To ensure the security and stability of the ApsaraDB for ClickHouse databases, ApsaraDB for ClickHouse clusters block access from all IP addresses by default. Before you use an ApsaraDB for ClickHouse cluster, add the client IP addresses or CIDR blocks that you use to access the cluster to the whitelist of ApsaraDB for ClickHouse. This topic describes how to configure the whitelist for an ApsaraDB for ClickHouse cluster.
Prerequisites
An ApsaraDB for ClickHouse cluster has been created and is in the Running state. For more information, see Create a cluster.
Precautions
You can configure the whitelist to enable fine-grained access control for your ApsaraDB for ClickHouse cluster. We recommend that you update the whitelist on a regular basis.
When you configure the whitelist for your ApsaraDB for ClickHouse cluster, the normal operation of the cluster is not affected.
To ensure data security, you cannot add 0.0.0.0 or 0.0.0.0/0 to the whitelist of your ApsaraDB for ClickHouse cluster.
ApsaraDB for ClickHouse provides a whitelist group named default. You cannot delete the group. You can only modify or clear the settings in the group.
The default whitelist group contains only 127.0.0.1, which means that the ApsaraDB for ClickHouse cluster blocks access from all IP addresses.
Do not modify or delete the whitelist groups that are automatically generated for Alibaba Cloud services. If you delete these whitelist groups, the related Alibaba Cloud services cannot connect to your cluster. For example, do not modify or delete ali_dms_group, which is the IP address whitelist group for Data Management Service (DMS).
You can add a maximum of 200 IP addresses to the whitelist of an ApsaraDB for ClickHouse cluster. Each whitelist group supports up to 50 IP addresses.
Obtain the CIDR block of the VPC where an ApsaraDB for ClickHouse cluster is deployed
Copy the ID of the virtual private cloud (VPC) where the ApsaraDB for ClickHouse cluster is deployed.
Log on to the ApsaraDB for ClickHouse console with your Alibaba Cloud account.
In the top navigation bar, select the region where the cluster is deployed.
On the Clusters page, click the Default Instances tab or the Cloud-native Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.
On the Cluster Information page, view and copy the VPC ID.
In the VPC console, obtain the CIDR block of the VPC where the ApsaraDB for ClickHouse cluster is deployed.
Log on to the VPC console with your Alibaba Cloud account.
In the top navigation bar, select the region where the VPC is deployed.
Select VPC ID from the drop-down list. In the search box, paste the VPC ID copied in the preceding step. Click the search icon.
In the list, find the desired CIDR block.
Note: You can add the CIDR block of the VPC where the ApsaraDB for ClickHouse cluster is deployed to the whitelist of the source database.
Configure a whitelist
Log on to the ApsaraDB for ClickHouse console.
In the upper-left corner of the page, select the region where the cluster that you want to manage is deployed.
On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.
In the left-side navigation pane, click Data Security.
Click Create Whitelist Group.
Set the following parameters as prompted.
Parameter: Group Name
Description: The name of the whitelist group.
The name must contain lowercase letters, digits, and underscores (_).
The name must start with a lowercase letter and end with a lowercase letter or digit.
The name must be 2 to 32 characters in length.
Example: test

Parameter: IP Addresses
Description: The IP addresses or CIDR blocks that are added to the whitelist group. Valid formats:
IP address. For example, 192.168.0.1 indicates that you allow access to your ApsaraDB for ClickHouse cluster from the IP address 192.168.0.1.
CIDR block. For example, 192.168.0.0/24 indicates that you allow access to your ApsaraDB for ClickHouse cluster from the IP addresses that range from 192.168.0.1 to 192.168.0.255.
Note:
If you need to add multiple IP addresses or CIDR blocks, separate them with commas (,).
If you need to block access to your ApsaraDB for ClickHouse cluster from all IP addresses, you can set the value to 127.0.0.1.
To ensure the data security of your ApsaraDB for ClickHouse cluster, do not add 0.0.0.0 or 0.0.0.0/0 to the whitelist.
Example: 192.168.xx.xx
Note: When you create an ApsaraDB for ClickHouse cluster, the system automatically creates a whitelist group named ali_dms_group for the ApsaraDB for ClickHouse cluster and adds the IP addresses of DMS servers to the group. If the whitelist group fails to be added automatically, you must manually add the group. For more information about the IP addresses of DMS servers in different regions, see DMS IP addresses and CIDR blocks.
Click OK.
After the whitelist group is created, you can view the whitelist group on the Data Security page.
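The naming, format, and quota rules in this topic can be checked before a whitelist change is entered in the console. The following Python script is an added example, not Alibaba Cloud code; check_entry, check_cluster, and the sample groups are hypothetical names, and it assumes IPv4 entries only and that each IP address or CIDR block counts as one entry toward the limits.

```python
import ipaddress
import re

# Rules as stated in this topic.
MAX_PER_GROUP = 50      # entries per group (assumes a CIDR block counts as one)
MAX_PER_CLUSTER = 200   # entries across all groups of one cluster
GROUP_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")  # 2 to 32 chars
PROTECTED_GROUPS = ("default", "ali_dms_group")  # must not be deleted


def check_entry(entry):
    """Return None if the entry is acceptable, else a reason string."""
    try:
        # Assumption: IPv4 only. strict=False also accepts a plain address (/32).
        net = ipaddress.IPv4Network(entry, strict=False)
    except ValueError:
        return "not an IPv4 address or CIDR block"
    if net.prefixlen == 0 or net == ipaddress.IPv4Network("0.0.0.0/32"):
        return "0.0.0.0 and /0 blocks are not allowed"
    return None


def check_cluster(groups):
    """groups: {group name: comma-separated entries}. Returns a list of problems."""
    problems = [f"{g}: protected group is missing"
                for g in PROTECTED_GROUPS if g not in groups]
    total = 0
    for name, csv in groups.items():
        entries = [e.strip() for e in csv.split(",") if e.strip()]
        total += len(entries)
        if not GROUP_NAME_RE.fullmatch(name):
            problems.append(f"{name}: invalid group name")
        if len(entries) > MAX_PER_GROUP:
            problems.append(f"{name}: more than {MAX_PER_GROUP} entries")
        for entry in entries:
            reason = check_entry(entry)
            if reason:
                problems.append(f"{name}: {entry}: {reason}")
    if total > MAX_PER_CLUSTER:
        problems.append(f"cluster: more than {MAX_PER_CLUSTER} entries in total")
    return problems


# Constructed sample input, not taken from a real cluster.
SAMPLE = {
    "default": "127.0.0.1",
    "test": "192.168.0.1, 192.168.0.0/24",
    "Ops_": "10.0.0.0/0, 192.168.xx.xx",
}
```

Calling check_cluster(SAMPLE) reports the missing ali_dms_group, the invalid group name, the /0 block, and the masked placeholder address, while the default and test groups pass.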