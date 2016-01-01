Connecting ClickHouse Cloud to Azure Blob Storage
This guide covers how to securely connect ClickHouse Cloud to Azure Blob Storage for data ingestion, external tables, and other integration scenarios.
Overview
ClickHouse Cloud can connect to Azure Blob Storage using several authentication methods. This guide will help you choose the right approach and configure your connection securely.
Supported use cases:
- Reading data from Azure Blob Storage using the azureBlobStorage table function
- Creating external tables with the AzureBlobStorage table engine
- Ingesting data via ClickPipes
- Storing backups in Azure Blob Storage
When your ClickHouse Cloud service and Azure Blob Storage container are deployed in the same Azure region, IP address whitelisting does not work.
This happens because Azure routes same-region traffic through its internal network (VNet + Service Endpoints), bypassing public internet and NAT gateways. As a result, your Azure Storage Account firewall rules based on public IP addresses will not be applied.
IP whitelisting works when:
- Your ClickHouse Cloud service is in a different Azure region than storage account
- Your ClickHouse Cloud service is on AWS/GCP connecting to Azure storage
IP whitelisting fails when:
- Your ClickHouse Cloud service and storage are in the same Azure region. Use Shared Access Signatures (SAS) via connection string instead of IP whitelisting or deploy ABS and ClickHouse in different regions.
Network configuration (Cross-region only)
This section applies only when your ClickHouse Cloud service and Azure Blob Storage container are in different Azure regions, or when ClickHouse Cloud is on AWS/GCP. For same-region deployments, use SAS tokens instead.
Find your ClickHouse Cloud egress IPs
To configure IP-based firewall rules, you need to allowlist the egress IP addresses for your ClickHouse Cloud region.
Run the following command to retrieve a list of egress and ingress ips per region.
Replace
eastus below with your region to filter out other regions:
You will see something similar to:
See Azure regions for a list of supported Cloud regions, and the "Programmatic name" column of Azure regions list for which name to use.
See "Cloud IP addresses" for more details.
Configure Azure storage firewall
Navigate to your Storage Account in Azure Portal
- Go to Networking → Firewalls and virtual networks
- Select Enabled from selected virtual networks and IP addresses
- Add each ClickHouse Cloud egress IP address obtained in the previous step to the Address range field
Do not add ClickHouse Cloud private IPs (10.x.x.x addresses)
- Click Save
See Configure Azure Storage firewalls docs for more details.
ClickPipes configuration
When using ClickPipes with Azure Blob Storage, you need to configure authentication in the ClickPipes UI. See "Creating your first Azure ClickPipe" for more details.
ClickPipes uses separate static IP addresses for outbound connections. These IPs must be allowlisted if you're using IP-based firewall rules.
The same-region IP whitelisting limitation mentioned at the start of this document applies to ClickPipes as well. If your ClickPipes service and Azure Blob Storage are in the same region, use SAS token authentication instead of IP whitelisting.