
Service connections in Yandex Virtual Private Cloud

Written by
Yandex Cloud
Updated at May 5, 2025
  • Service connection structure
  • Service connection types
    • Object Storage. Access from VPC

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

A service connection (Private Endpoint) provides direct IP connectivity between resources inside a VPC network and Yandex Cloud services that are hosted outside VPC.

Here, direct IP connectivity means that such services are reachable via VPC internal IP addresses, without using public IP addresses.

An example of such a service is Object Storage.

Service connection structure

A service connection can be divided into two parts:

  • The client part (Private Endpoint, PE) presents the service in VPC and is implemented within VPC. It is common to all types of service connections.
  • The service part (Provider) interacts with the client part and is implemented on the service side. It is unique to each service and service connection type.

A service connection has the following attributes:

  • An IP address for the connection in VPC, taken from the subnet CIDR ranges of the network the service connection is created for.
  • Connection type: the service to which the connection is made. For the list of available service connection types, see below.

When creating a service connection in VPC, the following objects are created:

  1. An internal IP address to which the connection is bound.
  2. An A record with a special FQDN for the service connection, e.g., storage.pe.yandexcloud.net, resolving to the internal IP address allocated for the connection.
  3. Optional. If required, an additional A record for the service's public FQDN (e.g., storage.yandexcloud.net), also resolving to the internal IP address allocated for the connection.

Once the service connection is created, cloud resources in the subnets of the network that owns the connection reach the service through its internal IP address (1). Clients can use either the special FQDN (2) or, if the optional record was created, the service's public FQDN (3). The A records are created in the internal service DNS zone.

To use service connections from outside the cloud infrastructure, you need IP connectivity between your infrastructure and Yandex Cloud, using VPN technologies (IPsec, WireGuard, etc.) or Cloud Interconnect.

Note

If you need to access the service connection by FQDN from outside Yandex Cloud, configure A records on your corporate DNS server so that the service FQDN resolves to the IP address of the connection.
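The following is an added example, not code from the Yandex Cloud documentation. It models the three objects described above for an Object Storage connection: it checks that the connection's internal IP really comes from one of the network's subnets and is private, builds the A records a connection creates (the special FQDN, plus the optional public FQDN), and renders them as BIND-style zone lines for the corporate DNS server mentioned in the note. The subnet CIDRs and the connection IP are constructed sample values; the function names are mine.

```python
import ipaddress
from typing import Dict, List

# Constructed sample input: two subnets of one VPC network and the internal IP
# allocated for the service connection. All values are illustrative.
SUBNET_CIDRS = ["10.128.0.0/24", "10.129.0.0/24"]
CONNECTION_IP = "10.128.0.10"

# FQDNs from the page: the special endpoint FQDN and the public API FQDN of
# Object Storage.
SPECIAL_FQDN = "storage.pe.yandexcloud.net"
PUBLIC_FQDN = "storage.yandexcloud.net"


def ip_in_network(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside one of the network's subnet CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def endpoint_records(ip: str, cidrs: List[str], with_public_fqdn: bool) -> Dict[str, str]:
    """Return the A records a service connection creates: FQDN -> internal IP.

    The connection IP must be a private address taken from the network's own
    subnets; anything else would not be a private endpoint at all.
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        raise ValueError(f"{ip} is not a private address")
    if not ip_in_network(ip, cidrs):
        raise ValueError(f"{ip} is outside the network's subnets {cidrs}")
    records = {SPECIAL_FQDN: ip}          # record (2): always created
    if with_public_fqdn:
        records[PUBLIC_FQDN] = ip         # record (3): optional
    return records


def corporate_zone_lines(records: Dict[str, str], ttl: int = 300) -> List[str]:
    """Render the records as BIND-style A records for an on-prem DNS server.

    These are the records the note above asks you to add so that the service
    FQDN resolves to the connection IP from outside Yandex Cloud.
    """
    return [f"{fqdn}.\t{ttl}\tIN\tA\t{ip}" for fqdn, ip in sorted(records.items())]


if __name__ == "__main__":
    recs = endpoint_records(CONNECTION_IP, SUBNET_CIDRS, with_public_fqdn=True)
    print("\n".join(corporate_zone_lines(recs)))
```

Run it on a VM inside the network and compare the printed records against what `storage.pe.yandexcloud.net` actually resolves to there; a mismatch or a public address means traffic is not taking the private path.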

Service connection types

Service name (connection type)    API service FQDN
Object Storage                    storage.yandexcloud.net

Object Storage. Access from VPC

To allow access to an Object Storage bucket only from VPC via a service connection, apply the following bucket policy. The Condition restricts access to requests that arrive through the service connection with the specified ID. Note that Principal "*" and Action "*" grant every action to any requester whose request comes through that connection; narrow them if you need a smaller set of operations or principals to be allowed:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}

Where:

  • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
  • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.
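The following is an added example, not code from the Yandex Cloud documentation. It builds the bucket policy above for a given bucket and connection ID and runs a deliberately small evaluator over it, so you can see which requests the policy admits: the evaluator assumes that once a policy is attached, a request that no statement allows is denied (the behaviour the "only from VPC" claim relies on), models only the StringEquals condition the policy uses, and treats a request that does not arrive through a private endpoint as one whose context carries no yc:private-endpoint-id key. Principal is not modelled because the policy admits any principal. The bucket name, connection ID and request paths are constructed sample values.

```python
import fnmatch
import json
from typing import Any, Dict, List

# Constructed sample values (the connection ID is not a real endpoint ID).
BUCKET_NAME = "my-s3-bucket"
CONNECTION_ID = "enp-example-private-endpoint"


def object_storage_pe_policy(bucket_name: str, connection_id: str) -> Dict[str, Any]:
    """Build the bucket policy from the page for the given bucket and endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                f"arn:aws:s3:::{bucket_name}/*",
                f"arn:aws:s3:::{bucket_name}",
            ],
            "Condition": {
                "StringEquals": {"yc:private-endpoint-id": connection_id}
            },
        },
    }


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: Dict[str, Any], action: str, resource: str,
                       context: Dict[str, str]) -> bool:
    """True if the statement's Action, Resource and StringEquals conditions all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    # StringEquals: every condition key must be present in the request context
    # with one of the expected values. A request that did not come through a
    # private endpoint has no yc:private-endpoint-id key and therefore fails.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Dict[str, str]) -> str:
    """Simplified evaluation: explicit Deny wins, a matching Allow allows,
    anything else is denied. Returns "Allow" or "Deny"."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = object_storage_pe_policy(BUCKET_NAME, CONNECTION_ID)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET_NAME}/reports/q1.csv"
    print("via endpoint:", evaluate(policy, "s3:GetObject", obj, {"yc:private-endpoint-id": CONNECTION_ID}))
    print("via public API:", evaluate(policy, "s3:GetObject", obj, {}))
```

The evaluator also makes the policy's breadth visible: with Action "*" the same request is allowed for s3:DeleteObject as for s3:GetObject, and the only thing separating an allowed request from a denied one is the endpoint ID in the request context, not who sent it.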
