Yandex Managed Service for Valkey™ network and DB clusters
When creating a cluster, you can:
- Specify a network for the entire cluster.
- Specify subnets for each host in the cluster.
- Enable TLS support to connect to the cluster from outside Yandex Cloud.
Host name and FQDN
Yandex Managed Service for Valkey™ generates a name for each cluster host when it is created. This name will be the host's fully qualified domain name (FQDN). The host name and, consequently, FQDN cannot be changed.
To learn how to get a host FQDN, see this guide.
You can use the FQDN to connect to the host from the cloud network or over the internet.
Public access to cluster hosts
If you create a Yandex Managed Service for Valkey™ cluster with TLS support, you can connect to it both from a Yandex Cloud VM and from the internet.
If you created a cluster without TLS support, you can only connect to it from a Yandex Cloud VM on the same cloud network. You cannot enable public access to a host in this type of cluster.
Any host in a cluster with TLS support enabled can be accessible from outside Yandex Cloud if you requested public access when creating or modifying the host.
You cannot update a public IP address after creating a host; however, you can replace an existing host with a new one that has a public IP address.
When deleting a publicly accessible host, the assigned IP address is revoked.
Using FQDNs instead of IP addresses
Valkey™ uses host IP addresses, not their FQDNs. If a Yandex Managed Service for Valkey™ cluster supports TLS, this prevents connection to Valkey™ hosts in the following situations:
-
The Valkey™ client connects to a host via SSL and requests to verify the host's FQDN against the certificate.
The certificate contains the host's FQDN, not its IP address, so this verification will fail.
-
Public access is enabled for the host.
Valkey™ returns the host's internal IP address, even if public access is enabled for that host. Such an IP address is not accessible from the internet.
Enable the use of FQDNs instead of IP addresses to replace a host's IP address with its FQDN. You can do this when creating or updating any Yandex Managed Service for Valkey™ cluster; however, this setting is typically used in clusters with TLS support to bypass the above limitations.
Note
Some clients do not support this setting and will fail to connect to the cluster hosts. Such clients expect an IP address and will produce errors if you provide an FQDN instead.
Example of how this works
In non-sharded Yandex Managed Service for Valkey™ clusters, Sentinel is often used to get the address of the Valkey™ master host. Since Sentinel gets the address from Valkey™ itself, the result will vary depending on whether the Use FQDN instead of IP addresses option is enabled.
Let's assume a cluster has a Valkey™ master host with
rc1a-abcd********5678.mdb.yandexcloud.net
for FQDN and10.0.0.222
for internal IP address. The host address returned by Sentinel will look like this:
- Option disabled:
10.0.0.222:6379
- Option enabled:
rc1a-abcd********5678.mdb.yandexcloud.net:6379
Security groups
Security groups follow the All traffic that is not allowed is prohibited principle. To connect to a cluster, configure security group rules. These rules allow traffic from certain ports, IP addresses, or other security groups. For example, a VM will not be able to connect to a cluster in the following cases:
- The VM is in subnet 10.128.0.0/16, whereas the incoming traffic rules only specify subnet 10.133.0.0/24.
- The VM is in subnet 10.133.0.0/24 but attempts to access a port not specified in the security group rules.
For information on how to configure security groups, see Configuring security groups.
Tip
When connecting to a cluster from the same cloud network, configure security groups both for the cluster and the connecting host.
Specifics of working with security groups:
-
Even if the cluster and host are in the same security group, rules allowing traffic between them must be in place to establish a connection to the cluster from that host. By default, such rules are included in the security group created together with the cloud network. They are the
Self
rules that allow unlimited traffic within a security group. -
Security group settings only affect whether it will be possible to connect to the cluster. They do not affect cluster features, such as replication, sharding, and backups.
For more information, see the Virtual Private Cloud documentation.