Private Networking Setup
ClickHouse BYOC supports various private networking options to enhance security and enable direct connectivity for your services. This guide walks you through the recommended approaches for securely connecting ClickHouse Cloud deployments in your own AWS or GCP account to other networks or services, such as your internal applications or analytics tools. We cover options such as VPC Peering, AWS PrivateLink, and GCP Private Service Connect, and outline the main steps and considerations for each.
If you require a private network connection to your ClickHouse BYOC deployment, follow the steps in this guide or consult ClickHouse Support for assistance with more advanced scenarios.
Setup VPC Peering (AWS)
To create or delete VPC peering for ClickHouse BYOC, follow the steps:
Enable private load balancer for ClickHouse BYOC
Contact ClickHouse Support to enable Private Load Balancer.
Create a peering connection
- Navigate to the VPC Dashboard in ClickHouse BYOC account.
- Select Peering Connections.
- Click Create Peering Connection
- Set the VPC Requester to the ClickHouse VPC ID.
- Set the VPC Accepter to the target VPC ID. (Select another account if applicable)
- Click Create Peering Connection.
Accept the peering connection request
Go to the peering account, in the (VPC -> Peering connections -> Actions -> Accept request) page customer can approve this VPC peering request.
Add destination to ClickHouse VPC route tables
In ClickHouse BYOC account,
- Select Route Tables in the VPC Dashboard.
- Search for the ClickHouse VPC ID. Edit each route table attached to the private subnets.
- Click the Edit button under the Routes tab.
- Click Add another route.
- Enter the CIDR range of the target VPC for the Destination.
- Select “Peering Connection” and the ID of the peering connection for the Target.
Add destination to the target VPC route tables
In the peering AWS account,
- Select Route Tables in the VPC Dashboard.
- Search for the target VPC ID.
- Click the Edit button under the Routes tab.
- Click Add another route.
- Enter the CIDR range of the ClickHouse VPC for the Destination.
- Select “Peering Connection” and the ID of the peering connection for the Target.
Edit security group to allow peered VPC access
In the ClickHouse BYOC account, you need to update the Security Group settings to allow traffic from your peered VPC. Please contact ClickHouse Support to request the addition of inbound rules that include the CIDR ranges of your peered VPC.
The ClickHouse service should now be accessible from the peered VPC.
To access ClickHouse privately, a private load balancer and endpoint are provisioned for secure connectivity from the user's peered VPC. The private endpoint follows the public endpoint format with a -private suffix. For example:
- Public endpoint:
h5ju65kv87.mhp0y4dmph.us-west-2.aws.byoc.clickhouse.cloud - Private endpoint:
h5ju65kv87-private.mhp0y4dmph.us-west-2.aws.byoc.clickhouse.cloud
Optional, after verifying that peering is working, you can request the removal of the public load balancer for ClickHouse BYOC.
Setup PrivateLink (AWS)
AWS PrivateLink provides secure, private connectivity to your ClickHouse BYOC services without requiring VPC peering or internet gateways. Traffic flows entirely within the AWS network, never traversing the public internet.
Request PrivateLink Setup
Contact ClickHouse Support to request PrivateLink setup for your BYOC deployment. No specific information is required at this stage—simply indicate that you want to set up PrivateLink connectivity.
ClickHouse Support will enable the necessary infrastructure components, including the private load balancer and PrivateLink service endpoint.
Create an Endpoint in Your VPC
After ClickHouse Support has enabled PrivateLink on their side, you need to create a VPC endpoint in your client application VPC to connect to the ClickHouse PrivateLink service.
- Obtain the Endpoint Service Name:
- ClickHouse Support will provide you with the Endpoint Service name
- You can also find it in the AWS VPC console under "Endpoint Services" (filter by service name or look for ClickHouse services)
- Create the VPC Endpoint:
- Navigate to the AWS VPC Console → Endpoints → Create Endpoint
- Select "Find service by name" and enter the Endpoint Service name provided by ClickHouse Support
- Choose your VPC and select subnets (one per availability zone is recommended)
- Important: Enable "Private DNS names" for the endpoint—this is required for DNS resolution to work correctly
- Select or create a security group for the endpoint
- Click "Create Endpoint"
DNS Requirements:
- Enable "Private DNS names" when creating the VPC endpoint
- Ensure your VPC has "DNS Hostnames" enabled (VPC Settings → DNS resolution and DNS hostnames)
These settings are required for the PrivateLink DNS to function correctly.
- Approve the Endpoint Connection:
- After creating the endpoint, you need to approve the connection request
- In the VPC Console, go to "Endpoint Connections"
- Find the connection request from ClickHouse and click "Accept" to approve it
Add Endpoint ID to Service Allowlist
Once your VPC endpoint is created and the connection is approved, you need to add the Endpoint ID to the allowlist for each ClickHouse service you want to access via PrivateLink.
-
Obtain your Endpoint ID:
- In the AWS VPC Console, go to Endpoints
- Select your newly created endpoint
- Copy the Endpoint ID (it will look like
vpce-xxxxxxxxxxxxxxxxx)
-
Contact ClickHouse Support:
- Provide the Endpoint ID(s) to ClickHouse Support
- Specify which ClickHouse service(s) should allow access from this endpoint
- ClickHouse Support will add the Endpoint ID to the service allowlist
Connect to ClickHouse via PrivateLink
After the Endpoint ID is added to the allowlist, you can connect to your ClickHouse service using the PrivateLink endpoint.
The PrivateLink endpoint format is similar to the public endpoint, but includes a vpce subdomain. For example:
- Public endpoint:
h5ju65kv87.mhp0y4dmph.us-west-2.aws.clickhouse-byoc.com - PrivateLink endpoint:
h5ju65kv87.vpce.mhp0y4dmph.us-west-2.aws.clickhouse-byoc.com
DNS resolution in your VPC will automatically route traffic through the PrivateLink endpoint when you use the vpce subdomain format.
PrivateLink Access Control
Access to ClickHouse services via PrivateLink is controlled at two levels:
- Istio Authorization Policy: ClickHouse Cloud's service-level authorization policies
- VPC Endpoint Security Group: The security group attached to your VPC endpoint controls which resources in your VPC can use the endpoint
The private load balancer's "Enforce inbound rules on PrivateLink traffic" feature is disabled, so access is controlled by Istio authorization policies and your VPC endpoint's security group only.
PrivateLink DNS
PrivateLink DNS for BYOC endpoints (using the *.vpce.{subdomain} format) leverages AWS PrivateLink's built-in "Private DNS names" feature. No Route53 records are required—DNS resolution happens automatically when:
- "Private DNS names" is enabled on your VPC endpoint
- Your VPC has "DNS Hostnames" enabled
This ensures that connections using the vpce subdomain automatically route through the PrivateLink endpoint without additional DNS configuration.
VPC Peering (GCP) and Private Service Connect (GCP)
GCP VPC Peering and Private Service Connect provides similar private connectivity for GCP-based BYOC deployments. This feature is currently in development. If you need VPC Peering or Private Service Connect for your GCP BYOC deployment, please contact ClickHouse Support to discuss availability and setup requirements.
