© 2025 Direct Cursus Technology L.L.C.

Configuring NAT routing from the management console

Written by
Yandex Cloud
Improved by
Danila N.
Updated at August 14, 2025

To configure NAT routing from the Yandex Cloud management console:

  1. Get your cloud ready.
  2. Create a security group.
  3. Create a test VM.
  4. Create a NAT instance.
  5. Set up static routing in the cloud network.
  6. Test the NAT instance.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The cost of NAT instance support includes:

  • Fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).

Prepare the infrastructure

  1. Create a cloud network, e.g., my-vpc.

  2. In the cloud network, create subnets, e.g.:

    • public-subnet to host the NAT instance.
    • private-subnet to host your test VM.

Create a security group

Security groups include rules that enable accessing your VMs over SSH. In this tutorial, you will create a security group named nat-instance-sg.

To create a security group:

Management console
  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group:

    1. Click Create security group.

    2. In the Name field, specify the name: nat-instance-sg.

    3. In the Network field, select my-vpc.

    4. Under Rules, create the following rules using the instructions below the table:

      Traffic direction   Description   Port range   Protocol   Destination name / Source   CIDR blocks
      Outbound            any           All          Any        CIDR                        0.0.0.0/0
      Inbound             ssh           22           TCP        CIDR                        0.0.0.0/0
      Inbound             ext-http      80           TCP        CIDR                        0.0.0.0/0
      Inbound             ext-https     443          TCP        CIDR                        0.0.0.0/0

    5. Select the Egress or Ingress tab.

    6. Click Add.

    7. In the Port range field of the window that opens, specify a single port or a port range that traffic can come to or from. To open all ports, click Select entire range.

    8. In the Protocol field, specify the required protocol or leave Any to allow traffic over any protocol.

    9. In the Destination name or Source field, select CIDR for the rule to apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.

    10. Click Save. Repeat these steps to create all rules from the table.

    11. Click Save.

Create a test VM

Management console
  1. In the management console, select the folder where you want to create your VM.

  2. From the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select an image and a Linux-based OS version.

  6. Under Location, select the availability zone where the private-subnet subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the test VM, e.g., private-subnet.
    • In the Public IP address field, select No address.
    • In the Security groups field, select nat-instance-sg, which you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.
  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter a username, e.g., yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need to additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  9. Under General information, specify the VM name: test-vm.

  10. Click Create VM.

Save the username, private SSH key, and internal IP address for the test VM.

Create a NAT instance

Management console
  1. In the management console, select the folder where you want to create your VM.

  2. From the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, go to the Marketplace tab and select the NAT instance image.

  6. Under Location, select the availability zone where the public-subnet subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the NAT instance, e.g., public-subnet.
    • In the Public IP address field, select Auto.
    • In the Security groups field, select nat-instance-sg, which you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.
  8. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter a username, e.g., yc-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need to additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  9. Under General information, specify the VM name: nat-instance.

  10. Click Create VM.

Save the username, private SSH key, and internal and public IP addresses for the NAT instance.

Set up static routing

Note

When you create a NAT instance, only one network interface is configured automatically. You can enable other interfaces manually. Assign each new interface an IP address and specify a route for it in the route table. In each subnet, the correct gateway is the first IP address. For example, for the 192.168.0.128/25 subnet, the first subnet address will be 192.168.0.129.

Management console
  1. Create a route table and add a static route to it:

    1. In the management console, select a folder where you want to create a static route.

    2. From the list of services, select Virtual Private Cloud.

    3. In the left-hand panel, select Routing tables.

    4. Click Create.

    5. In the Name field, enter a name for the route table, e.g., nat-instance-route. Follow these naming requirements:

      • It must be from 2 to 63 characters long.
      • It can only contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    6. In the Network field, select a network, e.g., my-vpc.

    7. Under Static routes, click Add.

    8. In the window that opens, enter 0.0.0.0/0 in the Destination prefix field.

    9. In the Next hop field, select IP address.

    10. In the IP address field, specify the internal IP address of the NAT instance. Click Add.

    11. Click Create routing table.

  2. Link the route table to the subnet where the test VM is located, e.g., private-subnet:

    1. In the left-hand panel, select Subnets.
    2. Click in the row of the test VM subnet and select Link routing table.
    3. In the window that opens, select the nat-instance-route table in the Link routing table field and click Link.

You can also use the route you created for other subnets in the same network, except for the NAT instance subnet.

Warning

Do not link the route table to the NAT instance subnet. Doing so will cause route loops whereby the NAT instance will direct packets to itself rather than to the local network.
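
The note and the warning in this section can be checked against a planned configuration before the route table is linked. The following Python code is an added example, not part of the Yandex Cloud tutorial; the function names and the sample CIDRs and IP addresses are constructed, and the gateway-collision check is an assumption derived from the note that the first subnet address is the gateway.

```python
import ipaddress

# Constructed sample plan (subnet names follow the tutorial; CIDRs and IPs are made up).
SUBNETS = {"public-subnet": "10.1.0.0/24", "private-subnet": "10.2.0.0/24"}
NAT_INTERNAL_IP = "10.1.0.5"
ROUTE = ("0.0.0.0/0", "10.1.0.5")  # (destination prefix, next hop)


def gateway_ip(subnet_cidr):
    """Gateway of a subnet: its first IP address, as the note states."""
    return ipaddress.ip_network(subnet_cidr).network_address + 1


def check_nat_routing(subnets, nat_internal_ip, route, linked_subnets):
    """Return a list of problems found in a NAT route plan (empty if none)."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    nat_ip = ipaddress.ip_address(nat_internal_ip)
    dest, next_hop = route

    if ipaddress.ip_network(dest).prefixlen != 0:
        problems.append(f"destination prefix {dest} is not the default route")
    if ipaddress.ip_address(next_hop) != nat_ip:
        problems.append(f"next hop {next_hop} is not the NAT instance internal IP")

    # Find the subnet(s) hosting the NAT instance; they must not use this table.
    nat_subnets = {name for name, net in nets.items() if nat_ip in net}
    if not nat_subnets:
        problems.append("NAT instance IP is outside every listed subnet")
    for name in sorted(nat_subnets):
        # Assumption: the first address is taken by the gateway, so it cannot be the NAT IP.
        if nat_ip == gateway_ip(subnets[name]):
            problems.append(f"NAT IP {nat_ip} is the gateway address of {name}")
    for name in linked_subnets:
        if name not in nets:
            problems.append(f"unknown subnet {name}")
        elif name in nat_subnets:
            problems.append(f"route loop: table linked to NAT subnet {name}")
    return problems


if __name__ == "__main__":
    print(gateway_ip("192.168.0.128/25"))  # the note's own example subnet
    for linked in (["private-subnet"], ["private-subnet", "public-subnet"]):
        result = check_nat_routing(SUBNETS, NAT_INTERNAL_IP, ROUTE, linked)
        print(linked, result or "OK")
```
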

Test the NAT instance

  1. Connect to the VM via a private IP address, using the NAT instance as a jump host:

    ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \
      <VM_user_name>@<VM_internal_IP_address>
    

    You can also connect to the test VM using the standard input/output redirection (-W flag) to forward the connection through a NAT instance:

    ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \
      -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>
    

    Use this command to connect in the following cases:

    • Your VM is running an OpenSSH version below 7.3.
    • Your SSH keys are stored outside the default directory or have non-standard names.
  2. Type yes to connect to the NAT instance and re-enter yes to connect to the test VM.

    Note

    When you type yes, the command may not be displayed in the terminal, but it will run anyway.

  3. Make sure the test VM is connected to the internet via the public IP address of the NAT instance. Run this command:

    curl ifconfig.co
    

    If it returns the public IP address of the NAT instance, the configuration is correct.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the test VM and NAT instance.
  2. Delete the security group.
  3. Delete the static public IP if you reserved one.

See also

  • NAT instance routing with Terraform
