aws-ia / cfn-ps-clickhouse-cluster

Apache License 2.0
10 stars 6 forks source link

Unable to connect to get response from NLB from outside the private subnet #22

Closed ianleon closed 9 months ago

ianleon commented 1 year ago

I am unclear about how I (or one of my apps) is supposed to connect to the database.

qiaow02 commented 1 year ago

Hi, For security reasons, by default, ClickHouse can only be deployed in private subnets, and is not accessible to the public network.
Your client needs to also be deployed in the same private subnets, or open the access restrictions of the private subnets security group according to your needs.
According to the solution design, NLB provides the HTTP protocol for port 8123. If you want to use Clickhouse-client, you need to use port 9000 to directly connect to each server in ClickHouse cluster.

ianleon commented 1 year ago

Hello,

My application needs to be publicly accessible.

Would it be unadvisable to put my application in the same public subnet as the bastion host? Alternatively, I am considering updating my application’s container to create an ssh tunnel (ssh -L) to port 8123 via the bastion.

I want it to preserve the security properties of this solution as much as possible.

ezotrickser commented 8 months ago

did you find a solution?