Setting up a connection
Available connection methods depend on whether the cluster sharding is enabled:
Accessing cluster hosts
You can connect to Yandex Managed Service for Valkey™ cluster hosts:
- Via the internet if the following conditions are met:
  - Public access to hosts is configured.
  - An SSL connection is used.
  - Your cluster was created with TLS support.
- From Yandex Cloud virtual machines located in the same cloud network.
  - Create a virtual machine with a public IP in the same virtual network as the cluster.
  - Connect to the created VM via SSH.
  - From this VM, connect to Valkey™ using one of the sample connection strings.
Encryption support
Encrypted SSL connections are supported for Yandex Managed Service for Valkey™ clusters. To use SSL, enable TLS support when creating a cluster.
By default, Valkey™ uses host IP addresses, not their FQDNs. This may prevent connection to Valkey™ hosts in clusters with TLS support. To be able to connect to hosts, do one of the following:
- Enable the use of FQDNs instead of IP addresses to replace a host's IP address with its FQDN. You can enable this setting when creating or updating a cluster.
  This will allow the Valkey™ client to connect to Valkey™ hosts both from Yandex Cloud VMs and over the internet, as well as request verification of the host's FQDN against the certificate, if required.
  Note
  Some clients do not support this setting and will fail to connect to the cluster hosts. Such clients expect an IP address and will produce errors if you provide an FQDN instead.
- Disable verification of the host's FQDN against the certificate on the Valkey™ client side.
  This will enable you to connect to Valkey™ hosts from Yandex Cloud VMs.
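Both options above from the client side, as an added example that is not code from this documentation: a Python standard-library client that can turn off only the FQDN check while still validating the certificate chain against the CA file. The function names, the `cafile` argument and the host and password passed to `ping` are assumptions for illustration.

```python
import socket
import ssl

def tls_context(cafile=None, verify_fqdn=True):
    """Build a client TLS context for a cluster created with TLS support.

    cafile: path to the CA certificate (for example the downloaded
    YandexInternalRootCA.crt); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # verify_fqdn=False skips only the name check. The chain is still
    # validated, so a certificate from an untrusted issuer is rejected.
    ctx.check_hostname = verify_fqdn
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def resp_command(*args):
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)

def ping(host, password, cafile, port=6380, verify_fqdn=True):
    """AUTH, then PING, over TLS; returns the two reply lines."""
    ctx = tls_context(cafile, verify_fqdn)
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname is compared with the certificate only when
        # verify_fqdn is True, which needs the FQDN setting on the cluster.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            with tls.makefile("rb") as reader:
                tls.sendall(resp_command("AUTH", password) + resp_command("PING"))
                return reader.readline(), reader.readline()
```

With `verify_fqdn=False` the client accepts any host that presents a certificate issued under the trusted CA, so this mode fits connections that stay inside the cloud network.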
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
To connect to a cluster from a VM in Yandex Cloud, create rules in the VM's security groups that allow:
- VM connections from the internet.
- Traffic between the VM and cluster hosts.
Example of rules for a VM:
- For incoming traffic:
  - Port range: 22.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule lets you connect to the VM over SSH.
- For outgoing traffic:
  - Port range: 0-65535.
  - Protocol: Any.
  - Destination name: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule allows all outgoing traffic, which enables you to both connect to the cluster and install the certificates and utilities the VMs need to connect to the cluster.
Security group settings for sharded and non-sharded clusters differ.
Non-sharded clusters:
Configure all the cluster security groups to allow incoming traffic from the security group where the VM is located on port 6379 for direct connections to the master host or 26379 for connections via Sentinel. If you created your cluster with SSL encryption support, specify port 6380 for direct encrypted connections to the master or 26379 for unencrypted connections using Sentinel.
Warning
Connecting to port 26379 enables you to request cluster information without authenticating. To restrict unauthorized cluster access with host public access enabled, do not specify this port in your security group settings.
To do this, create the following rule for incoming traffic:
- Port range: create a separate rule for each port:
  - 6379: For direct unencrypted host connections.
  - 6380: For direct host connections using SSL encryption.
  - 26379: For cluster communication via Sentinel. To connect to a cluster using Sentinel, you must also create a rule enabling connections via port 6379 or 6380.
- Protocol: TCP.
- Source: Security group.
- Security group: Security group assigned to the VM. If it is the same as the configured group, specify Current.
Sharded clusters:
Configure all the cluster security groups to allow incoming traffic on port 6379 from the security group where the VM is located. If a cluster is created with SSL encryption support, you should only specify port 6380.
To do this, create the following rule for incoming traffic:
- Port range: 6379, or only 6380 for clusters with SSL encryption support.
- Protocol: TCP.
- Source: Security group.
- Security group: If your cluster and VM are in the same security group, select Current. Otherwise, specify the VM security group.
Note
You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.
You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster if the master is switched manually or automatically.
For more information about security groups, see Security groups.
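One way to check a cluster security group against the rules in this section, as an added example rather than a Yandex Cloud tool. The rule dictionaries, the `sg:` source prefix and the sample rule sets are constructed for illustration.

```python
import ipaddress

VALKEY_PORTS = (6379, 6380, 26379)  # plain, TLS, Sentinel

def audit_cluster_ingress(rules, *, sharded, tls, public_access):
    """Check a cluster security group's ingress rules against this section.

    Assumed rule model (not a Yandex Cloud API shape):
    {"ports": (low, high), "source": "<CIDR>" or "sg:<group name>"}
    """
    findings, opened = [], set()
    for rule in rules:
        low, high = rule["ports"]
        hit = {p for p in VALKEY_PORTS if low <= p <= high}
        if not hit:
            continue
        opened |= hit
        if low != high:
            findings.append(f"{low}-{high}: create a separate rule for each port")
        src = rule["source"]
        if not src.startswith("sg:") and ipaddress.ip_network(src).prefixlen == 0:
            findings.append(f"{low}-{high}: source {src} admits any address")
    if 26379 in opened:
        if sharded:
            findings.append("26379: not in the rule set for sharded clusters")
        if public_access:
            findings.append("26379: answers without authentication, remove it")
        if not opened & {6379, 6380}:
            findings.append("26379: Sentinel clients also need 6379 or 6380")
    if sharded and tls and 6379 in opened:
        findings.append("6379: a sharded TLS cluster should open only 6380")
    # Ports a client can actually use for data in this configuration
    usable = {6379} if not tls else {6380} if sharded else {6379, 6380}
    if not opened & usable:
        findings.append("no data port open: clients cannot reach the hosts")
    return findings

# Constructed sample rule sets, not exported from a real cloud
GOOD = [{"ports": (6380, 6380), "source": "sg:vm-sg"}]
RISKY = [
    {"ports": (26379, 26379), "source": "0.0.0.0/0"},
    {"ports": (6379, 6379), "source": "sg:vm-sg"},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("RISKY", RISKY)):
        result = audit_cluster_ingress(rules, sharded=True, tls=True, public_access=True)
        print(name, result or "no findings")
```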
Getting an SSL certificate
To use an encrypted SSL connection, get an SSL certificate:
Linux (Bash):
mkdir -p ~/.redis && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.redis/YandexInternalRootCA.crt && \
chmod 0644 ~/.redis/YandexInternalRootCA.crt
The certificate will be saved to the ~/.redis/YandexInternalRootCA.crt file.
Windows (PowerShell):
mkdir $HOME\.redis; curl.exe -o $HOME\.redis\YandexInternalRootCA.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate will be saved to the $HOME\.redis\YandexInternalRootCA.crt file.
Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.
To use graphical IDEs, save a certificate
Valkey™ host FQDN
To connect to a host, you need its fully qualified domain name (FQDN). You can obtain it in one of the following ways:
- In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.
- Look up the FQDN in the management console:
  - Go to the cluster page.
  - Go to Hosts.
  - Copy the Host FQDN column value.