Private connection

A private connection is a logical connection to your cloud network, which is set up within a trunk. You can have multiple private connections to different cloud networks in a single trunk.

A private connection is set up inside a trunk and has its own unique VLAN-ID.

Maximum IP MTU for a private connection is 8,910 bytes. Changing IP MTU on the Yandex Cloud equipment is not allowed.

Point-to-point subnetPoint-to-point subnet

To set up a private connection, you need a point-to-point subnet. It is used to configure IP connectivity between the Yandex Cloud equipment and the client or telecom provider equipment.

The point-to-point subnet size may be either /30 or /31. Other subnet sizes are not allowed.

You can use the following IP address ranges in point-to-point subnets:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• 169.254.0.0/16

IP addressing in other ranges is not allowed.

BGP connectivityBGP connectivity

BGP connectivity is configured within each private or public connection between the client equipment and Yandex Cloud equipment at the point of presence for exchanging subnet (prefix) data. After exchanging this routing data, the sides can distribute IPv4 traffic across the subnets they communicated to each other.

BGP ASNBGP ASN

To set up BGP connectivity, each side must specify the BGP autonomous system number (ASN) in ASPlain format. The BGP ASN value for Yandex Cloud is fixed at 200350.

On client equipment, you are allowed to use the public BGP ASN (if available). On client equipment, you are allowed to use any value from the following RFC 6996 ranges of private BGP ASNs:

• 64512 - 65534: For two-byte BGP ASNs.
• 4200000000 - 4294967294: For four-byte BGP ASNs.

On client equipment, you are not allowed to use the following RFC 5398 ranges of BGP ASNs:

• 64496 – 64511: For two-byte BGP ASNs.
• 65536 – 65551: For four-byte BGP ASNs.

On client equipment, you are not allowed to include any BGP ASN from the above ranges in the BGP AS_Path attribute.

BGP authentication (optional)BGP authentication (optional)

To increase security of a BGP connection, you can use BGP authentication based on BGP MD5 password. If you enable this feature, use a string of more than 20 characters as a password, which may include Latin letters, numbers, and special characters.

BFD protocolBFD protocol

If a client cannot connect their router directly to the Yandex Cloud equipment, they can use intermediate network devices (switches). For fast fault detection on the intermediate network devices, use the BFD protocol.

The BFD protocol is always enabled on the Yandex Cloud equipment side and has the following parameter values:

• timer: 300ms
• multiplier: 3

These values are fixed and cannot be changed manually.

The client can configure the timer value on their equipment as needed. When establishing a BFD session, these parameters will be aligned over BFD between the client and Yandex Cloud equipment.

We do not recommend setting multiplier to anything other than 3, as this may cause BFD performance issues.

Private connection topologiesPrivate connection topologies

The following private connection setup options are supported:

• Private connection through a direct client connection
• Private connection through a telecom provider connection (L2 transit)
• Private connection through a telecom provider connection (L3VPN)

Private connection through a direct client connectionPrivate connection through a direct client connection

This scenario implies setting up L3 and BGP connectivity between the client equipment at the point of presence and the Yandex Cloud equipment. In this case:

• It is your responsibility to ensure L3 connectivity from the equipment in your data center to your own equipment at the point of presence.
• You set up BGP connectivity between your equipment at the point of presence and the Yandex Cloud equipment.
• All route announcements over BGP from your equipment at the point of presence enter all Yandex Cloud availability zones.

Private connection via a telecom provider connection (L2 transit)Private connection via a telecom provider connection (L2 transit)

This scenario assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. In this case:

• The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
• L3 and BGP connectivity is set up between your equipment in your data center and the Yandex Cloud equipment at the point of presence.
• All route announcements over BGP from your equipment in your data center reach all Yandex Cloud availability zones.

Private connection through a telecom provider connection (L3VPN)Private connection through a telecom provider connection (L3VPN)

This scenario also assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. You cannot set up BGP connectivity to the Yandex Cloud equipment on your own, technically. In this case:

• The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
• L3 and BGP connectivity to Yandex Cloud is set up between the telecom provider's equipment and the Yandex Cloud equipment at the point of presence. This connection becomes a part of the client L3VPN, which ensures direct connectivity between your equipment in their data center and Yandex Cloud.
• All route announcements over BGP from the telecom provider's equipment at the point of presence enter all Yandex Cloud availability zones.
• While providing the L3VPN service, the telecom provider can use both static and dynamic routing protocols.

Cloud subnet announcements and communication with VPCCloud subnet announcements and communication with VPC

To connect one or more cloud subnets to a private connection, you need to have the following:

• ID of the virtual network (vpc_net_id) to connect to a trunk.
• List of announced IPv4 prefixes of virtual network subnets distributed across availability zones. Typically, prefixes refer to the subnets configured in your cloud. In this case, the announced prefixes and the actual subnet address ranges match.

New subnets that will be created in the virtual network later will not be announced to the Cloud Interconnect private connection automatically.

To add a new subnet to the existing private connection, contact support with a request to add a new announcement to the respective Cloud Interconnect private connection.

Your equipment announces IPv4 prefixes from your infrastructure over BGP to the Yandex Cloud equipment. You can use the following types of prefixes in the announcements:

• Private IP subnets from RFC-1918
• Default route: 0.0.0.0/0
• Public IP subnets

These prefixes get to VPC subnets through redistribution of routing information on the Yandex Cloud equipment.

After the Yandex Cloud equipment receives the client prefixes, they become available to all VMs and internal load balancers within the VPC subnets.

No changes to the VM route tables are required to ensure IP connectivity between cloud resources and your infrastructure resources.

Aggregated prefixes (aggregates)Aggregated prefixes (aggregates)

To automatically announce new subnets in Cloud Interconnect, you can use aggregated prefixes (aggregates) of subnets. This allows you to set up prefix announcements once and then just add new subnets to an existing VPC without contacting support.

For example, when setting up a private connection, you can specify an announcement of the following aggregated IPv4 prefixes:

ru-central1-a [10.128.0.0/16]
ru-central1-b [10.130.0.0/16]
ru-central1-d [10.140.0.0/16]

If you then create a subnet with the 10.128.15.0/24 prefix in this network in the ru-central1-a availability zone, it will automatically be available via Cloud Interconnect because the 10.128.15.0/24 subnet belongs to the already announced address space, 10.128.0.0/16.