Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Connecting to a database in a MySQL® cluster

Written by
Improved by
Updated at December 5, 2025

You can connect to Managed Service for MySQL® cluster hosts:

  • Over the internet, if you configured public access for the appropriate host. You can only connect to such hosts over an SSL connection.

  • From Yandex Cloud virtual machines located in the same cloud network. If there is no public access to a host, using SSL for connections from such virtual machines is not required.

Warning

If only some cluster hosts have public access, an automatic master failover can make the master host unreachable from the internet.

The maximum number of connections is defined by the Max connections setting that depends on the host class.

Learn more in Network and clusters in Managed Service for MySQL®.

Configuring security groups

To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Rule settings depend on the connection method you select:

Configure all cluster security groups to allow incoming traffic on port 3306 from any IP address. To do this, create the following inbound rule:

  • Port range: 3306
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 0.0.0.0/0

  1. Configure all cluster security groups to allow incoming traffic on port 3306 from the security group assigned to your VM. To do this, create the following inbound rule in these groups:

    • Port range: 3306
    • Protocol: TCP
    • Source: Security group
    • Security group: If your cluster and VM share the same security group, select Current (Self). Otherwise, specify the VM security group.

  2. Configure the VM security group to allow VM connections and traffic between the VM and the cluster hosts.

    For example, you can set the following rules for your VM:

    • For incoming traffic:

      • Port range: 22
      • Protocol: TCP
      • Source: CIDR
      • CIDR blocks: 0.0.0.0/0

      This rule allows VM connections over SSH.

    • For outgoing traffic:

      • Port range: 0-65535
      • Protocol: Any (Any)
      • Destination name: CIDR
      • CIDR blocks: 0.0.0.0/0

      This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for the connection.

Note

You can specify more granular rules for your security groups, such as allowing traffic only within specific subnets.

Make sure to configure the security groups properly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

For more information about security groups, see Security groups.

Getting an SSL certificate

Publicly accessible MySQL® hosts only support encrypted connections. To assess them, get an SSL certificate:

mkdir -p ~/.mysql && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
     --output-document ~/.mysql/root.crt && \
chmod 0600 ~/.mysql/root.crt

The certificate will be saved to the ~/.mysql/root.crt file.

mkdir $HOME\.mysql; curl.exe -o $HOME\.mysql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem

The certificate will be saved to the $HOME\.mysql\root.crt file.

Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.

To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.

FQDNs of MySQL® hosts

To connect to a host, you will need its FQDN. You can use the FQDN of a particular host in the cluster or a special FQDN always pointing to the current master host or the most recent replica.

Here is a host FQDN example:

rc1a-goh2a9tr********.mdb.yandexcloud.net

Getting a host FQDN

There are several ways to get a MySQL® host FQDN:

  • View the FQDN in the management console:

    1. Navigate to the cluster page.
    2. Navigate to Hosts.
    3. Copy the Host FQDN column value.

  • In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.

  • Get the list of cluster hosts using the CLI or API.

Special FQDNs

Alongside regular FQDNs, Managed Service for MySQL® offers special FQDNs that can also be used for cluster connections.

In multiple-host clusters, special FQDNs may for some time (up to 10 minutes) point to the old host, even if it has changed its role (e.g., from a master to a replica). If using a special FQDN which points to the current master, some write requests may fail if routed to the replica. This is because it takes time to update DNS records for special FQDNs. If your write request returns an error, repeat it later.

Warning

If automatic failover promotes a host without public access to master or most recent replica, you will not be able to connect to that host from the internet. To avoid this, enable public access for all cluster hosts.

Current master

An FQDN in c-<cluster_ID>.rw.mdb.yandexcloud.net format always points to the current master host in the cluster. You can get the cluster ID with the list of clusters in the folder.

When connecting to this FQDN, you can perform read and write operations.

Warning

Use master host special FQDN-based connections only for processes that can cope with database being unavailable for writing for up to 10 minutes.

Most recent replica

An FQDN in c-<cluster_ID>.ro.mdb.yandexcloud.net format points to the replica that is most up-to-date with the current master. You can get the cluster ID with the list of clusters in the folder.

Specifics:

  • When connecting to this FQDN, you can only perform read operations.
  • If there are no active replicas in the cluster, you cannot connect to this FQDN as the respective DNS CNAME record will point to a null object.

Connecting from graphical IDEs

Connections were tested in the following environment:

  • Ubuntu 20.04, DBeaver: 22.2.4
  • MacOS Monterey 12.7:
    • JetBrains DataGrip: 2023.3.4
    • DBeaver Community: 24.0.0

From graphical IDEs, you can only connect to public cluster hosts using an SSL certificate.

To avoid connection errors, save the certificate to a local folder that does not require administrator rights to access.

  1. Create a data source:
    1. Select FileNewData SourceMySQL®.
    2. On the General tab:
      1. Configure the connection as follows:
        • Host: FQDN of any MySQL® host or a special FQDN.
        • Port: 3306.
        • User, Password: Database user name and password.
        • Database: Name of the database to connect to.
      2. Click Download to download the connection driver.
    3. On the SSH/SSL tab:
      1. Enable Use SSL.
      2. In the CA file field, specify the path to the SSL certificate file for your connection.
  2. Click Test Connection. If the connection is successful, you will see the connection status, DBMS information, and driver details.
  3. Click OK to save the data source.
  1. Create a new database connection:
    1. In the Database menu, select New connection.
    2. Select MySQL® from the database list.
    3. Click Next.
    4. Specify the connection settings on the Main tab:
    5. On the SSL tab:
      1. Enable Use SSL.
      2. In the Root certificate field, specify the path to the SSL certificate file you previously saved.
      3. Under Advanced:
        1. Enable Require SSL.
        2. Enable Verify server certificate.
  2. Click Test Connection .... If the connection is successful, you will see the connection status and information about the DBMS and driver.
  3. Click Done to save the database connection settings.

Connecting from Yandex WebSQL

You can send SQL queries to databases in a Managed Service for MySQL® cluster using Yandex WebSQL.

WebSQL is a Yandex Cloud service that allows you to connect to managed database clusters, work with DBs, tables, and schemas, and run SQL queries. It is a web-based tool that requires no additional authorization and simplifies working with SQL commands by suggesting prompts.

To connect from WebSQL to a Managed Service for MySQL® cluster, create a connection:

  1. Go to the folder page and select Managed Service for MySQL.
  2. Click the cluster name.
  3. Enable the WebSQL access option in the cluster settings if it is not enabled yet.
  4. Select the WebSQL tab.
  5. Click Create connection and specify the connection parameters:
    • Connection name.
    • Database type: MySQL®.
    • Cluster: Defaults to your current MySQL® cluster.
    • Username you will use to connect to the database in the cluster.
    • User password.
    • Databases you want to connect to. You can only connect to the databases that exist in this cluster. The user you specified must have access to them configured.
  6. Click Create.

To open the SQL editor, click the created connection on the WebSQL tab.

For more information about working with WebSQL, see the service documentation.

Before you connect from a Docker container

To connect to a Managed Service for MySQL® cluster from a Docker container, add the following lines to the Dockerfile:

RUN apt-get update && \
    apt-get install mysql-client --yes

RUN apt-get update && \
    apt-get install wget mysql-client --yes && \
    mkdir --parents ~/.mysql && \
    wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
         --output-document ~/.mysql/root.crt && \
    chmod 0600 ~/.mysql/root.crt

Examples of connection strings

The Linux examples were tested in the following environment:

  • Yandex Cloud virtual machine running Ubuntu 20.04 LTS.
  • Bash: 5.0.16.
  • Python: 3.8.2; pip3: 20.0.2.
  • PHP: 7.4.3.
  • OpenJDK: 11.0.8; Maven: 3.6.3.
  • Node.JS: 10.19.0, npm: 6.14.4.
  • Go: 1.13.8.
  • Ruby: 2.7.0p0.
  • unixODBC: 2.3.6.

The Windows examples were tested in the following environment:

  • A local machine with Windows 10 Pro build 19042.1052.
  • PowerShell: 5.1.19041.
  • cURL: 7.55.1 WinSSL.

You can only connect to public MySQL® hosts using an SSL certificate.

Bash

Before connecting, install the mysql utility:

sudo apt update && sudo apt install --yes mysql-client

mysql --host=<MySQL®_host_name>.mdb.yandexcloud.net \
      --port=3306 \
      --ssl-ca=~/.mysql/root.crt \
      --ssl-mode=VERIFY_IDENTITY \
      --user=<username> \
      --password \
      <DB_name>

mysql --host=<FQDN_of_any_MySQL®_host> \
      --port=3306 \
      --ssl-mode=DISABLED \
      --user=<username> \
      --password \
      <DB_name>

To learn how to get a host FQDN, see this guide.

When running any command, enter the DB user password.

After connecting to the DBMS, run the SELECT version(); command.

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Go

Before connecting, install the following dependencies:

sudo apt update && sudo apt install --yes golang git && \
go get github.com/go-sql-driver/mysql

connect.go

package main

import (
  "io/ioutil"
  "crypto/tls"
  "crypto/x509"
  "database/sql"
  "fmt"
  "github.com/go-sql-driver/mysql"
)

const (
  host     = "<FQDN_of_any_MySQL®_host>"
  port     = 3306
  user     = "<username>"
  password = "<user_password>"
  dbname   = "<DB_name>"
)

func main() {
  rootCertPool := x509.NewCertPool()
  pem, err := ioutil.ReadFile("/home/<home_directory>/.mysql/root.crt")
  if err != nil {
    panic(err)
  }
  if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
    panic("Failed to append PEM.")
  }

  mysql.RegisterTLSConfig("custom", &tls.Config{
    RootCAs: rootCertPool,
  })

  mysqlInfo := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?tls=custom",
    user, password, host, port, dbname)
  conn, err := sql.Open("mysql", mysqlInfo)
  if err != nil {
    panic(err)
  }

  defer conn.Close()

  q, err := conn.Query("SELECT version()")
  if err != nil {
    panic(err)
  }

  var result string

  for q.Next() {
   q.Scan(&result)
   fmt.Println(result)
  }
}

For this connection method, the code must include the full path to the root.crt certificate for MySQL® in the ca variable.

connect.go

package main

import (
  "database/sql"
  "fmt"
  _ "github.com/go-sql-driver/mysql"
)

const (
  host     = "<FQDN_of_any_MySQL®_host>"
  port     = 3306
  user     = "<username>"
  password = "<user_password>"
  dbname   = "<DB_name>"
)

func main() {
  mysqlInfo := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s",
    user, password, host, port, dbname)
  conn, err := sql.Open("mysql", mysqlInfo)
  if err != nil {
    panic(err)
  }

  defer conn.Close()

  q, err := conn.Query("SELECT version()")
  if err != nil {
    panic(err)
  }

  var result string

  for q.Next() {
   q.Scan(&result)
   fmt.Println(result)
  }
}

To learn how to get a host FQDN, see this guide.

Connecting:

go run connect.go

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Java

Before connecting:

  1. Install the dependencies:

    sudo apt update && sudo apt install --yes default-jdk maven

  2. Add the SSL certificate to the Java trusted certificate store (Java Key Store) so that the MySQL® driver can use this certificate for secure connections to the cluster hosts. Set a password in the -storepass parameter for storage protection:

    cd ~/.mysql && \
sudo keytool -importcert \
             -alias YandexCA \
             -file root.crt \
             -keystore YATrustStore \
             -storepass <certificate_store_password> \
             --noprompt

    Where storepass is your certificate store password, a minimum of 6 characters.

  3. Create a folder for the Maven project:

    cd ~/ && mkdir -p project/src/java/com/example && cd project/

  4. Create a configuration file for Maven:

    pom.xml
    <?xml version="1.0" encoding="UTF-8"?>
<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>app</artifactId>
    <packaging>jar</packaging>
    <version>0.1.0</version>
    <properties>
	    <maven.compiler.source>1.8</maven.compiler.source>
	    <maven.compiler.target>1.8</maven.compiler.target>
    </properties>
    <dependencies>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.21</version>
        </dependency>
	</dependencies>
	<build>
     	<finalName>${project.artifactId}-${project.version}</finalName>
     	<sourceDirectory>src</sourceDirectory>
	 	<resources>
     		<resource>
	 	     	<directory>src</directory>
     		</resource>
     	</resources>
    	<plugins>
    		<plugin>
	     		<groupId>org.apache.maven.plugins</groupId>
	     		<artifactId>maven-assembly-plugin</artifactId>
	     		<executions>
	     			<execution>
	     				<goals>
	 	    				<goal>attached</goal>
	     				</goals>
	 	    			<phase>package</phase>
	 	    			<configuration>
	 		    			<descriptorRefs>
	 			    			<descriptorRef>jar-with-dependencies</descriptorRef>
	 		    			</descriptorRefs>
	 			    		<archive>
	 			    			<manifest>
	 			    				<mainClass>com.example.App</mainClass>
	 			    			</manifest>
	 	    				</archive>
	 	    			</configuration>
	 	    		</execution>
	     		</executions>
    		</plugin>
	 		<plugin>
     			<groupId>org.apache.maven.plugins</groupId>
	     		<artifactId>maven-jar-plugin</artifactId>
     			<version>3.1.0</version>
    			<configuration>
	     			<archive>
	     				<manifest>
	      					<mainClass>com.example.App</mainClass>
	  	     			</manifest>
	 	    		</archive>
    			</configuration>
    		</plugin>
	 	</plugins>
	</build>
</project>

    You can check the current mysql-connector-java version on the project page in the Maven repository.

src/java/com/example/App.java

package com.example;

import java.sql.*;

public class App {
  public static void main(String[] args) {
    String DB_URL     = "jdbc:mysql://<FQDN_of_any_MySQL®_host>:3306/<DB_name>?useSSL=true";
    String DB_USER    = "<username>";
    String DB_PASS    = "<user_password>";

    System.setProperty("javax.net.ssl.trustStore", "/home/<home_directory>/.mysql/YATrustStore");
    System.setProperty("javax.net.ssl.trustStorePassword", "<certificate_store_password>");

    try {
      Class.forName("com.mysql.cj.jdbc.Driver");

      Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
      ResultSet q = conn.createStatement().executeQuery("SELECT version()");
      if(q.next()) {System.out.println(q.getString(1));}

      conn.close();
    }
    catch(Exception ex) {ex.printStackTrace();}
  }
}

In this code, the javax.net.ssl.trustStore property must specify the full path to the YATrustStore certificate store for the MySQL® driver.

src/java/com/example/App.java

package com.example;

import java.sql.*;

public class App {
  public static void main(String[] args) {
    String DB_URL     = "jdbc:mysql://<FQDN_of_any_MySQL®_host>:3306/<DB_name>?useSSL=false";
    String DB_USER    = "<username>";
    String DB_PASS    = "<user_password>";

    try {
      Class.forName("com.mysql.cj.jdbc.Driver");

      Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
      ResultSet q = conn.createStatement().executeQuery("SELECT version()");
      if(q.next()) {System.out.println(q.getString(1));}

      conn.close();
    }
    catch(Exception ex) {ex.printStackTrace();}
  }
}

To learn how to get a host FQDN, see this guide.

Connecting:

mvn clean package && \
java -jar target/app-0.1.0-jar-with-dependencies.jar

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Node.js

Before connecting, install the following dependencies:

sudo apt update && sudo apt install --yes nodejs npm && \
npm install mysql2

app.js

"use strict"
const fs = require('fs');
const mysql = require('mysql2');

const config = {
  host     : '<FQDN_of_any_MySQL®_host>',
  port     : 3306,
  user     : '<username>',
  password : '<user_password>',
  database : '<DB_name>',
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('/home/<home_directory>/.mysql/root.crt').toString(),
  },
}

const conn = mysql.createConnection(config)
conn.connect(err => {if (err) throw err})
  conn.query('SELECT version()', (err, result, fields) => {
    if (err) throw err
    console.log(result[0])
    conn.end()
  })

For this connection method, the code must include the full path to the root.crt certificate for MySQL® in the ca variable.

app.js

"use strict"
const mysql = require('mysql2');

const config = {
  host     : '<FQDN_of_any_MySQL®_host>',
  port     : 3306,
  user     : '<username>',
  password : '<user_password>',
  database : '<DB_name>',
}

const conn = mysql.createConnection(config)
conn.connect(err => {if (err) throw err})
  conn.query('SELECT version()', (err, result, fields) => {
    if (err) throw err
    console.log(result[0])
    conn.end()
  })

To learn how to get a host FQDN, see this guide.

Connecting:

node app.js

If the connection to the cluster and the test query are successful, the MySQL® version is output.

ODBC

Before connecting, install the following dependencies:

sudo apt update && sudo apt install --yes unixodbc && \
wget https://dev.mysql.com/get/Downloads/Connector-ODBC/8.0/mysql-connector-odbc_8.0.21-1ubuntu20.04_amd64.deb && \
sudo dpkg -i mysql-connector-odbc_8.0.21-1ubuntu20.04_amd64.deb

The MySQL® Connector/ODBC driver will be registered automatically in /etc/odbcinst.ini. Current version of the driver: mysql-connector-odbc.

Set the connection parameters in /etc/odbc.ini.

odbc.ini

[mysql]
Driver=MySQL ODBC 8.0 Unicode Driver
SERVER=<FQDN_of_any_MySQL®_host>
UID=<username>
PWD=<user_password>
DATABASE=<DB_name>
PORT=3306
SSLCA=/home/<home_directory>/.mysql/root.crt
SSLVERIFY=1

For this connection method, the SSLCA parameter in /etc/odbc.ini must specify the full path to the root.crt certificate for MySQL®.

odbc.ini

[mysql]
Driver=MySQL ODBC 8.0 Unicode Driver
SERVER=<FQDN_of_any_MySQL®_host>
UID=<username>
PWD=<user_password>
DATABASE=<DB_name>
PORT=3306

To learn how to get a host FQDN, see this guide.

Connecting:

isql -v mysql

After connecting to the DBMS, run the SELECT version(); command.

If the connection to the cluster and the test query are successful, the MySQL® version is output.

PHP

Before connecting, install the following dependencies:

sudo apt update && apt install --yes php php-mysql

connect.php

<?php
    $conn = mysqli_init();

    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $conn->ssl_set(NULL, NULL, '/home/<home_directory>/.mysql/root.crt', NULL, NULL);
    $conn->real_connect('<FQDN_of_any_MySQL®_host>', '<username>', '<user_password>', '<database_name>', 3306, NULL, MYSQLI_CLIENT_SSL);

    $q = $conn->query('SELECT version()');
    $result = $q->fetch_row();
    echo($result[0]);

    $q->close();
    $conn->close();
?>

For this connection method, the code must include the full path to the root.crt certificate for MySQL® in the ssl_set method.

connect.php

<?php
    $conn = mysqli_init();

    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, false);
    $conn->real_connect('<FQDN_of_any_MySQL®_host>', '<username>', '<user_password>', '<database_name>', 3306, NULL, NULL);

    $q = $conn->query('SELECT version()');
    $result = $q->fetch_row();
    echo($result[0]);

    $q->close();
    $conn->close();
?>

To learn how to get a host FQDN, see this guide.

Connecting:

php connect.php

If the connection to the cluster and the test query are successful, the MySQL® version is output.

PowerShell

Before connecting, download and install MySQL Shell.

mysqlsh --host=<FQDN_of_any_MySQL®_host> `
        --port=3306 `
        --ssl-ca=<absolute_path_to_certificate_file> `
        --ssl-mode=VERIFY_IDENTITY `
        --user=<username> `
        --password `
        --database=<DB_name> `
        --sql

mysqlsh --host=<FQDN_of_any_MySQL®_host> `
        --port=3306 `
        --ssl-mode=DISABLED `
        --user=<username> `
        --password `
        --database=<DB_name>

To learn how to get a host FQDN, see this guide.

When running any command, enter the DB user password.

After connecting to the DBMS, run the SELECT version(); command.

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Python

Before connecting, install the following dependencies:

sudo apt update && sudo apt install --yes python3 python3-pip libmysqlclient-dev && \
pip3 install mysqlclient

connect.py

import MySQLdb

conn = MySQLdb.connect(
      host="<FQDN_of_any_MySQL®_host>",
      port=3306,
      db="<DB_name>",
      user="<username>",
      passwd="<user_password>",
      ssl={'ca': '~/.mysql/root.crt'})

cur = conn.cursor()
cur.execute('SELECT version()')

print(cur.fetchone()[0])

conn.close()

connect.py

import MySQLdb

conn = MySQLdb.connect(
      host="<FQDN_of_any_MySQL®_host>",
      port=3306,
      db="<DB_name>",
      user="<username>",
      passwd="<user_password>")

cur = conn.cursor()
cur.execute('SELECT version()')

print(cur.fetchone()[0])

conn.close()

To learn how to get a host FQDN, see this guide.

Connecting:

python3 connect.py

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Ruby

Before connecting, install the following dependencies:

sudo apt update && sudo apt install --yes ruby ruby-mysql2

connect.rb

require "mysql2"

conn = Mysql2::Client.new(
        :host => "<FQDN_of_any_MySQL®_host>",
        :port => 3306,
        :database => "<DB_name>",
        :username => "<username>",
        :password => "<user_password>",
        :ssl_mode => "verify_identity",
        :sslca => "~/.mysql/root.crt")

q = conn.query("SELECT version()")

q.each do |result|
  puts result["version()"]
end

conn.close()

connect.rb

require "mysql2"

conn = Mysql2::Client.new(
        :host => "<FQDN_of_any_MySQL®_host>",
        :port => 3306,
        :database => "<DB_name>",
        :username => "<username>",
        :password => "<user_password>")

q = conn.query("SELECT version()")

q.each do |result|
  puts result["version()"]
end

conn.close()

To learn how to get a host FQDN, see this guide.

Connecting:

ruby connect.rb

If the connection to the cluster and the test query are successful, the MySQL® version is output.

Previous
Deleting a cluster
Next
SQL queries in Yandex WebSQL