Pre-configuring a MySQL® cluster connection
You can connect to Managed Service for MySQL® cluster hosts:
- Via the internet, if you configured public access for the host. You can connect over the internet in the following ways:
  - Using an SSL connection.
  - Using IAM authentication.
- From Yandex Cloud virtual machines located in the same cloud network. For hosts without public access, SSL is not required to connect to them from these virtual machines.
Warning
If only some cluster hosts have public access, an automatic master failover can make the master host unreachable from the internet.
The maximum number of connections is defined by the Max connections setting that depends on the host class.
For more information, see Network and clusters in Managed Service for MySQL®.
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
Rule settings depend on the connection method you select:
Via the internet:
Configure all cluster security groups to allow incoming traffic on port 3306 from any IP address. To do this, create the following ingress rule:
- Port range: 3306.
- Protocol: TCP.
- Source: CIDR.
- CIDR blocks: 0.0.0.0/0.
From Yandex Cloud virtual machines:
- Configure all cluster security groups to allow incoming traffic on port 3306 from the security group assigned to your VM. To do this, create the following ingress rule in these groups:
  - Port range: 3306.
  - Protocol: TCP.
  - Source: Security group.
  - Security group: If your cluster and VM share the same security group, select Current(Self). Otherwise, specify the VM security group.
- Configure the VM security group to allow VM connections and traffic between the VM and cluster hosts.
  For example, you can set the following rules for your VM:
  - For incoming traffic:
    - Port range: 22.
    - Protocol: TCP.
    - Source: CIDR.
    - CIDR blocks: 0.0.0.0/0.
    This rule allows inbound VM connections over SSH.
  - For outgoing traffic:
    - Port range: 0-65535.
    - Protocol: Any.
    - Destination name: CIDR.
    - CIDR blocks: 0.0.0.0/0.
    This rule permits all outbound traffic, allowing you to connect to the cluster and install any necessary certificates and tools on your VM.
Note
You can specify more granular security group rules, such as allowing traffic only in specific subnets.
Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.
For more information about security groups, see Security groups.
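As an added example (not part of the Yandex Cloud documentation), the following Python code checks a rule set for the two outcomes the note above describes: rules too narrow to admit a client that needs the cluster, and watched ports left open to any address. The rule dictionary layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample rules built from the fields the page lists (port range,
# protocol, CIDR blocks). The dict layout is an assumption for this example,
# not a Yandex Cloud API format.
OPEN_CLUSTER_SG = [{"direction": "ingress", "ports": (3306, 3306),
                    "protocol": "TCP", "cidr_blocks": ["0.0.0.0/0"]}]
NARROWED_CLUSTER_SG = [{"direction": "ingress", "ports": (3306, 3306),
                        "protocol": "TCP",
                        "cidr_blocks": ["10.128.0.0/24", "203.0.113.17/32"]}]
VM_SG = [{"direction": "ingress", "ports": (22, 22), "protocol": "TCP",
          "cidr_blocks": ["0.0.0.0/0"]},
         {"direction": "egress", "ports": (0, 65535), "protocol": "Any",
          "cidr_blocks": ["0.0.0.0/0"]}]

def _covers(rule, port):
    """True if an ingress rule applies to the given TCP port."""
    low, high = rule["ports"]
    return (rule["direction"] == "ingress" and low <= port <= high
            and rule["protocol"].upper() in ("TCP", "ANY"))

def allows(rules, client_ip, port=3306):
    """True if some ingress rule admits client_ip on the given TCP port."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if not _covers(rule, port):
            continue
        for block in rule["cidr_blocks"]:
            net = ipaddress.ip_network(block, strict=False)
            if ip.version == net.version and ip in net:
                return True
    return False

def open_to_any(rules, ports=(3306, 22)):
    """Return (port, cidr) pairs where a watched port accepts any address."""
    findings = []
    for rule in rules:
        for port in ports:
            if not _covers(rule, port):
                continue
            for block in rule["cidr_blocks"]:
                if ipaddress.ip_network(block, strict=False).prefixlen == 0:
                    findings.append((port, block))
    return findings

def unreachable_clients(rules, client_ips, port=3306):
    """Clients that would lose access to the cluster under these rules."""
    return [ip for ip in client_ips if not allows(rules, ip, port)]
```

Running `unreachable_clients` against a proposed rule set before applying it shows which known clients the narrower CIDR blocks would cut off.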
Obtaining an SSL certificate
Publicly accessible MySQL® hosts only support encrypted connections. To access them, get an SSL certificate:
mkdir -p ~/.mysql && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.mysql/root.crt && \
chmod 0600 ~/.mysql/root.crt
The certificate will be saved to the ~/.mysql/root.crt file.
mkdir $HOME\.mysql; curl.exe -o $HOME\.mysql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate will be saved to the $HOME\.mysql\root.crt file.
Your corporate security policies and antivirus software may block the certificate download. For more information, see FAQ.
To use graphical IDEs, save a certificate
What's next
- Get the FQDN of the host you want to connect to.
- Connect to the cluster from a graphical IDE, Docker container, or CLI.
- Integrate the cluster connection into your application code.