Configuring NAT routing from the management console

Written by Yandex Cloud
Improved by Danila N.
Updated at May 7, 2025

To configure NAT routing from the Yandex Cloud management console:

  1. Get your cloud ready.
  2. Create a security group.
  3. Create a test VM.
  4. Create a NAT instance.
  5. Set up static routing in the cloud network.
  6. Test the NAT instance.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of NAT instance support includes:

  • Fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).

Set up the infrastructure

  1. Create a cloud network, e.g., my-vpc.

  2. In the cloud network, create subnets, e.g.:

    • public-subnet to host the NAT instance.
    • private-subnet to host your test VM.

Create a security group

Security groups include rules that allow your VMs to be accessed via SSH. In this tutorial, you will create a security group named nat-instance-sg.

To create a security group:

  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group:

    1. Click Create security group.

    2. In the Name field, specify the name: nat-instance-sg.

    3. In the Network field, select my-vpc.

    4. Under Rules, create the following rules using the steps below:

      Traffic direction  Description  Port range  Protocol  Destination name / Source  CIDR blocks
      Outbound           any          All         Any       CIDR                       0.0.0.0/0
      Inbound            ssh          22          TCP       CIDR                       0.0.0.0/0
      Inbound            ext-http     80          TCP       CIDR                       0.0.0.0/0
      Inbound            ext-https    443         TCP       CIDR                       0.0.0.0/0

    5. Select the Egress or Ingress tab to create an outbound or inbound rule, respectively.

    6. Click Add.

    7. In the Port range field of the window that opens, specify a single port or a range of ports that will be open for traffic. To open all ports, click Select entire range.

    8. In the Protocol field, specify the appropriate protocol or keep Any to allow traffic transmission over any protocol.

    9. In the Destination name or Source field, select CIDR. This way, the rule will apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.

    10. Click Save. Repeat the steps to create all the rules from the table.

    11. Click Save.

Create a test VM

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select an image and a Linux-based OS version.

  6. Under Location, select the availability zone where the private-subnet subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the test VM, e.g., private-subnet.
    • In the Public IP address field, select No address.
    • In the Security groups field, select the nat-instance-sg security group you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.
  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify a username, e.g., yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: test-vm.

  10. Click Create VM.

Save the username, private SSH key, and internal IP address for the test VM.

Create a NAT instance

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, go to the Marketplace tab and select the NAT instance image.

  6. Under Location, select the availability zone where public-subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the NAT instance, e.g., public-subnet.
    • In the Public IP address field, select Auto.
    • In the Security groups field, select the nat-instance-sg security group you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.
  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify a username, e.g., yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: nat-instance.

  10. Click Create VM.

Save the username, private SSH key, and internal and public IP addresses for the NAT instance.

Set up static routing

Note

When creating a NAT instance, only one network interface is configured automatically. You can enable other interfaces manually. Assign an IP address to each new interface and specify a route for it in a route table. In each subnet, the first IP address will be the correct gateway. For example, for the 192.168.0.128/25 subnet, the first subnet address will be 192.168.0.129.

  1. Create a route table and add a static route to it:

    1. In the management console, select a folder where you want to create a static route.

    2. In the list of services, select Virtual Private Cloud.

    3. In the left-hand panel, select Routing tables.

    4. Click Create.

    5. In the Name field, enter a name for the route table, e.g., nat-instance-route. The naming requirements are as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    6. In the Network field, select a network, e.g., my-vpc.

    7. Under Static routes, click Add.

    8. In the window that opens, enter 0.0.0.0/0 in the Destination prefix field.

    9. In the Next hop field, select IP address.

    10. In the IP address field, specify the internal IP address of the NAT instance. Click Add.

    11. Click Create routing table.

  2. Associate the route table with the subnet where the test VM is located, e.g., private-subnet:

    1. In the left-hand panel, select Subnets.
    2. Click in the row of the subnet with the test VM and select Link routing table.
    3. In the window that opens, select the nat-instance-route table in the Link routing table field and click Link.

You can also use the created route for other subnets in the same network, except for the subnet where the NAT instance is located.

Warning

Do not associate the route table with the subnet where the NAT instance is located. Otherwise, route loops will occur, where the NAT instance will direct packets to itself rather than to the local network.
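
The gateway rule from the note and the route-loop condition from the warning can be checked before any table is linked. The script below is an added example, not part of the Yandex Cloud documentation; the subnet CIDRs and the NAT instance internal address in it are constructed sample values.

```sh
#!/bin/sh
# Added example: pre-check which subnets a NAT route table may be linked to.
# All addresses used here are constructed sample values.

# ip_to_int A.B.C.D -> the address as an integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# net_base CIDR -> integer value of the subnet's network address
net_base() {
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    echo $(( $(ip_to_int "${1%/*}") & $mask ))
}

# subnet_gateway CIDR -> first address in the subnet (the gateway, per the note)
subnet_gateway() {
    n=$(( $(net_base "$1") + 1 ))
    echo "$(( ($n >> 24) & 255 )).$(( ($n >> 16) & 255 )).$(( ($n >> 8) & 255 )).$(( $n & 255 ))"
}

# cidr_contains CIDR IP -> status 0 if IP lies inside CIDR
cidr_contains() {
    [ "$(net_base "$1")" -eq "$(net_base "$2/${1#*/}")" ]
}

# check_route_links NAT_INTERNAL_IP SUBNET_CIDR... -> status 1 if any link would loop
check_route_links() {
    nat_ip=$1; shift
    rc=0
    for subnet in "$@"; do
        if cidr_contains "$subnet" "$nat_ip"; then
            echo "LOOP $subnet holds next hop $nat_ip: do not link the route table"
            rc=1
        else
            echo "ok   $subnet: 0.0.0.0/0 via $nat_ip, gateway $(subnet_gateway "$subnet")"
        fi
    done
    return $rc
}

# Sample plan: NAT instance at 192.168.0.10 in public-subnet 192.168.0.0/25,
# test VM in private-subnet 192.168.0.128/25.
check_route_links 192.168.0.10 192.168.0.128/25
check_route_links 192.168.0.10 192.168.0.128/25 192.168.0.0/25 || echo "plan rejected"
```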

Test the NAT instance

  1. Connect to the VM via a private IP address, using the NAT instance as a jump host:

    ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \
      <VM_user_name>@<VM_internal_IP_address>
    

    You can also connect to the test VM using the standard input/output redirection (-W flag) to forward the connection through a NAT instance:

    ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \
      -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>
    

    Use this command for connection in the following cases:

    • Your VM is running an OpenSSH version below 7.3.
    • Your SSH keys are stored outside the default directory or have non-standard names.
  2. Type yes to connect to the NAT instance and re-enter yes to connect to the test VM.

    Note

    When you type yes, the command may not be displayed in the terminal, but it will run anyway.

  3. Make sure the test VM is connected to the internet via the public IP address of the NAT instance. Run this command:

    curl ifconfig.co
    

    If it returns the public IP address of the NAT instance, the configuration is correct.
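
The check in step 3 can be run from your workstation in one pass, with the outcome classified instead of read by eye. This script is an added example, not part of the Yandex Cloud documentation; the function names and the three positional arguments are assumptions of the example.

```sh
#!/bin/sh
# Added example: confirm that the test VM leaves the cloud through the NAT instance.
# Usage: ./check-egress.sh <NAT_user>@<NAT_public_IP> <VM_user>@<VM_internal_IP> <NAT_public_IP>

# is_ipv4 STRING -> status 0 if STRING is a dotted quad with octets 0-255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# classify_egress EXPECTED_IP OBSERVED_OUTPUT -> prints ok | no-egress | unexpected | mismatch
classify_egress() {
    observed=$(printf '%s' "$2" | tr -d '[:space:]')
    if [ -z "$observed" ]; then
        echo "no-egress"    # nothing came back, e.g. route table not linked to the VM's subnet
    elif ! is_ipv4 "$observed"; then
        echo "unexpected"   # the reply is not an address (error page or similar)
    elif [ "$observed" = "$1" ]; then
        echo "ok"           # traffic leaves through the NAT instance
    else
        echo "mismatch"     # traffic leaves through some other public address
    fi
}

# Runs only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    # Same jump-host connection as in step 1, running the curl command from step 3.
    out=$(ssh -o ConnectTimeout=10 -J "$1" "$2" 'curl -4 -s --max-time 10 ifconfig.co') || out=""
    result=$(classify_egress "$3" "$out")
    echo "egress check: $result (expected $3, got '$out')"
    [ "$result" = "ok" ]
fi
```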

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the test VM and NAT instance.
  2. Delete the security group.
  3. Delete the static public IP address if you reserved one.

See also

  • NAT instance routing with Terraform
