Public connection
A public connection provides access to Yandex Cloud services. A public connection is set up inside a trunk and has its own unique VLAN-ID. A trunk can have one or more public connections that provide access to any combination of services.
Maximum IP MTU size for a public connection is 1,500 bytes. Changing IP MTU on the Yandex Cloud equipment is not allowed.
List of services
Each Yandex Cloud service has its own entry point: API Endpoint. You can see the list of entry points for Yandex Cloud services here. Each entry point has its own ID and address that consists of the API Endpoint FQDN and the number of the port to which this service gets requests.
Below, you can see the list of Yandex Cloud services you can access through a public connection:
| Service name | API Endpoint (FQDN) |
|---|---|
| Object Storage | storage.yandexcloud.net |
| Cloud Functions | serverless-functions.api.cloud.yandex.net |
| Container Registry | container-registry.api.cloud.yandex.net, cr.yandex |
| Yandex SpeechKit | transcribe.api.cloud.yandex.net |
| Yandex Vision OCR | vision.api.cloud.yandex.net |
| Yandex Translate | translate.api.cloud.yandex.net |
| Management console | api.cloud.yandex.net |
| Yandex Monitoring | monitoring.api.cloud.yandex.net |
| YandexGPT API of the Foundation Models service | llm.api.cloud.yandex.net |
| All-Services | All Yandex Cloud services listed above |
Technically, a public connection ensures connectivity between your infrastructure and the IP address to which the respective service's API Endpoint FQDN is converted. FQDN is converted to an IP address through DNS.
For example, if you want to get access from your infrastructure to Object Storage through a service connection, the Yandex Cloud equipment will announce the 213.180.193.243/32 prefix to your router over BGP. This prefix refers to the storage.yandexcloud.net API Endpoint FQDN of Object Storage.
You need to set up traffic routing in your infrastructure so that the traffic directed to Yandex Cloud services is routed to devices that perform NAT functions for your public connection.
Point-to-point subnet
A public connection is set up using public IPv4 addresses owned by the customer. In some cases, one may use IPv4 addresses from the Yandex Cloud address pool. When setting up a public connection with addresses from the Yandex Cloud address pool, you are allocated a /31 point-to-point subnet.
Alert
Services that can be accessed via a public connection are hosted in your own data centers. Traffic within a public connection between your infrastructure and the services stays within Yandex Cloud.
BGP connectivity
BGP connectivity is configured within each private or public connection between the client equipment and Yandex Cloud equipment at the point of presence for exchanging subnet (prefix) data. After exchanging this routing data, the sides can distribute IPv4 traffic across the subnets they communicated to each other.
Warning
On the Yandex Cloud equipment side, there is a limit on the number of prefixes received from the client router over BGP.
Once this limit is exceeded, the BGP session will be terminated for 30 minutes.
To maintain continuous BGP connectivity, we recommend setting up policies for routing information aggregation on the client router that will keep the number of prefixes announced over BGP towards the Yandex Cloud equipment at a reasonable and required level.
BGP ASN
To set up BGP connectivity, each side must specify the BGP autonomous system number (ASN) in ASPlain format. The BGP ASN value for Yandex Cloud is fixed at 200350.
On client equipment, you are allowed to use the public BGP ASN (if available). On client equipment, you are allowed to use any value from the following RFC 6996 ranges of private BGP ASNs:
64512 - 65534: For two-byte BGP ASNs.4200000000 - 4294967294: For four-byte BGP ASNs.
On client equipment, you are not allowed to use the following RFC 5398 ranges of BGP ASNs:
64496 – 64511: For two-byte BGP ASNs.65536 – 65551: For four-byte BGP ASNs.
On client equipment, you are not allowed to include any BGP ASN from the above ranges in the BGP AS_Path attribute.
Warning
On the Yandex Cloud side, a 4-byte BGP ASN value, 200350, is used. When using network equipment from different vendors, 2-byte BGP ASNs are often preferred as the most common option.
When setting up BGP connectivity on the client router side, make sure to explicitly allow 4-byte BGP ASNs in its configuration.
When setting up BGP interaction on the client router, for public connections on public IPv4 addresses owned by the client, make sure to specify the client's public BGP ASN.
BGP authentication (optional)
To increase security of a BGP connection, you can use BGP authentication based on BGP MD5 password. If you enable this feature, use a string of more than 20 characters as a password, which may include Latin letters, numbers, and special characters.
BFD protocol
If a client cannot connect their router directly to the Yandex Cloud equipment, they can use intermediate network devices (switches). For fast fault detection on the intermediate network devices, use the BFD protocol.
The BFD protocol is always enabled on the Yandex Cloud equipment side and has the following parameter values:
timer: 300msmultiplier: 3
These values are fixed and cannot be changed manually.
The client can configure the timer value on their equipment as needed. When establishing a BFD session, these parameters will be aligned over BFD between the client and Yandex Cloud equipment.
We do not recommend setting multiplier to anything other than 3, as this may cause BFD performance issues.
NAT functions
When setting up a public connection with IPv4 addresses provided by Yandex Cloud, you need to use the NAT technology on your equipment side to route your traffic correctly across Yandex Cloud services. You can implement NAT in the following ways:
-
Running a NAT function on your equipment or router your public connection is linked to. All public connection traffic is routed from the IPv4 address to the router interface in the point-to-point subnet. In this case, your router where the public connection terminates must announce a prefix of a point-to-point subnet to the Yandex Cloud equipment over BGP.
-
Running a NAT function on your equipment that is not used for a public connection, e.g., on a server or firewall. In this case, Yandex Cloud additionally allocates an auxiliary IPv4 address (prefix /32), and your router to which the public connection goes will announce this prefix over BGP towards the Yandex Cloud equipment.