
# Pre-configuring a ClickHouse® cluster connection

You can connect to Managed Service for ClickHouse® cluster hosts:

* Via the internet, if you [configured](../hosts.md#update) public access for the host. These hosts can only be accessed over SSL.

* From Yandex Cloud virtual machines located in the same [cloud network](../../../vpc/concepts/network.md). For hosts without public access, SSL is not required to connect to them from these virtual machines.


You can connect to a cluster either with encryption (on ports `9440` for [clickhouse-client](https://clickhouse.com/docs/enen/interfaces/cli) and `8443` for the [HTTP interface](https://clickhouse.com/docs/enen/interfaces/http)) or without it (on ports `9000` and `8123`, respectively).



## Configuring security groups {#configuring-security-groups}

To connect to a cluster, [security groups](../../../vpc/concepts/security-groups.md) must include rules that allow traffic on certain ports from certain IP addresses or from other security groups.

Rule settings depend on the chosen connection method:

{% list tabs group=connection_method %}

- Over the internet {#internet}

  [Configure all the cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 8443 and 9440 from any IP address. To do this, create the following rules for incoming traffic:

    * **Port range**: `8443` and `9440`.
    * **Protocol**: `TCP`.
    * **Source**: `CIDR`.
    * **CIDR blocks**: `0.0.0.0/0`.

  Create a separate rule for each port.

  {% note warning %}

  For a more secure cluster, specify only trusted IP addresses or subnets in the **CIDR blocks** field.

  {% endnote %}

- From a Yandex Cloud VM {#cloud}

    1. [Configure all the cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic from your VM's security group on ports 8123, 8443, 9000, and 9440. To do this, create the following rules for incoming traffic in these security groups:

        * **Port range**: `8123` (or any of the other ports listed).
        * **Protocol**: `TCP`.
        * **Source**: `Security group`.
        * **Security group**: If your cluster and VM share the same security group, select `Current` (`Self`). Otherwise, specify the VM security group.

       Create a separate rule for each port.

    1. [Configure the VM security group](../../../vpc/operations/security-group-add-rule.md) to allow VM connections and traffic between the VM and cluster hosts.

       For example, you can set the following rules for your VM:

        * For incoming traffic:
            * **Port range**: `22`.
            * **Protocol**: `TCP`.
            * **Source**: `CIDR`.
            * **CIDR blocks**: `0.0.0.0/0`.

          This rule allows inbound VM [connections](../../../compute/operations/vm-connect/ssh.md#vm-connect) over SSH.

        * For outgoing traffic:
            * **Port range**: `0-65535`.
            * **Protocol**: `Any`.
            * **Destination name**: `CIDR`.
            * **CIDR blocks**: `0.0.0.0/0`.

          This rule permits all outbound traffic, allowing you to install any necessary certificates and tools on your VM.

{% endlist %}

{% note info %}

You can specify more granular security group rules, such as allowing traffic only in specific subnets.

Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

{% endnote %}

For more information about security groups, see [Network and database clusters](../../concepts/network.md#security-groups).
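
The following check covers the exposure the warning above describes. It is an added example, not part of the Yandex Cloud documentation. The one-rule-per-line input format, the `sample_rules` data, and the `audit_rules` function are assumptions made for this example. Treating the unencrypted ports `8123` and `9000` as a failure when open to `0.0.0.0/0` is the example's own policy, based on the rule lists above.

```shell
#!/usr/bin/env bash
# Added example: audit ingress rules for a ClickHouse cluster security group.
# The one-rule-per-line input format is an assumption made for this example:
#   <direction> <protocol> <from>-<to> <source CIDR or security group>

# Constructed sample rules (not taken from a real cloud).
sample_rules() {
  cat <<'EOF'
ingress TCP 8443-8443 0.0.0.0/0
ingress TCP 9440-9440 203.0.113.0/24
ingress TCP 8000-9000 0.0.0.0/0
ingress TCP 8123-8123 sg:vm-group
egress  ANY 0-65535   0.0.0.0/0
EOF
}

# Reads rules on stdin, prints findings, returns 1 if any FAIL was found.
audit_rules() {
  awk '
    function covers(lo, hi, p) { return (lo + 0 <= p + 0 && p + 0 <= hi + 0) }
    NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
    $1 != "ingress" { next }                     # only inbound rules matter here
    toupper($2) != "TCP" && toupper($2) != "ANY" { next }
    $4 != "0.0.0.0/0" { next }                   # only rules open to any address
    {
      split($3, r, "-"); lo = r[1]; hi = (r[2] == "" ? r[1] : r[2])
      # Unencrypted ports: a wide range can expose them without naming them.
      n = split("8123 9000", plain, " ")
      for (i = 1; i <= n; i++) if (covers(lo, hi, plain[i])) {
        print "FAIL line " NR ": plaintext port " plain[i] " open to " $4; bad = 1
      }
      # TLS ports: allowed by the guide, but trusted CIDRs are preferred.
      n = split("8443 9440", tls, " ")
      for (i = 1; i <= n; i++) if (covers(lo, hi, tls[i]))
        print "WARN line " NR ": TLS port " tls[i] " open to " $4 ", prefer trusted CIDRs"
    }
    END { exit bad + 0 }
  '
}

sample_rules | audit_rules || echo "audit failed: plaintext ClickHouse port exposed"
```

The third sample rule shows the case worth checking for: a broad port range (`8000-9000`) that opens `8123` and `9000` to any address even though neither port is named in the rule.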


## Getting SSL certificates {#get-ssl-cert}

To use an encrypted connection, get an SSL certificate:

{% list tabs group=operating_system %}

- Linux (Bash) {#linux}

   ```bash
   sudo mkdir --parents /usr/local/share/ca-certificates/Yandex/ && \
   sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
        --output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
   sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
        --output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
   sudo chmod 644 \
        /usr/local/share/ca-certificates/Yandex/RootCA.crt \
        /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
   sudo update-ca-certificates
   ```

   The certificates will be saved to the following files:

   * `/usr/local/share/ca-certificates/Yandex/RootCA.crt`
   * `/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt`

- macOS (Zsh) {#macos}

   ```bash
   sudo mkdir -p /usr/local/share/ca-certificates/Yandex/ && \
   sudo wget "https://storage.yandexcloud.net/cloud-certs/RootCA.pem" \
        --output-document /usr/local/share/ca-certificates/Yandex/RootCA.crt && \
   sudo wget "https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem" \
        --output-document /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
   sudo chmod 644 \
        /usr/local/share/ca-certificates/Yandex/RootCA.crt \
        /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt && \
   security import /usr/local/share/ca-certificates/Yandex/RootCA.crt -k ~/Library/Keychains/login.keychain; \
   security import /usr/local/share/ca-certificates/Yandex/IntermediateCA.crt -k ~/Library/Keychains/login.keychain
   ```

   The certificates will be saved to the following files:

   * `/usr/local/share/ca-certificates/Yandex/RootCA.crt`
   * `/usr/local/share/ca-certificates/Yandex/IntermediateCA.crt`

- Windows (PowerShell) {#windows}

   1. Download and import the certificates:

      ```powershell
      mkdir -Force $HOME\.yandex; `
      curl.exe https://storage.yandexcloud.net/cloud-certs/RootCA.pem `
        --output $HOME\.yandex\RootCA.crt; `
      curl.exe https://storage.yandexcloud.net/cloud-certs/IntermediateCA.pem `
        --output $HOME\.yandex\IntermediateCA.crt; `
      Import-Certificate `
        -FilePath $HOME\.yandex\RootCA.crt `
        -CertStoreLocation cert:\CurrentUser\Root; `
      Import-Certificate `
        -FilePath $HOME\.yandex\IntermediateCA.crt `
        -CertStoreLocation cert:\CurrentUser\Root
      ```

      Your corporate security policies and antivirus software may block the certificate download. For more information, see [FAQ](../../qa/connection.md#get-ssl-error).

   1. Agree to install the certificates in the <q>Trusted Root Certification Authorities</q> store.

   The certificates will be saved to the following files:

   * `$HOME\.yandex\RootCA.crt`
   * `$HOME\.yandex\IntermediateCA.crt`

{% endlist %}

To use graphical IDEs, [save a certificate](https://storage.yandexcloud.net/cloud-certs/RootCA.pem) to a local folder and specify the path to it in the connection settings.

## What's next {#whats-next}

* [Get the FQDN of the host](fqdn.md) you want to connect to.
* [Connect](clients.md) to the cluster using a browser, graphical IDE, or CLI.
* [Integrate](code-examples.md) the cluster connection into your application code.

## See also {#see-also}

* [ClickHouse® connection FAQ](../../qa/connection.md)

_ClickHouse® is a registered trademark of [ClickHouse, Inc](https://clickhouse.com)._