DB network and clusters
When creating a cluster, you can:
- Set the network for the cluster itself.
- Set the subnets for each host in the cluster.
- Request a public IP address to access the cluster from outside Yandex.Cloud.
You can create a cluster without specifying any subnets for the hosts, if the availability zone selected for each host contains exactly one subnet of the cluster network.
Hostname and FQDN
Managed Service for PostgreSQL generates a name for each cluster host during creation. This name will be the host's fully qualified domain name (FQDN). The hostname and, consequently, the FQDN cannot be changed.
You can use the FQDN to access the host within a single cloud network. Read more in the Yandex Virtual Private Cloud documentation.
Public access to a host
Any cluster host can be accessible from outside Yandex.Cloud if you requested public access when creating the host. To connect to such a host, use its FQDN.
It is not possible to request a public address after creating a host, but you can replace one of the existing hosts with a new host that has a public address.
When deleting a host with a public FQDN, the assigned IP address is revoked.
Security groups follow the principle "All traffic that is not allowed is prohibited". Therefore, security group rules for a cluster's cloud network might prevent connections to the cluster if one or more groups are assigned to it.
Let's say a VM in Yandex.Cloud is used to access the cluster. If the incoming traffic rules of the security group specify only the 10.133.0.0/24 subnet but the VM is in the 10.128.0.0/16 subnet, the VM won't be able to connect to the cluster. Likewise, a VM in the 10.133.0.0/24 subnet won't be able to connect if it tries to access a port that is not specified in the security group rules.
When connecting to a cluster from within its cloud network, be sure to configure security groups both for the cluster and the connecting host.
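The default-deny evaluation described above, as an added example that is not part of the original documentation: a small model of a security group's ingress rules that checks a connection against protocol, source CIDR and port, and reports which criterion a denied connection failed on. The rule fields, the `IngressRule` name and port 6432 are assumptions for illustration, not the provider's API.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass
from typing import List

# Constructed model of one ingress rule of a cluster's security group.
# Field names are assumed for illustration, not the provider's API.
@dataclass(frozen=True)
class IngressRule:
    protocol: str    # e.g. "tcp"
    cidr: str        # permitted source range, e.g. "10.133.0.0/24"
    port_from: int
    port_to: int

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        return (
            self.protocol.lower() == protocol.lower()
            and ip_address(src_ip) in ip_network(self.cidr, strict=False)
            and self.port_from <= port <= self.port_to
        )

def is_allowed(rules: List[IngressRule], src_ip: str, protocol: str, port: int) -> bool:
    """Default deny: traffic passes only if at least one rule matches on all three criteria."""
    return any(r.matches(src_ip, protocol, port) for r in rules)

def denial_reasons(rules: List[IngressRule], src_ip: str, protocol: str, port: int) -> List[str]:
    """For each rule, name the first criterion the connection failed; empty if some rule matched."""
    reasons = []
    for r in rules:
        if r.protocol.lower() != protocol.lower():
            reasons.append(f"protocol {protocol} != {r.protocol}")
        elif ip_address(src_ip) not in ip_network(r.cidr, strict=False):
            reasons.append(f"{src_ip} not in {r.cidr}")
        elif not (r.port_from <= port <= r.port_to):
            reasons.append(f"port {port} outside {r.port_from}-{r.port_to}")
        else:
            return []  # this rule matched, so the connection is allowed
    return reasons

# Constructed rule set: the page's group that admits only 10.133.0.0/24.
# Port 6432 is an assumed database port, not taken from the page.
CLUSTER_RULES = [IngressRule("tcp", "10.133.0.0/24", 6432, 6432)]

if __name__ == "__main__":
    # The three cases from the text: wrong subnet, correct subnet, wrong port.
    for ip, port in [("10.128.0.5", 6432), ("10.133.0.7", 6432), ("10.133.0.7", 5432)]:
        ok = is_allowed(CLUSTER_RULES, ip, "tcp", port)
        print(f"{ip}:{port} ->", "allowed" if ok else denial_reasons(CLUSTER_RULES, ip, "tcp", port))
```

An empty rule list denies everything, which is the "all traffic that is not allowed is prohibited" behaviour the text describes.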
Specifics of working with security groups:
- Security group settings only affect the ability to connect to the cluster. They don't affect cluster features such as replication, sharding, and backups.
- Even if the cluster and the connecting host are in the same security group, the connection won't be possible unless rules that allow traffic between the host and the cluster are set up in this group. However, by default, such rules are contained in the security group that is added automatically when a cloud network is created: these are the Self rules, which allow unlimited traffic within the group.
For more information, see the Virtual Private Cloud documentation.