[Yandex Cloud documentation](../../../index.md) > [Yandex Managed Service for PostgreSQL](../../index.md) > [Step-by-step guides](../index.md) > Connection > Pre-configuration

# Pre-configuring a PostgreSQL cluster connection

You can connect to Managed Service for PostgreSQL cluster hosts:

* Via the internet, if you [configured](../hosts.md#update) public access for the host. You can connect over the internet in the following ways:
  * Use an SSL connection.
  * Use IAM authentication.

* From Yandex Cloud virtual machines located in the same [cloud network](../../../vpc/concepts/network.md). For hosts without public access, SSL is not required to connect to them from these virtual machines.

* From the [Serverless Containers](../../../serverless-containers/concepts/index.md) container. For hosts without public access, the container must reside in the same cloud network.


{% note warning %}

If only some cluster hosts have public access, an [automatic master failover](../../concepts/replication.md#replication-auto) can make the master host unreachable from the internet.

{% endnote %}

## Configuring security groups {#configuring-security-groups}

To connect to a cluster, [security groups](../../../vpc/concepts/security-groups.md) must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Rule settings depend on the chosen connection method:

{% list tabs group=connection_method %}

- Over the internet {#internet}

  [Configure all cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on port 6432 from any IP address. To do this, create the following inbound rule:

  * **Port range**: `6432`.
  * **Protocol**: `TCP`.
  * **Source**: `CIDR`.
  * **CIDR blocks**: `0.0.0.0/0`.

- From a Yandex Cloud VM {#cloud}

  1. [Configure all cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on port 6432 from the target VM’s security group. To do this, create the following ingress rule in these groups:

     * **Port range**: `6432`.
     * **Protocol**: `TCP`.
     * **Source**: `Security group`.
     * **Security group**: If your cluster and VM share the same security group, select `Current`. Otherwise, specify the VM security group.

  1. [Configure the VM’s security group](../../../vpc/operations/security-group-add-rule.md) to enable connections to the VM and traffic between the VM and the cluster hosts.

     VM rule examples:

     * For incoming traffic:
       * **Port range**: `22`.
       * **Protocol**: `TCP`.
       * **Source**: `CIDR`.
       * **CIDR blocks**: `0.0.0.0/0`.

       This rule allows inbound VM [connections](../../../compute/operations/vm-connect/ssh.md#vm-connect) over SSH.

     * For outgoing traffic:
        * **Port range**: `0-65535`.
        * **Protocol**: `Any`.
        * **Destination name**: `CIDR`.
        * **CIDR blocks**: `0.0.0.0/0`.

       This rule permits all outbound traffic, allowing you to install any necessary certificates and tools on your VM.

{% endlist %}

{% note info %}

You can specify more granular security group rules, such as allowing traffic only in specific subnets.

Make sure to properly configure security groups for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster if a [manual](../hosts.md#update) or [automatic](../../concepts/replication.md#replication-auto) master failover occurs.

{% endnote %}

For more information about security groups, see [Security groups](../../concepts/network.md#security-groups).


## Obtaining an SSL certificate {#get-ssl-cert}

Publicly accessible PostgreSQL hosts support only encrypted connections. To use them, get an SSL certificate:

{% list tabs group=operating_system %}

- Linux (Bash)/macOS (Zsh) {#linux-macos}

   ```bash
   mkdir -p ~/.postgresql && \
   wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
        --output-document ~/.postgresql/root.crt && \
   chmod 0655 ~/.postgresql/root.crt
   ```

   The certificate will be saved to the `~/.postgresql/root.crt` file.

- Windows (PowerShell) {#windows}

   ```powershell
   mkdir $HOME\.postgresql; curl.exe -o $HOME\.postgresql\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
   ```

   The certificate will be saved to the `$HOME\.postgresql\root.crt` file.
   
   Your corporate security policies and antivirus software may block the certificate download. For more information, see [FAQ](../../qa/connection.md#get-ssl-error).

{% endlist %}

To use graphical IDEs, [save a certificate](https://storage.yandexcloud.net/cloud-certs/RootCA.pem) to a local folder and specify the path to it in the connection settings.

## What's next {#whats-next}

* [Get the FQDN of the host](fqdn.md) you want to connect to.
* [Connect](clients.md) to the cluster using the command-line tools, graphical IDEs, Yandex WebSQL, pgAdmin 4, Looker Studio, and a Docker container.
* [Integrate](code-examples.md) the cluster connection into your application code.