Contact UsGet started

Connecting resources from different folders

Written by
Updated at May 7, 2025

In Yandex Cloud, you create network resources, e.g., cloud networks and subnets, in separate folders disconnected from each other and you often need to connect them. You can do it using the Multi-folder VPC method extending the scope of a VPC network to multiple folders.

Depending on the selected Yandex Cloud tools, you can extend your network scope to other folders by:

  • Moving subnets to other folders using the management console (UI) and YC CLI.
  • Creating subnets in target folders with YC CLI.
  • Creating subnets in target folders with Terraform.

Once you placed a subnet into the target folder, you can connect other folder resources to it, including VMs, Managed Service for Kubernetes clusters, database hosts, load balancers, load testing agents, etc. As a result, you will have a network connecting resources from different folders.

In this tutorial, we will set up three VMs residing in different folders and connected by a shared network. We will create a cloud network in one of these folders and then extend its scope to other folders, thus connecting the resources located there.

Warning

You can only move subnets between folders within a single cloud.

In our example, we have a dev environment, including the CI/CD module with its components located in the net-folder. These components should be able to connect to other components located in dev, stage, and prod folders.

You can see this configuration in the picture below.

We are going to connect VMs residing in different subnets into one network. The VMs will be able to address each other by IP or FQDN addresses.

Steps to follow

Depending on the selected tools, steps to create Multi-folder VPC may differ.

To create the test infrastructure and connect its resources:

  1. Get your cloud ready.
  2. Create folders.
  3. Create a VPC cloud network with subnets.
  4. Move the subnets.
  5. Create VM instances.
  6. Check the connectivity.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support costs include:

Configure access permissions

Configure access rights for the folder:

  • To create networks and manage subnets, assign the vpc.admin or the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin roles to the service account or user.
  • To create and manage VMs, assign the vpc.user and compute.admin roles for the folder to the service account or user.

For granular network access management, use security groups.

Create folders

  1. Create the net-folder, dev-folder, and prod-folder folders:

    1. In the management console, select a cloud and click Create folder.
    2. Specify the folder name: net-folder.
    3. Disable Create a default network to create your network and subnets manually.
    4. Click Create.

    Similarly, create dev-folder and prod-folder.

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    Note

    To create resources with CLI, get authenticated under a service account with the admin role for the cloud.

    1. Read the create folder command description:

      yc resource-manager folder create --help

    2. Create the net-folder, dev-folder, and prod-folder cloud folders:

      yc resource-manager folder create --name net-folder
yc resource-manager folder create --name dev-folder
yc resource-manager folder create --name prod-folder

    1. If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

    2. Specify the Yandex Cloud Terraform provider configuration:

      # ==================================
# Terraform & Provider Configuration
# ==================================
terraform {
 required_providers {
     yandex = {
       source  = "yandex-cloud/yandex"
       version = "~> 0.92.0"
     }
 }
}

    3. Specify input variables:

      variable "cloud_id" {
  description = "YC cloud-id. Taken from environment variable."
}

    4. Specify your target cloud folders:

      # ========
# Folders
# ========
resource "yandex_resourcemanager_folder" "net_folder" {
  cloud_id = var.cloud_id
  name     = "net-folder"
}

resource "yandex_resourcemanager_folder" "dev_folder" {
  cloud_id = var.cloud_id
  name     = "dev-folder"
}

resource "yandex_resourcemanager_folder" "prod_folder" {
  cloud_id = var.cloud_id
  name     = "prod-folder"
}

    5. Create the required infrastructure:

      1. Run the following commands:

        export TF_VAR_cloud_id=$(yc config get cloud-id)
export YC_TOKEN=$(yc iam create-token)
terraform apply

      2. When asked to confirm the changes, enter yes and wait for the operation to complete.

    Use the create REST API method for the Folder resource or the FolderService/Create gRPC API call.

Create a VPC cloud network with subnets

In net-folder, create the shared-net network and three subnets with the following settings:

Subnet name Prefix Availability zone Target folder
subnet-a 10.1.11.0/24 ru-central1-a net-folder
subnet-b 10.1.12.0/24 ru-central1-b dev-folder
subnet-d 10.1.13.0/24 ru-central1-d prod-folder

  1. Create a cloud network:

    1. In the management console, navigate to net-folder.
    2. In the list of services, select Virtual Private Cloud.
    3. Click Create network.
    4. Specify the network name: shared-net.
    5. Disable Create subnets to create subnets manually.
    6. Click Create network.

    1. Read the description of the network create command:

      yc vpc network create --help

    2. Create the shared-net cloud network in net-folder.

      yc vpc network create --folder-name net-folder --name shared-net

    1. Specify your target network:

      # =============
# VPC Resources
# =============
resource "yandex_vpc_network" "shared_net" {
  folder_id = yandex_resourcemanager_folder.net_folder.id
  name      = "shared-net"
}

    2. Run the following commands:

      export TF_VAR_cloud_id=$(yc config get cloud-id)
export YC_TOKEN=$(yc iam create-token)
terraform apply

    3. Enter yes to confirm changes.

    4. Wait for the operation to complete.

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create subnets named subnet-a, subnet-b, and subnet-d in the ru-central1-a, ru-central1-b, and ru-central1-d availability zones, respectively:

    1. In the management console, navigate to net-folder.
    2. In the list of services, select Virtual Private Cloud.
    3. Click shared-net.
    4. Click Create subnet.
    5. Specify the subnet name: subnet-a, subnet-b, or subnet-d.
    6. Select the availability zone from the drop-down list: ru-central1-a, ru-central1-b, or ru-central1-d, respectively.
    7. Specify the subnet CIDR: 10.1.11.0 as IP address and 24 as subnet mask. For more information about IP address ranges, see Cloud networks and subnets.
    8. Click Create subnet.

    1. Read the subnet create command description:

      yc vpc subnet create --help

    2. Create subnets in the target folders:

      yc vpc subnet create --folder-name net-folder --name subnet-a \
  --network-name shared-net --zone ru-central1-a --range 10.1.11.0/24

yc vpc subnet create --folder-name dev-folder --name subnet-b \
  --network-name shared-net --zone ru-central1-b --range 10.1.12.0/24

yc vpc subnet create --folder-name prod-folder --name subnet-d \
  --network-name shared-net --zone ru-central1-d --range 10.1.13.0/24

    3. Check the new subnet status:

      yc vpc subnet list --folder-name net-folder
yc vpc subnet list --folder-name dev-folder
yc vpc subnet list --folder-name prod-folder

    1. Specify your target subnets:

      resource "yandex_vpc_subnet" "subnet_a" {
  folder_id      = yandex_resourcemanager_folder.net_folder.id
  name           = "subnet-a"
  description    = "NET folder subnet"
  v4_cidr_blocks = ["10.1.11.0/24"]
  zone           = "ru-central1-a"
  network_id     = yandex_vpc_network.shared_net.id
}

resource "yandex_vpc_subnet" "subnet_b" {
  folder_id      = yandex_resourcemanager_folder.dev_folder.id
  name           = "subnet-b"
  description    = "DEV folder subnet"
  v4_cidr_blocks = ["10.1.12.0/24"]
  zone           = "ru-central1-b"
  network_id     = yandex_vpc_network.shared_net.id
}

resource "yandex_vpc_subnet" "subnet_d" {
  folder_id      = yandex_resourcemanager_folder.prod_folder.id
  name           = "subnet-d"
  description    = "PROD folder subnet"
  v4_cidr_blocks = ["10.1.13.0/24"]
  zone           = "ru-central1-d"
  network_id     = yandex_vpc_network.shared_net.id
}

    2. Run the following commands:

      export TF_VAR_cloud_id=$(yc config get cloud-id)
export YC_TOKEN=$(yc iam create-token)
terraform apply

    3. When asked to confirm the changes, enter yes and wait for the operation to complete.

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Move the subnets

Move subnet-b to dev-folder:

  1. In the management console, navigate to net-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Click shared-net.
  4. Click next to subnet-b and select Move.
  5. Select dev-folder from the drop-sown list.
  6. Click Move.

  1. Read the subnet move command description:

    yc vpc subnet move --help

  2. Move the subnet:

    yc vpc subnet move subnet-b \
  --destination-folder-name dev-folder

Use the move REST API method for the Subnet resource or the SubnetService/Move gRPC API call.

Similarly, move subnet-d to prod-folder:

Create VMs

Create VMs with the following settings:

VM name Folder Availability zone Subnet
net-vm net-folder ru-central1-a subnet-a
dev-vm dev-folder ru-central1-b subnet-b
prod-vm prod-folder ru-central1-d subnet-d

Create the Linux-based net-vm VM in net-folder:

  1. In the management console, select net-folder.

  2. Click Create resource and select Virtual machine instance.

  3. Under Boot disk image, in the Product search field, type Ubuntu 22.04 LTS and select a public Ubuntu 22.04 LTS image.

  4. Under Location, select the ru-central1-a availability zone.

  5. Under Network settings:

    • In the Subnet field, select subnet-a.
    • Under Public IP address, leave Auto to assign your VM a random external IP address from the Yandex Cloud pool or if you reserved a static IP address, select it from the list.

  6. Under Access, select SSH key and specify your VM access credentials:

    • In the Login field, specify the username: ycuser.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  7. Under General information, specify the VM name: net-vm.

  8. Leave all other settings unchanged and click Create VM.

Similarly, create dev-vm and prod-vm in the respective folders.

Note

When you create a VM, the system will assign it a public and private IP addresses Save them so you will be able to access the VM and test its connectivity.

  1. Create the vm-init.tpl VM metadata template file:

    #cloud-config

datasource:
  Ec2:
    strict_id: false
ssh_pwauth: yes
users:
  - name: "${USER_NAME}"
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - "${USER_SSH_KEY}"

  2. Generate a VM metadata file:

    export USER_NAME=ycuser
export USER_SSH_KEY=$(cat ~/.ssh/id_rsa.pub)

envsubst < vm-init.tpl > vm-config.txt

  3. Create VMs:

    yc compute instance create --name=net-vm --hostname=net-vm \
  --zone=ru-central1-a \
  --platform=standard-v3 \
  --cores=2 --memory=4G --core-fraction=100 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts \
  --network-interface subnet-name=subnet-a,ipv4-address=auto,nat-ip-version=ipv4 \
  --metadata-from-file user-data=vm-config.txt

yc compute instance create --name=dev-vm --hostname=dev-vm \
  --zone=ru-central1-b \
  --platform=standard-v3 \
  --cores=2 --memory=4G --core-fraction=100 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts \
  --network-interface subnet-name=subnet-b,ipv4-address=auto,nat-ip-version=ipv4 \
  --metadata-from-file user-data=vm-config.txt

yc compute instance create --name=prod-vm --hostname=prod-vm \
  --zone=ru-central1-d \
  --platform=standard-v3 \
  --cores=2 --memory=4G --core-fraction=100 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts \
  --network-interface subnet-name=subnet-d,ipv4-address=auto,nat-ip-version=ipv4 \
  --metadata-from-file user-data=vm-config.txt

    Note

    The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

    To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

    For more information, see Specifics of providing environment variables in metadata via the CLI.

  4. Save the new VMs’ public IPs as you will need them later:

    NET_VM_IP=$(yc compute instance get net-vm --format=json | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address')
DEV_VM_IP=$(yc compute instance get dev-vm --format=json | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address')
PROD_VM_IP=$(yc compute instance get prod-vm --format=json | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address')

  1. Specify input variables:

    variable "user_name" {
  description = "VM User Name"
  default     = "ycuser"
}

variable "user_ssh_key_path" {
  description = "User's SSH public key file"
  default     = "~/.ssh/id_rsa.pub"
}

  2. Create the vm-init.tpl VM metadata template file:

    #cloud-config

datasource:
  Ec2:
    strict_id: false
ssh_pwauth: yes
users:
  - name: "${USER_NAME}"
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - "${USER_SSH_KEY}"

  3. Describe your target VMs:

    # =================
# Compute Resources
# =================
data "yandex_compute_image" "vm_image" {
  family = "ubuntu-2204-lts"
}

resource "yandex_compute_disk" "boot-disk-1" {
  name     = "boot-disk-1"
  type     = "network-hdd"
  zone     = "ru-central1-a"
  size     = "20"
  image_id = yandex_compute_image.vm_image.id
}

resource "yandex_compute_disk" "boot-disk-2" {
  name     = "boot-disk-2"
  type     = "network-hdd"
  zone     = "ru-central1-b"
  size     = "20"
  image_id = yandex_compute_image.vm_image.id
}

resource "yandex_compute_disk" "boot-disk-3" {
  name     = "boot-disk-3"
  type     = "network-hdd"
  zone     = "ru-central1-d"
  size     = "20"
  image_id = yandex_compute_image.vm_image.id
}

resource "yandex_compute_instance" "net_vm" {
  folder_id   = yandex_resourcemanager_folder.net_folder.id
  name        = "net-vm"
  hostname    = "net-vm"
  platform_id = "standard-v3"
  zone        = "ru-central1-a"
  resources {
    cores  = 2
    memory = 4
  }

  boot_disk {
    disk_id = yandex_compute_disk.boot-disk-1.id
  }

  network_interface {
    subnet_id = yandex_vpc_subnet.subnet_a.id
    nat       = true
  }

  metadata = {
    user-data = templatefile("vm-init.tpl", {
      USER_NAME    = var.user_name
      USER_SSH_KEY = file(var.user_ssh_key_path)
    })
  }
}

resource "yandex_compute_instance" "dev_vm" {
  folder_id   = yandex_resourcemanager_folder.dev_folder.id
  name        = "dev-vm"
  hostname    = "dev-vm"
  platform_id = "standard-v3"
  zone        = "ru-central1-b"
  resources {
    cores  = 2
    memory = 4
  }

  boot_disk {
    disk_id = yandex_compute_disk.boot-disk-2.id
  }

  network_interface {
    subnet_id = yandex_vpc_subnet.subnet_b.id
    nat       = true
  }

  metadata = {
    user-data = templatefile("vm-init.tpl", {
      USER_NAME    = var.user_name
      USER_SSH_KEY = file(var.user_ssh_key_path)
    })
  }
}

resource "yandex_compute_instance" "prod_vm" {
  folder_id   = yandex_resourcemanager_folder.prod_folder.id
  name        = "prod-vm"
  hostname    = "prod-vm"
  platform_id = "standard-v3"
  zone        = "ru-central1-d"
  resources {
    cores  = 2
    memory = 4
  }

  boot_disk {
    disk_id = yandex_compute_disk.boot-disk-3.id
  }

  network_interface {
    subnet_id = yandex_vpc_subnet.subnet_d.id
    nat       = true
  }

  metadata = {
    user-data = templatefile("vm-init.tpl", {
      USER_NAME    = var.user_name
      USER_SSH_KEY = file(var.user_ssh_key_path)
    })
  }
}

# =======
# Outputs
# =======
output "NET-vm" {
  value = yandex_compute_instance.network_vm.network_interface.0.nat_ip_address
}

output "DEV-vm" {
  value = yandex_compute_instance.dev_vm.network_interface.0.nat_ip_address
}

output "PROD-vm" {
  value = yandex_compute_instance.prod_vm.network_interface.0.nat_ip_address
}

  4. Run the following commands:

    export TF_VAR_cloud_id=$(yc config get cloud-id)
export YC_TOKEN=$(yc iam create-token)
terraform apply

  5. When asked to confirm the changes, enter yes and wait for the operation to complete.

To create a VM, use the create REST API method for the Compute Instance resource or the InstanceService/Create gRPC API call.

Check your resources connectivity

  1. Connect to the net-vm VM over SSH:

    ssh ycuser@<net-vm_public_IP_address>

  2. Check whether you can connect to dev-vm:

    ping -c3 <net-vm_internal_IP_address>

    Result:

    PING 10.127.20.4 (10.127.20.4) 56(84) bytes of data.
64 bytes from 10.127.20.4: icmp_seq=1 ttl=61 time=7.45 ms
64 bytes from 10.127.20.4: icmp_seq=2 ttl=61 time=5.61 ms
64 bytes from 10.127.20.4: icmp_seq=3 ttl=61 time=5.65 ms
--- 10.127.20.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.613/6.235/7.446/0.855 ms

  3. Similarly, check the connection to prod-vm.

  4. Connect to dev-vm over SSH and use ping to check the IP connectivity between dev-vm, net-vm, and prod-vm.

  5. Connect to prod-vm over SSH and use ping to check the IP connectivity between prod-vm, net-vm, and dev-vm.

How to delete the resources you created

To stop paying for the resources you created, delete VMs: net-vm, dev-vm, and prod-vm.

Previous
All tutorials
Next
Creating a bastion host