Azure Private Preview

Private preview in ClickHouse Cloud

Note

BYOC on Azure is in private preview. To participate, contact the ClickHouse team.

Overview

BYOC on Azure lets you run ClickHouse in your own Azure subscription. Onboarding uses a Terraform module that provisions the cross-tenant authentication required for ClickHouse Cloud's provisioner to create and manage Azure resources in your tenant and subscription.

Other aspects of the deployment—such as architecture, network security, features, and connectivity—are broadly similar to the AWS and GCP BYOC offerings; refer to those pages for more details.

Prerequisites

• An Azure subscription and tenant where you want to host the BYOC deployment
• The subscription ID and tenant ID to share with the ClickHouse team

Onboarding

1. Apply the Terraform module

To start BYOC Azure onboarding, apply the Terraform module for Azure provided by ClickHouse in your target tenant and subscription.

Use the module's documentation for required variables and apply steps. After applying, the module will have set up the necessary identity and permissions in your Azure environment.

2. Provide IDs to ClickHouse

Share the following with the ClickHouse team:

• Target subscription ID — The Azure subscription where BYOC resources will be created
• Target tenant ID — The Azure AD (Entra) tenant that owns that subscription
• Region — The Azure region(s) where you want to deploy your ClickHouse services.
• VNet CIDR range — The IP address range you would like used for the BYOC VNet.

The ClickHouse team will use these to create the BYOC infrastructure and complete the onboarding

How cross-tenant authentication works

Following Azure guidance for cross-tenant authentication, the Terraform module:

1. Provisions a multi-tenant application as an Enterprise Application (service principal) in your target tenant
2. Assigns the required permissions to that application, scoped to your target subscription

This allows the ClickHouse Cloud Control Plane to create and manage Azure resources (such as resource groups, AKS, storage, and networking) within your subscription, without storing your Azure credentials in ClickHouse.

For more detail on multi-tenant apps and cross-tenant scenarios in Azure, see:

• Single and multi-tenant apps in Microsoft Entra ID
• Authorize cross-tenant access (Azure SignalR example)