Creating a VM from a public Linux image

Written by

Yandex Cloud

Improved by

Updated at November 27, 2025

Note

To create, modify, and edit a VM, you need the compute.editor minimum role for the folder. To create a VM with a licensed image, you will additionally need the license-manager.viewer role.

To create a VM with a public IP address, you will additionally need the vpc.publicAdmin role.

Management console

CLI

Terraform

API

In the management console, select the folder where you want to create your VM.
In the list of services, select Compute Cloud.
In the left-hand panel, select Virtual machines.
Click Create virtual machine.
Select Advanced setup.

Note

The management console retains the VM configuration method you select. In the future, this method will be preselected.
Under Boot disk image, select an image and a Linux-based OS version.

To create a VM from an existing boot disk, go to the Custom tab and select the boot disk you need. To update disk settings, click next to the disk name.
Under Location, select the availability zone where your VM will reside.
Optionally, configure the boot disk under Disks and file storages:
- Select the disk type.
- Specify the required disk size.
- Optionally, to encrypt a boot disk or a secondary disk, under Disks and file storages, click to the right of the disk name and configure encryption parameters for the disk:
  - Select Encrypted disk.
  - In the KMS key field, select the key you want to use to encrypt the disk. To create a new key, click Create.
  To create an encrypted disk, you need the kms.keys.user role or higher.
  
  Warning
  
  You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.
  
  If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.
  
  Alert
  
  If you destroy the key or its version used to encrypt a disk, image, or snapshot, you will irrevocably lose access to the data. For details, see Destroying key versions.
  
  If you are creating a VM instance from an existing boot disk, update the settings of that disk in the Custom tab under Boot disk image at the top of the form.
Optionally, add a secondary disk:
- Under Disks and file storages, click Add.
- In the window that opens, select Disk. You can select an existing disk or create a new one, either empty or from a snapshot or image.
  
  For example, to create a new empty disk:
  - Select Create new.
  - In the Contents field, select Empty.
  - Enter a name for the disk.
  - Select the disk type.
  - Specify the required disk and block size.
  - Optionally, enable Additional in the Delete along with the virtual machine field if you need this disk automatically deleted when deleting the VM.
  - Click Add disk.
Optionally, connect a file storage:
- Under Disks and file storages, click Add.
  - In the window that opens, select File storage and choose the storage you want to connect from the list.
  - Click Add file storage.
Under Computing resources, select one of the preset configurations or create a custom one. To create a custom configuration:
- Go to the Custom tab.
- Select a platform.
- Specify the guaranteed performance and required number of vCPUs, as well as RAM size.
- Optionally, enable a software-accelerated network.
- Make your VM preemptible, if required.
Under Network settings:
- In the Subnet field, enter the ID of a subnet in the new VM’s availability zone. Alternatively, select a cloud network from the list.
  - Each network must have at least one subnet. If your network has no subnets, create one by selecting Create subnet.
  - If you do not have a network, click Create network to create one:
    - In the window that opens, specify the network name and select the folder to host the network.
    - Optionally, enable the Create subnets setting to automatically create subnets in all availability zones.
    - Click Create network.
- In the Public IP address field, select an IP address assignment method:
  - Auto: To assign a random IP address from the Yandex Cloud IP address pool. In this case, you can enable DDoS protection using the option below.
  - List: To select a public IP address from the list of previously reserved static addresses. For more information, see Converting a dynamic public IP address to static.
  - No address: Not to assign a public IP address.
- Select the relevant security groups. If you leave this field empty, the default security group will be assigned to the VM.
- Expand Additional and select a method for assigning internal addresses in the Internal IPv4 address field:
  - Auto: To assign a random IP address from the pool of IP addresses available in the selected subnet.
  - Manual: To manually assign a private IP address to the VM.
  - Enable DDoS protection, if required. The option is available if you previously selected the automatic IP assignment method in the public address settings.
- Optionally, create records for your VM in the DNS zone:
  - Expand DNS settings for internal addresses and click Add record.
  - Specify a zone, FQDN, and TTL for the record. When setting the FQDN, you can enable Detect automatically for the zone.
    You can add multiple records to internal DNS zones. For more information, see Cloud DNS integration with Compute Cloud.
  - To create another record, click Add record.
If you want to add another network interface to your VM, click Add network interface and repeat the settings from this step for the new interface. You can add up to eight network interfaces to a single VM.
Under Access:
- Select Access by OS Login to connect and manage access to the new VM using OS Login in Yandex Identity Hub.
  
  With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the Yandex Cloud CLI. OS Login enables rotating the SSH keys used to access VMs, providing the most secure access option.
- If you prefer not to use OS Login, select SSH key and specify the following VM access data:
  - Under Login, enter a username.
    
    Alert
    
    Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    
    If there are no SSH keys in your profile or you want to add a new key:
    1. Click Add key.
    2. Enter a name for the SSH key.
    3. Select one of the following:
      - Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.
      - Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
      - Generate key: Automatically create an SSH key pair.
        
        When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.
    4. Click Add.
    The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.
If you want to add multiple users with SSH keys to the VM at the same time, specify these users' data under Metadata. You can also use metadata to install additional software on a VM when creating it.

In public Linux images provided by Yandex Cloud, the functionality of connecting over SSH using login and password is disabled by default.
Under General information, enter a name for your VM:
- It must be from 2 to 63 characters long.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Note

The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
Under Additional:
- Optionally, select or create a service account. With a service account, you can flexibly configure access permissions for your resources.
- Optionally, enable access to the serial console.
- Optionally, under Backup, enable Connect and select or create a backup policy to make automatic backups of your VMs using Cloud Backup.
  
  For more information, see Connecting Compute Cloud VMs and Yandex BareMetal servers to Cloud Backup.
- Optionally, to configure delivering Linux metrics and any additional metrics from your apps, enable Monitoring under Agent for delivering metrics and select:
  - Yandex Monitoring: Install an agent to collect additional metrics from VM instances and apps.
  - Yandex Managed Service for Prometheus®: Install and configure an agent to collect additional metrics from VM instances and apps in Prometheus format:
    - Select or create a workspace to store your metrics.
    - Optionally, describe the delivery parameters for your custom metrics, in JSON format.
- Optionally, under Placement, select a VM placement group.
Click Create VM.

The VM will appear in the list. Every new VM gets an IP address and host name (FQDN).

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

See the description of the CLI command for creating a VM:
```
yc compute instance create --help
```
Prepare a key pair (public and private keys) for SSH access to the VM.

Select a public Linux-based image from Yandex Cloud Marketplace, e.g., CentOS 7.

To get a list of available images using the CLI, run this command:

yc compute image list --folder-id standard-images

Result:

+----------------------+-------------------------------------+--------------------------+----------------------+--------+
|          ID          |                NAME                 |          FAMILY          |     PRODUCT IDS      | STATUS |
+----------------------+-------------------------------------+--------------------------+----------------------+--------+
...
| fdvk34al8k5n******** | centos-7-1549279494                 | centos-7                 | dqni65lfhvv2******** | READY  |
| fdv7ooobjfl3******** | windows-2016-gvlk-1548913814        | windows-2016-gvlk        | dqnnc72gj2is******** | READY  |
| fdv4f5kv5cvf******** | ubuntu-1604-lts-1549457823          | ubuntu-1604-lts          | dqnnb6dc7640******** | READY  |
...
+----------------------+-------------------------------------+--------------------------+----------------------+--------+

Where:

ID: Image ID.
NAME: Image name.
FAMILY: ID of the image family the image belongs to.
PRODUCT IDS: IDs of Yandex Cloud Marketplace products associated with the image.
STATUS: Current status of the image. It may take one of the following values:
- STATUS_UNSPECIFIED: Image status is not defined.
- CREATING: Image is being created.
- READY: Image is ready to use.
- ERROR: You cannot use the image due to an issue.
- DELETING: Image is being deleted.

Select a subnet:

yc vpc subnet list

Result:

+----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
|          ID          |           NAME            |      NETWORK ID      | ROUTE TABLE ID |       ZONE        |      RANGE      |
+----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
| e9bnlm18l70a******** |   default-ru-central1-a   | enpe3m3fa00u******** |                |   ru-central1-a   | [10.128.0.0/24] |
+----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+

Create a VM in the default folder:
```
yc compute instance create \
  --name first-instance \
  --zone ru-central1-a \
  --network-interface subnet-name=default-ru-central1-a,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=centos-7,kms-key-id=<key_ID>,auto-delete=true \
  --ssh-key ~/.ssh/id_ed25519.pub
```
Where:
- --name: VM name. The naming requirements are as follows:
  - It must be from 2 to 63 characters long.
  - It can only contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Note
  
  The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
- --zone: Availability zone matching the selected subnet.
- --network-interface: VM network interface settings:
  - subnet-name: Name of the selected subnet.
  - nat-ip-version=ipv4: Public IP address. To create a VM without a public IP address, omit this parameter.
  If you want to add multiple network interfaces to your VM, specify the --network-interface parameter as many times as you need. You can add up to eight network interfaces to a single VM.
- --create-boot-disk: VM boot disk settings:
  - auto-delete: Auto-delete the boot disk together with the VM. See Disk auto-deletion.
  - image-family: Image family, e.g., centos-7. This option allows you to install the latest version of the OS from the specified family.
  - kms-key-id: ID of the KMS symmetric key to create an encrypted boot disk. This is an optional parameter.
    
    To create an encrypted disk, you need the kms.keys.user role or higher.
    
    Warning
    
    You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.
    
    If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.
    
    Alert
    
    If you destroy the key or its version used to encrypt a disk, image, or snapshot, you will irrevocably lose access to the data. For details, see Destroying key versions.
- --ssh-key: Path to the file with the public SSH key. The VM will automatically create a user named yc-user for this key.
  
  When creating a VM from a Yandex Cloud Marketplace public image, make sure to provide an SSH key, as SSH access with a username and password is disabled by default for such images.
  
  If you want to add multiple users with SSH keys to your VM at the same time, specify these users' data in the --metadata-from-file parameter. You can also use metadata to install additional software on a VM when creating it.

When a VM is created, it is assigned an IP address and hostname (FQDN). This data can be used for SSH access.

You can make a public IP address static. For more information, see Making a VM public IP address static.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

In the configuration file, describe the properties of resources you want to create:
```
resource "yandex_compute_disk" "boot-disk" {
  name     = "<disk_name>"
  type     = "<disk_type>"
  zone     = "<availability_zone>"
  size     = "<disk_size>"
  image_id = "<image_ID>"
}

resource "yandex_compute_instance" "vm-1" {
  name                      = "linux-vm"
  allow_stopping_for_update = true
  platform_id               = "standard-v3"
  zone                      = "<availability_zone>"

  resources {
    cores  = "<number_of_vCPUs>"
    memory = "<RAM_in_GB>"
  }

  boot_disk {
    auto_delete = true
    disk_id = yandex_compute_disk.boot-disk.id
  }

  network_interface {
    subnet_id = "${yandex_vpc_subnet.subnet-1.id}"
    nat       = true
  }

  metadata = {
    ssh-keys = "<username>:<SSH_key_contents>"
  }
}

resource "yandex_vpc_network" "network-1" {
  name = "network1"
}

resource "yandex_vpc_subnet" "subnet-1" {
  name           = "subnet1"
  zone           = "<availability_zone>"
  v4_cidr_blocks = ["192.168.10.0/24"]
  network_id     = "${yandex_vpc_network.network-1.id}"
}
```
Where:
- yandex_compute_disk: Boot disk description:
  - name: Disk name.
  - type: Disk type.
  - zone: Availability zone the disk will reside in.
  - size: Disk size in GB.
  - image_id: ID of the image to create the VM from. You can get the image ID from the list of public images.
    
    You can also view image IDs in the management console when creating a VM or in Cloud Marketplace on the image page under Product IDs.
- yandex_compute_instance: VM description:
  - name: VM name.
  - allow_stopping_for_update: Permission to stop the VM for updates. Set to true if you plan to change your VM's network settings or computing resources using Terraform. The default value is false.
  - platform_id: Platform.
  - zone: Availability zone the VM will reside in.
  - resources: Number of vCPUs and amount of RAM available to the VM. The values must match the selected platform.
  - boot_disk: Boot disk settings. Specify the disk ID.
  - auto_delete: Auto-delete the boot disk together with the VM. See Disk auto-deletion.
  - network_interface: VM network interface settings. Specify the ID of the selected subnet. To automatically assign a public IP address to the VM, set nat = true.
    
    If you want to add multiple network interfaces to your VM, specify the network_interface section as many times as you need. You can add up to eight network interfaces to a single VM.
  - metadata: In the metadata, provide the public SSH key for VM access. For more information, see VM metadata.
    
    If you want to add multiple users with SSH keys to the VM at the same time, specify these users' data in a file and provide it under metadata. You can also use metadata to install additional software on a VM when creating it.
- yandex_vpc_network: Cloud network description.
- yandex_vpc_subnet: Description of the subnet to connect your VM to.
Note

If you already have suitable resources, such as a cloud network and subnet, you do not need to redefine them. Specify their names and IDs in the appropriate parameters.

For more information about the resources you can create with Terraform, see the relevant provider documentation.
Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

When a VM is created, it is assigned an IP address and hostname (FQDN). This data can be used for SSH access.

You can make a public IP address static. For more information, see Making a VM public IP address static.

Create a VM using the create REST API method for the Instance resource:

Create a key pair (public and private keys) for SSH access to the VM.
Get a IAM token used for authentication in the examples:
- Guide for a Yandex account user.
- Guide for a service account.
- Guide for a federated account.
- Guide for a local account.
Get the ID of the folder.

Get info on the image to create your VM from, such as image ID and minimum disk size:

If you know the image family, get info on the latest image in that family:

export IAM_TOKEN=CggaATEVAgA...
export FAMILY=ubuntu-1804
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://compute.api.cloud.yandex.net/compute/v1/images:latestByFamily?folderId=standard-images&family=${FAMILY}"

You can get information on the image from the list of public images.

Get the subnet and availability zone IDs. In your request, specify the ID of the folder where the subnet was created:

export IAM_TOKEN=CggaATEVAgA...
export FOLDER_ID=b1gvmob95yys********
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://vpc.api.cloud.yandex.net/vpc/v1/subnets?folderId=${FOLDER_ID}"

Result:

{
  "subnets": [
   {
     "v4CidrBlocks": [
       "10.130.0.0/24"
     ],
     "id": "b0c6n43ftldh********",
     "folderId": "b1gvmob95yys********",
     "createdAt": "2018-09-23T12:15:00Z",
     "name": "default-ru-central1-a",
     "description": "Auto-created default subnet for zone ru-central1-a",
     "networkId": "enpe3m3faglu********",
     "zoneId": "ru-central1-a"
   },
   ...
  ]
}

Create a file, e.g., body.json, with the body of the request to create a VM:
```
{
  "folderId": "b1gvmob95yys********",
  "name": "instance-demo-no-pwauth",
  "zoneId": "ru-central1-a",
  "platformId": "standard-v3",
  "resourcesSpec": {
    "memory": "2147483648",
    "cores": "2"
  },
  "metadata": {
    "user-data": "#cloud-config\nusers:\n  - name: user\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - ssh-ed25519 AAAAB3N... user@example.com"
  },
  "bootDiskSpec": {
    "autoDelete": true,
    "diskSpec": {
      "size": "8589934592",
      "imageId": "fd8rc75pn12f********"
    }
  },
  "networkInterfaceSpecs": [
    {
      "subnetId": "b0c6n43ftldh********",
      "primaryV4AddressSpec": {
        "oneToOneNatSpec": {
          "ipVersion": "IPV4"
        }
      }
    }
  ]
}
```
Where:
- folderId: Folder ID.
- name: Name the VM will get when created.
- zoneId: Availability zone matching the selected subnet.
- platformId: Platform.
- resourceSpec: Resources available to the VM. The values must match the selected platform.
- metadata: In metadata, provide the public key for accessing the VM via SSH. Learn more in VM metadata.
- bootDiskSpec: Boot disk settings. Specify the selected image ID and disk size.
- autoDelete: Auto-delete the boot disk together with the VM. See Disk auto-deletion.
  
  You can also view image IDs in the management console when creating a VM or in Cloud Marketplace on the image page under Product IDs.
  
  The disk size must not be less than the minimum value specified in the image info.
- networkInterfaceSpecs: VM network interface settings:
  - subnetId: ID of the selected subnet.
  - primaryV4AddressSpec: IP address to assign to the VM. To add a public IP address to your VM, specify the following:
```
"primaryV4AddressSpec": {
  "oneToOneNatSpec": {
    "ipVersion": "IPV4"
  }
}
```
  To add multiple network interfaces to your VM, provide an array with the required number of objects containing network interface settings in the networkInterfaceSpecs parameter. You can add up to eight network interfaces to a single VM.
For more information about the request body format, see the API reference.

Create a VM:

export IAM_TOKEN=CggaATEVAgA...
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  https://compute.api.cloud.yandex.net/compute/v1/instances

When a VM is created, it is assigned an IP address and hostname (FQDN). This data can be used for SSH access.

You can make a public IP address static. For more information, see Making a VM public IP address static.

Creating a VM from a public Linux image

See also

Was the article helpful?

Creating a VM from a public Linux image

See alsoSee also

Was the article helpful?

See also