Pre-configuring a Greenplum® cluster connection
Since Greenplum® is based on PostgreSQL, the same tools are used for connecting to both.
You can only connect to a Greenplum® cluster through the primary master host. To identify host roles, get a list of hosts in the cluster.
You can connect to a cluster:
- From Yandex Cloud VMs located in the same cloud network.
- Over the internet if you configured public access for your cluster.
You can connect over the internet in the following ways:
- Use an SSL connection.
- Use IAM authentication.
Without an SSL connection, internal cloud network traffic is not encrypted.
Configuring security groups
You can assign one or more security groups to a Greenplum® cluster. To connect to a cluster, security groups must include rules allowing traffic on port 6432 from certain IP addresses or other security groups.
Note
A security group assigned to a cluster controls traffic between the cluster and other cloud or external resources. You do not need to configure interaction between cluster hosts, as it is controlled by a separate system security group.
Rule settings depend on the chosen connection method:
Over the internet:
- For incoming traffic:
  - Port range: 6432.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: Range of addresses to connect from.
- For outgoing traffic:
  - Port range: 0-65535.
  - Protocol: Any(Any).
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule enables Yandex MPP Analytics for PostgreSQL to use external data sources, e.g., PXF or GPFDIST.
From a Yandex Cloud VM:
- Add the following rules to the cluster security group:
  - For incoming traffic:
    - Port range: 6432.
    - Protocol: TCP.
    - Source: Security group.
    - Security group: If your cluster and VM share the same security group, select Current. Otherwise, specify the VM security group.
  - For outgoing traffic:
    - Port range: 0-65535.
    - Protocol: Any.
    - Source: CIDR.
    - CIDR blocks: 0.0.0.0/0.
    This rule enables Yandex MPP Analytics for PostgreSQL to use external data sources, e.g., PXF or GPFDIST.
- Configure the VM security group to allow connections to the VM as well as traffic between the VM and the cluster hosts.
  - For inbound traffic:
    - Port range: 22.
    - Protocol: TCP.
    - Source: CIDR.
    - CIDR blocks: Range of addresses to connect from.
    This rule allows VM connections over SSH.
  - For outbound traffic:
    - Port range: 0-65535.
    - Protocol: Any.
    - Destination name: CIDR.
    - CIDR blocks: 0.0.0.0/0.
    This rule permits all outbound traffic, allowing you to install any necessary certificates and tools on your VM.
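One way to check a security group against the rule settings above before assigning it, as an added example that is not Yandex Cloud's own code. The rule dictionary format and the `audit_ingress` function are assumptions for illustration, not the Yandex Cloud API schema, and the sample rules are constructed.

```python
import ipaddress

CLUSTER_PORT = 6432  # cluster connection port given on this page
SSH_PORT = 22        # SSH port from the VM security group rule on this page


def audit_ingress(rules, port):
    """Return (rule_index, message) findings for ingress rules that reach `port`.

    `rules` uses a hypothetical format: direction, protocol, ports (lo, hi),
    and cidr_blocks or security_group as the source.
    """
    findings = []
    matched = False
    for i, rule in enumerate(rules):
        lo, hi = rule["ports"]
        if rule["direction"] != "ingress" or not lo <= port <= hi:
            continue
        if rule["protocol"] not in ("TCP", "ANY"):
            continue  # e.g. a UDP rule never admits a TCP connection
        matched = True
        if rule["protocol"] != "TCP":
            findings.append((i, "protocol is not restricted to TCP"))
        if (lo, hi) != (port, port):
            findings.append((i, f"port range {lo}-{hi} is wider than {port}"))
        for block in rule.get("cidr_blocks", []):
            if ipaddress.ip_network(block, strict=False).prefixlen == 0:
                findings.append((i, f"source {block} admits any address"))
    if not matched:
        findings.append((None, f"no ingress rule allows port {port}"))
    return findings


# Constructed sample rules; 203.0.113.0/24 is a documentation address range.
SAMPLE_SG = [
    {"direction": "ingress", "protocol": "TCP", "ports": (6432, 6432),
     "cidr_blocks": ["203.0.113.0/24"]},
    {"direction": "ingress", "protocol": "ANY", "ports": (0, 65535),
     "cidr_blocks": ["0.0.0.0/0"]},
    {"direction": "egress", "protocol": "ANY", "ports": (0, 65535),
     "cidr_blocks": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for port in (CLUSTER_PORT, SSH_PORT):
        for index, message in audit_ingress(SAMPLE_SG, port):
            print(f"port {port}, rule {index}: {message}")
```

The egress rule is ignored on purpose: the page's 0-65535 to 0.0.0.0/0 setting applies to outgoing traffic only, so the same range on an ingress rule is what gets reported.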
Obtaining an SSL certificate
To use an SSL connection, get a certificate.
On Linux or macOS:
mkdir -p ~/.postgresql && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.postgresql/root.crt && \
chmod 0655 ~/.postgresql/root.crt
The certificate will be saved to the ~/.postgresql/root.crt file.
In Windows PowerShell:
mkdir $HOME\.postgresql; curl.exe -o $HOME\.postgresql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate will be saved to the $HOME\.postgresql\root.crt file.
Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.
To use graphical IDEs, save a certificate
What's next
- Get the FQDN of the host you want to connect to.
- Connect to the cluster from a graphical IDE, pgAdmin 4 or Docker container.
- Integrate the cluster connection into your application code.
Greenplum® and Greenplum Database® are registered trademarks or trademarks of Broadcom Inc. in the United States and/or other countries.