Connecting to Scylla

Connection types

To ensure Scylla connections are secure, there are a number of ways to access the database; specifcally, SSL and SSH portals. The SSL portals are ideal for general use and use Let's Encrypt backed certificates for validation where needed. Most applications and the cqlsh command will use the SSL portals. The SSH portal comes into use for administration tools such as nodetool.

Tool Guides

If you wish to use a particular tool, you can go directly to its dedicated page:

Language Guides

If you want to use a particular language, you can go directly to its dedicated page:

Connection Overview and Credentials

In the Compose Console for a Scylla deployment, on the Overview page, you will find the Connection Info pane. This includes all the known formulations of connection information that a user may need.


At the top is the Credentials control. This holds the password for the "scylla" user for the database. Clicking Show will reveal the password and also insert it into all the following connection information.

Connection String

The Connection Strings panel contains three HTTPS endpoints – the Compose portals – to which applications can connect. Each endpoint has a one to one mapping to a Scylla node. This information can be used to connect a simple application to one of the Scylla nodes which will then transparently interact with the other nodes. For applications which need to discover and connect to all the Scylla nodes, see the Address Translation Map below.

Cqlsh Command Line

The Cqlsh Command Line panel contains three cqlsh commands, each of which connect to the three Compose portals. Full details on obtaining cqlsh and configuring it are available in Scylla and cqlsh.

The displayed command include required flags (--ssl and --cqlversion). If the command is preceded by setting the environment variable SSL_VALIDATE=false, then no further configuration is needed.

Address Translation Map

When an application requires high-availability from the Scylla cluster, it can auto-discover the nodes in the cluster so it can maintain a connection with all of them. But, where the cluster is behind a portal, firewall or some other IP address obscuring mechanism, that autodiscovery can have problems. This is where the Address Translation Map comes in. It has the details on how to convert from an "internal" address to an "external" address. Consult the Address Translation Maps section for examples of how applications can consume these maps.

Socks Proxy Configuration

While most commands and applications that work with Scylla are happy enough to use the SSL connections, some need a more tunneled approach as they don't know about encryption. One of these commands is nodetool, used for administering Scylla clusters. For commands like that, the SSH Portal is configured by default. The Socks Proxy Configuration is a command that you can then run locally or on a trusted host to create a connection through the SSH portal. The command must be run from a user who is registered, with their public SSH key, in the Users view.

Nodetool Administration

With the Socks Proxy configured, it is then possible to run nodetool. In the Nodetool Administration panel, there are three nodetool commands which are configured so they will use the previously mentioned Socks Proxy to connect to Scylla. nodetool can connect to any node, so each command reflects connecting to a different node. For details on how to obtain and configure nodetool and what the command supports, see Scylla and nodetool.

Still Need Help?

If this article didn't solve things, summon a human and get some help!