Secure Your Cluster (Archival Material)


This page is for archival purposes only and is due to be deleted. For the updated page, visit Secure Your Cluster.

Each Hydrolix cluster can be configured to use different access restrictions. Access restrictions come in the form of IP allow-lists, Role-Based Access Control (RBAC) and authentication. Enable (TLS) to secure endpoints, including the UI, ingestion, and query.

Data at Rest

Hydrolix leverages cloud storage layers such as S3, Google Cloud Storage and Azure blob storage. These storage layers encrypt data at rest by default. For more information, see the platform documentation:

Encrypting data at rest ensures that nobody can read your data in your storage layer except for you.

To connect to those storage layers, Hydrolix requires a service account or a secret key. Customers create and manage permissions for Hydrolix clusters in the cluster configuration file. Controlling access with a service account or service key ensures that only your Hydrolix cluster can access your storage layers.

Hydrolix clusters use a cache that stores metadata to disk. This cache is managed by your cloud storage layer provider, and thus is encrypted.

Data in Transit

To retrieve data from cloud storage, Hydrolix clusters use token-based authentication over TLS. When data is loaded into memory in the Hydrolix cluster, access is restricted to the Virtual Private Cloud (VPC) of the Kubernetes deployment.

Network Access

When you create your Hydrolix cluster, you can select different load balancers. Hydrolix supports the following load balancers using the traefik_service_type variable:

public load balancerpublic_lbA load balancer using a routable public IP address.
private load balancerprivate_lbA load balancer using a private IP in the same subnet as the Kubernetes nodes.
cluster IPcluster_ipNo load balancer at all. You can only access your cluster from within your Kubernetes cluster.
node portnode_portA custom load balancer provided externally.

Depending on your usage and use case you might want a publicly addressable cluster or a private one.

Regardless of the load balancer you can and should Configure IP Access.

Query Access

Hydrolix can enforce TLS communication between end users and your cluster. To enforce TLS between end users and your cluster, Enable TLS.

When TLS is enabled, Hydrolix disables non-secure port access.

You can query data in several ways:

  • via Clickhouse native protocol
  • via the REST API
  • via Clickhouse HTTP protocol

To secure query access, enable query authentication. This enforces user authentication on every endpoint. Query authentication is only enforced on clusters that use TLS.

You can use Role-Based Access Control (RBAC) to configure per-user access to projects and tables.