Connecting to a DB Instance from a Linux ECS
You can connect to your DB instance using a Linux ECS installed with a PostgreSQL client over a public network.
You can use the PostgreSQL client psql to connect to your DB instance over a Secure Sockets Layer (SSL) connection. SSL encrypts connections to your DB instance, making in-transit data more secure.
SSL is enabled by default when you create an RDS for PostgreSQL DB instance and cannot be disabled after the instance is created.
Enabling SSL reduces the read-only and read/write performance of your instance by about 20%.
You can also access your DB instance through Network Address Translation (NAT). If you have configured both NAT and EIP, the EIP is preferentially used.
Step 1: Buy an ECS
- Log in to the management console and check whether there is an ECS available.
Figure 1 ECS
- Buy an ECS and select Linux (for example, CentOS) as its OS.
To download a PostgreSQL client to the ECS, bind an EIP to the ECS.
For details about how to purchase a Linux ECS, see Purchasing a Custom ECS in Elastic Cloud Server User Guide.
- On the ECS Information page, view the region and VPC of the ECS.
Figure 2 ECS information
- On the Overview page of the RDS for PostgreSQL instance, view the region and VPC of the DB instance.
Figure 3 Overview
Step 2: Test Connectivity and Install the PostgreSQL Client
- Log in to the ECS. For details, see Login Using VNC in the Elastic Cloud Server User Guide.
- On the Instances page of the RDS console, click the DB instance name.
- Choose Connectivity & Security from the navigation pane. In the Connection Information area, obtain the EIP and database port of the DB instance.
- On the ECS, check whether the EIP and database port of the DB instance can be connected.
curl -kv EIP:5432
- If yes, network connectivity is normal.
- If no, check the security group rules.
- If in the security group of the ECS, there is no outbound rule with Destination set to 0.0.0.0/0 and Protocol & Port set to All, add an outbound rule for the EIP and port of the DB instance.
Figure 4 ECS security group
- If in the security group of the DB instance, there is no inbound rule allowing the access from the private IP address and port of the ECS, add an inbound rule for the private IP address and port of the ECS.
- If in the security group of the ECS, there is no outbound rule with Destination set to 0.0.0.0/0 and Protocol & Port set to All, add an outbound rule for the EIP and port of the DB instance.
- Install the PostgreSQL client.
The PostgreSQL community provides client installation methods for different OSs. You can download and install the client using the installation tool of the OS. This installation method is simple but has requirements on the ECS OS. It is only available to the OSs supported by the PostgreSQL community.
In this example, CentOS 7 is used. Use the default installation tool of the OS to install the client (PostgreSQL 15 or earlier).
Figure 5 Obtaining the installation tool
Run the following commands:
sudo yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm sudo yum install -y postgresql15-server
Check whether the installation is successful.
psql -V
Figure 6 Successful installation
- Log in to the ECS. For details, see Login Using VNC in the Elastic Cloud Server User Guide.
- On the Instances page of the RDS console, click the DB instance name.
- Choose Connectivity & Security from the navigation pane. In the Connection Information area, obtain the EIP and database port of the DB instance.
- On the ECS, check whether the EIP and database port of the DB instance can be connected.
curl -kv EIP:5432
- If yes, network connectivity is normal.
- If no, check the security group rules.
- If in the security group of the ECS, there is no outbound rule with Destination set to 0.0.0.0/0 and Protocol & Port set to All, add an outbound rule for the EIP and port of the DB instance.
Figure 7 ECS security group
- If in the security group of the DB instance, there is no inbound rule allowing the access from the private IP address and port of the ECS, add an inbound rule for the private IP address and port of the ECS.
- If in the security group of the ECS, there is no outbound rule with Destination set to 0.0.0.0/0 and Protocol & Port set to All, add an outbound rule for the EIP and port of the DB instance.
- Install the PostgreSQL client.
Installation from source code: This installation method has no restrictions on the RDS PostgreSQL instance version and ECS OS.
The following uses an ECS using the Huawei Cloud EulerOS 2.0 image as an example to describe how to install a PostgreSQL 16.4 client.
Figure 8 Checking the ECS image
- To use SSL connection, download OpenSSL on the ECS in advance.
sudo yum install -y openssl-devel
- Obtain the code download link, run wget to download the installation package to the ECS, or download the installation package to the local PC and upload it to the ECS.
wget https://ftp.postgresql.org/pub/source/v16.4/postgresql-16.4.tar.gz
- Decompress the installation package.
tar xf postgresql-16.4.tar.gz
- Compile and install the client.
cd postgresql-16.4 ./configure --without-icu --without-readline --without-zlib --with-openssl make -j 8 && make install
If --prefix is not specified, the default path is /usr/local/pgsql. The client can be installed in the simplest way.
Figure 9 Compilation and installation
- Add the following code to the /etc/profile file to configure environment variables:
export PATH=/usr/local/pgsql/bin:$PATH export LD_LIBRARY_PATH=/usr/local/pgsql/lib:$LD_LIBRARY_PATH source /etc/profile
- Test whether the psql is available.
psql -V
Figure 10 Testing psql
- To use SSL connection, download OpenSSL on the ECS in advance.
Step 3: Connect to the DB Instance Using Commands (SSL Connection)
- On the Instances page, click the DB instance name.
- In the navigation pane, choose Connectivity & Security.
- In the Connection Information area, click
next to the SSL field to download Certificate Download.zip, and extract the root certificate ca.pem and bundle ca-bundle.pem from the package.
Figure 11 Downloading a certificate
- Upload ca.pem to the ECS.
- TLS v1.2 or later is recommended. Versions earlier than TLS v1.2 have security risks.
- The recommended protocol algorithm is EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:EDH+aDSS+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!SRP:!RC4. Using other options have security risks.
- ca-bundle.pem contains both the new certificate provided as of April 2017 and the old certificate.
- Both ca.pem and ca-bundle.pem can be used for SSL connections because ca-bundle.pem contains ca.pem.
- Run the following command on the ECS to connect to the DB instance:
psql --no-readline -h <host> -p <port> "dbname=<database> user=<user> sslmode=verify-ca sslrootcert=<ca-file-directory>"
Example:
psql --no-readline -h 192.168.0.44 -p 5432 "dbname=postgres user=root sslmode=verify-ca sslrootcert=/root/ca.pem"
Table 1 Parameter description Parameter
Description
<host>
EIP obtained in 3.
<port>
Database port obtained in 3. The default value is 5432.
<database>
Name of the database to be connected. The default database name is postgres.
<user>
Administrator account root.
<ca-file-directory>
Directory of the CA certificate used for the SSL connection. This certificate should be stored in the directory where the command is executed.
sslmode
SSL connection mode. Set it to verify-ca to use a CA to check whether the service is trusted.
- Enter the password of the database account as prompted.
Password:
If the following information is displayed, the connection is successful.SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Follow-up Operations
After logging in to the DB instance, you can create or migrate databases.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
