Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Running a containerized app in Yandex Serverless Containers

Written by
Updated at May 7, 2025

Follow this guide to deploy a containerized app in Serverless Containers to administer a MongoDB DBMS.

The DBMS is deployed on a Yandex Compute Cloud VM. A Yandex Container Registry registry is used to host the container with the app. Yandex Lockbox is used to encrypt sensitive data. Secure access to the application is enabled over the Yandex API Gateway API gateway. The entire infrastructure of the containerized app resides in a single folder.

To deploy your containerized app:

  1. Prepare your cloud environment.
  2. Create a service account.
  3. Create a network and configure the security group.
  4. Create a Compute Cloud VM with MongoDB.
  5. Create a Yandex Lockbox secret and version.
  6. Create a registry in Container Registry.
  7. Push the Docker image to Container Registry.
  8. Create a Serverless Containers container.
  9. Create an API Gateway API gateway.
  10. Test the application.

If you no longer need the resources you created, delete them.

Prepare your cloud environment

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The application support cost includes:

Create a service account

Create a service account and assign it the roles for the folder to host the containerized app infrastructure.

  1. In the management console, go to the folder that will host the containerized app infrastructure.
  2. In the services list, select Identity and Access Management.
  3. Click Create service account.
  4. Enter the service account name: mongo-express.
  5. Click Add role and select the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles.
  6. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a service account named mongo-express:

    yc iam service-account create --name mongo-express

  2. Assign the service account the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles for the folder that will host your container:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role container-registry.images.puller, lockbox.payloadViewer, serverless-containers.containerInvoker \
  --subject serviceAccount:<service_account_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder to host the container.
    • --subject serviceAccount: mongo-express service account ID.

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account a role for the folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Create a network and configure the security group

  1. In the management console, select the folder to host the network.

  2. In the services list, select Virtual Private Cloud.

  3. At the top right, click Create network.

  4. In the Name field, specify mongo-express-network.

  5. In the Advanced field, select Create subnets.

  6. Click Create network.

  7. In the left-hand panel, select Security groups.

  8. Click the icon next to the default security group created for mongo-express-network.

  9. In the menu that opens, click Edit.

  10. Configure the security group:

    1. Click Create security group.

    2. Under Rules, add a rule using the instructions below the table:

      Traffic
      direction      		 Description Port range Protocol Destination name /
      Source      		 CIDR blocks
      Incoming any 27017 Any CIDR 0.0.0.0/0
      1. Select the Egress tab for an outbound rule or Ingress tab for an inbound rule.
      2. Click Add.
      3. In the Port range field of the window that opens, specify a single port or a range of ports that will be open for inbound or outbound traffic. To open all ports, click Select entire range.
      4. In the Protocol field, specify the required protocol or specify Any to allow traffic over any protocol.
      5. In the Destination name / Source field, select CIDR. This way, the rule will apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.
      6. Click Save.

    3. Click Save.

    4. Click Save once again.

  1. Create a cloud network:

    yc vpc network create \
  --name mongo-express-network

  2. Get the name or ID of the group to edit:

    yc vpc security-groups list

    Result:

    +----------------------+---------------------------------+------------------------------------+----------------------+
|          ID          |              NAME               |          DESCRIPTION               |      NETWORK-ID      |
+----------------------+---------------------------------+------------------------------------+----------------------+
| enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
+----------------------+---------------------------------+------------------------------------+----------------------+

  3. Add a rule using the update-rules command and the --add-rule parameter:

    yc vpc security-group update-rules <group_name_or_ID> \
  --add-rule "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"

    Where <group_name_or_ID> is the value obtained at the previous step.

  1. To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call, and provide the following in the request:

    • ID of the folder to host the network.
    • Name of the new network,mongo-express-network, in the name parameter.

  2. To add a rule to a security group, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, and provide the following in your request:

    • ID of the security group you want to add rules to, in the securityGroupId parameter.

      To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.

    • New security group rules, in the additionRuleSpecs[] array:

      • Traffic direction: ingress.
      • Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter: any.
      • List of CIDRs and subnet masks, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter: [0.0.0.0/0,0.0.0.0/0].
      • First port in the traffic ports range, in the additionRuleSpecs[].ports.fromPort parameter: 0.
      • Last port in the traffic ports range, in the additionRuleSpecs[].ports.toPort parameter: 65535.

Create a VM with MongoDB

We recommend using a VM with basic configuration.

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    1. Go to the Container Solution tab and click Configure.

    2. In the window that opens, go to the Docker Compose tab and enter the VM specification:

      version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

      In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.

    3. Click Apply.

  3. Under Location, select an availability zone to create your VM in. If you do not know which availability zone you need, leave the default one.

  4. Under Network settings:

    • In the Subnet field, select a subnet in the mongo-express-network network you created earlier.
    • In the Public IP address field, select Auto.

  5. Under Access, select the SSH key option, and specify the data for access to the VM:

    • Under Login, enter the username. Do not use root or other names reserved by the OS. To perform actions requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, specify the VM name: mongo-vm.

  7. Click Create VM.

Wait for the VM status to change to Running and save its public IP address: you will need it for connecting to the database.

  1. Prepare a key pair (public and private keys) for SSH access to the VM.

  2. Create docker-spec.yaml, a Docker container specification file:

    version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

    In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.

  3. Run the following command:

    yc compute instance create-with-container \
  --coi-spec-file docker-spec.yaml \
  --name mongo-vm \
  --zone ru-central1-b \
  --ssh-key ssh-key.pub \
  --create-boot-disk size=30

    Where:

    • --coi-spec-file: Path to the Docker container specification file.
    • --name: VM name.
    • --zone: Availability zone.
    • --ssh-key: Contents of the public key file. You need to create a key pair for the SSH connection yourself.
    • --create-boot-disk size: Boot disk size. It must be at least 30 GB.

    Result:

    done (1m40s)
 id: epde18u4mahl********
 folder_id: b1g7gvsi89m3********
 created_at: "2023-02-08T10:34:06.601Z"
 name: mongo-vm
 ...

Create a Yandex Lockbox secret

A Yandex Lockbox secret will store the encrypted authentication credentials.

  1. In the management console, select the folder where you want to create a secret.
  2. In the services list, select Lockbox.
  3. Click Create secret.
  4. In the Name field, enter a name for the secret: mongodb-creds.
  5. Under Version:
    • In the Key field, enter login.
    • In the Value field, enter mongo_db_user as your DB user login.
  6. Click Add key/value and specify the second secret:
    • In the Key field, enter password.
    • In the Value field, enter the password to access the database: the MONGO_INITDB_ROOT_PASSWORD value from the VM specification.
  7. Click Create.

  1. Use the following command to create the mongodb-creds secret:

    yc lockbox secret create \
  --name mongodb-creds \
  --payload "[{'key': 'login', 'text_value': 'mongo_db_user'},{'key': 'password', 'text_value': '<password>'}]"

    Where:

    • --name: Secret name.
    • --payload: Contents of the secret as a YAML or JSON array.
    • <password>: MONGO_INITDB_ROOT_PASSWORD value from the VM specification.

    Result:

    id: e6q6nbjfu9m2********
folder_id: b1qt6g8ht345********
created_at: "2023-02-08T10:34:06.601Z"
name: mongodb-creds
status: ACTIVE
current_version:
  id: e6q0s9airqca********
  secret_id: e6q6nbjfu9m2********
  created_at: "2023-02-08T10:34:06.601Z"
  status: ACTIVE
  payload_entry_keys:
    - login
    - password

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.

Create a registry in Container Registry

The registry in Container Registry will house the Docker image of the mongo-express application.

  1. In the management console, select the folder to create a registry in.
  2. In the services list, select Container Registry.
  3. Click Create registry.
  4. Specify a name for the registry: app-registry.
  5. Click Create registry.

Create the app-registry registry:

yc container registry create --name app-registry

Result:

done
id: crpd50616s9a********
folder_id: b1g88tflru0e********
name: app-registry
status: ACTIVE
created_at: "2023-02-08T10:34:06.601Z"

To create a registry, use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.

Push the Docker image to the registry

  1. Create a Docker Hub account.

  2. Install Docker:

  3. Download the mongo-express image:

    docker pull mongo-express

    The result will be as follows:

    Using default tag: latest
latest: Pulling from library/mongo-express
6a428f9f83b0: Pull complete
f2b1fb32259e: Pull complete
40888f2a0a1f: Pull complete
4e3cc9ce09be: Pull complete
eaa1898f3899: Pull complete
ab4078090382: Pull complete
ae780a42c79e: Pull complete
e60224d64a04: Pull complete
Digest: sha256:dcfcf89bf91238ff129469a5a94523b3025913dcc41597d72d4d5f4a********
Status: Downloaded newer image for mongo-express:latest
docker.io/library/mongo-express:latest

  4. Authenticate in Container Registry using the Docker credential helper:

    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'

      Settings are saved in the current user's profile.

    2. Check that the ${HOME}/.docker/config.json configuration file includes the following line:

      "cr.yandex": "yc"

    Docker is ready to use.

  5. Push the Docker image to the registry:

    1. Assign a URL to the pushed mongo-express image using the following format: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>:

      docker tag mongo-express \
cr.yandex/<registry_ID>/mongo-express:mongo-tag

    2. Push the mongo-express image to the registry:

      docker push cr.yandex/<registry_ID>/mongo-express:mongo-tag

Create a Serverless Containers container

To run your application in Yandex Cloud, create a container and its revision:

  1. In the management console, select the folder where you want to create a container.
  2. Select Serverless Containers.
  3. Click Create container.
  4. Enter the container name: mongo-express-container.
  5. Click Create.
  6. Go to the Editor tab.
    1. Under Resources, enter the amount of RAM: 1024 MB.
    2. Under Image settings:
      1. In the Image URL field, specify the Docker image you pushed previously.
      2. In the Environment variables field, add the following variables:
        • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
        • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
        • VCAP_APP_PORT: Set the port to 8080.
        • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.
      3. In the Lockbox secrets field, specify these secrets:
        • ME_CONFIG_MONGODB_AUTH_USERNAME: Secret with the login key.
        • ME_CONFIG_MONGODB_AUTH_PASSWORD: Secret with the password key.
    3. Under Settings:
      1. In the Service account field, specify mongo-express.
      2. In the Timeout field, specify 15.
  7. Click Create revision.

  1. Create a container:

    yc serverless container create --name mongo-express-container

    Result:

    id: bba3fva6ka5g********
folder_id: b1gqvft7kjk3********
created_at: "2023-02-08T10:34:06.601Z"
name: mongo-express-container
url: https://bba3fva6ka5g********.containers.yandexcloud.net/
status: ACTIVE

  2. Create a container revision:

    yc serverless container revision deploy \
  --container-name mongo-express-container \
  --image <Docker_image_URL> \
  --cores 1 \
  --memory 1GB \
  --concurrency 1 \
  --execution-timeout 15s \
  --service-account-id <mongo_express_service_account_ID> \
  --environment ME_CONFIG_BASICAUTH_USERNAME="", ME_CONFIG_BASICAUTH_PASSWORD="", VCAP_APP_PORT=8080, ME_CONFIG_MONGODB_SERVER=<VM_public_address> \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_USERNAME,key=login \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_PASSWORD,key=password

    Where:

    • --image: URL of the mongo-express Docker image you pushed earlier.

    • --service-account-id: ID of the mongo-express service account you created earlier.

    • --environment: Environment variables:

      • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
      • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
      • VCAP_APP_PORT: Set the port to 8080.
      • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.

    • --secret environment-variable: ME_CONFIG_MONGODB_AUTH_USERNAME and ME_CONFIG_MONGODB_AUTH_PASSWORD secrets you created earlier.

    Result:

    id: bbajn5q2d74c********
container_id: bba3fva6ka5g********
created_at: "2023-02-08T10:34:06.601Z"
image:
  image_url: cr.yandex/crpd3cicopk7********/mongo-express-container:latest
  image_digest: sha256:de8e1dce7ceceeafaae122f7670084a1119c961cd9ea1795eae92bd********
resources:
  memory: "1073741824"
  cores: "1"
execution_timeout: 15s
service_account_id: ajeqnasj95o7********
status: ACTIVE

To create a container, use the create REST API method for the Container resource or the ContainerService/Create gRPC API call.

To create a container revision, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.

Create an API Gateway

Create an API gateway with the x-yc-apigateway-integration:serverless_containers extension.

  1. In the management console, select the folder where you want to create an API gateway.

  2. In the services list, select API Gateway.

  3. Click Create API gateway.

  4. In the Name field, enter a name for the API gateway: mongo-express-gw.

  5. In the Specification section, add the specification:

    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://mongo-express-container.apigw.yandexcloud.net
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: Container ID for mongo-express-container.
    • service_account_id: mongo-express service account ID.

  6. Click Create.

  1. Prepare an OpenAPI 3.0 API specification file.

    Specification
    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://mongo-express-container.apigw.yandexcloud.net
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: Container ID for mongo-express-container.
    • service_account_id: mongo-express service account ID.

  2. Specify the parameters and create an API gateway using this command:

    yc serverless api-gateway create \
    --name mongo-express-gw \
    --spec=<specification_file_path>

To create an API gateway, use the create REST API method for the ApiGateway resource or the ApiGatewayService/Create gRPC API call.

Test the application

Click https://mongo-express-container.apigw.yandexcloud.net. The MongoDB admin panel will open.

How to delete the resources you created

To stop paying for the created resources:

  1. Delete the mongo-express-gw API gateway.
  2. Delete the mongo-express-container container.
  3. Delete the image from app-registry.
  4. Delete the app-registry registry.
  5. Delete mongodb-creds.
  6. Delete mongo-vm.
  7. Delete the mongo-express service account.
Previous
Running external agents for load testing
Next
Deploying a gRPC service based on a Docker image