Managing serial console access
The serial console allows you to access a VM instance no matter what the network or OS state currently is.
Managing serial console access requires the compute.admin or editor role.
By default, access to the Compute Cloud VM serial console is disabled.
Warning
When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:
-
The VM will remain manageable over the internet even without an external IP address.
A user who has successfully authenticated in the Yandex Cloud management console and has the required access permissions for the VM will be able to access the serial console. One can also access the VM serial console via SSH client applications, such as PuTTY, or through the CLI by authenticating with an SSH key. Therefore, make sure to prevent any unauthorized access to your SSH key and always end the web session to reduce interception risks.
-
Your serial console session will simultaneously be shared by all users who have access to the serial console. Users will be able to see each other's actions if concurrently viewing the serial console output.
-
A valid serial console session can be accessed by another user.
We recommend enabling serial console access only when absolutely necessary, granting access permissions to a limited group of trusted users, and using strong VM passwords.
When you are done using the management console, do not forget to disable access to it.
Enabling access to the serial console
You can enable access to the serial console either when creating a new VM instance or by updating the existing one.
Creating a new VM with serial console access enabled
To enable access to the serial console when creating a new VM instance based on a public image from Yandex Cloud Marketplace:
-
In the management console, select the folder where you want to create your VM.
-
Navigate to Compute Cloud.
-
In the left-hand panel, select Virtual machines.
-
Click Create virtual machine.
-
Under Boot disk image, select one of the Yandex Cloud Marketplace images.
-
Under Location, select an availability zone where your VM will reside.
-
Under Computing resources, select one of the preset configurations or create a custom one.
-
Under Network settings:
-
In the Subnet field, enter the ID of a subnet in the new VM’s availability zone. Alternatively, select a cloud network from the list.
- Each network must have at least one subnet. If your network has no subnets, create one by selecting Create subnet.
- If there is no network, click Create network to create one:
-
In the Public IP address field, select the Auto address assignment method to assign a random IP address from the Yandex Cloud address pool.
-
Select the relevant security groups. If you leave this field empty, the default security group will be assigned to the VM.
-
-
Under Access:
-
Select Access by OS Login to connect and manage access to the new VM using OS Login in Yandex Identity Hub.
With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the Yandex Cloud CLI. OS Login enables rotating the SSH keys used to access VMs, providing the most secure access option.
-
If you prefer not to use OS Login, select SSH key and specify the following VM access data:
-
In the Login field, enter the username.
Alert
Do not use root or other OS-reserved usernames. To perform operations requiring root privileges, use the sudo command.
-
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no SSH keys in your profile or you want to add a new key:
-
Click Add key.
-
Enter a name for the SSH key.
-
Select one of the following:
-
Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.
-
Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
-
Generate key: Automatically create an SSH key pair.
When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need to additionally enter the public key in the management console.
-
-
Click Add.
The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.
-
-
If you want to add multiple users with SSH keys to the VM at the same time, specify these users' data under Metadata. You can also use metadata to install additional software on a VM when creating it.
In public Linux images provided by Yandex Cloud, the functionality of connecting over SSH using login and password is disabled by default.
-
-
Under General information, enter a name for your VM:
- Length: between 3 and 63 characters.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Note
The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
-
Expand the Additional section, and enable Enable in the Serial console access field.
-
Click Create VM.
The VM will appear in the list. The new VM will get an IP address and a host name (FQDN).
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
Create a key pair (public and private keys) for SSH access to the VM.
-
Create a VM in the default folder. The example below creates a VM based on a public image from Yandex Cloud Marketplace running Ubuntu 24.04 LTS:
yc compute instance create \
  --name sample-instance \
  --zone ru-central1-a \
  --network-interface subnet-id=<subnet_ID>,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2404-lts-oslogin,auto-delete=true \
  --metadata enable-oslogin=false,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
Where:
-
--name: VM name. The naming requirements are as follows:
- Length: between 3 and 63 characters.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Note
The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
-
--zone: Availability zone to create the VM in.
-
--network-interface: Network settings of the new VM:
- subnet-id: ID of the subnet in the availability zone the VM is created in.
-
--metadata: VM metadata:
-
enable-oslogin: Parameter responsible for access to the VM instance via OS Login. The possible values are:
- true: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
- false: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
-
serial-port-enable=1: Parameter enabling access to the VM via the serial console.
-
ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH.
-
For more information about the yc compute instance create command, see the CLI reference.
Enabling access to the serial console for an existing VM
To enable access to the serial console for an existing VM:
-
In the management console, select the folder the VM instance resides in.
-
Navigate to Compute Cloud.
-
In the left-hand panel, select Virtual machines.
-
Find the VM row in the VM list, click
, and select Edit. In the window that opens:
- Expand the Additional section, and enable Enable in the Serial console access field.
- Click Save changes.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
Update the VM by specifying its name or ID in the command below:
yc compute instance update <VM_name_or_ID> \
  --metadata enable-oslogin=<true|false>,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
Where --metadata is the VM metadata:
-
enable-oslogin: Parameter responsible for access to the VM instance via OS Login. The possible values are:
- true: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
- false: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
-
serial-port-enable=1: Parameter enabling access to the VM via the serial console.
-
ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH.
For more information about the yc compute instance update command, see the CLI reference.
Disabling access to the serial console
Access to the serial console for all newly created Compute Cloud VMs is disabled by default.
To disable serial console access for an existing VM:
-
In the management console, select the folder the VM instance resides in.
-
Navigate to Compute Cloud.
-
In the left-hand panel, select Virtual machines.
-
Find the VM row in the VM list, click
, and select Edit. In the window that opens:
- Expand the Additional section, and enable Enable in the Serial console access field.
- Click Save changes.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
Update the VM by specifying its name or ID in the command below:
yc compute instance update <VM_name_or_ID> \
  --metadata enable-oslogin=<true|false>,serial-port-enable=0,ssh-keys='<username>:<public_SSH_key>'
Where --metadata is the VM metadata:
-
enable-oslogin: Parameter responsible for access to the VM instance via OS Login. The possible values are:
- true: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
- false: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
-
serial-port-enable=0: Parameter disabling access to the VM via the serial console.
-
ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH.
For more information about the yc compute instance update command, see the CLI reference.
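Because the serial console stays enabled until serial-port-enable is set back to 0, it helps to review VM metadata periodically. The script below is an added example, not part of the original documentation: it reads exported VM descriptions and reports every VM with serial-port-enable=1, whether it is on an approved list, and which local users have keys set via the metadata. The JSON layout of the sample, the VM names and the approved list are assumptions made for the example; only the metadata keys come from this page.

```python
import json

# Constructed sample input. The layout (a JSON array of objects with "name"
# and a "metadata" map of strings) is an assumption made for this example.
SAMPLE = """[
 {"name": "bastion", "metadata": {"serial-port-enable": "1",
   "enable-oslogin": "false", "ssh-keys": "admin:ssh-ed25519 AAAA-constructed"}},
 {"name": "web-1", "metadata": {"serial-port-enable": "0", "enable-oslogin": "true"}},
 {"name": "db-1", "metadata": {"serial-port-enable": "1", "enable-oslogin": "true",
   "ssh-keys": "ops:ssh-ed25519 AAAA-constructed"}},
 {"name": "batch-1", "metadata": {}}
]"""


def metadata_key_users(metadata):
    """User names from ssh-keys entries of the form <username>:<public_SSH_key>."""
    users = []
    for line in metadata.get("ssh-keys", "").splitlines():
        user, sep, key = line.strip().partition(":")
        if sep and user and key:
            users.append(user)
    return users


def audit(instances, approved=frozenset()):
    """Return one finding per VM whose metadata has serial-port-enable=1."""
    findings = []
    for vm in instances:
        md = vm.get("metadata") or {}
        # A missing key means the serial console is off, which is the default.
        if str(md.get("serial-port-enable", "0")).strip() != "1":
            continue
        oslogin = str(md.get("enable-oslogin", "")).strip().lower() == "true"
        findings.append({
            "name": vm.get("name", "<unnamed>"),
            "approved": vm.get("name") in approved,
            "oslogin": oslogin,
            # With OS Login on, keys set via the metadata are blocked.
            "metadata_key_users": [] if oslogin else metadata_key_users(md),
        })
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE), approved={"bastion"}):
        status = "approved" if f["approved"] else "NOT APPROVED, disable serial console"
        print(f"{f['name']}: serial console enabled ({status}); "
              f"OS Login={f['oslogin']}; metadata key users={f['metadata_key_users']}")
```

Any VM reported as not approved is a candidate for the disabling procedure described above.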