Skip to main content

Configure network access to a ClickHouse cluster

By default, in clusters with a public subnet, the connection is allowed for all IP addresses provided you have a login and password.

For a cluster in a private subnet, the connection is allowed from the cluster subnet and from those subnets that are connected to the cluster subnet via a cloud router.

You can restrict access to a Managed Database cluster using security groups.

Any changes to network access settings are the client's responsibility.

Security groups in a Managed Database cluster

A security group in a Managed Database cluster is a set of rules for filtering incoming and outgoing cluster traffic.For security groups to work, traffic filtering (port security).

If filtering is enabled on the network, a default security group is assigned to all ports in this network, which allows all traffic through the ports. You can assign a different security group when creating a cluster or in an existing cluster.

In addition to the security groups you select when you create a cluster, a service security group is automatically assigned to the Managed Database cluster network ports. This group keeps the cluster running and cannot be changed or deleted. The service group appears only in the OpenStack CLI and Terraform.

Learn more about security groups in the Security Groups section.

Assign a security group in an existing cluster

warning

After assigning a group, all active sessions that do not comply with the group's rules will be dropped.

  1. Ensure that port security (traffic filtering) is enabled in the cluster network. To do this, in the Control panel in the top menu click ProductsCloud ServersNetworkPrivate networks or Public networks tab. A network with enabled filtering is marked with .

    If filtering is disabled, to use security groups, create a new cluster in a new subnet or in a subnet with traffic filtering enabled.

  2. In the Dashboard, on the top menu, click Products and select Managed Databases.

  3. Open the Active tab.

  4. Open the database cluster page → Settings tab.

  5. In the Security block, click Edit.

  6. Select the security group you want to assign to all ports in the cluster network.

  7. Click .