Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Pre-configuring a ClickHouse® cluster connection

Written by
Updated at December 10, 2025

You can connect to Managed Service for ClickHouse® cluster hosts:

  • Via the internet, if you configured public access for the host. These hosts can only be accessed over SSL.

  • From Yandex Cloud virtual machines located in the same cloud network. For hosts without public access, SSL is not required to connect to them from these virtual machines.

You can connect to a cluster either with encryption (on ports 9440 for clickhouse-client and 8443 for the HTTP interface) or without it (on ports 9000 and 8123, respectively).

Configuring security groups

To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Rule settings depend on the connection method you select:

Configure all the cluster security groups to allow incoming traffic on ports 8443 and 9440 from any IP address. To do this, create the following rules for incoming traffic:

  • Port range: 8443 and 9440.
  • Protocol: TCP.
  • Source: CIDR.
  • CIDR blocks: 0.0.0.0/0.

Create a separate rule for each port.

Warning

For a more secure cluster, specify only trusted IP addresses or subnets in the CIDR blocks field.

  1. Configure all the cluster security groups to allow incoming traffic from your VM's security group on ports 8123, 8443, 9000, and 9440. To do this, create the following rules for incoming traffic in these security groups:

    • Port range: 8123 (or any of the other ports listed).
    • Protocol: TCP.
    • Source: Security group.
    • Security group: If your cluster and VM are in the same security group, select Current (Self). Otherwise, specify the VM security group.

    Create a separate rule for each port.

  2. Configure the VM security group to allow VM connections and traffic between the VM and cluster hosts.

    For example, you can set the following rules for your VM:

    • For incoming traffic:

      • Port range: 22.
      • Protocol: TCP.
      • Source: CIDR.
      • CIDR blocks: 0.0.0.0/0.

      This rule allows inbound VM connections over SSH.

    • For outgoing traffic:

      • Port range: 0-65535.
      • Protocol: Any (Any).
      • Destination name: CIDR.
      • CIDR blocks: 0.0.0.0/0.

      This rule allows all outgoing traffic, so that you can connect to the cluster as well as install the certificates and utilities your VM needs for connection.

Note

You can specify more granular rules for your security groups, e.g., to allow traffic only in specific subnets.

Make sure to configure the security groups properly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

For more information about security groups, see Network and database clusters.

Getting SSL certificates

To use an encrypted connection, get an SSL certificate:

sudo mkdir --parents /usr/local/share/ca-certificates/Yandex/ && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
     --output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
     --output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo chmod 655 \
     /usr/local/share/ca-certificates/Yandex/RootCA.crt \
     /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo update-ca-certificates

The certificates will be saved to the following files:

  • /usr/local/share/ca-certificates/Yandex/RootCA.crt
  • /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt
sudo mkdir -p /usr/local/share/ca-certificates/Yandex/ && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
     --output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
     --output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
sudo chmod 655 \
     /usr/local/share/ca-certificates/Yandex/RootCA.crt \
     /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
security import /usr/local/share/ca-certificates/Yandex/RootCA.crt -k ~/Library/Keychains/login.keychain; \
security import /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt -k ~/Library/Keychains/login.keychain

The certificates will be saved to the following files:

  • /usr/local/share/ca-certificates/Yandex/RootCA.crt
  • /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt

  1. Download and import the certificates:

    mkdir -Force $HOME\.yandex; `
curl.exe https://storage.yandexcloud.net/cloud-certs/RootCA.pem `
  --output $HOME\.yandex\RootCA.crt; `
curl.exe https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem `
  --output $HOME\.yandex\IntermediateCA.crt; `
Import-Certificate `
  -FilePath $HOME\.yandex\RootCA.crt `
  -CertStoreLocation cert:\CurrentUser\Root; `
Import-Certificate `
  -FilePath $HOME\.yandex\IntermediateCA.crt `
  -CertStoreLocation cert:\CurrentUser\Root

    Your corporate security policies and antivirus software may block the certificate download. For more information, see FAQ.

  2. Agree to install the certificates in the Trusted Root Certification Authorities storage.

The certificates will be saved to the following files:

  • $HOME\.yandex\RootCA.crt
  • $HOME\.yandex\IntermediateCA.crt

To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.

What's next

See also

ClickHouse® is a registered trademark of ClickHouse, Inc.

Previous
Deleting a cluster
Next
FQDNs of hosts