# Pre-configuring a OpenSearch cluster connection


You can connect to Managed Service for OpenSearch cluster hosts with the `DATA` [role](../../concepts/host-roles.md#data):

* Over the internet, if you configured public access to the host group you need.

* Over the internet using a [special FQDN](fqdn.md#special-fqdns) if you configured public access to the host group with the `DASHBOARDS` [role](../../concepts/host-roles.md#dashboards).

* From Yandex Cloud VMs residing in the same [virtual network](../../../vpc/concepts/network.md).


Regardless of the connection method, Managed Service for OpenSearch only supports cluster host connections with an [SSL certificate](#ssl-certificate).


## Configuring security groups {#security-groups}

## Configuring security groups {#configuring-security-groups}

To connect to a cluster, [security groups](../../../vpc/concepts/security-groups.md) must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Settings of access policies depend on the connection method you select:

{% list tabs group=connection_method %}

- Over the internet {#internet}

   [Configure all the cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 443 (`Dashboards`) and 9200 (OpenSearch) from any IP address. To do this, create the following rules for incoming traffic:

   * **Port range**: `443` and `9200`
   * **Protocol**: `TCP`
   * **Source**: `CIDR`
   * **CIDR blocks**: `0.0.0.0/0`

   Create a separate rule for each port.

- From a Yandex Cloud VM {#cloud}

   1. [Configure all the cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 443 (`Dashboards`) and 9200 (OpenSearch) from your VM’s security group. To do this, create the following rules for incoming traffic in these security groups:

      * **Port range**: `443` and `9200`
      * **Protocol**: `TCP`
      * **Source**: `Security group`
      * **Security group**: If your cluster and VM share the same security group, select `Current` (`Self`). Otherwise, specify the VM security group.

      Create a separate rule for each port.

   1. [Configure all the security groups](../../../vpc/operations/security-group-add-rule.md) assigned to your VM to allow connections to the VM and traffic between the VM and cluster hosts.

      For example, you can set the following rules for your VM:

      * For incoming traffic:

         * **Port range**: `22`, `443`, `9200`
         * **Protocol**: `TCP`
         * **Source**: `CIDR`
         * **CIDR blocks**: `0.0.0.0/0`

         Create a separate rule for each port.

      * For outgoing traffic:

         * **Port range**: `0-65535`
         * **Protocol**: `Any` (`Any`)
         * **Destination name**: `CIDR`
         * **CIDR blocks**: `0.0.0.0/0`

         This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for connection.

{% endlist %}

{% note info %}

You can specify more granular rules for your security groups, e.g., to allow traffic only in specific subnets.

Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

{% endnote %}

For more information about security groups, see [Security groups](../../concepts/network.md#security-groups).


## Getting an SSL certificate {#ssl-certificate}

To use an encrypted connection, get an SSL certificate:

{% list tabs group=operating_system %}

- Linux (Bash)/macOS (Zsh) {#linux-macos}

   ```bash
   mkdir -p ~/.opensearch && \
   wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
        --output-document ~/.opensearch/root.crt && \
   chmod 0600 ~/.opensearch/root.crt
   ```

   The certificate will be saved to the `~/.opensearch/root.crt` file.

- Windows (PowerShell) {#windows}

   ```powershell
   mkdir $HOME\.opensearch; curl.exe -o $HOME\.opensearch\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
   ```

   The certificate will be saved to the `$HOME\.opensearch\root.crt` file.

   Your corporate security policies and antivirus software may block the certificate download. For more information, see [FAQ](../../qa/index.md#get-ssl-error).

{% endlist %}

## What's next {#whats-next}

* [Get the FQDN of the host](fqdn.md) you want to connect to.
* [Connect](clients.md) to the cluster from a Docker container.
* [Integrate](code-examples.md) the cluster connection into your application code.
* [Configure SAML authentication](../saml-authentication.md).