© 2026 Direct Cursus Technology L.L.C.
Yandex Managed Service for PostgreSQL

In this article:

  • Configuring security groups
  • Obtaining an SSL certificate
  • What's next

Pre-configuring a PostgreSQL cluster connection

Written by
Yandex Cloud
Updated at March 19, 2026

You can connect to Managed Service for PostgreSQL cluster hosts:

  • Via the internet, if you configured public access for the host. You can connect over the internet in the following ways:

    • Using an SSL connection.
    • Using IAM authentication.
  • From Yandex Cloud virtual machines located in the same cloud network. For hosts without public access, SSL is not required to connect to them from these virtual machines.

  • From a Serverless Containers container. For hosts without public access, the container must reside in the same cloud network.

Warning

If only some cluster hosts have public access, an automatic master failover can make the master host unreachable from the internet.

Configuring security groups

To connect to a cluster, its security groups must include rules that allow traffic on specific ports, from specific IP addresses, or from other security groups.

Rule settings depend on the chosen connection method:

Over the internet

Configure all cluster security groups to allow incoming traffic on port 6432 from any IP address. To do this, create the following inbound rule:

  • Port range: 6432.
  • Protocol: TCP.
  • Source: CIDR.
  • CIDR blocks: 0.0.0.0/0.

From a Yandex Cloud VM

  1. Configure all cluster security groups to allow incoming traffic on port 6432 from the target VM’s security group. To do this, create the following ingress rule in these groups:

    • Port range: 6432.
    • Protocol: TCP.
    • Source: Security group.
    • Security group: If your cluster and VM share the same security group, select Current. Otherwise, specify the VM security group.
  2. Configure the VM’s security group to enable connections to the VM and traffic between the VM and the cluster hosts.

    VM rule examples:

    • For incoming traffic:

      • Port range: 22.
      • Protocol: TCP.
      • Source: CIDR.
      • CIDR blocks: 0.0.0.0/0.

      This rule allows inbound VM connections over SSH.

    • For outgoing traffic:

      • Port range: 0-65535.
      • Protocol: Any.
      • Destination name: CIDR.
      • CIDR blocks: 0.0.0.0/0.

      This rule permits all outbound traffic, allowing you to install any necessary certificates and tools on your VM.

Note

You can specify more granular security group rules, such as allowing traffic only in specific subnets.

Make sure to properly configure security groups for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster if a manual or automatic master failover occurs.

For more information about security groups, see Security groups.
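The failover caveat above can be checked before rules are narrowed from 0.0.0.0/0 to specific subnets. The following is an added example, not Yandex Cloud code or API: it models CIDR-based rules only, assumes return traffic is not filtered separately, and uses constructed host names and addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PG_PORT = 6432  # connection port used in the rules on this page


@dataclass(frozen=True)
class Rule:
    protocol: str   # "TCP" or "ANY"
    ports: tuple    # inclusive (low, high) port range
    cidrs: tuple    # CIDR blocks: sources for ingress, destinations for egress

    def allows(self, peer_ip: str, port: int = PG_PORT) -> bool:
        low, high = self.ports
        return (self.protocol in ("TCP", "ANY")
                and low <= port <= high
                and any(ip_address(peer_ip) in ip_network(c) for c in self.cidrs))


def blocked_hosts(client_ip, hosts, cluster_ingress, client_egress):
    """Map each host the client could not reach on 6432 to the failing rule set."""
    blocked = {}
    for name, host_ip in hosts.items():
        reasons = []
        if not any(r.allows(host_ip) for r in client_egress):
            reasons.append("client egress")
        if not any(r.allows(client_ip) for r in cluster_ingress):
            reasons.append("cluster ingress")
        if reasons:
            blocked[name] = reasons
    return blocked


# Constructed sample data: three cluster hosts in three subnets, one client VM.
HOSTS = {"host-a": "10.1.0.5", "host-b": "10.2.0.5", "host-c": "10.3.0.5"}
CLIENT = "10.1.0.10"
CLUSTER_INGRESS = [Rule("TCP", (6432, 6432), ("10.1.0.0/24",))]
# Granular but incomplete: egress covers only the current master's subnet.
EGRESS_INCOMPLETE = [Rule("TCP", (6432, 6432), ("10.1.0.0/24",))]
# Complete: egress covers every subnet where a cluster host resides.
EGRESS_COMPLETE = [Rule("TCP", (6432, 6432),
                        ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"))]

if __name__ == "__main__":
    print(blocked_hosts(CLIENT, HOSTS, CLUSTER_INGRESS, EGRESS_INCOMPLETE))
    print(blocked_hosts(CLIENT, HOSTS, CLUSTER_INGRESS, EGRESS_COMPLETE))
```

Any host reported by the incomplete rule set becomes unreachable for this client if it is promoted to master.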

Obtaining an SSL certificate

Publicly accessible PostgreSQL hosts only support encrypted connections. To access them, get an SSL certificate:

Linux (Bash)/macOS (Zsh)

    mkdir -p ~/.postgresql && \
    wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
         --output-document ~/.postgresql/root.crt && \
    chmod 0655 ~/.postgresql/root.crt

The certificate will be saved to the ~/.postgresql/root.crt file.

Windows (PowerShell)

    mkdir $HOME\.postgresql; curl.exe -o $HOME\.postgresql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem

The certificate will be saved to the $HOME\.postgresql\root.crt file.

Your corporate security policies and antivirus software may block the certificate download. For more information, see FAQ.

To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.

What's next

  • Get the FQDN of the host you want to connect to.
  • Connect to the cluster using the command-line tools, graphical IDEs, Yandex WebSQL, pgAdmin 4, Looker Studio, and a Docker container.
  • Integrate the cluster connection into your application code.
