
Connect a firewalled ClickHouse (Cloud)

Connect a firewalled ClickHouse to chmonitor Cloud — Cloudflare Tunnel (recommended), dedicated egress IPs for allowlisting, jump host, and why allowlisting Cloudflare's shared ranges does not work.

chmonitor Cloud (dash.chmonitor.dev) runs entirely on Cloudflare Workers. When your ClickHouse is behind a firewall, the Worker has to reach it — and because Workers do not have a single fixed public IP by default, a plain "allowlist our IP" is not straightforward. Pick the option that fits, ranked below by how well it works with chmonitor.

Self-hosting? You don't need any of this

Self-hosted chmonitor (Docker / Kubernetes / your own Worker) runs inside your network, so it reaches ClickHouse directly. This page is only for connecting a firewalled ClickHouse to the hosted Cloud.

Cloudflare Tunnel (recommended)

A Cloudflare Tunnel runs a small cloudflared connector next to your ClickHouse. It makes only outbound connections to Cloudflare, so you open no inbound ports and allowlist no IPs. You then protect the tunnel's public hostname with Cloudflare Access and give chmonitor a service token so only chmonitor can reach it. Treat the Access step as part of the setup, not an afterthought: a tunnel hostname without an Access policy in front of it is reachable by anyone on the internet.

Create the tunnel

Install cloudflared (2025.7.0+) on a host that can reach ClickHouse, create a tunnel, route a public hostname to it, and run the tunnel with its ingress pointed at ClickHouse's HTTP port (8123, or 8443 with an https:// origin):

cloudflared tunnel create chmonitor
cloudflared tunnel route dns chmonitor ch.example.com
cloudflared tunnel run --url http://localhost:8123 chmonitor

Protect it with an Access service token

Add an Access application for ch.example.com with a policy whose action is Service Auth and whose rule selects the service token, then copy the generated Client ID and Client Secret. The secret is shown once; store it where you keep other credentials rather than in a ticket or chat.

Add the host in chmonitor

Add the host with URL https://ch.example.com and paste the service-token Client ID / Secret into the connection's headers (CF-Access-Client-Id / CF-Access-Client-Secret). The ClickHouse user and password are configured as usual; the token only gets the request past Access, it does not replace ClickHouse authentication.

Why this is the default: no inbound firewall hole, no IP allowlist to maintain, the token is per-connection and revocable, and traffic is TLS end-to-end. It works today (not beta) on free/standard Zero Trust tiers.
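The three steps above, as one POSIX sh script. This is an added example, not chmonitor's or Cloudflare's own tooling; it assumes the tunnel is named chmonitor, the hostname is ch.example.com, ClickHouse's HTTP interface is on localhost:8123, and the service token is in CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET. It writes an ingress config that forwards only the ClickHouse hostname, and then checks the one thing that is easy to get wrong: that an anonymous request is actually turned away by Access before the token is ever needed.

```shell
#!/bin/sh
# Added example, not chmonitor's or Cloudflare's own tooling. Assumed values:
# tunnel named "chmonitor", public hostname ch.example.com, ClickHouse HTTP on
# localhost:8123, service-token credentials in CF_ACCESS_CLIENT_ID/_SECRET.
set -e

TUNNEL_NAME="${TUNNEL_NAME:-chmonitor}"
CH_HOSTNAME="${CH_HOSTNAME:-ch.example.com}"
CH_ORIGIN="${CH_ORIGIN:-http://localhost:8123}"

# Ingress config for a locally managed tunnel. The first rule forwards only the
# ClickHouse hostname; cloudflared requires a final catch-all rule, and making
# it http_status:404 keeps any other hostname routed to this tunnel closed.
cloudflared_config() {
  tunnel_id="$1"    # UUID printed by 'cloudflared tunnel create'
  cat <<EOF
tunnel: ${tunnel_id}
credentials-file: /etc/cloudflared/${tunnel_id}.json
ingress:
  - hostname: ${CH_HOSTNAME}
    service: ${CH_ORIGIN}
  - service: http_status:404
EOF
}

# Interpret what a request WITHOUT the service token got back. An enforced
# Access policy turns an anonymous request away with a redirect to the Access
# login on cloudflareaccess.com (or a 401/403). A 200 means the Access
# application is missing or its policy does not cover this hostname, so the
# tunnel is serving ClickHouse's HTTP interface to the whole internet.
access_gate() {
  status="$1"; location="$2"
  case "$status" in
    301|302|303|307|308)
      case "$location" in
        *cloudflareaccess.com*) echo "gated" ;;
        *) echo "redirect:${location}" ;;
      esac ;;
    401|403) echo "gated" ;;
    200) echo "UNPROTECTED" ;;
    *) echo "unexpected:${status}" ;;
  esac
}

# Probe the hostname: first anonymously (must be gated), then with the token
# (must reach ClickHouse's /ping, which answers "Ok.").
probe() {
  hdrs=$(curl -sS -o /dev/null -D - "https://${CH_HOSTNAME}/ping" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2}')
  verdict=$(access_gate "$status" "$location")
  echo "anonymous request: $verdict"
  [ "$verdict" = "gated" ] || return 1
  curl -sS -f "https://${CH_HOSTNAME}/ping" \
    -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
    -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}"
}

# Usage, after 'cloudflared tunnel create' and 'cloudflared tunnel route dns':
#   sh tunnel.sh setup <tunnel-uuid>    writes the config and runs the tunnel
#   sh tunnel.sh probe                  checks the Access gate, then the token
case "${1:-}" in
  setup)
    cloudflared_config "$2" > /etc/cloudflared/config.yml
    cloudflared tunnel --config /etc/cloudflared/config.yml run "$TUNNEL_NAME" ;;
  probe) probe ;;
esac
```

Run the probe from a machine outside your network. If it prints UNPROTECTED, stop and fix the Access application before adding the host in chmonitor; the service token does nothing until Access is enforcing the policy.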

Other options

If a tunnel doesn't fit your environment, choose the path that matches your constraint.

Dedicated egress IPs

Use this when a security team requires a literal firewall allowlist. chmonitor talks to ClickHouse over HTTP (@clickhouse/client-web, i.e. Worker fetch()), and Cloudflare's Dedicated Egress IPs do apply to fetch() (they do not apply to raw-TCP connect()). That gives the Worker a stable source IP you can allowlist.

Caveats:

  • It is an enterprise add-on on chmonitor's Cloudflare account — contact us if your deployment needs it.
  • The IP is shared across chmonitor's account egress, so the allowlist authorizes "traffic from chmonitor," not a single tenant. Always pair it with TLS + a least-privilege ClickHouse user.

Do not allowlist Cloudflare's public IP ranges

Cloudflare publishes its IP ranges, but Worker egress over those ranges is shared by every Cloudflare customer. Allowlisting them authorizes the entire Cloudflare fleet — it is not a real allowlist. Use a tunnel or dedicated egress IPs instead.

Jump host (reverse proxy)

Run a small reverse proxy (nginx / HAProxy) on a VM with a static public IP that forwards to ClickHouse, and allowlist only that proxy. chmonitor then connects to the proxy over HTTPS with auth. This always works and is fully under your control, but you own the proxy's uptime, TLS, and hardening, and the allowlist now identifies the proxy rather than chmonitor: the proxy's own authentication is what decides who can use it.
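Both of the options above end with ClickHouse trusting one or two fixed source addresses (chmonitor's dedicated egress IP, or the jump host's static IP), which is exactly where the page's advice to pair the allowlist with TLS and a least-privilege user applies. This added POSIX sh example is not chmonitor's own tooling; it assumes a ClickHouse user named chmonitor, ClickHouse's HTTPS port 8443, and an iptables host firewall. It validates each address before it reaches a firewall rule or a HOST IP clause, emits DDL for a read-only user that ClickHouse itself will only accept from those addresses, and prints matching firewall rules.

```shell
#!/bin/sh
# Added example, not chmonitor's own tooling. Assumed values: the ClickHouse
# user "chmonitor", the allowlisted source addresses (chmonitor's dedicated
# egress IP, or the jump host's static IP), and ClickHouse's HTTPS port 8443.
set -e

# Accept a dotted-quad IPv4 address with an optional /prefix and nothing else,
# so a bad entry cannot reach a firewall rule or be spliced into SQL.
valid_ip4() {
  case "$1" in
    */*) addr="${1%%/*}"; prefix="${1#*/}" ;;
    *)   addr="$1"; prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# DDL for a read-only monitoring user that ClickHouse admits only from the
# allowlisted addresses. readonly = 1 blocks writes and SET; marking it READONLY
# stops the client lifting it per request. Extend the GRANT with the databases
# the dashboards should see. The password must not contain a single quote
# (e.g. generate it with: openssl rand -base64 24).
ch_user_ddl() {
  user="$1"; password="$2"; shift 2
  hosts=""
  for ip in "$@"; do
    valid_ip4 "$ip" || { echo "rejecting allowlist entry: $ip" >&2; return 1; }
    hosts="${hosts:+${hosts}, }IP '${ip}'"
  done
  [ -n "$hosts" ] || { echo "need at least one source address" >&2; return 1; }
  cat <<EOF
CREATE USER IF NOT EXISTS ${user}
    IDENTIFIED WITH sha256_password BY '${password}'
    HOST ${hosts}
    SETTINGS readonly = 1 READONLY;
GRANT SELECT ON system.* TO ${user};
EOF
}

# Host firewall: open the TLS port to the same addresses only, then drop the
# rest. Printed for review rather than applied, since rule order matters.
fw_rules() {
  port="$1"; shift
  for ip in "$@"; do
    valid_ip4 "$ip" || return 1
    echo "iptables -A INPUT -p tcp -s ${ip} --dport ${port} -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport ${port} -j DROP"
}

# Usage: sh allowlist.sh apply <password> <ip> [<ip>...]
# Applies the DDL over TLS and prints the firewall rules to apply by hand.
if [ "${1:-}" = "apply" ]; then
  password="$2"; shift 2
  ch_user_ddl chmonitor "$password" "$@" | clickhouse-client --secure --multiquery
  fw_rules 8443 "$@"
fi
```

With a dedicated egress IP, remember the page's caveat: the HOST IP clause admits any chmonitor traffic from that address, not just your tenant, so the password and the readonly grant are doing the real work. With a jump host, the address is the proxy's, and the proxy must carry its own authentication in front of ClickHouse.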

Workers VPC (beta)

Workers VPC (currently beta) lets a Worker reach a private service through a Cloudflare Tunnel with no public hostname at all, which is the cleanest private-connectivity story. We will adopt it for Cloud once it reaches general availability.

Troubleshooting

Hyperdrive cannot front ClickHouse

Cloudflare Hyperdrive only supports PostgreSQL and MySQL, so it cannot front a ClickHouse connection.
