Security

Private preview in ClickHouse Cloud

Managed Postgres is built with enterprise-grade security features to protect your data and meet compliance requirements. This page covers network security, encryption, and backup retention policies.

IP whitelisting

IP filters control which source IP addresses are permitted to connect to your Managed Postgres instance, providing network-level access control to protect your database from unauthorized connections.

Configuring IP filters

For detailed information on configuring IP filters, see the Settings page.

You can specify:

Individual IP addresses (e.g., 203.0.113.5)
CIDR ranges for networks (e.g., 192.168.1.0/24)
Anywhere to allow all IP addresses (not recommended for production)
Nowhere to block all connections

Production best practices

If no IP filters are configured, connections from all IP addresses are permitted. For production workloads, restrict access to known IP addresses or CIDR ranges. Consider limiting access to:

Your application servers
VPN gateway IP addresses
Bastion hosts for administrative access
CI/CD pipeline IPs for automated deployments

Encryption

Managed Postgres encrypts your data both at rest and in transit to ensure comprehensive data protection.

Encryption at rest

All data stored by Managed Postgres is encrypted at rest to protect against unauthorized access to the underlying storage infrastructure.

NVMe storage encryption

Your database files, transaction logs, and temporary files stored on NVMe drives are encrypted using industry-standard encryption algorithms. This encryption is transparent to your applications and requires no configuration.

Object storage encryption (S3)

Backups and Write-Ahead Log (WAL) archives stored in object storage are also encrypted at rest. This includes:

Full daily backups
Incremental WAL archives
Point-in-time recovery data

All backup data is stored in dedicated, isolated storage buckets with credentials scoped to each individual instance, ensuring that backup data remains secure and accessible only to authorized systems.

References

Encryption at rest is enabled by default for all Managed Postgres instances and cannot be disabled. No additional configuration is required.

Encryption in transit

All network connections to Managed Postgres are secured using TLS (Transport Layer Security) to protect data as it moves between your applications and the database.

TLS/SSL configuration

By default, connections use TLS encryption without certificate verification. For production workloads, we recommend connecting with verified TLS to ensure you're communicating with the correct server.

For more details on TLS configuration and connection options, see the Connection page.

Private Link

Private Link enables private connectivity between your Managed Postgres instance and your Virtual Private Cloud (VPC) without exposing traffic to the public internet. This provides an additional layer of network isolation and security.

Manual setup required

Private Link support is available but requires manual configuration by ClickHouse support. This feature is ideal for enterprise customers with strict network isolation requirements.

Requesting Private Link setup

To enable Private Link for your Managed Postgres instance:

Contact ClickHouse support by creating a support ticket
Provide the following information:
- Your ClickHouse organization ID
- ID/hostname of postgres service
- AWS account IDs/ARNs which you'd like to connect the private link with
  - (Optional) Any regions other than the Postgres instance region you'd like to connect from
ClickHouse support will:
- Provision the Private Link endpoint on the Managed Postgres side
- Provide you with endpoint connection details which you can use to create an endpoint interface.
Setup your Private Link:
- Create the Private Link by heading over to endpoint interface in AWS settings and using the configuration provided by the ClickHouse support.
- Once your Private Link is in an "Available" state, you can connect to it by using the Private DNS name provided in the AWS UI.

Backup retention

Managed Postgres automatically backs up your data to protect against accidental deletion, corruption, or other data loss scenarios.

Retention policy

Default retention period: 7 days
Backup frequency: Daily full backups + continuous WAL archiving (every 60 seconds or 16 MB, whichever comes first)
Recovery granularity: Point-in-time recovery to any moment within the retention window

Backup security

Backups are stored with the same security guarantees as your primary data:

Encryption at rest in object storage
Isolated storage buckets per instance with scoped credentials
Access control limited to the Postgres Instance linked to the backup.

For more details on backup strategies and point-in-time recovery, see the Backup and restore page.

IP whitelisting​

Configuring IP filters​

Encryption​

Encryption at rest​

NVMe storage encryption​

Object storage encryption (S3)​

Encryption in transit​

TLS/SSL configuration​

Private Link​

Requesting Private Link setup​

Backup retention​

Retention policy​

Backup security​