Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Setting up network connectivity between Yandex BareMetal and Yandex Virtual Private Cloud subnets using Yandex Cloud Interconnect

Written by
Updated at May 7, 2025

Yandex Cloud Interconnect-based network connectivity in Yandex BareMetal enables access to CIDRs of private Virtual Private Cloud subnets in a cloud infrastructure and/or CIDRs of private subnets in an on-prem infrastructure.

In this tutorial, you will set up network connectivity between a BareMetal server located in a private Yandex BareMetal subnet and a Yandex Compute Cloud VM instance located in a subnet of a Yandex Virtual Private Cloud cloud network.

Similarly, you can set up network connectivity with your on-prem resources located in private subnets in your own network infrastructure.

You can use Yandex Cloud Interconnect free of charge as part of integration with Yandex BareMetal.

Solution diagram:

To set up network connectivity between Yandex BareMetal and Yandex Virtual Private Cloud subnets using Yandex Cloud Interconnect:

  1. Get your cloud ready.
  2. Create a cloud infrastructure.
  3. Request a routing instance.
  4. Create a private connection.
  5. Check network connectivity.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of supporting an infrastructure for network connectivity between BareMetal and VPC subnets includes:

Create a cloud infrastructure

Create the Yandex Cloud infrastructure you are going to set up for network connectivity.

To configure Cloud Interconnect in BareMetal, you will need a private routable subnet and a VRF segment in BareMetal, a cloud network with one or more Virtual Private Cloud subnets, as well as a routing instance with one or more announced prefixes of private VPC subnets.

To check network connectivity, you will need a BareMetal server and a Compute Cloud VM instance.

Create a VRF segment and a private BareMetal subnet

Create a virtual network segment (VRF) and a private subnet in the ru-central1-m3 server pool:

  1. In the management console, select the folder to create your infrastructure in.
  2. From the list of services, select BareMetal.
  3. Create a virtual routing and forwarding segment:
    1. In the left-hand panel, select VRF and click Create VRF.
    2. In the Name field, enter a name for the VRF segment: my-vrf.
    3. Click Create VRF.
  4. Create a private subnet:
    1. In the left-hand panel, select Private subnets and click Create subnet.
    2. In the Pool field, select the ru-central1-m3 server pool.
    3. In the Name field, enter a name for the subnet: subnet-m3.
    4. Enable IP addressing and routing.
    5. In the Virtual network segment (VRF) field, select the previously created segment, my-vrf.
    6. In the CIDR field, specify 192.168.1.0/24.
    7. In the Default gateway field, keep the default value, 192.168.1.1.
    8. Enable the Assigning IP addresses via DHCP option and in the IP address range field that appears, leave the default values, 192.168.1.1192.168.1.254.
    9. Click Create subnet.

Lease a BareMetal server

  1. In the management console, select the folder to create your infrastructure in.

  2. In the list of services, select BareMetal and click Lease server.

  3. In the Pool field, select the ru-central1-m3 server pool.

  4. Under Configuration, select the appropriate server configuration.

  5. (Optionally) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      Note

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

  6. Under Image, select an image. For example: Ubuntu 24.04.

  7. Under Lease conditions, select the period you want to lease the server for. When this period expires, server lease will be automatically renewed for the same period.

  8. Under Network settings:

    1. In the Private subnet field, select the subnet-m3 subnet you created earlier.
    2. In the Public address field, select No address.

  9. Under Access:

    1. In the Password field, use one of these options to create a password for the root user:

      • To generate a password for the root users, select New password and click Generate.

        Warning

        This option assumes that the user is responsible for password security. Save the password in a safe place. Yandex Cloud does not store this password, and you will not be able to view it once you lease the server.

      • To use the root user password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret, its version, and the key your password is saved in, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        This option allows you either to set your own password (the Custom secret type) or to use an automatically generated one (the Generated secret type).

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a server yourself.
      • Click Add.

      The system will add the SSH key to your organization user profile.

      If adding SSH keys by users to their profiles is disabled in the organization, the public SSH key will be saved only to the new BareMetal server's user profile.

  10. Under Server information in the Name field, enter a name for the server: server-m3.

  11. Click Lease server.

Note

Getting the server ready and installing an operating system on it may take up to 45 minutes. The server will have the Provisioning status during this time. After OS installation is complete, the server status will change to Ready.

Create a cloud network with a subnet

Create a cloud network and subnet to connect the Compute Cloud VM to.

  1. In the management console, select the folder to create your infrastructure in.

  2. From the list of services, select Virtual Private Cloud.

  3. Create a cloud network:

    1. At the top right, click Create network.

    2. In the Name field, specify sample-network.

    3. In the Advanced field, disable the Create subnets option.

    4. Click Create network.

  4. Create a subnet:

    1. In the left-hand panel, select Subnets.

    2. At the top right, click Create subnet.

    3. In the Name field, specify subnet-ru-central1-b.

    4. In the Zone field, select the ru-central1-b availability zone.

    5. In the Network field, select sample-network.

    6. In the CIDR field, specify 192.168.11.0/24.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    7. Click Create subnet.

Create a VM

  1. In the management console, select the folder to create the infrastructure in.

  2. From the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines and click Create virtual machine.

  4. Under Boot disk image, select the VM image you need. For example: Ubuntu 24.04.

  5. Under Location, select the ru-central1-b availability zone.

  6. Under Network settings:

    • In the Subnet field, select the subnet-ru-central1-b subnet you created earlier.
    • In the Public IP address field, select Auto.

  7. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify the username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  8. Under General information, specify the VM name: sample-vm.

  9. Click Create VM.

Request a routing instance

To set up network connectivity between BareMetal subnets, Virtual Private Cloud subnets, and/or on-prem subnets, you will need a routing instance. You can create a routing instance by contacting support.

If your folder already has Cloud Interconnect network connectivity (VPC-to-On-Prem) configured, you can either use the existing routing instance or request an additional routing instance for standalone network connectivity.

Make sure you have a routing instance in your folder

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Make sure you have a routing instance in your default folder:

    Run this command:

    yc cloudrouter routing-instance list

    If your default folder already has a routing instance, the command will output the following:

    +----------------------+------------------+--------+-----------------------+
|          ID          |       NAME       | STATUS | PRIVATE CONNECTION ID |
+----------------------+------------------+--------+-----------------------+
| cf35oot8f0eu******** | routing-instance | ACTIVE | cf395uf8dg7h********  |
+----------------------+------------------+--------+-----------------------+

  3. If you already have a routing instance, you may skip the next step and proceed creating a private connection.

    If you do not have a routing instance or you want to build additional standalone network connectivity, request a new routing instance.

Request a new routing instance

Contact support to create a routing instance in your folder.

Fill out your request as follows:

Subject: [CIC for BareMetal] Adding a routing instance.

Request text:
Please, add a routing instance.

Connection settings:
folder_id: <folder_ID>
region_id: ru-central1

vpc:
  vpc_net_id: <network_ID>
    vpc_subnets: 
      ru-central1-a: [CIDR_a1, CIDR_a2, ..., CIDR_an]
      ru-central1-b: [CIDR_b1, CIDR_b2, ..., CIDR_bn]
      ru-central1-d: [CIDR_d1, CIDR_d2, ..., CIDR_dn]

Where:

  • folder_id: Folder ID.

  • region_id: Region ID.

  • vpc_net_id: Cloud network ID.

  • vpc_subnets: List of announced address prefixes for each availability zone. For example, for the VPC subnet you created earlier, you will specify ru-central1-b: [192.168.11.0/24].

    It is allowed to announce address prefixes with aggregation.

Note

It may take up to 24 hours for the support to create a routing instance. As the result, you will be able to get the ID of the new routing instance by running the yc cloudrouter routing-instance list Yandex Cloud CLI command.

Create a private connection

Once the routing instance has been created in your folder, create a private Cloud Interconnect connection in BareMetal:

  1. In the management console, select the folder where you want to create your private connection.

  2. From the list of services, select BareMetal.

  3. In the left-hand panel, select VRF and select the virtual network segment you need.

  4. Under Private connection to cloud networks, click Set up connection and in the window that opens:

    1. In the Setup method field, select Specify ID and paste the routing instance private connection ID to the Connection ID field.

      You can also go for Select from the folder. In which case select a routing instance from the list that appears.

      You will see the CIDRs of BareMetal and Virtual Private Cloud subnets which will be announced in Cloud Interconnect.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    2. To create a private connection with the specified subnet CIDRs, click Save.

The VRF information page will now display the new connection's ID and status under Private connection to cloud networks.

Note

Creating a private connection may take up to two business days. During this time, the connection status will be Creating. After it is created, the connection status will change to Ready.

A private connection to cloud networks can have one of the following statuses:

  • CREATING: Connection is being created.
  • READY: Connection is up and ready for use.
  • ERROR: There is an issue with the private connection. To fix it, contact support.
  • DELETING: Connection is being deleted.
  • UPDATING: Private connection settings are being updated.

Check network connectivity

As soon as the status of the new private connection changes to Ready, network connectivity will be established between the BareMetal and VPC subnets, and you will be able to start checking it.

A network connectivity check assumes that:

  • The process of setting up a private connection to cloud networks has been successfully completed (the connection status is Ready).
  • ICMP traffic is allowed by the local firewall on the BareMetal server.
  • The routing table in the BareMetal server OS contains a route to the CIRD of the subnet the VM resides in.
  • The security group assigned to the VM network interface allows ICMP traffic.

Check network connectivity from the private BareMetal subnet to the private VPC subnet

  1. In the management console, select the folder where you created the infrastructure.

  2. From the list of services, select BareMetal.

  3. In the row with the server-m3 server, click and select KVM console.

    You will see an authentication line in the KVM console terminal window that opens:

    server-m3 login:

    If you do not see this line, try restarting the server.

  4. In the KVM console terminal, specify root for the username and press ENTER.

  5. Paste the password generated when leasing the server in the password input line and press ENTER. Note that when typing or pasting a password in Linux, the characters you enter are not displayed on the screen.

    Tip

    To paste text from the clipboard to the KVM console, use the Paste text here field in the upper right corner.

    Result:

    Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-53-generic x86_64)
...
root@server-m3:~# _

    If you did not save the server administrator password, you can create a new password following this guide or reinstall the server OS.

  6. In the KVM console terminal, run the ping command to make sure you can access sample-vm by its internal IP address:

    ping <VM_internal_IP_address> -c 5

    You can find out the VM's internal IP address in the management console under Network interface on the VM information page.

    Result:

    PING 192.168.11.2 (192.168.11.2) 56(84) bytes of data.
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=3.90 ms
64 bytes from 192.168.11.2: icmp_seq=2 ttl=64 time=0.235 ms
64 bytes from 192.168.11.2: icmp_seq=3 ttl=64 time=0.222 ms
64 bytes from 192.168.11.2: icmp_seq=4 ttl=64 time=0.231 ms
64 bytes from 192.168.11.2: icmp_seq=5 ttl=64 time=0.235 ms

--- 192.168.11.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4086ms
rtt min/avg/max/mdev = 0.222/0.964/3.899/1.467 ms

    Network connectivity between the BareMetal server and the VM has been established with zero packet loss.

Check network connectivity from the private VPC subnet to the private BareMetal subnet

  1. Connect to the virtual machine over SSH.

  2. In the terminal, run the ping command to make sure you can access server-m3 by its private IP address:

    ping <server_private_IP_address> -c 5

    You can find out the private IP address of the BareMetal server in the management console under Network settings on the server information page.

    Result:

    PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.271 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.262 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.223 ms
64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.208 ms

--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4106ms
rtt min/avg/max/mdev = 0.208/0.235/0.271/0.025 ms

    Network connectivity between the VM and the BareMetal server has been established with zero packet loss.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.

  2. You cannot delete a BareMetal server. Instead, cancel the server lease renewal.

  3. Delete the private connection if you need to:

    1. In the management console, select the folder where you created the infrastructure.
    2. From the list of services, select BareMetal.
    3. In the left-hand panel, select VRF and select the my-vrf VRF segment.
    4. Under Private connection to cloud networks, click and select Disable connection.
    5. In the window that opens, confirm the deletion.

    As the result, the connection status will change to Deleting. Once all links are deleted, the connection will disappear from the list.

Previous
Creating an external table from a Object Storage bucket table using a configuration file
Next
Working with snapshots in Managed Service for Kubernetes