Using a Public Gateway to connect to a deployment in a Private Network

Reviewed on January 12, 2026

Private Networks allow your resources to interact securely in an environment isolated from the public internet. You can access a Private Network by adding a Public Gateway to it, which allows you to connect to your resources via SSH Bastion.

This page explains how to connect to a Data Warehouse for ClickHouse® deployment located in a Private Network using SSH Bastion. This can be achieved by:

using a direct tunnel between your local machine and the Data Warehouse deployment
connecting to an Instance located in the same Private Network as your Data Warehouse deployment

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
Created a Private Network
Created a Data Warehouse deployment, and attached it to the Private Network
Created a Public Gateway attached to the Private Network and enabled SSH bastion

Connecting your local machine to your deployment via SSH bastion

From the Scaleway console, access the Overview page of your Data Warehouse for ClickHouse® deployment.
From the Network section of the Overview page, remove the public endpoint of your deployment if it has one.
Download the TLS certificate from the Frameworks section of the Overview page and store it in the desired folder.
On your local machine, open a terminal, and run the command below to create an SSH tunnel to map your machine's 9440 port to the deployment's 9440 port, through the SSH bastion. Do not forget to replace the placeholders with the appropriate values:
```
ssh -L 9440:<DEPLOYMENT_PRIVATE_ENDPOINT_URL>.internal:9440 bastion@<PUBLIC_GATEWAY_IP> -p <BASTION_PORT> -N
```
The SSH tunnel between your deployment and your local machine remains active as long as this terminal is open.
Note

You can find the private endpoint URL in the Network section of your deployment's Overview page.

You can find the Public Gateway IP and SSH bastion port in the Overview page of the Public Gateway.

In a second terminal, run the command below in the folder where you stored the certificate (assuming it is named certificate.pem) to create a clickhouse-client.xml config file. Make sure to add the password to log in to your deployment:

cat <<EOF >clickhouse-client.xml
<config>
    <user>scwadmin</user>
    <password>PASSWORD</password>
    <secure>true</secure>
    <openSSL>
    <client>
      <caConfig>certificate.pem</caConfig>
    </client>
    </openSSL>
</config>
EOF

Run the command below to connect to the ClickHouse® client using the clickhouse-client.xml configuration file to the localhost of your machine:
```
clickhouse-client --host localhost \
  --port 9440 \
  --config clickhouse-client.xml \
  --database default
```

You are now connected to your isolated Data Warehouse for ClickHouse® deployment through the SSH bastion of the Public Gateway.

Connecting to a deployment within a Private Network via an Instance

This section explains how to connect to a Data Warehouse for ClickHouse® deployment located in a Private Network via an Instance within the same Private Network using the SSH bastion of a Public Gateway.

If you have not done it yet, create an Instance and attach it to the same Private Network as the Data Warehouse deployment and Public Gateway.
From the Overview page of your Instance, detach the Flexible IP to isolate it from the public internet.
Download the TLS certificate from the Frameworks section of the Overview page of your Data Warehouse deployment and store it in the desired folder.
Copy the certificate previously downloaded into the instance using the scp command, via the SSH bastion of the Public Gateway:
```
scp -J bastion@<PUBLIC_GATEWAY_IP>:<BASTION_PORT> certificate.pem root@<INSTANCE_PRIVATE_IP>:~/certificate.pem
```

ssh -J bastion@<PUBLIC_GATEWAY_IP>:<BASTION_PORT> root@<INSTANCE_PRIVATE_IP>

Update the package manager and install the ClickHouse® client:
```
apt-get update
apt install clickhouse-client
```

Create a clickhouse-client.xml configuration file at the location where you copied the TLS certificate. Make sure to add the password to log in to your deployment:

cat <<EOF >clickhouse-client.xml
<config>
    <user>scwadmin</user>
    <password>PASSWORD</password>
    <secure>true</secure>
    <openSSL>
    <client>
      <caConfig>certificate.pem</caConfig>
    </client>
    </openSSL>
</config>
EOF

Connect to the ClickHouse® Client using the clickhouse-client.xml configuration file:

clickhouse-client --host <DEPLOYMENT_PRIVATE_ENDPOINT_URL> \
  --port 9440 \
  --config clickhouse-client.xml \
  --database default

You are now connected to the isolated Data Warehouse deployment through the Instance, via the SSH bastion of the Public Gateway.

Tips

For enhanced security, you can set IP restrictions for the SSH bastion of your Public Gateway.
Once you are done, disable the SSH bastion of the Public Gateway for maximum security.

Still need help?

Create a support ticket