# Getting started with Managed Service for OpenSearch

To get started:
1. [Create a cluster](#create-cluster).
1. [Configure security groups](#configure-security-groups).
1. [Connect to the cluster](#connect).
1. [Connect to OpenSearch Dashboards](#dashboards-connect).


## Before you begin {#before-you-begin}

1. Log in to the [management console](https://console.yandex.cloud) or sign up if you do not have an account yet.

1. If you do not have a folder yet, create one:

    1. In the [management console](https://console.yandex.cloud), in the top panel, click ![image](../_assets/console-icons/layout-side-content-left.svg) or ![image](../_assets/console-icons/chevron-down.svg) and select the [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
    1. To the right of the cloud name, click ![image](../_assets/console-icons/ellipsis.svg).
    1. Select ![image](../_assets/console-icons/plus.svg) **Create folder**.
    
       ![create-folder1](../_assets/resource-manager/create-folder-1.png)
    
    1. Give your [folder](../resource-manager/concepts/resources-hierarchy.md#folder) a name. The naming requirements are as follows:
    
        * Length: between 3 and 63 characters.
        * It can only contain lowercase Latin letters, numbers, and hyphens.
        * It must start with a letter and cannot end with a hyphen.
    
    1. Optionally, specify the description for your folder.
    1. Select **Create a default network**. This will create a [network](../vpc/concepts/network.md#network) with subnets in each availability zone. Within this network, you will also have a [default security group](../vpc/concepts/security-groups.md#default-security-group), within which all network traffic will be allowed.
    1. Click **Create**.
    
       ![create-folder2](../_assets/resource-manager/create-folder-2.png)

1. [Assign](../iam/operations/roles/grant.md) the [vpc.user](../vpc/security/index.md#vpc-user) role and the [managed-opensearch.editor role (or higher)](security/index.md#roles-list) to your Yandex Cloud account. These roles allow you to create a cluster.

    To attach a service account to a cluster, e.g., to [use Yandex Object Storage](operations/s3-access.md), your account also needs the [iam.serviceAccounts.user](../iam/security/index.md#iam-serviceAccounts-user) role or higher.

    {% note info %}
    
    If you cannot manage roles, contact your cloud or organization administrator.
    
    {% endnote %}

1. You can connect to an OpenSearch cluster both from inside Yandex Cloud and from the internet:

    * To connect from inside Yandex Cloud, [create a Linux-based VM](../compute/quickstart/quick-create-linux.md) in the same network as the cluster.

    * To connect to a cluster from the internet, [request public access](operations/cluster-create.md) to hosts with the `DATA` [role](concepts/host-roles.md#data) when creating the cluster.

{% note info %}

This guide deals with connecting to the cluster from the internet.

{% endnote %}


## Create a cluster {#create-cluster}

1. In the [management console](https://console.yandex.cloud), select the folder where you want to create a cluster.
1. Navigate to **Managed Service for OpenSearch**.
1. Click **Create cluster**. For more information, see [Creating a cluster](operations/cluster-create.md).
1. Configure the cluster.

    
    To access the OpenSearch Dashboards web interface, request public access. To do this, navigate to **Virtual node group** with the **Dashboards** group type and select **Public access**.

    {% note tip %}
    
    You can use OpenSearch Dashboards even if you cannot get public access to your hosts, e.g., for security reasons. To do this, proxy the connections via the virtual machine in Yandex Compute Cloud that resides in the same [network](../vpc/concepts/network.md#network) as the cluster. For more information, see [Connecting to OpenSearch Dashboards](operations/connect/clients.md#dashboards).
    
    {% endnote %}


1. Click **Create cluster**.
1. Wait until the cluster is ready: its status on the Managed Service for OpenSearch dashboard will switch to **Creating** and then to **Alive**. This may take a while.


## Configure security groups {#configure-security-groups}

To connect to a cluster, [security groups](../vpc/concepts/security-groups.md) must include rules that allow traffic on specific ports from specific IP addresses or from other security groups.

The rule settings depend on the connection method you select:

{% list tabs group=connection_method %}

- Over the internet {#internet}

   [Configure all the cluster security groups](../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 443 (`Dashboards`) and 9200 (OpenSearch) from any IP address. To do this, create the following rules for incoming traffic:

   * **Port range**: `443` and `9200`
   * **Protocol**: `TCP`
   * **Source**: `CIDR`
   * **CIDR blocks**: `0.0.0.0/0`

   Create a separate rule for each port.

- From a Yandex Cloud VM {#cloud}

   1. [Configure all the cluster security groups](../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 443 (`Dashboards`) and 9200 (OpenSearch) from your VM’s security group. To do this, create the following rules for incoming traffic in these security groups:

      * **Port range**: `443` and `9200`
      * **Protocol**: `TCP`
      * **Source**: `Security group`
      * **Security group**: If your cluster and VM share the same security group, select `Current` (`Self`). Otherwise, specify the VM security group.

      Create a separate rule for each port.

   1. [Configure all the security groups](../vpc/operations/security-group-add-rule.md) assigned to your VM to allow connections to the VM and traffic between the VM and cluster hosts.

      For example, you can set the following rules for your VM:

      * For incoming traffic:

         * **Port range**: `22`, `443`, `9200`
         * **Protocol**: `TCP`
         * **Source**: `CIDR`
         * **CIDR blocks**: `0.0.0.0/0`

         Create a separate rule for each port.

      * For outgoing traffic:

         * **Port range**: `0-65535`
         * **Protocol**: `Any`
         * **Destination name**: `CIDR`
         * **CIDR blocks**: `0.0.0.0/0`

         This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for connection.

{% endlist %}

{% note info %}

You can specify more granular rules for your security groups, e.g., to allow traffic only in specific subnets.

Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

{% endnote %}

For more information about security groups, see [Security groups](concepts/network.md#security-groups).


## Connect to the cluster {#connect}

Follow all the steps below on your Linux-based machine.

To connect to your cluster:

1. Install an SSL certificate:

   {% list tabs group=operating_system %}
   
   - Linux (Bash)/macOS (Zsh) {#linux-macos}
   
      ```bash
      mkdir -p ~/.opensearch && \
      wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
           --output-document ~/.opensearch/root.crt && \
      chmod 0600 ~/.opensearch/root.crt
      ```
   
      The certificate will be saved to the `~/.opensearch/root.crt` file.
   
   - Windows (PowerShell) {#windows}
   
      ```powershell
      mkdir $HOME\.opensearch; curl.exe -o $HOME\.opensearch\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
      ```
   
      The certificate will be saved to the `$HOME\.opensearch\root.crt` file.
   
      Your corporate security policies and antivirus software may block the certificate download. For more information, see [FAQ](qa/index.md#get-ssl-error).
   
   {% endlist %}

1. Connect to the cluster using [cURL](https://curl.haxx.se/):

   ```bash
   curl \
       --user admin:<password> \
       --cacert ~/.opensearch/root.crt \
       --request GET 'https://<FQDN_of_OpenSearch_host_with_public_access>:9200/'
   ```

   To connect, enter `admin` for the username and the password you set when [creating the cluster](#create-cluster).

   If the connection is successful, you will see a message like this:

   ```text
   {
     "name" : "....mdb.yandexcloud.net",
     "cluster_name" : "...",
     "cluster_uuid" : "...",
     "version" : {
       "distribution" : "opensearch",
       ...
     },
     "tagline" : "The OpenSearch Project: https://opensearch.org/"
   }
   ```
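
The cURL command above passes the `admin` password as a command-line argument, where it ends up in shell history and is visible in the process list. As an added example (not part of the original guide), the function below writes the same request as a curl config that `curl --config -` reads from stdin; the helper names `curl_quote` and `os_curl_config` and the check that the host ends in `.mdb.yandexcloud.net` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): generate a curl config for the
# request above so the password is never passed as a command-line argument.

# Escape backslash and double quote for a quoted value in a curl config file.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# os_curl_config HOST PASSWORD [CA_FILE]
# Prints the config on stdout; returns 1 if HOST or PASSWORD is unusable.
os_curl_config() {
    oc_host=$1
    oc_pass=$2
    oc_ca=${3:-"$HOME/.opensearch/root.crt"}
    oc_nl='
'
    # Assumption: cluster host FQDNs end in .mdb.yandexcloud.net, as in the
    # sample response above. Anything else (or URL metacharacters) is refused.
    case $oc_host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host name" >&2; return 1 ;;
        ?*.mdb.yandexcloud.net) ;;
        *) echo "host is outside mdb.yandexcloud.net" >&2; return 1 ;;
    esac
    # A config value cannot span lines, so a newline would inject options.
    case $oc_pass in
        ''|*"$oc_nl"*) echo "empty or multi-line password" >&2; return 1 ;;
    esac
    printf 'url = "https://%s:9200/"\n' "$oc_host"
    printf 'user = "admin:%s"\n' "$(curl_quote "$oc_pass")"
    printf 'cacert = "%s"\n' "$(curl_quote "$oc_ca")"
    printf 'proto = "=https"\n'      # refuse any non-HTTPS scheme
    printf 'fail\nsilent\nshow-error\n'
}

# Usage (prompts for the password, then sends the request):
#   read -r -s -p 'admin password: ' OS_PASS; echo
#   os_curl_config '<FQDN_of_OpenSearch_host_with_public_access>' "$OS_PASS" \
#       | curl --config -
```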

## Connect to OpenSearch Dashboards {#dashboards-connect}

1. In your browser, connect to the [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) web interface:

   
   1. Make sure hosts with the `DASHBOARDS` role are publicly accessible.


   1. Install the [SSL certificate](https://storage.yandexcloud.net/cloud-certs/CA.pem) in your browser's store of trusted root certificates (see the instructions for Mozilla Firefox [here](https://wiki.mozilla.org/PSM:Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate)).
   1. On the cluster page in the management console, click **OpenSearch Dashboards** or go to `https://c-<OpenSearch_cluster_ID>.rw.mdb.yandexcloud.net` in your browser.
   1. Enter `admin` for the username and the password you set when [creating the cluster](#create-cluster).

1. Explore a set of sample data:

   1. On the OpenSearch Dashboards welcome screen, click **Add sample data**.
   1. Next, click **View data** for the dataset in question.

Learn more about using OpenSearch Dashboards in [this OpenSearch guide](https://opensearch.org/docs/latest/dashboards/index/).

## What's next {#whats-next}

* Read about the [service concepts](concepts/index.md).
* Learn more about [creating a cluster](operations/cluster-create.md) and [connecting to a cluster](operations/connect/index.md).