Creating a service connection

Written by

Updated at May 5, 2025

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

To create a service connection, you need one of the following roles:

vpc.privateEndpoints.editor
vpc.privateEndpoints.admin
vpc.privateAdmin
vpc.admin
admin

To create a service connection:

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

View the description of the CLI command to create a service connection:
```
yc vpc private-endpoint create --help
```

Create a service connection to Object Storage in the default folder:

yc vpc private-endpoint create \
  --name s3-vpc-link \
  --description "Private Endpoint to the Object Storage" \
  --network-name default-net \
  --object-storage

Where:

--name: (Optional) Service connection name.
--description: (Optional) Service connection description.
--network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the --network-id parameter.
--object-storage: Service connection to Object Storage. Other service connection types are not available yet.

When creating a service connection, you can use the following additional parameters:

--address-spec: (Optional) Parameters in the key=value format for the internal IP address which will be assigned to the service connection:
- address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range.
- subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.
  
  Note
  
  To create a service connection, you should have at least one subnet in your network.

--private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

The parameter is not used:

Name Type Value

storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

*.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

The parameter is used:

Name	Type	Value
storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>

Make sure the service connection is created:

yc vpc private-endpoint list

The command result will be as follows:

+----------------------+-------------+--------------------------------+
|          ID          |    NAME     |          DESCRIPTION           |
+----------------------+-------------+--------------------------------+
| enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
|                      |             | Storage                        |
+----------------------+-------------+--------------------------------+

Learn how to get the parameters of the service connection you created in Getting information about a service connection.

Creating a service connection

Was the article helpful?