Establishing network connectivity between Yandex BareMetal subnets and on-premise environment with Cloud Interconnect

Written by
Yandex Cloud
Updated at July 29, 2025
  • Getting started
    • Required paid resources
  • Create a cloud infrastructure
    • Create a VRF segment and a BareMetal private subnet
    • Lease a BareMetal server
  • Create a routing instance
    • Make sure you have a routing instance in your folder
    • Request a new routing instance
  • Create a private connection
  • Test network connectivity
    • Test network connectivity from the private BareMetal subnet to on-premise resources
    • Test network connectivity from an on-premise resource to the private BareMetal subnet
  • How to delete the resources you created

In this tutorial, you will set up network connectivity between a BareMetal server located in a private Yandex BareMetal subnet and your on-premise resources. Network connectivity will be established using Cloud Interconnect and Cloud Router.

The diagram above shows network connectivity between the Yandex BareMetal segment resources and customer’s remote on-premise resources connected to Yandex Cloud via Cloud Interconnect.

To establish network connectivity between these resources and the customer's virtual network, you need to add the relevant Virtual Private Cloud subnet IP prefixes to the routing instance. For more on configuring this type of network connectivity, see the relevant documentation.

Note

It is assumed that the connectivity between on-premise and the VPC network via Cloud Interconnect has already been established and is operational.

To set up network connectivity between BareMetal private subnets and on-premise resources using Cloud Interconnect, do the following:

  1. Get your cloud ready.
  2. Create a cloud infrastructure.
  3. Create a routing instance.
  4. Create a private connection.
  5. Check network connectivity.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a linked billing account with an ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of supporting an infrastructure for network connectivity between BareMetal and VPC subnets includes:

  • Fee for using the VM public IP address (see Yandex Virtual Private Cloud pricing).
  • Fee for VM computing resources and disks (see Yandex Compute Cloud pricing).
  • BareMetal server lease fee (see Yandex BareMetal pricing).

Create a cloud infrastructure

Create the Yandex Cloud infrastructure you will use to set up network connectivity.

To configure Cloud Interconnect in BareMetal, you will need a private routable subnet and a VRF segment in BareMetal, a cloud network with one or more Virtual Private Cloud subnets, as well as a routing instance with one or more announced prefixes of VPC private subnets.

To check network connectivity, you will need a BareMetal server and a Compute Cloud VM.

Create a VRF segment and a BareMetal private subnet

Create a virtual network segment (VRF) and a private subnet in the ru-central1-m3 server pool:

Management console
  1. In the management console, select the folder where you are going to create your infrastructure.
  2. In the list of services, select BareMetal.
  3. Create a virtual routing and forwarding segment:
    1. In the left-hand panel, select VRF and click Create VRF.
    2. In the Name field, name your VRF segment: my-vrf.
    3. Click Create VRF.
  4. Create a private subnet:
    1. In the left-hand panel, select Private subnets and click Create subnet.
    2. In the Pool field, select the ru-central1-m3 server pool.
    3. In the Name field, enter a name for the subnet: subnet-m3.
    4. Enable IP addressing and routing.
    5. In the Virtual network segment (VRF) field, select the previously created segment, my-vrf.
    6. In the CIDR field, specify 192.168.1.0/24.
    7. In the Default gateway field, keep the default value, 192.168.1.1.
    8. Enable the Assigning IP addresses via DHCP option and in the IP address range field that appears, leave the default values, 192.168.1.1-192.168.1.254.
    9. Click Create subnet.

Lease a BareMetal server

Management console
  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select BareMetal and click Lease server.

  3. Under Configuration, click the Pool filter and select the ru-central1-m3 server pool.

  4. Under Configuration, select the appropriate server configuration.

  5. (Optional) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

  6. Under Image, select an image, e.g., Ubuntu 24.04.

  7. In the Lease duration field, select a lease period: 1 day, 1 month, 3 months, 6 months, or 1 year.

    When this period expires, the server lease will automatically be renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  8. Under Private network, in the Private subnet field, select the subnet-m3 subnet you created earlier.

  9. Under Public network, select No address in the Public address field.

  10. Under Access:

    1. In the Password field, select one of the following options to create a root password:

      • To generate a new root password, select New password and click Generate.

        Warning

        This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.

      • To use the root password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret containing your password, its version, and its key, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        Choose the Custom secret type to specify a custom password or Generated to generate a password automatically.

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If your profile has no SSH keys or you need to add a new one:

      • Click Add key.
      • Specify the SSH key name.
      • Upload your public key file or paste its contents in the field below. You will need to create your own SSH key pair to establish a secure server connection.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If adding SSH keys by users to their profiles is disabled in the organization, the public SSH key you add will be saved only to the OS user profile of the new BareMetal server.

  11. Under Server information, in the Name field, enter the server name: server-m3.

  12. Click Lease server.

Note

Server setup and OS installation may take up to 45 minutes. The server will have the Provisioning status during this time. After OS installation is complete, the server status will change to Ready.

Create a routing instance

To set up network connectivity between BareMetal subnets and on-premise subnets, you need to create a Routing Instance resource. To create a Routing Instance, contact support.

If your folder already has Cloud Interconnect network connectivity (VPC-to-On-Prem) configured, you can either use the existing Routing Instance or request a new additional Routing Instance to be created for standalone network connectivity.

Make sure you have a routing instance in your folder

  1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  2. Make sure you have a routing instance in your default folder:

    CLI

    Run this command:

    yc cloudrouter routing-instance list
    

    If your folder already contains a routing instance, the command will output something like this:

    +----------------------+-------------------------------------------+--------+-----------------------+
    |          ID          |                    NAME                   | STATUS | PRIVATE CONNECTION ID |
    +----------------------+-------------------------------------------+--------+-----------------------+
    | cf35oot8f0eu******** | ajeol2afu1js********-enpcfncr6uld******** | ACTIVE | cf395uf8dg7h********  |
    +----------------------+-------------------------------------------+--------+-----------------------+
    
  3. If you already have a routing instance, you may skip the next step and proceed to creating a private connection.

    If you do not have a routing instance or you want to build additional dedicated network connectivity, request a new routing instance.

Request a new routing instance

Contact support to create a routing instance in your folder.

Fill out your request as follows:

Subject: [CIC for BareMetal] Creating a routing instance.

Request text:
Please create a routing instance in the specified cloud folder with the following parameters:

folder_id: <folder_ID>

vpc:
  vpc_net_id: <network_ID>
  vpc_subnets:
    ru-central1-a: [CIDR_a1, CIDR_a2, ..., CIDR_an]
    ru-central1-b: [CIDR_b1, CIDR_b2, ..., CIDR_bn]
    ru-central1-d: [CIDR_d1, CIDR_d2, ..., CIDR_dn]

Where:

  • folder_id: Folder ID.

  • vpc_net_id: Cloud network ID.

  • vpc_subnets: List of announced address prefixes for each availability zone. For example, for the VPC subnet you created earlier, you will specify ru-central1-b: [192.168.11.0/24].

    You may announce aggregated address prefixes.

Note

It may take up to 24 hours for support to create a routing instance. Once it is created, you can get the ID of the new routing instance by running the yc cloudrouter routing-instance list Yandex Cloud CLI command.

Create a private connection

Once the routing instance has been created in your folder, create a private Cloud Interconnect connection in BareMetal:

Management console
  1. In the management console, select the folder where you want to create your private connection.

  2. In the list of services, select BareMetal.

  3. In the left-hand panel, select VRF and then select the virtual network segment you need.

  4. Under Private connection to cloud networks, click Configure connection, and in the window that opens:

    1. In the Setup method field, select Enter ID and paste the Routing Instance private connection ID to the Connection ID field.

      You can also select the Choose from folder option. In this case, select the Routing Instance you need from the list that opens.

      As a result, you will see the CIDR blocks of Virtual Private Cloud subnets that will be advertised over Cloud Interconnect.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    2. To create a private connection for the specified CIDR subnets, click Save.

As a result, the VRF information page will display the newly created connection ID and its status under Private connection to cloud networks.
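
The overlap rule in the warning above can be checked before you send prefixes to support or save the connection. The Python sketch below is an added example, not part of the Yandex Cloud documentation or tooling; the function names and the on-premise prefix 10.10.0.0/16 are assumptions, while 192.168.1.0/24 and 192.168.11.0/24 are the subnets used in this tutorial. It also shows how an aggregated announcement can silently cover the BareMetal subnet.

```python
import ipaddress
from itertools import combinations


def parse_prefixes(groups):
    """Parse {side: [cidr, ...]} into {side: [ip_network, ...]}.

    strict=True rejects prefixes with host bits set (e.g. 192.168.1.1/24),
    which usually indicates a typo in the planned announcement.
    """
    parsed = {}
    for side, cidrs in groups.items():
        nets = []
        for cidr in cidrs:
            try:
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                raise ValueError(f"{side}: invalid prefix {cidr!r}: {exc}") from exc
        parsed[side] = nets
    return parsed


def find_overlaps(groups):
    """Return (side_a, cidr_a, side_b, cidr_b) for every pair of prefixes
    from different sides that match or overlap.

    Prefixes on the same side are not compared: announcing an aggregate
    next to one of its more specific subnets is not a conflict.
    """
    parsed = parse_prefixes(groups)
    conflicts = []
    for (side_a, nets_a), (side_b, nets_b) in combinations(parsed.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if a.version == b.version and a.overlaps(b):
                    conflicts.append((side_a, str(a), side_b, str(b)))
    return conflicts


# Constructed sample plans. The on-premise prefix is an assumption.
PLAN_OK = {
    "baremetal": ["192.168.1.0/24"],   # subnet-m3 from this tutorial
    "vpc": ["192.168.11.0/24"],        # VPC subnet from this tutorial
    "on-prem": ["10.10.0.0/16"],       # hypothetical on-premise range
}
# Same plan, but the VPC side announces an aggregate (192.168.0.0 to
# 192.168.15.255) that contains the BareMetal subnet.
PLAN_AGGREGATED = {**PLAN_OK, "vpc": ["192.168.0.0/20"]}

if __name__ == "__main__":
    for name, plan in (("ok", PLAN_OK), ("aggregated", PLAN_AGGREGATED)):
        conflicts = find_overlaps(plan)
        print(name, "->", conflicts if conflicts else "no overlaps")
```
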

Note

Setting up a private connection may take up to two business days. During this period, the connection status will display as Creating. Once the connection is created, its status will change to Ready.

Private cloud network connections may show one of the following statuses:

  • CREATING: Connection creation in progress.
  • READY: Connection is up and ready to use.
  • ERROR: Connection failure. Contact support.
  • DELETING: Connection deletion in progress.
  • UPDATING: Connection settings update in progress.

Test network connectivity

As soon as the status of the new private connection changes to Ready, network connectivity between the BareMetal and VPC subnets will be established, and you can start checking it.

A network connectivity check assumes that:

  • The process of setting up a private connection to cloud networks has been successfully completed (the connection status is Ready).
  • The local firewall on the BareMetal server allows ICMP traffic.
  • The routing table in the BareMetal server OS contains a route to the CIDR of the subnet the VM resides in.
  • The security group assigned to the VM network interface allows ICMP traffic.

Test network connectivity from the private BareMetal subnet to on-premise resources

Management console
  1. In the management console, select the folder where you created the infrastructure.

  2. In the list of services, select BareMetal.

  3. Next to server-m3, click and select KVM console.

    The KVM console terminal window will open, showing a login prompt:

    server-m3 login:
    

    If you do not see this prompt, try restarting the server.

  4. In the KVM console terminal, specify root for the username and press ENTER.

  5. Paste the password generated when leasing the server in the password input line and press ENTER. Note that when typing or pasting a password in Linux, the characters you enter will not appear on the screen.

    Tip

    To paste clipboard text to the KVM console, use the Paste text here field in the upper right corner.

    Result:

    Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-53-generic x86_64)
    ...
    root@server-m3:~# _
    

    If you did not save the server administrator password, you can create a new password following this guide or reinstall the server OS.

  6. In the KVM console terminal, run the ping command to make sure you can access sample-vm by its internal IP address:

    ping <VM_internal_IP_address> -c 5
    

    You can find the VM internal IP address in the management console under Network interface on the VM information page.

    Result:

    PING 192.168.11.2 (192.168.11.2) 56(84) bytes of data.
    64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=3.90 ms
    64 bytes from 192.168.11.2: icmp_seq=2 ttl=64 time=0.235 ms
    64 bytes from 192.168.11.2: icmp_seq=3 ttl=64 time=0.222 ms
    64 bytes from 192.168.11.2: icmp_seq=4 ttl=64 time=0.231 ms
    64 bytes from 192.168.11.2: icmp_seq=5 ttl=64 time=0.235 ms
    
    --- 192.168.11.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4086ms
    rtt min/avg/max/mdev = 0.222/0.964/3.899/1.467 ms
    

    Network connectivity between the BareMetal server and the VM has been established with zero packet loss.

Test network connectivity from an on-premise resource to the private BareMetal subnet

  1. Connect to the virtual machine over SSH.

  2. In the terminal, run the ping command to make sure you can access server-m3 by its private IP address:

    ping <server_private_IP_address> -c 5
    

    You can find the BareMetal server's private IP address in the management console under Network settings on the server information page.

    Result:

    PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
    64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.271 ms
    64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.215 ms
    64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.262 ms
    64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.223 ms
    64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.208 ms
    
    --- 192.168.1.3 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4106ms
    rtt min/avg/max/mdev = 0.208/0.235/0.271/0.025 ms
    

    Network connectivity between the VM and the BareMetal server has been established with zero packet loss.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.

  2. You cannot delete a BareMetal server. Instead, cancel the server lease renewal.

  3. Delete the private connection if you no longer need it:

    Management console
    1. In the management console, select the folder where you created the infrastructure.
    2. In the list of services, select BareMetal.
    3. In the left-hand panel, click VRF and select my-vrf.
    4. Under Private connection to cloud networks, click and select Disable connection.
    5. In the window that opens, confirm the deletion.

    The connection status will change to Deleting. Once all links are deleted, the connection will disappear from the list.

© 2025 Direct Cursus Technology L.L.C.