Setting up a connection
You can connect in different ways depending on whether the cluster is sharded:
Accessing cluster hosts
You can connect to Yandex Managed Service for Valkey™ cluster hosts:
- Over the internet if the following conditions are met:
  - The hosts have public access enabled.
  - SSL is used.
  - The cluster supports TLS.
- From Yandex Cloud virtual machines located in the same cloud network:
  - Create a virtual machine with a public IP address in the same virtual network as the cluster.
  - Connect to the created VM over SSH.
  - From this VM, connect to Valkey™ using any of the connection string examples.
Encryption support
Yandex Managed Service for Valkey™ clusters support encrypted SSL connections. To use SSL, enable TLS support when creating the cluster.
By default, Valkey™ uses host IP addresses rather than FQDNs. This may prevent connection to Valkey™ hosts in clusters with TLS support. To enable host connections, do one of the following:
- Enable the setting that allows FQDNs to replace IP addresses. You can enable it when creating or updating the cluster.
  This will allow Valkey™ clients to connect to Valkey™ hosts both from Yandex Cloud VMs and over the internet, as well as request verification of the host FQDN against the certificate, if required.
  Note
  Some clients do not support this setting and will fail to connect to the cluster hosts. They expect an IP address and will produce errors if you provide an FQDN instead.
- Disable verification of the host FQDN against the certificate on the Valkey™ client side.
  This will enable you to connect to Valkey™ hosts from Yandex Cloud VMs.
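How the two options map to client-side TLS settings, as an added example that is not part of the original documentation. It uses only the Python standard library; `tls_context`, `resp` and `ping` are hypothetical helper names, and password authentication is an assumption. The point to note is that the second option drops only the FQDN check while the certificate chain is still verified against the CA.

```python
import socket
import ssl

def tls_context(cafile=None, verify_fqdn=True):
    """TLS settings for the two options described above.

    verify_fqdn=True:  certificate chain and host FQDN are both verified.
    verify_fqdn=False: only the FQDN check is dropped; the chain is still
                       verified against the CA (or system store if cafile=None).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED by default
    if not verify_fqdn:
        ctx.check_hostname = False  # verify_mode stays ssl.CERT_REQUIRED
    return ctx

def resp(*args):
    """Encode one command in the RESP wire format used by Valkey."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)

def ping(host, password, ctx, port=6380):
    """AUTH and PING over TLS on port 6380; returns the reply to PING."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            reader = tls.makefile("rb")
            tls.sendall(resp("AUTH", password))
            if not reader.readline().startswith(b"+OK"):
                raise PermissionError("AUTH rejected")
            tls.sendall(resp("PING"))
            return reader.readline().strip()
```

Pass the path of the downloaded CA certificate as `cafile`; with the strict context, a host that is addressed by IP fails the handshake unless its certificate covers that address.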
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
To connect to a cluster from a VM in Yandex Cloud, create security group rules that allow:
- Connections to the VM from the internet.
- Traffic between the VM and cluster hosts.
For example, you can set the following rules for your VM:
- For incoming traffic:
  - Port range: 22.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule allows inbound VM connections over SSH.
- For outgoing traffic:
  - Port range: 0-65535.
  - Protocol: Any.
  - Destination name: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule allows all outbound traffic, which enables you to both connect to the cluster and install any required certificates and tools on your VM.
Security group configurations differ for sharded and non-sharded clusters.
Configure all cluster security groups to allow incoming traffic from the VM security group on port 6379 for direct connections to the master host, or on port 26379 for connections via Sentinel. If your cluster supports SSL encryption, use port 6380 for an encrypted direct connection to the master, or port 26379 for an unencrypted Sentinel connection.
Warning
Port 26379 provides unauthenticated access to cluster information. To restrict unauthorized cluster access when public access to cluster hosts is enabled, do not expose this port in your security groups.
To do this, create the following inbound rule:
- Port range: Create a separate rule for each port:
  - 6379: For direct unencrypted host connections.
  - 6380: For direct host connections with SSL encryption.
  - 26379: For accessing the cluster via Sentinel. To connect to a cluster using Sentinel, you also need to create a rule allowing connections on port 6379 or 6380.
- Protocol: TCP.
- Source: Security group.
- Security group: VM security group. If it is the same as the one being configured, specify Current.
Configure all cluster security groups to allow incoming traffic on port 6379 from your VM’s security group. For clusters with SSL encryption enabled, specify port 6380 only.
To do this, create the following inbound rule:
- Port range: 6379, or 6380 only for clusters with SSL encryption.
- Protocol: TCP.
- Source: Security group.
- Security group: If your cluster and VM share the same security group, select Current. Otherwise, specify the VM security group.
Note
You can specify more granular rules for your security groups, such as only allowing traffic within specific subnets.
Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster if a manual or automatic master failover occurs.
For more information about security groups, see Security groups.
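A check of a cluster security group against the rules in this section, as an added example that is not part of the original documentation. The rule dictionaries are a hypothetical schema, not the Yandex Cloud API, and the sample rules are constructed.

```python
SENTINEL, PLAIN, TLS = 26379, 6379, 6380
PORTS = (PLAIN, TLS, SENTINEL)

def covers(rule, port):
    """True if an inbound rule's port range includes `port`."""
    lo, hi = rule["ports"]
    return (rule["direction"] == "ingress"
            and rule["protocol"] in ("TCP", "ANY") and lo <= port <= hi)

def audit(rules, *, sharded, tls, public_access):
    """Return findings for a cluster security group (hypothetical schema)."""
    findings = []
    opened = {p for p in PORTS if any(covers(r, p) for r in rules)}
    for r in rules:
        hit = [p for p in PORTS if covers(r, p)]
        # The inbound rule in this section uses a security group as the source.
        if hit and "cidr" in r["source"]:
            findings.append(f"{hit} open to CIDR {r['source']['cidr']}: "
                            "source should be the VM security group")
    if sharded:
        wanted = TLS if tls else PLAIN  # 6380 only when SSL is enabled
        for p in sorted(opened - {wanted}):
            findings.append(f"{p} is not part of the sharded-cluster rule")
        if wanted not in opened:
            findings.append(f"{wanted} is not allowed: clients cannot connect")
    else:
        if SENTINEL in opened and public_access:
            findings.append("26379 exposed with public access enabled: "
                            "unauthenticated cluster information")
        if SENTINEL in opened and not opened & {PLAIN, TLS}:
            findings.append("26379 allowed without 6379 or 6380: "
                            "Sentinel clients cannot reach the master")
    return findings

# Constructed sample: non-sharded TLS cluster with public access enabled.
SAMPLE = [
    {"direction": "ingress", "protocol": "TCP", "ports": (6380, 6380),
     "source": {"sg": "vm-sg"}},
    {"direction": "ingress", "protocol": "TCP", "ports": (26379, 26379),
     "source": {"cidr": "0.0.0.0/0"}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE, sharded=False, tls=True, public_access=True):
        print("FINDING:", line)
```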
Getting an SSL certificate
To use an encrypted SSL connection, get an SSL certificate:
mkdir -p ~/.redis && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.redis/YandexInternalRootCA.crt && \
chmod 0655 ~/.redis/YandexInternalRootCA.crt
The certificate will be saved to the ~/.redis/YandexInternalRootCA.crt file.
mkdir $HOME\.redis; curl.exe -o $HOME\.redis\YandexInternalRootCA.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate will be saved to the $HOME\.redis\YandexInternalRootCA.crt file.
Your corporate security policies and antivirus software may block the certificate download. For more information, see FAQ.
To use graphical IDEs, save a certificate
Valkey™ host FQDN
To connect to a host, you need its fully qualified domain name (FQDN). You can get it using one of the following methods:
- In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.
- Look up the FQDN in the management console:
  - Navigate to the cluster page.
  - Go to Hosts.
  - Copy the Host FQDN column value.