Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a resource

Written by
Updated at August 26, 2025

To create a resource:

  1. In the management console, select the folder where you want to create a resource.

  2. Select Cloud CDN.

  3. Click Create resource.

  4. Configure the basic CDN resource settings:

    Tip

    You can set CDN resource parameters from a configuration of another CDN resource. To do this, in the Copy a configuration field, select an existing CDN resource. Keep in mind the following:

    • You can migrate the Domain name parameter from the CDN resource of one CDN provider to another. The name must be unique across the resources of a single provider.
    • Copying parameters between resources of different providers creates a copy of the origin group in the provider of the new resource.
    • If the original resource has an uploaded TLS certificate, it will be reused in the new resource. You do not need to upload it again.

    • Under Content:

      • Enable or disable Enable access to content.

      • In the Content query field, select From one origin or From origin group:

        • When requesting From one origin content, select the Origin type: Server, Bucket, or L7 load balancer, and specify the origin.
        • When requesting content From origin group, select an origin group or create a new one:
          1. Click Create.
          2. Specify Group name.
          3. Configure Origin:
            • Specify the Origin type: Server, Bucket, or L7 load balancer.
            • Specify an origin.
            • Select the Priority: Active or Backup.
          4. Add other origins if needed.
          5. Click Create. In the Origin group field, you will see the name of the created origin group.

        Note

        If the CDN resource is from one CDN provider and the selected existing origin group is from another, a duplicate origin group will be created for the CDN resource provider.

        For more information, see Origins and origin groups.

      • In the Origin request protocol field, select a protocol for the origins.

      • In the Domain name field, specify the primary domain name you will use in your website links to CDN-hosted content, e.g., cdn.example.com.

        You can add multiple Domain names. Names may include characters other than ASCII, e.g., Cyrillic or Punycode. The first name is considered the primary domain name.

        Alert

        You cannot change the primary domain name used for content distribution after creating a CDN resource.

      • Optionally, add labels:

        1. Click Add label.
        2. Enter a label in key: value format.
        3. Press Enter.

    • Under Additional settings:

      • In the Redirect clients field, select Don't use or HTTPS to HTTP.

        To enable redirecting clients from HTTP to HTTPS, create a CDN resource without a redirect and get a TLS certificate for your domain name. Next, in the CDN resource settings, select the HTTP to HTTPS client redirect method.

      • In the Certificate type field, select one of the options:

        • Don't use: Resource will only be available over HTTP.
        • Use from Certificate Manager: Select a certificate. The resource will be available over HTTP and HTTPS.

        Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.

        The certificate must be located in the same folder as your CDN resource.

        Learn more about configuring TLS certificates for HTTPS connections.

      • In the Host header field, select the value (Primary domain name or Match client) or opt for Custom and enter the Header value.

        Learn more about the Host header in CDN server requests to origins.

      • Optionally, to enable request redirection on a CDN resource, do the following:

        1. Enable Redirect requests.

        2. In the Rewrite rule field, set a rule, e.g., /(.*) /new-folder/$1.

          A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.

          You can use regular expressions in the rule.

          For more information, see Rewrite rule.

        3. In the Flag field, specify the required flag:

          • break: Terminates the processing of the current set of directives.
          • last: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
          • redirect: Returns a temporary redirect with the 302 status code to the user. This flag is used if the replacement string does not start with http://, https://, or $scheme.
          • permanent: Returns a permanent redirect with the 301 status code to the user.

      • Optionally, to restrict access to resource content with secure tokens, enable Access via secure token:

        • Specify a Secret key that is a string of 6 to 32 characters. You will need a secret key to generate pre-signed URLs.

          You can view the secret key you saved in the management console or using the yc cdn resource list CLI command.

        • Use the Limit access by IP address field to restrict access to content by IP address:

          • Only trusted IP addresses: Access to files will be allowed only from a specific IP address of the content recipient. The IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL.
          • No restrictions: Access to files will be allowed from any IP address.

        Learn more about access via a secure token.

      • Optionally, to restrict access to resource content using an IP-based access policy, enable IP-based access:

        • Select the type of access policy:

          • Block all except: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified below.
          • Allow all except: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified below.

        • In the List of IP addresses field, specify the list of IP addresses excluded from the above access policy.

          You must specify IP addresses with a subnet prefix in CIDR notation separated by commas. For example, 192.168.3.2/32, 192.168.17.0/24.

      • Optionally, to set a CDN provider, enable Select provider and specify the one you need.

        The default provider is Yandex Cloud CDN.

        Warning

        When creating each CDN resource and each origin group, they get assigned a specific provider. You cannot change the assigned provider.

  5. Click Continue.

  6. Optionally, under Caching, do the following:

    Tip

    You can configure these settings later, if required.

    • Under CDN:

      • Enable CDN caching.
      • Select the setting type: Same as origin or Custom settings.
      • Select the cache lifetime from the list.
      • Optionally, for the Custom settings setting type, set the cache lifetime for the required HTTP response codes.

    • Under Browser:

      • Enable Browser caching.
      • Select the cache lifetime from the list.

    • Under Additional settings:

      • Select the option to ignore Cookies.
      • Select the option to ignore the Query parameters.

    • For CDN servers to compress content before sending it to clients, select GZip.

      The content will be sent in gzip format with the Content-Encoding HTTP header. From origins, only uncompressed content will be requested.

      Learn more about file compression.

    • If you want files larger than 10 MB to be requested and cached in parts, each part no larger than 10 MB, select Segmentation of large files.

      For segmentation to work, content origins must support partial GET requests with the Range header.

      Learn more about segmentation.

    Learn more about caching.

  7. Click Continue.

  8. Under HTTP headers and methods:

    Tip

    You can configure these settings later, if required.

    • Under Origin request headers:

      • In the Header field, click Add.
      • Enter names and values of the headers you need.

    • Under Client response headers:

      • In the Header field, click Add.
      • Enter names and values of the headers you need.

      Learn more about configuring HTTP headers for requests and responses.

    • Under CORS when responding to client requests:

      • In the Access-Control-Allow-Origin header field, specify whether to add this header to responses.
      • When adding a header, select the values of the Origin header that allow access to the content. To grant access only to specific origins, select Same as Origin if on the list, specify the origin domain names and click Add domain name.

      Learn more about configuring CORS for responses to clients.

    • Under Client request methods, select Allowed methods from the drop-down list.

      Learn more about configuring HTTP methods.

  9. Click Create and continue.

  10. Optionally, under Advanced, do the following:

    Tip

    You can configure these settings later, if required.

  11. Click Continue.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to create a resource:

    yc cdn resource create --help

  2. Get a list of origin groups in the folder:

    yc cdn origin-group list --format yaml

    Result:

    - id: "90209"
  folder_id: s0mefo1der7p********
  name: test-group-1
  use_next: true
  origins:
  - id: "561547"
    origin_group_id: "90209"
    source: www.example2.com
    enabled: true
    backup: true
  - id: "561546"
    origin_group_id: "90209"
    source: www.example1.com
    enabled: true
- id: "90208"
  folder_id: b1g86q4m5ve********
  name: test-group
  use_next: true
  origins:
  - id: "561545"
    origin_group_id: "90208"
    source: www.a2.com
    enabled: true
    backup: true
  - id: "561544"
    origin_group_id: "90208"
    source: www.a1.com
    enabled: true

  3. Create a resource:

    yc cdn resource create <resource_domain_name> \
  --origin-group-id <origin_group_ID> \
  --origin-protocol <origin_protocol>
    • Instead of --origin-group-id, you can specify the origin domain name using the --origin-custom-source flag.
    • The possible --origin-protocol values are HTTP, HTTPS, and MATCH (same as the client's).

    To configure a TLS certificate for a CDN resource, use these parameters:

    To enable request redirects on a CDN resource, use these parameters:

    • --rewrite-body: Rewrite rule, e.g., --rewrite-body '/(.*) /new-folder/$1'.

      A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.

      You can use regular expressions in the rule.

      For more information, see Rewrite rule.

    • --rewrite-flag: Flag. The possible values are:

      • break: Terminates the processing of the current set of directives.
      • last: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
      • redirect: Returns a temporary redirect with the 302 status code to the user. This flag is used if the replacement string does not start with http://, https://, or $scheme.
      • permanent: Returns a permanent redirect with the 301 status code to the user.

    • To add labels, use the --add-labels parameter, e.g., --add-labels key1=value1.

    If you want to restrict access to resource content with secure tokens, use the following parameters:

    • --secure-key: Secret key, a string of 6 to 32 characters.
    • --enable-ip-url-signing: Optional parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

    See also Setting up access via a secure token.

    If you want to restrict access to resource content using an IP address access policy, use the following parameters:

    • --acl-excepted-values: IP address for which access to the content will be allowed or denied. For the address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.

      You can only provide one IP address in the --acl-excepted-values parameter. To provide multiple addresses, set the --acl-excepted-values parameter for each address.

    • --policy-type: Policy type. The possible values are as follows:

      • allow: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the --acl-excepted-values parameter.
      • deny: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the --acl-excepted-values parameter.

    For more information about the yc cdn resource create command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the properties of the CDN resource to create:

    resource "yandex_cdn_resource" "my_resource" {
    cname               = "<domain_name>"
    active              = true
    origin_protocol     = "https"
    origin_group_id     = <origin_group_ID>
    secondary_hostnames = ["<additional_domain_name_1>", "additional_domain_name_2"]
    ssl_certificate {
      type = "certificate_manager"
      certificate_manager_id = "<certificate_ID>"
    }
    options {
      redirect_http_to_https = true
      secure_key = "<secret_key>"
      enable_ip_url_signing = true
      ip_address_acl {
        excepted_values = ["<IP_address_1>", "<IP_address_2>", ..., "<IP_address_n>"]
        policy_type = "<policy_type>"
      }
    }
}

    Where:

    • cname: Primary domain name used for content distribution. This is a required parameter.

    • active: Optional flag for content availability to end users, wheretrue means the CDN content is available to clients, and false means that the content not available. The default value is true.

    • origin_protocol: Optional origin protocol. The default value is http.

    • origin_group_id: Origin group ID. This is a required parameter. Use the ID from the description of the origin group in the yandex_cdn_origin_group resource.

    • secondary_hostnames: Optional additional domain names.

    • ssl_certificate: Optional SSL certificate parameters:

      • type: Certificate type. The possible values are:

      • certificate_manager_id: Custom certificate ID in Certificate Manager.

    • options: Optional additional parameters of the CDN resource:

      • redirect_http_to_https: Parameter to redirect clients from HTTP to HTTPS, true or false. This parameter is available if an SSL certificate is used.

      • secure_key: Secret key, that is a string of 6 to 32 characters, which is required to restrict access to a resource using secure tokens.

      • enable_ip_url_signing: Optional parameter that enables restricting access to a CDN resource by IP address using secure tokens. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

      • ip_address_acl: IP-based access policy parameters:

        • ip_address_acl: List of IP addresses for which access to the resource content will be allowed or denied. Separate IP addresses by commas. For each address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.

        • policy_type: Policy type. The possible values are as follows:

          • allow: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.
          • deny: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.

      Note

      Deleting the secure_key and ip_address_acl parameters in the configuration file will not automatically disable them. You can delete secure_key and ip_address_acl using the CLI or API.

    For more information about the yandex_cdn_resource properties in Terraform, see the provider documentation.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new CDN resource using the management console or this CLI command:

    yc cdn resource list

Use the create REST API method for the Resource resource or the ResourceService/Create gRPC API call.

You can restrict access to the resource with secure tokens and an IP-based access policy.

Once the CDN resource is created, get the CDN provider's domain name and create a CNAME resource record for the specified name in your DNS hosting settings, e.g., in Yandex Cloud DNS. For more information, see Domain names for content distribution.

Sample resource record:

cdn.example.com. CNAME 328938ed********.a.yccdn.cloud.yandex.net

The new resource will start running properly after the CNAME record that you created on your DNS hosting (see Host names) is propagated across DNS servers. This may take several hours.

Note

Do not use an ANAME resource record with domain names for content distribution; otherwise, the end user will get a response from a CDN server not linked to the user geolocation. The response will always be the same for all users.

For a CDN resource with the EdgeCDN provider, you can configure advanced settings. For a complete description of its features, see the CDN provider's API documentation. To enable additional options, request access to them from technical support.

Examples

Create a resource with HTTP:

yc cdn resource create testexample.com \
  --origin-group-id 90209 \
  --origin-protocol HTTP

Result:

id: s0me1dkfjq********
...
cname: testexample.com
active: true
...
origin_group_id: "90209"
origin_group_name: test-group-1
origin_protocol: HTTP
ssl_certificate:
type: DONT_USE
status: READY
Previous
All guides
Next
Copying a configuration from one resource to another