Merge pull request #3884 from ClickHouse/ip-filter-update

Blargian · web-flow · commit e45664bfe0c9 · 2025-06-03T23:20:49.000+02:00
API key IP filter addition
diff --git a/docs/cloud/security/connectivity-overview.md b/docs/cloud/security/connectivity-overview.md
@@ -10,7 +10,7 @@ This section looks at connectivity and contains the following pages:
 
 | Page                                                                 | Description                                                                                                                   |
 |----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| [Setting IP Filters](/cloud/security/setting-ip-filters)     | A guide on how to control traffic to your ClickHouse services using IP access lists.                                          |
+| [Setting IP Filters](/cloud/security/setting-ip-filters)     | A guide on how to control traffic to your ClickHouse services and API keys using IP access lists.                                          |
 | [Private Networking](/cloud/security/private-link-overview)  | Information on how to connect your services to your cloud virtual network.                                                    |
 | [Accessing S3 Data Securely](/cloud/security/secure-s3)      | A guide on how to leverage role-based access to authenticate with Amazon Simple Storage Service(S3) and access data securely. |
 | [Cloud IP Addresses](/manage/security/cloud-endpoints-api)   | Tables listing the static IPs and S3 endpoints for each supported cloud and region in ClickHouse Cloud.                       |
diff --git a/docs/cloud/security/setting-ip-filters.md b/docs/cloud/security/setting-ip-filters.md
@@ -11,29 +11,48 @@ import ip_filter_add_single_ip from '@site/static/images/cloud/security/ip-filte
 
 ## Setting IP Filters {#setting-ip-filters}
 
-IP access lists filter traffic to your ClickHouse services by specifying which source addresses are permitted to connect to your ClickHouse service.  The lists are configurable for each service.  Lists can be configured during the deployment of a service, or afterward.  If you do not configure an IP access list during provisioning, or if you want to make changes to your initial list, then you can make those changes by selecting the service and then the **Security** tab.
+IP access lists filter traffic to ClickHouse services or API keys by specifying which source addresses are permitted to connect.  These lists are configurable for each service and each API key.  Lists can be configured during service or API key creation, or afterward.
 
 :::important
-If you skip the creation of the IP Access List for a ClickHouse Cloud service then no traffic will be permitted to the service.
+If you skip the creation of the IP access list for a ClickHouse Cloud service then no traffic will be permitted to the service.
 :::
 
 ## Prepare {#prepare}
-Before you begin, collect the IP Addresses or ranges that should be added to the access list.  Take into consideration remote workers, on-call locations, VPNs, etc. The IP Access List user interface accepts individual addresses and CIDR notation.
-
-Classless Inter-domain Routing (CIDR) notation, allows you to specify IP Address ranges smaller than the traditional Class A, B, or C (8, 6, or 24) subnet mask sizes. [ARIN](https://account.arin.net/public/cidrCalculator) and several other organizations provide CIDR calculators if you need one, and if you would like more information on CIDR notation, please see the [Classless Inter-domain Routing (CIDR)](https://www.rfc-editor.org/rfc/rfc4632.html) RFC.
-
-## Create or modify an IP Access List {#create-or-modify-an-ip-access-list}
-
-From your ClickHouse Cloud services list select the service and then select **Settings**.  Under the **Security** section, you will find the IP access list. Click on the hyperlink where the text says: *You can connect to this service from* **(anywhere | x specific locations)**
-
-A sidebar will appear with options for you to configure:
-
-- Allow incoming traffic from anywhere to the service
-- Allow access from specific locations to the service
-- Deny all access to the service
-
-This screenshot shows an access list which allows traffic from a range of IP Addresses, described as "NY Office range":
-
+Before you begin, collect the IP addresses or ranges that should be added to the access list.  Take into consideration remote workers, on-call locations, VPNs, etc. The IP access list user interface accepts individual addresses and CIDR notation.
+
+Classless Inter-domain Routing (CIDR) notation, allows you to specify IP address ranges smaller than the traditional Class A, B, or C (8, 6, or 24) subnet mask sizes. [ARIN](https://account.arin.net/public/cidrCalculator) and several other organizations provide CIDR calculators if you need one, and if you would like more information on CIDR notation, please see the [Classless Inter-domain Routing (CIDR)](https://www.rfc-editor.org/rfc/rfc4632.html) RFC.
+
+## Create or modify an IP access list {#create-or-modify-an-ip-access-list}
+
+<details>
+  <summary>IP access list for ClickHouse services</summary>
+
+  When you create a ClickHouse service, the default setting for the IP allow list is 'Allow from nowhere.' 
+  
+  From your ClickHouse Cloud services list select the service and then select **Settings**.  Under the **Security** section, you will find the IP access list. Click on the Add IPs button.
+  
+  A sidebar will appear with options for you to configure:
+  
+  - Allow incoming traffic from anywhere to the service
+  - Allow access from specific locations to the service
+  - Deny all access to the service
+  
+</details>
+<details>
+  <summary>IP access list for API keys</summary>
+
+  When you create an API key, the default setting for the IP allow list is 'Allow from anywhere.'
+  
+  From the API key list, click the three dots next to the API key under the **Actions** column and select **Edit**. At the bottom of the screen you will find the IP access list and options to configure:
+
+  - Allow incoming traffic from anywhere to the service
+  - Allow access from specific locations to the service
+  - Deny all access to the service
+  
+</details>
+
+This screenshot shows an access list which allows traffic from a range of IP addresses, described as "NY Office range":
+  
 <Image img={ip_filtering_after_provisioning} size="md" alt="Existing access list in ClickHouse Cloud" border/>
 
 ### Possible actions {#possible-actions}
@@ -60,7 +79,7 @@ To apply the changes you made, you must click **Save**.
 
 ## Verification {#verification}
 
-Once you create your filter confirm connectivity from within the range, and confirm that connections from outside the permitted range are denied.  A simple `curl` command can be used to verify:
+Once you create your filter confirm connectivity to a service from within the range, and confirm that connections from outside the permitted range are denied.  A simple `curl` command can be used to verify:
 ```bash title="Attempt rejected from outside the allow list"
 curl https://<HOSTNAME>.clickhouse.cloud:8443
 ```
@@ -81,4 +100,4 @@ Ok.
 
 ## Limitations {#limitations}
 
-- Currently, IP Access Lists support only IPv4
+- Currently, IP access lists support only IPv4
