Connecting to a Sharded PostgreSQL cluster
You can connect to Managed Service for Sharded PostgreSQL cluster hosts:
-
Via the internet, if you configured public access for these hosts. You can only access such hosts over an SSL connection.
-
From Yandex Cloud VMs located in the same cloud network For hosts without public access, SSL is not required to connect to them from these virtual machines.
You can connect to all host types: INFRA, ROUTER, COORDINATOR, PostgreSQL cluster hosts. The connection is established through port 6432. In the case of COORDINATOR hosts and the Sharded PostgreSQL admin console, you must connect as the spqr-console user to the spqr-console database. You can use the admin console to configure sharding rules. For more information, see the SPQR documentation.
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
Security group settings will vary depending on the connection method you choose:
Configure all cluster security groups to allow incoming traffic on port 6432 from any IP address. To do this, create the following ingress rule:
- Port range:
6432. - Protocol:
TCP. - Source:
CIDR. - CIDR blocks:
0.0.0.0/0.
If the shared cluster and shard security group has rules configured to connect the router to shard hosts, no additional configuration of security groups is required to access the cluster over the internet.
-
Configure all cluster security groups to allow incoming traffic on port
6432from your VM’s security group. To do this, create the following rule for incoming traffic in these groups:- Port range:
6432. - Protocol:
TCP. - Source:
Security group. - Security group: If your cluster and VM share the same security group, select
Current(Self). Otherwise, specify the VM security group.
- Port range:
-
Configure the VM security group to allow VM connections and traffic between the VM and cluster hosts.
For example, you can set the following rules for your VM:
-
For incoming traffic:
- Port range:
22. - Protocol:
TCP. - Source:
CIDR. - CIDR blocks:
0.0.0.0/0.
This rule allows inbound VM connections over SSH.
- Port range:
-
For outgoing traffic:
- Port range:
0-65535. - Protocol:
Any(Any). - Destination name:
CIDR. - CIDR blocks:
0.0.0.0/0.
This rule permits all outbound traffic, allowing you to connect to the cluster and install any necessary certificates and tools on your VM.
- Port range:
-
Note
You can specify more granular security group rules, such as allowing traffic only in specific subnets.
Make sure to properly configure security groups for all subnets where the cluster hosts will reside.
Obtaining an SSL certificate
Publicly accessible Sharded PostgreSQL hosts only support encrypted connections. To assess them, get an SSL certificate:
mkdir -p ~/.postgresql && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.postgresql/root.crt && \
chmod 0655 ~/.postgresql/root.crt
The certificate will be saved to the ~/.postgresql/root.crt file.
mkdir $HOME\.postgresql; curl.exe -o $HOME\.postgresql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate will be saved to the $HOME\.postgresql\root.crt file.
Your corporate security policies and antivirus software may block the certificate download. For more information, see FAQ.
Sharded PostgreSQL host FQDN
To connect to a host, you need its fully qualified domain name (FQDN).
You can view the FQDN in the management console:
- Navigate to the cluster page.
- Navigate to Hosts.
- Copy the Host FQDN column value.
Connecting with Bash
Before connecting, install the required dependencies:
sudo apt update && sudo apt install --yes postgresql-client
-
Connect to a database:
psql "host=<host_FQDN> \ port=6432 \ sslmode=disable \ dbname=<DB_name> \ user=<username> \ target_session_attrs=read-write"Where
target_session_attrsdefines the type of request to the host. For example,read-writeenables both reading and writing. For more information, see the SPQR documentation.After you run this command, enter the user password to complete the connection procedure.
-
To check the connection, run the following query:
SELECT version();
-
Connect to a database:
psql "host=<host_FQDN> \ port=6432 \ sslmode=verify-full \ dbname=<DB_name> \ user=<username> \ target_session_attrs=read-write"Where
target_session_attrsdefines the type of request to the host. For example,read-writeenables both reading and writing. For more information, see the SPQR documentation.After you run this command, enter the user password to complete the connection procedure.
-
To check the connection, run the following query:
SELECT version();
Connecting from pgAdmin 4
The connection was tested for pgAdmin 4 version 9.1 on Windows 10.
You can only use pgAdmin 4 to connect to public cluster hosts using an SSL certificate.
Create a new server connection:
-
Select Object → Register → Server....
-
On the General tab, in the Name field, specify the cluster name to be shown in the pgAdmin 4 interface. You can set any name.
-
In the Connection tab, specify the connection settings:
- Host name/address: Host FQDN.
- Port:
6432. - Maintenance database: Target database name.
- Username: Username used to establish the connection.
- Password: User password.
-
In the Parameters tab:
- Set the SSL mode parameter to
verify-full. - Add a new Root certificate parameter and specify the path to the saved SSL certificate file in it.
- Set the SSL mode parameter to
-
Click Save to save the server connection settings.
As a result, the cluster appears in the server list in the navigation menu.