation has the <ip-address>/<netmask> format. To calculate the netmask value, you can use the CIDR subnet calculator.

  6. Click Save.

    Updating the cluster allowlist settings usually takes around five minutes.

Delete an allowlist entry

  1. Go to the Clusters page in the console.

  2. Select the cluster where you want to delete an allowlist entry.

  3. Switch to the Allowlist tab.

  4. In the Allowlist section, click Edit.

    Screenshot showing the cluster page and the Allowlist tab

  5. In the dialog, click next to the allowlist entries you want to delete.

  6. Click Save.

    Updating the cluster allowlist settings usually takes around five minutes.

Control access from DoubleCloud services

To enable or disable access to your ClickHouse® cluster from DoubleCloud Visualization and WebSQL, do the following:

  1. Go to the Clusters page in the console.

  2. Select the cluster where you want to edit access from DoubleCloud services.

  3. In the Access from DoubleCloud services section, allow or block access for Visualization and WebSQL.

    Screenshot showing the cluster page and the Allowlist tab