[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for PostgreSQL](../index.md) > [Concepts](index.md) > Networking in Managed Service for PostgreSQL

# Networking in Managed Service for PostgreSQL


When creating a PostgreSQL cluster, you can:

* Specify a network for the cluster.

* Specify subnets for each host in the cluster.

* Request public access to connect to the cluster from outside Yandex Cloud.

You can create a cluster without specifying any subnets for hosts if the availability zone for each host contains only one subnet of the cluster network.


## Host name and FQDN {#hostname}

Managed Service for PostgreSQL generates a name for each cluster host when it is created. This name will be the host's fully qualified domain name (FQDN). You cannot change the host name and, consequently, FQDN.

To learn how to get a host FQDN, see [this guide](../operations/connect/fqdn.md).


To access a host within a single cloud network, use its FQDN. For more information, see [this Yandex Virtual Private Cloud guide](../../vpc/index.md).

## Public access to a host {#public-access-to-a-host}

Any cluster host can be accessible from outside Yandex Cloud if you requested public access when creating or editing a host.

When deleting a publicly accessible host, the allocated IP address is revoked.

## Security groups {#security-groups}

[Security groups](../../vpc/concepts/security-groups.md) follow the rule that all traffic is denied unless you explicitly allow it. To connect to a cluster, configure security group rules. These rules allow traffic from certain ports, IP addresses, or other security groups. For example, a VM will not be able to connect to a cluster in the following cases:

* The VM is in the `10.128.0.0/16` subnet, whereas the inbound rules only allow `10.133.0.0/24`.
* The VM is in the `10.133.0.0/24` subnet but attempts to access a port not exposed in the security group rules.

For information on how to configure security groups, see [Configuring security groups](../operations/connect/index.md#configuring-security-groups).

{% note tip %}

When connecting to a cluster from the same cloud network it resides in, configure security groups not just for the cluster but also for the host you are connecting from.

{% endnote %}

Features of using security groups:

- Even if the cluster and host share the same security group, you still need rules allowing traffic between them to be able to connect to the cluster from the host. By default, such rules are included in the security group created along with the cloud network. These are the `Self` rules that allow unlimited traffic within the security group.

- Security group settings only determine whether connecting to the cluster is possible. They do not affect cluster features, such as replication, sharding, and backups.

For more information, see [this Virtual Private Cloud article](../../vpc/concepts/security-groups.md).


## Use cases {#examples}

* [Delivering data to Yandex Managed Service for Apache Kafka® using Yandex Data Transfer](../tutorials/cdc-data-transfer.md)
* [Delivering data to Yandex Managed Service for Apache Kafka® using Debezium](../tutorials/cdc-debezium.md)
* [Migrating a database from Managed Service for PostgreSQL](../tutorials/outbound-replication.md)