Connecting ClickHouse Cloud to Azure Blob Storage

This guide covers how to securely connect ClickHouse Cloud to Azure Blob Storage for data ingestion, external tables, and other integration scenarios.

Overview

ClickHouse Cloud can connect to Azure Blob Storage using several authentication methods. This guide will help you choose the right approach and configure your connection securely.

Supported use cases:

• Reading data from Azure Blob Storage using the azureBlobStorage table function
• Creating external tables with the AzureBlobStorage table engine
• Ingesting data via ClickPipes
• Storing backups in Azure Blob Storage

Important Network Limitation

When your ClickHouse Cloud service and Azure Blob Storage container are deployed in the same Azure region, IP address whitelisting does not work.

This happens because Azure routes same-region traffic through its internal network (VNet + Service Endpoints), bypassing public internet and NAT gateways. As a result, your Azure Storage Account firewall rules based on public IP addresses will not be applied.

IP whitelisting works when:

• Your ClickHouse Cloud service is in a different Azure region than storage account
• Your ClickHouse Cloud service is on AWS/GCP connecting to Azure storage

IP whitelisting fails when:

• Your ClickHouse Cloud service and storage are in the same Azure region. Use Shared Access Signatures (SAS) via connection string instead of IP whitelisting or deploy ABS and ClickHouse in different regions.

Network Configuration (Cross-Region Only)

Cross-Region Only

This section applies only when your ClickHouse Cloud service and Azure Blob Storage container are in different Azure regions, or when ClickHouse Cloud is on AWS/GCP. For same-region deployments, use SAS tokens instead.

Find Your ClickHouse Cloud Egress IPs

To configure IP-based firewall rules, you need to allowlist the egress IP addresses for your ClickHouse Cloud region.

Run the following command to retrieve a list of egress and ingress ips per region. Replace eastus below with your region to filter out other regions:

# For Azure regions
curl https://api.clickhouse.cloud/static-ips.json | jq '.azure[] | select(.region == "westus")'

You will see something similar to:

{
  "egress_ips": [
    "20.14.94.21",
    "20.150.217.205",
    "20.38.32.164"
  ],
  "ingress_ips": [
    "4.227.34.126"
  ],
  "region": "westus3"
}

Tip

See Azure regions for a list of supported Cloud regions, and the "Programmatic name" column of Azure regions list for which name to use.

See "Cloud IP addresses" for more details.

Configure Azure Storage Firewall

Navigate to your Storage Account in Azure Portal

1. Go to Networking → Firewalls and virtual networks
2. Select Enabled from selected virtual networks and IP addresses
3. Add each ClickHouse Cloud egress IP address obtained in the previous step to the Address range field

Note

Do not add ClickHouse Cloud private IPs (10.x.x.x addresses)

4. Click Save

See Configure Azure Storage firewalls docs for more details.

ClickPipes Configuration

When using ClickPipes with Azure Blob Storage, you need to configure authentication in the ClickPipes UI. See "Creating your first Azure ClickPipe" for more details.

Note

ClickPipes uses separate static IP addresses for outbound connections. These IPs must be allowlisted if you're using IP-based firewall rules.

See "List of Static IPs"

Tip

The same-region IP whitelisting limitation mentioned at the start of this document applies to ClickPipes as well. If your ClickPipes service and Azure Blob Storage are in the same region, use SAS token authentication instead of IP whitelisting.