Private connection
A private connection is a logical link to your cloud network, set up within a trunk. You can have multiple private connections to different cloud networks in a single trunk.
Warning
However, you cannot set up multiple private connections to a single cloud network at the same point of presence. For redundancy purposes, you can set up multiple private connections per cloud network in different points of presence.
A private connection is set up inside a trunk and has its own unique VLAN-ID.
The maximum IP MTU for a private connection is 8,910 bytes. Yandex Cloud equipment does not support changing the IP MTU.
Point-to-point subnet
To set up a private connection, you need a point-to-point subnet. It is used to configure IP connectivity between the Yandex Cloud equipment and the customer or telecom provider equipment.
A point-to-point subnet can be either /30 or /31 in size. You cannot use subnets of other sizes.
You can use the following IP address ranges in your point-to-point subnet:
- 10.0.0.0/8 (RFC 1918)
- 172.16.0.0/12 (RFC 1918)
- 192.168.0.0/16 (RFC 1918)
- 169.254.0.0/16 (IPv4 link-local, RFC 3927)
IP addressing in other ranges is not allowed.
Note
When setting up a private connection, you can only use IPv4 addresses.
Currently, you cannot use IPv6 addresses.
BGP connectivity
BGP connectivity is configured within each private or public connection between the client equipment and Yandex Cloud equipment at the point of presence for exchanging subnet (prefix) data. After exchanging this routing data, the sides can distribute IPv4 traffic across the subnets they communicated to each other.
Warning
On the Yandex Cloud equipment side, there is a limit on the number of prefixes received from the client router over BGP.
Once this limit is exceeded, the BGP session will be terminated for 30 minutes.
To maintain continuous BGP connectivity, we recommend setting up policies for routing information aggregation on the client router that will keep the number of prefixes announced over BGP towards the Yandex Cloud equipment at a reasonable and required level.
BGP ASN
To set up BGP connectivity, each side must specify the BGP autonomous system number (ASN) in ASPlain format. The BGP ASN value for Yandex Cloud is fixed at 200350.
On client equipment, you can use a public BGP ASN (if you have one) or any private ASN from the ranges reserved by RFC 6996:
- 64512 – 65534: for two-byte BGP ASNs.
- 4200000000 – 4294967294: for four-byte BGP ASNs.
On client equipment, you cannot use the ASNs reserved for documentation by RFC 5398:
- 64496 – 64511: for two-byte BGP ASNs.
- 65536 – 65551: for four-byte BGP ASNs.
On client equipment, you also cannot include any BGP ASN from the RFC 5398 ranges above in the BGP AS_PATH attribute.
Warning
On the Yandex Cloud side, the 4-byte BGP ASN 200350 is used. Equipment from many vendors still treats 2-byte BGP ASNs as the default and most common option, so when setting up BGP connectivity on the client router, make sure that 4-byte BGP ASN support (RFC 6793) is explicitly enabled in its configuration.
When setting up BGP interaction on the client router for public connections that use public IPv4 addresses owned by the client, make sure to specify the client's public BGP ASN.
BGP authentication (optional)
To increase the security of a BGP session, you can use BGP authentication based on a BGP MD5 password (the TCP MD5 signature option, RFC 2385). If you enable this feature, use a string of more than 20 characters as the password, which may include Latin letters, digits, and special characters. Keep in mind that TCP MD5 only authenticates the TCP segments of the session against spoofed packets and injected resets; it does not encrypt the routing data exchanged, and the password itself must be handled as a shared secret on both sides.
BFD protocol
If a client cannot connect their router directly to the Yandex Cloud equipment, they can use intermediate network devices (switches). For fast fault detection across the intermediate network devices, use the BFD protocol.
The BFD protocol is always enabled on the Yandex Cloud equipment side and has the following parameter values:
- timer: 300 ms
- multiplier: 3
These values are fixed and cannot be changed manually.
The client can configure the timer value on their equipment as needed. When establishing a BFD session, these parameters will be negotiated over BFD between the client and Yandex Cloud equipment.
We do not recommend setting multiplier to anything other than 3, as this may cause BFD performance issues.
BGP timers
Below you can see the values (in seconds) of the timers configured on the Yandex Cloud equipment by default:
- minimum-hold-time = 90
Using values below the specified ones on the client equipment side will cause issues with establishing a BGP adjacency.
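The following is an added example, not Yandex Cloud code: a pre-flight checker that encodes the constraints stated in the point-to-point subnet, BGP ASN, BGP authentication, BFD and BGP timer sections above, so a planned connection can be validated before the parameters reach the router configuration or a support ticket. The function and field names are this example's own; the sample requests at the bottom are constructed, and the "printable ASCII, no spaces" reading of "special characters" for the MD5 password is this example's conservative assumption.

```python
"""Pre-flight checks for a Cloud Interconnect private connection.

Added example, not Yandex Cloud code.  Encodes the constraints stated on the
page: point-to-point subnet size and ranges, client ASN rules, AS_PATH
contents, BGP MD5 password length, BGP hold time, BFD multiplier and IP MTU.
Function and field names are this example's own.
"""
import ipaddress
import re

YC_ASN = 200350          # fixed Yandex Cloud ASN
YC_MIN_HOLD_TIME = 90    # seconds, minimum-hold-time on the Yandex Cloud side
YC_BFD_MULTIPLIER = 3    # fixed on the Yandex Cloud side; recommended on the client side
MAX_IP_MTU = 8910        # maximum IP MTU for a private connection

# Ranges a point-to-point subnet may be taken from
P2P_ALLOWED = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))   # RFC 6996, allowed
DOC_ASN = ((64496, 64511), (65536, 65551))                  # RFC 5398, forbidden


def _in_ranges(asn, ranges):
    return any(lo <= asn <= hi for lo, hi in ranges)


def check_p2p_subnet(cidr):
    """Return a list of problems with the point-to-point subnet (empty = OK)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # host bits set -> ValueError
    except ValueError as exc:
        return [f"p2p subnet {cidr!r}: {exc}"]
    if net.version != 4:
        return [f"p2p subnet {net}: only IPv4 is supported"]
    problems = []
    if net.prefixlen not in (30, 31):
        problems.append(f"p2p subnet {net}: size must be /30 or /31")
    if not any(net.subnet_of(allowed) for allowed in P2P_ALLOWED):
        problems.append(f"p2p subnet {net}: not within 10/8, 172.16/12, 192.168/16 or 169.254/16")
    return problems


def check_asn(asn, as_path=()):
    """Client ASN must be public or RFC 6996 private; RFC 5398 documentation
    ASNs are banned both as the local ASN and anywhere in the AS_PATH."""
    problems = []
    if not 1 <= asn <= 4294967294:
        problems.append(f"ASN {asn}: not a usable ASN value")
    elif _in_ranges(asn, DOC_ASN):
        problems.append(f"ASN {asn}: reserved for documentation (RFC 5398)")
    for hop in as_path:
        if _in_ranges(hop, DOC_ASN):
            problems.append(f"AS_PATH contains documentation ASN {hop} (RFC 5398)")
    return problems


def check_md5_password(password):
    """Authentication is optional; if used, more than 20 characters.
    Restricting to printable ASCII without spaces is this example's assumption."""
    if password is None:
        return []
    if not re.fullmatch(r"[\x21-\x7e]{21,}", password):
        return ["BGP MD5 password: use more than 20 printable ASCII characters (no spaces)"]
    return []


def check_session_params(hold_time, bfd_multiplier, ip_mtu):
    problems = []
    if hold_time < YC_MIN_HOLD_TIME:
        problems.append(f"BGP hold time {hold_time}s is below the Yandex Cloud minimum of {YC_MIN_HOLD_TIME}s")
    if bfd_multiplier != YC_BFD_MULTIPLIER:
        problems.append(f"BFD multiplier {bfd_multiplier}: the recommended value is {YC_BFD_MULTIPLIER}")
    if ip_mtu > MAX_IP_MTU:
        problems.append(f"IP MTU {ip_mtu} exceeds the maximum of {MAX_IP_MTU}")
    return problems


def validate(conn):
    """conn describes the planned connection; returns every problem found."""
    return (check_p2p_subnet(conn["p2p_subnet"])
            + check_asn(conn["client_asn"], conn.get("as_path", ()))
            + check_md5_password(conn.get("md5_password"))
            + check_session_params(conn.get("hold_time", 90),
                                   conn.get("bfd_multiplier", 3),
                                   conn.get("ip_mtu", 1500)))


# Constructed sample requests (not real connections)
GOOD = {"p2p_subnet": "169.254.10.0/31", "client_asn": 65001,
        "md5_password": "k9$Vx!2pQz7#Lm4wRt8&Yb", "hold_time": 90,
        "bfd_multiplier": 3, "ip_mtu": 8910}
BAD = {"p2p_subnet": "192.0.2.0/29", "client_asn": 64500,
       "as_path": (64500, 65540), "md5_password": "short", "hold_time": 30,
       "bfd_multiplier": 5, "ip_mtu": 9000}

if __name__ == "__main__":
    for name, conn in (("good", GOOD), ("bad", BAD)):
        print(name, validate(conn) or "OK")
```

Run it as a script to see the two sample requests evaluated; GOOD passes cleanly, while BAD trips every check (wrong subnet size and range, a documentation ASN both locally and in the AS_PATH, a short password, a hold time below 90 s, a non-default BFD multiplier and an MTU above 8910).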
Private connection topologies
The following options for setting up private connections are supported:
- Private connection through a direct customer connection.
- Private connection through a telecom provider connection (L2 transit).
- Private connection through a telecom provider connection (L3VPN).
Private connection through a direct customer connection
This scenario implies setting up L3 and BGP connectivity between the customer equipment at the point of presence and the Yandex Cloud equipment. In this case, the following applies:
- You independently provide L3 connectivity between your equipment in your data center and your equipment at the point of presence.
- Your equipment at the point of presence establishes BGP peering with the Yandex Cloud equipment.
- All BGP route announcements from your equipment at the point of presence enter all Yandex Cloud availability zones.
Private connection through a telecom provider connection (L2 transit)
This scenario assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. In this case, the following applies:
- The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
- Your equipment in your data center establishes L3 connectivity and BGP peering with the Yandex Cloud equipment at the point of presence.
- All BGP route announcements from your equipment in your data center enter all Yandex Cloud availability zones.
Private connection through a telecom provider connection (L3VPN)
This scenario also assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. In this scenario you cannot establish BGP peering with the Yandex Cloud equipment yourself; the telecom provider does it on your behalf. In this case, the following applies:
- The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
- The telecom provider equipment establishes L3 connectivity and BGP peering with the Yandex Cloud equipment at the point of presence. This connection integrates into the customer L3VPN, which ensures direct connectivity between your equipment in your data center and Yandex Cloud.
- All BGP route announcements from the telecom provider equipment at the point of presence enter all Yandex Cloud availability zones.
- While providing L3VPN, the telecom provider can use both static and dynamic routing protocols.
Cloud subnet announcements and communication with VPC
To connect one or more cloud subnets to a private connection, you need to know the following:
- ID of the virtual network (vpc_net_id) to connect to the trunk.
- List of announced IPv4 prefixes of virtual network subnets, distributed by availability zones. Typically, prefixes refer to the subnets configured in your cloud. In this case, the announced prefixes and the actual subnet address ranges match.
Note
Please keep in mind that the first IP address (default gateway) and the second IP address (default DNS server) in each subnet will not be available outside the cloud, regardless of the subnet announcement. Network traffic to these IP addresses can only be delivered from within a Yandex Cloud VM.
New subnets created in the virtual network after the initial setup will not be automatically announced to the Cloud Interconnect private connection.
To add a new subnet to an existing private connection, file a request to support.
Warning
When using Yandex Cloud load balancers, specifically:
- Network Load Balancer (NLB)
- Application Load Balancer (ALB)
LB listener addresses are announced as /32 IPv4 prefixes.
This enables you to use load balancers to distribute traffic coming from your infrastructure via Cloud Interconnect across cloud resources in different Yandex Cloud availability zones.
Your equipment announces IPv4 prefixes from your infrastructure over BGP towards the Yandex Cloud equipment. You can use the following types of prefixes in the announcements:
- Private IP subnets from RFC 1918.
- Default route: 0.0.0.0/0.
- Public IP subnets.
Yandex Cloud equipment uses route redistribution to send these prefixes to VPC subnets.
Once the Yandex Cloud equipment receives customer prefixes, they become available to all VMs and internal load balancers within the VPC subnets.
No changes to the VM route tables are required to ensure IP connectivity between cloud resources and your infrastructure resources.
Aggregated prefixes (aggregates)
To automatically announce new subnets to Cloud Interconnect, you can use aggregated subnet prefixes (aggregates). This way, you only need to set up prefix announcements once, and then you can add new subnets to your VPC without needing to contact support.
For example, when setting up a private connection, you can specify an announcement of the following aggregated IPv4 prefixes:
- ru-central1-a: 10.128.0.0/16
- ru-central1-b: 10.130.0.0/16
- ru-central1-d: 10.140.0.0/16
If you later create a subnet with the 10.128.15.0/24 prefix in this network in the ru-central1-a availability zone, it will automatically be available via Cloud Interconnect because the 10.128.15.0/24 subnet belongs to the already announced 10.128.0.0/16 address space.
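The following is an added example, not Yandex Cloud code, serving two passages on this page: the recommendation in the BGP connectivity section to aggregate the prefixes the client router announces so the count stays under the prefix limit (the limit value is not given on the page, so it is a parameter here), and the per-zone aggregate check described in this section for deciding whether a newly created VPC subnet is already reachable or still needs a support request. Zone names and aggregates follow the page's example; the on-premises prefixes are constructed. Requiring the covering aggregate to be announced for the subnet's own zone is this example's conservative reading of "distributed by availability zones".

```python
"""Prefix aggregation helpers for Cloud Interconnect announcements.

Added example, not Yandex Cloud code.  Uses only the standard library.
"""
import ipaddress


def aggregate(prefixes):
    """Merge CIDR strings into the minimal covering set.
    collapse_addresses joins adjacent networks and drops nested ones but never
    widens beyond the address space actually listed, so nothing extra is
    announced towards Yandex Cloud."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_announcements(prefixes, prefix_limit):
    """Return (announcements, ok): the aggregated set and whether it fits
    under the Yandex Cloud per-session prefix limit.  The real limit is not
    stated on the page; pass the value agreed with Yandex Cloud."""
    aggs = aggregate(prefixes)
    return aggs, len(aggs) <= prefix_limit


def covering_aggregate(announced, zone, subnet):
    """Return the aggregate announced for `zone` that covers `subnet`, or None.
    Assumption of this example: a covering aggregate announced for a different
    zone does not count, because aggregates are listed per availability zone."""
    net = ipaddress.ip_network(subnet)
    for agg in announced.get(zone, ()):
        if net.subnet_of(ipaddress.ip_network(agg)):
            return agg
    return None


def uncovered_subnets(announced, subnets_by_zone):
    """List (zone, subnet) pairs that would need a support request, or a wider
    aggregate, before they become reachable over the private connection."""
    return [(zone, s) for zone, subnets in subnets_by_zone.items()
            for s in subnets if covering_aggregate(announced, zone, s) is None]


# Per-zone aggregates from the page's example
ANNOUNCED = {
    "ru-central1-a": ["10.128.0.0/16"],
    "ru-central1-b": ["10.130.0.0/16"],
    "ru-central1-d": ["10.140.0.0/16"],
}

# Constructed on-prem prefixes: four adjacent /24s, a lone /24, and a /16 that
# already contains one of the listed /24s
ON_PREM = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
           "192.168.3.0/24", "192.168.10.0/24", "10.10.0.0/16", "10.10.5.0/24"]

if __name__ == "__main__":
    announcements, ok = plan_announcements(ON_PREM, prefix_limit=10)
    print("announce towards Yandex Cloud:", announcements, "within limit:", ok)
    new = {"ru-central1-a": ["10.128.15.0/24", "10.129.0.0/24"],
           "ru-central1-b": ["10.130.7.0/24"]}
    print("subnets needing a support request:", uncovered_subnets(ANNOUNCED, new))
```

Seven on-premises prefixes collapse to three announcements (10.10.0.0/16, 192.168.0.0/22, 192.168.10.0/24); of the three new cloud subnets, only 10.129.0.0/24 in ru-central1-a falls outside the announced aggregates and would need a support request or a wider aggregate.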