Private connection
A private connection is a logical connection to your cloud network, which is set up within a trunk. You can have multiple private connections to different cloud networks in a single trunk.
Warning
You cannot set up multiple private connections to a single cloud network in one point of presence. For redundancy purposes, you can set up multiple private connections in a cloud network at different points of presence, but no more than one such private connection per point of presence.
A private connection is set up inside a trunk and has its own unique VLAN-ID.
Maximum IP MTU for a private connection is 8,910 bytes. Changing IP MTU on the Yandex Cloud equipment is not allowed.
Point-to-point subnet
To set up a private connection, you need a point-to-point subnet. It is used to configure IP connectivity between the Yandex Cloud equipment and the client or telecom provider equipment.
The point-to-point subnet size may be either /30
or /31
. Other subnet sizes are not allowed.
You can use the following IP address ranges in point-to-point subnets:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
IP addressing in other ranges is not allowed.
Note
When setting up a private connection, you can only use IPv4 addresses.
Currently, you cannot use IPv6 addresses.
BGP connectivity
BGP connectivity is configured within each private or public connection between the client equipment and Yandex Cloud equipment at the point of presence for exchanging subnet (prefix) data. After exchanging this routing data, the sides can distribute IPv4 traffic across the subnets they communicated to each other.
Warning
On the Yandex Cloud equipment side, there is a limit on the number of prefixes received from the client router over BGP.
Once this limit is exceeded, the BGP session will be terminated for 30 minutes.
To maintain continuous BGP connectivity, we recommend setting up policies for routing information aggregation on the client router that will keep the number of prefixes announced over BGP towards the Yandex Cloud equipment at a reasonable and required level.
BGP ASN
To set up BGP connectivity, each side must specify the BGP autonomous system number (ASN) in ASPlain format. The BGP ASN value for Yandex Cloud is fixed at 200350.
On client equipment, you are allowed to use the public BGP ASN (if available). On client equipment, you are allowed to use any value from the following RFC 6996
64512 - 65534
: For two-byte BGP ASNs.4200000000 - 4294967294
: For four-byte BGP ASNs.
On client equipment, you are not allowed to use the following RFC 5398
64496 – 64511
: For two-byte BGP ASNs.65536 – 65551
: For four-byte BGP ASNs.
On client equipment, you are not allowed to include any BGP ASN from the above ranges in the BGP AS_Path
attribute.
Warning
On the Yandex Cloud side, a 4-byte BGP ASN value, 200350, is used. When using network equipment from different vendors, 2-byte BGP ASNs are often preferred as the most common option.
When setting up BGP connectivity on the client router side, make sure to explicitly allow 4-byte BGP ASNs in its configuration.
When setting up BGP interaction on the client router, for public connections on public IPv4 addresses owned by the client, make sure to specify the client's public BGP ASN.
BGP authentication (optional)
To increase security of a BGP connection, you can use BGP authentication based on BGP MD5 password
. If you enable this feature, use a string of more than 20 characters as a password, which may include Latin letters, numbers, and special characters.
BFD protocol
If a client cannot connect their router directly to the Yandex Cloud equipment, they can use intermediate network devices (switches). For fast fault detection on the intermediate network devices, use the BFD protocol
The BFD protocol is always enabled on the Yandex Cloud equipment side and has the following parameter values:
timer
: 300msmultiplier
: 3
These values are fixed and cannot be changed manually.
The client can configure the timer
value on their equipment as needed. When establishing a BFD session, these parameters will be aligned over BFD between the client and Yandex Cloud equipment.
We do not recommend setting multiplier
to anything other than 3, as this may cause BFD performance issues.
Private connection topologies
The following private connection setup options are supported:
- Private connection through a direct client connection
- Private connection through a telecom provider connection (L2 transit)
- Private connection through a telecom provider connection (L3VPN)
Private connection through a direct client connection
This scenario implies setting up L3 and BGP connectivity between the client equipment at the point of presence and the Yandex Cloud equipment. In this case:
- It is your responsibility to ensure L3 connectivity from the equipment in your data center to your own equipment at the point of presence.
- You set up BGP connectivity between your equipment at the point of presence and the Yandex Cloud equipment.
- All route announcements over BGP from your equipment at the point of presence enter all Yandex Cloud availability zones.
Private connection via a telecom provider connection (L2 transit)
This scenario assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. In this case:
- The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
- L3 and BGP connectivity is set up between your equipment in your data center and the Yandex Cloud equipment at the point of presence.
- All route announcements over BGP from your equipment in your data center reach all Yandex Cloud availability zones.
Private connection through a telecom provider connection (L3VPN)
This scenario also assumes you do not have your own equipment at the point of presence and you use the services of a telecom provider that ensures connectivity between Yandex Cloud and your own equipment. You cannot set up BGP connectivity to the Yandex Cloud equipment on your own, technically. In this case:
- The telecom provider sets up L2 connectivity between its equipment at the point of presence and the Yandex Cloud equipment.
- L3 and BGP connectivity to Yandex Cloud is set up between the telecom provider's equipment and the Yandex Cloud equipment at the point of presence. This connection becomes a part of the client L3VPN, which ensures direct connectivity between your equipment in their data center and Yandex Cloud.
- All route announcements over BGP from the telecom provider's equipment at the point of presence enter all Yandex Cloud availability zones.
- While providing the L3VPN service, the telecom provider can use both static and dynamic routing protocols.
Cloud subnet announcements and communication with VPC
To connect one or more cloud subnets to a private connection, you need to have the following:
- ID of the virtual network (
vpc_net_id
) to connect to a trunk. - List of announced IPv4 prefixes of virtual network subnets distributed across availability zones. Typically, prefixes refer to the subnets configured in your cloud. In this case, the announced prefixes and the actual subnet address ranges match.
New subnets that will be created in the virtual network later will not be announced to the Cloud Interconnect private connection automatically.
To add a new subnet to the existing private connection, contact support
Warning
When using Yandex Cloud load balancers:
- Network Load Balancer (NLB)
- Application Load Balancer (ALB)
their listener addresses are announced as IPv4 prefixes with the length of /32
.
This enables you to use load balancers to distribute traffic coming from your infrastructure via Cloud Interconnect between cloud resources in different Yandex Cloud availability zones.
Your equipment announces IPv4 prefixes from your infrastructure over BGP to the Yandex Cloud equipment. You can use the following types of prefixes in the announcements:
- Private IP subnets from RFC-1918
- Default route:
0.0.0.0/0
- Public IP subnets
These prefixes get to VPC subnets through redistribution of routing information on the Yandex Cloud equipment.
After the Yandex Cloud equipment receives the client prefixes, they become available to all VMs and internal load balancers within the VPC subnets.
No changes to the VM route tables are required to ensure IP connectivity between cloud resources and your infrastructure resources.
Aggregated prefixes (aggregates)
To automatically announce new subnets in Cloud Interconnect, you can use aggregated prefixes (aggregates) of subnets. This allows you to set up prefix announcements once and then just add new subnets to an existing VPC without contacting support.
For example, when setting up a private connection, you can specify an announcement of the following aggregated IPv4 prefixes:
ru-central1-a [10.128.0.0/16] ru-central1-b [10.130.0.0/16] ru-central1-d [10.140.0.0/16]
If you then create a subnet with the
10.128.15.0/24
prefix in this network in theru-central1-a
availability zone, it will automatically be available via Cloud Interconnect because the10.128.15.0/24
subnet belongs to the already announced address space,10.128.0.0/16
.