
Azure Private Preview

Note

BYOC on Azure is in private preview. To participate, contact the ClickHouse team.

Overview

BYOC on Azure lets you run ClickHouse in your own Azure subscription. Onboarding uses a Terraform module that provisions the cross-tenant authentication required for ClickHouse Cloud's provisioner to create and manage Azure resources in your tenant and subscription.

Other aspects of the deployment—such as architecture, network security, features, and connectivity—are broadly similar to the AWS and GCP BYOC offerings; refer to those pages for more details.

Prerequisites

  • An Azure subscription and tenant where you want to host the BYOC deployment
  • The subscription ID and tenant ID to share with the ClickHouse team

Onboarding

1. Apply the Terraform module

To start BYOC Azure onboarding, apply the Terraform module for Azure provided by ClickHouse in your target tenant and subscription.

Use the module's documentation for required variables and apply steps. After applying, the module will have set up the necessary identity and permissions in your Azure environment.

2. Provide IDs to ClickHouse

Share the following with the ClickHouse team:

  • Target subscription ID — The Azure subscription where BYOC resources will be created
  • Target tenant ID — The Azure AD (Entra) tenant that owns that subscription

The ClickHouse team will use these to complete the onboarding and connect the provisioner to your environment.

How cross-tenant authentication works

Following Azure guidance for cross-tenant authentication, the Terraform module:

  1. Provisions a multitenant application as an Enterprise Application (service principal) in your target tenant
  2. Assigns the required permissions to that application, scoped to your target subscription

This allows the ClickHouse Cloud provisioner to create and manage Azure resources (such as resource groups, AKS, storage, and networking) within your subscription, without storing your Azure credentials in ClickHouse.
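To check after `terraform apply` that the service principal's permissions really are confined to the target subscription, the following added example (not part of the ClickHouse module or its documentation) audits the JSON produced by `az role assignment list --assignee <object-id> --all -o json`. The IDs, role pairings, and sample assignments are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `az role assignment list ... -o json`.
# Every ID, scope and role pairing below is a placeholder for illustration.
TARGET_SUB = "11111111-1111-1111-1111-111111111111"
SP_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
SAMPLE = json.loads("""
[
 {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"principalId": "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-example"},
 {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
 {"principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "roleDefinitionName": "Contributor",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
 {"principalId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "roleDefinitionName": "Owner",
  "scope": "/"}
]
""")


def classify_scope(scope, subscription_id):
    """Classify an ARM scope relative to the target subscription (case-insensitive)."""
    parts = [p for p in scope.strip("/").split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        same = parts[1].lower() == subscription_id.lower()
        return "in-subscription" if same else "other-subscription"
    # Root ("/") and management-group scopes sit above any single subscription.
    return "above-subscription"


def audit(assignments, principal_id, subscription_id):
    """Return (role, scope, kind) for each assignment of the principal outside the subscription."""
    findings = []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to a different identity
        kind = classify_scope(a.get("scope", ""), subscription_id)
        if kind != "in-subscription":
            findings.append((a.get("roleDefinitionName"), a.get("scope"), kind))
    return findings


if __name__ == "__main__":
    for role, scope, kind in audit(SAMPLE, SP_OBJECT_ID, TARGET_SUB):
        print(f"REVIEW: {role} at {scope} ({kind})")
```

An empty result means every assignment held by the service principal is at or below the target subscription scope.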

For more detail on multitenant apps and cross-tenant scenarios in Azure, see: