Creating a resource

Written by

Yandex Cloud

Updated at May 5, 2025

To create a resource:

Management console

CLI

Terraform

API

In the management console, select the folder where you want to create a resource.
Select Cloud CDN.
If the CDN provider is not activated yet, click Activate provider. A connection will be established automatically.

If you do not see the Activate provider button and you can create resources and origin groups, it means that the provider is already activated. Proceed to the next step.
Click Create resource.
Under Content, select the Content query: From one origin or From origin group:
- When requesting content From one origin, select an Origin type: Server, Bucket, or L7 load balancer. Specify an origin.
- When requesting content from an From origin group, select an origin group or create a new one:
  - Click Create.
  - Enter Group name.
  - Configure Origin:
    - Specify the Origin type: Server, Bucket, or L7 load balancer.
    - Specify an origin.
    - Select the Priority: Active or Backup.
  - Add other origins if needed.
  - Click Create. In the Origin group field, you will see the name of the created origin group.
For more information, see Origins and origin groups.
Add labels, if required:
1. Click Add label.
2. Enter a label in key: value format.
3. Press Enter.
Under Domain names for content distribution, enter Domain name. You can add multiple Domain names. Names may include characters other than ASCII, e.g., Cyrillic, or Punycode. The first name is considered the primary domain name.

Warning

After you create a resource, you cannot change the primary domain name.

In the settings of your DNS hosting, create CNAME records for the specified domain names using the value displayed at the bottom of the Domain names for content distribution section. For more information, see Domain names for content distribution.
Under Additional settings:
1. Select Origin request protocol.
2. Select a client redirect method: Don't use or HTTPS to HTTP.
  
  To enable redirecting clients from HTTP to HTTPS, create a CDN resource without a redirect and get a TLS certificate for your domain name. Next, in the CDN resource settings, select the HTTP to HTTPS client redirect method.
3. Enable or disable Enable access to content.
4. In the Certificate type field, select one of the options:
  - Don't use: Resource will only be available over HTTP.
  - Use from Certificate Manager: Select a certificate. The resource will be available over HTTP and HTTPS.
    
    Note
    
    We no longer support the automatic issue of Let's Encrypt® certificates for CDN resources.
    
    Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
    
    The certificate must be located in the same folder as your CDN resource.
  For more information, see Configuring TLS certificates for HTTPS connections between clients and the CDN.
5. Select the Host header value (Primary domain name or Match client) or choose Custom and enter the Header value. For more information, see Host header in CDN server requests to origins.
6. To enable request redirection on a CDN resource:
  1. Enable Redirect requests.
  2. In the Rewrite rule field, set a rule, e.g., /(.*) /new-folder/$1.
    
    A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
    
    You can use regular expressions in the rule. For more information, see Rewrite rule.
  3. In the Flag field, specify the required flag:
    - break: Terminates the processing of the current set of directives.
    - last: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
    - redirect: Returns a temporary redirect with the 302 status code to the user. This flag is used if the replacement string does not start with http://, https://, or $scheme.
    - permanent: Returns a permanent redirect with the 301 status code to the user.
7. To restrict access to resource content with secure tokens, enable Access via secure token:
  - Specify a Secret key that is a string of 6 to 32 characters. You will need a secret key to generate pre-signed URLs.
    
    You can view the secret key you saved in the management console or using the yc cdn resource list CLI command.
  - Use the Limit access by IP address field to restrict access to content by IP address:
    - Only trusted IP addresses: Access to files will be allowed only from a specific IP address of the content recipient. The IP address is specified as a parameter outside a CDN resource when generating an MD5 hash for a pre-signed URL.
    - No restrictions: Access to files will be allowed from any IP address.
  For more information, see Setting up access via a secure token.
8. To restrict access to resource content using an IP-based access policy, enable IP-based access:
  - Select the type of access policy:
    - Block all except: Allowing policy. Access to the resource content will be allowed for any IP addresses other than those specified below.
    - Allow all except: Blocking policy. Access to the resource content will be denied for any IP addresses other than those specified below.
  - In the List of IP addresses field, specify the list of IP addresses excluded from the above access policy.
    
    You must specify IP addresses with a subnet prefix in CIDR notation separated by commas. For example: 192.168.3.2/32, 192.168.17.0/24.
Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

If you have not created resources before, connect to the provider first:
```
yc cdn provider activate --type gcore
```
View the description of the CLI create resource command:
```
yc cdn resource create --help
```

Get a list of origin groups in the folder:

yc cdn origin-group list --format yaml

Result:

- id: "90209"
  folder_id: s0mefo1der7p********
  name: test-group-1
  use_next: true
  origins:
  - id: "561547"
    origin_group_id: "90209"
    source: www.example2.com
    enabled: true
    backup: true
  - id: "561546"
    origin_group_id: "90209"
    source: www.example1.com
    enabled: true
- id: "90208"
  folder_id: b1g86q4m5ve********
  name: test-group
  use_next: true
  origins:
  - id: "561545"
    origin_group_id: "90208"
    source: www.a2.com
    enabled: true
    backup: true
  - id: "561544"
    origin_group_id: "90208"
    source: www.a1.com
    enabled: true

Create a resource:
```
yc cdn resource create <resource_domain_name> \
  --origin-group-id <origin_group_ID> \
  --origin-protocol <origin_protocol>
```
- Instead of --origin-group-id, you can specify the origin domain name using the --origin-custom-source flag.
- Possible --origin-protocol values are HTTP, HTTPS, and MATCH (same as the client's).
To configure a TLS certificate for a CDN resource, use these parameters:
- --dont-use-ssl-cert: Do not use a certificate. The resource will be only available over HTTP.
- --cert-manager-ssl-cert-id: Certificate ID. The resource will be available over HTTP and HTTPS.
  
  Note
  
  We no longer support the automatic issue of Let's Encrypt® certificates for CDN resources.
  
  Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
  
  The certificate must be located in the same folder as your CDN resource.
To enable request redirection on a CDN resource, use these parameters:
- --rewrite-body: Rewrite rule, e.g., --rewrite-body '/(.*) /new-folder/$1'.
  
  A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
  
  You can use regular expressions in the rule. For more information, see Rewrite rule.
- --rewrite-flag: Flag. The possible values are:
  - break: Terminates the processing of the current set of directives.
  - last: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
  - redirect: Returns a temporary redirect with the 302 status code to the user. This flag is used if the replacement string does not start with http://, https://, or $scheme.
  - permanent: Returns a permanent redirect with the 301 status code to the user.
- To add labels, use the --add-labels parameter, e.g., --add-labels key1=value1.
If you want to restrict access to resource content with secure tokens, use the following parameters:
- --secure-key: Secret key that is a string of 6 to 32 characters.
- --enable-ip-url-signing: Optional parameter that restricts access to a CDN resource based on IP. A trusted IP address is specified as a parameter outside a CDN resource when generating an MD5 hash for a signed link. If the parameter is not set, file access will be allowed from any IP.
See also Setting up access via a secure token.

If you want to restrict access to resource content using an IP address access policy, use the following parameters:
- --acl-excepted-values: IP address for which access to the content will be allowed or denied. For an address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.
  
  You can only provide one IP address in the --acl-excepted-values parameter. To provide more addresses, set the --acl-excepted-values parameter multiple times.
- --policy-type: Policy type. The possible values include:
  - allow: Allowing policy. Access to the resource content will be allowed for any IP addresses other than those specified in the --acl-excepted-values parameter.
  - deny: Blocking policy. Access to the resource content will be denied for any IP addresses other than those specified in the --acl-excepted-values parameter.
For more information about the yc cdn resource create command, see the CLI reference.

Get the CNAME record value for the CDN resource:

yc cdn resource get-provider-cname

Result:

cname: cl-ms6*****90.edgecdn.ru
folder_id: b1gt6g8ht345********

In Yandex Cloud DNS, create a resource record with the obtained value.

Make sure to activate the CDN provider before creating a resource. You can activate it in the management console or using this CLI command:

yc cdn provider activate \
  --folder-id <folder_ID> \
  --type gcore

Where:

--folder-id: ID of the folder where you want to activate the CDN provider.
--type: Provider type. The only possible value is gcore.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

In the configuration file, describe the parameters of the CDN resource to create:
```
resource "yandex_cdn_resource" "my_resource" {
    cname               = "<domain_name>"
    active              = true
    origin_protocol     = "https"
    origin_group_id     = <origin_group_ID>
    secondary_hostnames = ["<additional_domain_name_1>", "additional_domain_name_2"]
    ssl_certificate {
      type = "certificate_manager"
      certificate_manager_id = "<certificate_ID>"
    }
    options {
      redirect_http_to_https = true
      secure_key = "<secret_key>"
      enable_ip_url_signing = true
      ip_address_acl {
        excepted_values = ["<IP_address_1>", "<IP_address_2>", ..., "<IP_address_n>"]
        policy_type = "<policy_type>"
      }
    }
}
```
Where:
- cname: Primary domain name used for content distribution. This is a required parameter.
- active: (Optional) Flag for content availability to end users (true: CDN content is available to clients; false: content not available). The default value is true.
- origin_protocol: (Optional) Origin protocol. The default value is HTTP.
- origin_group_id: ID of the origin group. This is a required parameter. Use the ID from the description of the origin group in the yandex_cdn_origin_group resource.
- secondary_hostnames: (Optional) Additional domain names.
- ssl_certificate: (Optional) SSL certificate parameters:
  
  Note
  
  We no longer support the automatic issue of Let's Encrypt® certificates for CDN resources.
  - type: Certificate type. The possible values are:
    - not_used: No certificate is used. This is a default value.
    - certificate_manager: Custom certificate. Specify the certificate ID in the certificate_manager_id parameter.
      
      Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
      
      The certificate must be located in the same folder as your CDN resource.
  - certificate_manager_id: User certificate ID in Certificate Manager.
- options: (Optional) Additional parameters of the CDN resource:
  - redirect_http_to_https: Parameter to redirect clients from HTTP to HTTPS, true or false. Available if an SSL certificate is used.
  - secure_key: Secret key that is a string of 6 to 32 characters. It is required to restrict access to a resource using secure tokens.
  - enable_ip_url_signing: Optional parameter that enables restricting access to a CDN resource by IP address using secure tokens. A trusted IP address is specified as a parameter outside a CDN resource when generating an MD5 hash for a signed link. If the parameter is not set, file access will be allowed from any IP address.
  - ip_address_acl: IP-based access policy parameters:
    - excepted_values: List of IP addresses for which access to the resource content will be allowed or denied. Separate IP addresses by commas. For each address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.
    - policy_type: Policy type. The possible values include:
      - allow: Allowing policy. Access to the resource content will be allowed for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.
      - deny: Blocking policy. Access to the resource content will be denied for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.
  Note
  
  If you delete the secure_key and ip_address_acl parameters in the configuration file, these options will not be automatically disabled. To disable the secure_key and ip_address_acl options, use the CLI or API.
For more information about yandex_cdn_resource parameters in Terraform, see the provider documentation.
Create the resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
Terraform will create all the required resources. You can check the new CDN resource using the management console or this CLI command:
```
yc cdn resource list
```

Get the CNAME record value for the CDN resource:

yc cdn resource get-provider-cname

Result:

cname: cl-ms6*****90.edgecdn.ru
folder_id: b1gt6g8ht345********

In Yandex Cloud DNS, create a resource record with the obtained value.

If you have not created any resources before, connect to the CDN provider. To do this, use the activate REST API method for the Provider resource or the ProviderService/Activate gRPC API call.

Use the create REST API method for the Resource resource or the ResourceService/Create gRPC API call.

You can restrict access to the resource with secure tokens and an IP-based access policy.
Create a CNAME record for the CDN resource in Yandex Cloud DNS:
- To get the CNAME record value for a CDN resource, use the getProviderCName REST API method for the Resource resource or the ResourceService/GetProviderCName gRPC API call.
- To create a resource record in a DNS zone, use the updateRecordSets REST API method for the DnsZone resource or the DnsZoneService/UpdateRecordSets gRPC API call.

The new resource will start running properly after the CNAME record that you created on your DNS hosting (see the section about domain names used for content distribution) is propagated across DNS servers. This might take a few hours.

Note

Do not use an ANAME resource record with domain names for content distribution; otherwise, the end user will get a response from a CDN server not linked to the user's geolocation. The response will always be the same for all users.

For a resource in Cloud CDN, you can specify additional settings provided by EdgeCenter, a CDN provider. For a complete description of its features, see the CDN provider's API documentation. To enable additional options, request access to them from technical support.

Examples

CLI

Create a resource with HTTP:

yc cdn resource create testexample.com \
  --origin-group-id 90209 \
  --origin-protocol HTTP

Result:

id: s0me1dkfjq********
...
cname: testexample.com
active: true
...
origin_group_id: "90209"
origin_group_name: test-group-1
origin_protocol: HTTP
ssl_certificate:
type: DONT_USE
status: READY

Creating a resource

ExamplesExamples

Was the article helpful?

Examples