Pre-configuration for connection to a ClickHouse® cluster
You can connect to Managed Service for ClickHouse® cluster hosts:
-
Over the internet, if you configured public access for the appropriate host. You can only connect to such hosts over an SSL connection.
-
From Yandex Cloud virtual machines located in the same cloud network. If there is no public access to a host, connections from this type of virtual machine don't need to be over SSL.
You can connect to a cluster using encryption via ports 9440 for clickhouse-client and 8443 for the HTTP interface or without encryption via ports 9000 and 8123, respectively.
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
Rule settings depend on the connection method you select:
Configure all the cluster security groups to allow incoming traffic on ports 8443 and 9440 from any IP address. To do this, create the following rules for incoming traffic:
- Port range:
8443,9440 - Protocol:
TCP - Source:
CIDR - CIDR blocks:
0.0.0.0/0
A separate rule is created for each port.
-
Configure all the cluster security groups to allow incoming traffic on ports 8123, 8443, 9000, and 9440 from the security group where your VM is located. To do this, create the following rules for incoming traffic in these security groups:
- Port range:
8123(or any of the other ports listed). - Protocol:
TCP. - Source:
Security group. - Security group: If your cluster and VM are in the same security group, select
Current(Self). Otherwise, specify the VM security group.
A separate rule is created for each port.
- Port range:
-
Configure the security group where the VM is located to enable connections to the VM and traffic between the VM and the cluster hosts.
For example, you can set the following rules for a VM:
-
For incoming traffic:
- Port range:
22 - Protocol:
TCP - Source:
CIDR - CIDR blocks:
0.0.0.0/0
This rule allows you to connect to a VM over SSH.
- Port range:
-
For outgoing traffic:
- Port range:
0-65535 - Protocol:
Any(Any) - Destination name:
CIDR - CIDR blocks:
0.0.0.0/0
This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for the connection.
- Port range:
-
Note
You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.
You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster.
For more information about security groups, see DB network and clusters.
Getting SSL certificates
To use an encrypted connection, get SSL certificates:
sudo mkdir --parents /usr/local/share/ca-certificates/Yandex/ && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
--output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
--output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo chmod 655 \
/usr/local/share/ca-certificates/Yandex/RootCA.crt \
/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo update-ca-certificates
The certificates will be saved to the following files:
/usr/local/share/ca-certificates/Yandex/RootCA.crt/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt
sudo mkdir -p /usr/local/share/ca-certificates/Yandex/ && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
--output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
--output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo chmod 655 \
/usr/local/share/ca-certificates/Yandex/RootCA.crt \
/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
security import /usr/local/share/ca-certificates/Yandex/RootCA.crt -k ~/Library/Keychains/login.keychain; \
security import /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt -k ~/Library/Keychains/login.keychain
The certificates will be saved to the following files:
/usr/local/share/ca-certificates/Yandex/RootCA.crt/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt
-
Download and import the certificates:
mkdir -Force $HOME\.yandex; ` curl.exe https://storage.yandexcloud.net/cloud-certs/RootCA.pem ` --output $HOME\.yandex\RootCA.crt; ` curl.exe https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem ` --output $HOME\.yandex\IntermediateCA.crt; ` Import-Certificate ` -FilePath $HOME\.yandex\RootCA.crt ` -CertStoreLocation cert:\CurrentUser\Root; ` Import-Certificate ` -FilePath $HOME\.yandex\IntermediateCA.crt ` -CertStoreLocation cert:\CurrentUser\Root -
Agree to install the certificates in the
Trusted Root Certification Authorities
store.
The certificates will be saved to the following files:
$HOME\.yandex\RootCA.crt$HOME\.yandex\IntermediateCA.crt
To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.
What's next
- Get the FQDN of the host you want to connect to.
- Connect to the cluster using a browser, graphical IDE, or CLI.
- Integrate the cluster connection into your aplication code.
ClickHouse® is a registered trademark of ClickHouse, Inc.