Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Blog
  • Pricing
  • Documentation
© 2025 Direct Cursus Technology L.L.C.
Yandex Container Registry
  • Getting started
  • Yandex Container Solution
    • All tutorials
    • Signing and verifying Docker images in Managed Service for Kubernetes
    • Scanning vulnerabilities during continuous deployment of Managed Service for Kubernetes applications using GitLab
    • Continuous deployment of containerized applications using GitLab
    • Building a CI/CD pipeline in GitLab with serverless products
    • Storing Docker images created in Yandex Managed Service for GitLab projects
    • Connecting to Container Registry from VPC
    • Configuring a fault-tolerant architecture in Yandex Cloud
    • Running external agents for load testing
    • Running a containerized app in Yandex Serverless Containers
    • Deploying a gRPC service based on a Docker image
    • Deploying a service in DataSphere from a Docker image
    • Deploying a service in DataSphere from a Docker image with FastAPI
    • Setting up a Managed Service for PostgreSQL connection from a container in Serverless Containers
    • Integration with Container Registry
  • Access management
  • Pricing policy
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Troubleshooting
  • FAQ

In this article:

  • Prepare your cloud environment
  • Required paid resources
  • Create a service account
  • Create a network and configure the security group
  • Create a VM with MongoDB
  • Create a Yandex Lockbox secret
  • Create a registry in Container Registry
  • Push the Docker image to the registry
  • Create a Serverless Containers container
  • Create an API Gateway
  • Test the application
  • How to delete the resources you created
  1. Tutorials
  2. Running a containerized app in Yandex Serverless Containers

Running a containerized app in Yandex Serverless Containers

Written by
Yandex Cloud
Updated at May 7, 2025
  • Prepare your cloud environment
    • Required paid resources
  • Create a service account
  • Create a network and configure the security group
  • Create a VM with MongoDB
  • Create a Yandex Lockbox secret
  • Create a registry in Container Registry
  • Push the Docker image to the registry
  • Create a Serverless Containers container
  • Create an API Gateway
  • Test the application
  • How to delete the resources you created

Follow this guide to deploy a containerized app in Serverless Containers to administer a MongoDB DBMS.

The DBMS is deployed on a Yandex Compute Cloud VM. A Yandex Container Registry registry is used to host the container with the app. Yandex Lockbox is used to encrypt sensitive data. Secure access to the application is enabled over the Yandex API Gateway API gateway. The entire infrastructure of the containerized app resides in a single folder.

To deploy your containerized app:

  1. Prepare your cloud environment.
  2. Create a service account.
  3. Create a network and configure the security group.
  4. Create a Compute Cloud VM with MongoDB.
  5. Create a Yandex Lockbox secret and version.
  6. Create a registry in Container Registry.
  7. Push the Docker image to Container Registry.
  8. Create a Serverless Containers container.
  9. Create an API Gateway API gateway.
  10. Test the application.

If you no longer need the resources you created, delete them.

Prepare your cloud environmentPrepare your cloud environment

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The application support cost includes:

  • Fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • Secret storage fees (see Yandex Lockbox pricing).
  • Fee for storing a Docker image (see Yandex Container Registry pricing).
  • Fee for the number of container calls, computing resources allocated to execute the application, and outgoing traffic (see Serverless Containers pricing).
  • Fee for requests to the API gateway (see Yandex API Gateway pricing).

Create a service accountCreate a service account

Create a service account and assign it the roles for the folder to host the containerized app infrastructure.

Management console
CLI
API
  1. In the management console, go to the folder that will host the containerized app infrastructure.
  2. In the services list, select Identity and Access Management.
  3. Click Create service account.
  4. Enter the service account name: mongo-express.
  5. Click Add role and select the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles.
  6. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a service account named mongo-express:

    yc iam service-account create --name mongo-express
    
  2. Assign the service account the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles for the folder that will host your container:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
      --role container-registry.images.puller, lockbox.payloadViewer, serverless-containers.containerInvoker \
      --subject serviceAccount:<service_account_ID>
    

    Where:

    • <folder_name_or_ID>: Name or ID of the folder to host the container.
    • --subject serviceAccount: mongo-express service account ID.

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account a role for the folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Create a network and configure the security groupCreate a network and configure the security group

Management console
CLI
API
  1. In the management console, select the folder to host the network.

  2. In the services list, select Virtual Private Cloud.

  3. At the top right, click Create network.

  4. In the Name field, specify mongo-express-network.

  5. In the Advanced field, select Create subnets.

  6. Click Create network.

  7. In the left-hand panel, select Security groups.

  8. Click the icon next to the default security group created for mongo-express-network.

  9. In the menu that opens, click Edit.

  10. Configure the security group:

    1. Click Create security group.

    2. Under Rules, add a rule using the instructions below the table:

      Traffic
      direction
      Description Port range Protocol Destination name /
      Source
      CIDR blocks
      Incoming any 27017 Any CIDR 0.0.0.0/0
      1. Select the Egress tab for an outbound rule or Ingress tab for an inbound rule.
      2. Click Add.
      3. In the Port range field of the window that opens, specify a single port or a range of ports that will be open for inbound or outbound traffic. To open all ports, click Select entire range.
      4. In the Protocol field, specify the required protocol or specify Any to allow traffic over any protocol.
      5. In the Destination name / Source field, select CIDR. This way, the rule will apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.
      6. Click Save.
    3. Click Save.

    4. Click Save once again.

  1. Create a cloud network:

    yc vpc network create \
      --name mongo-express-network
    
  2. Get the name or ID of the group to edit:

    yc vpc security-groups list
    

    Result:

    +----------------------+---------------------------------+------------------------------------+----------------------+
    |          ID          |              NAME               |          DESCRIPTION               |      NETWORK-ID      |
    +----------------------+---------------------------------+------------------------------------+----------------------+
    | enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
    +----------------------+---------------------------------+------------------------------------+----------------------+
    
  3. Add a rule using the update-rules command and the --add-rule parameter:

    yc vpc security-group update-rules <group_name_or_ID> \
      --add-rule "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"
    

    Where <group_name_or_ID> is the value obtained at the previous step.

  1. To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call, and provide the following in the request:

    • ID of the folder to host the network.
    • Name of the new network,mongo-express-network, in the name parameter.
  2. To add a rule to a security group, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, and provide the following in your request:

    • ID of the security group you want to add rules to, in the securityGroupId parameter.

      To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.

    • New security group rules, in the additionRuleSpecs[] array:

      • Traffic direction: ingress.
      • Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter: any.
      • List of CIDRs and subnet masks, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter: [0.0.0.0/0,0.0.0.0/0].
      • First port in the traffic ports range, in the additionRuleSpecs[].ports.fromPort parameter: 0.
      • Last port in the traffic ports range, in the additionRuleSpecs[].ports.toPort parameter: 65535.

Create a VM with MongoDBCreate a VM with MongoDB

We recommend using a VM with basic configuration.

Management console
CLI
  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    1. Go to the Container Solution tab and click Configure.

    2. In the window that opens, go to the Docker Compose tab and enter the VM specification:

      version: '3.1'
      
      services:
        mongo:
          image: mongo
          restart: always
          environment:
            MONGO_INITDB_ROOT_USERNAME: mongo_db_user
            MONGO_INITDB_ROOT_PASSWORD: <password>
          ports:
            - 27017:27017
      

      In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.

    3. Click Apply.

  3. Under Location, select an availability zone to create your VM in. If you do not know which availability zone you need, leave the default one.

  4. Under Network settings:

    • In the Subnet field, select a subnet in the mongo-express-network network you created earlier.
    • In the Public IP address field, select Auto.
  5. Under Access, select the SSH key option, and specify the data for access to the VM:

    • Under Login, enter the username. Do not use root or other names reserved by the OS. To perform actions requiring root privileges, use the sudo command.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, specify the VM name: mongo-vm.

  7. Click Create VM.

Wait for the VM status to change to Running and save its public IP address: you will need it for connecting to the database.

  1. Prepare a key pair (public and private keys) for SSH access to the VM.

  2. Create docker-spec.yaml, a Docker container specification file:

    version: '3.1'
    
    services:
      mongo:
        image: mongo
        restart: always
        environment:
          MONGO_INITDB_ROOT_USERNAME: mongo_db_user
          MONGO_INITDB_ROOT_PASSWORD: <password>
        ports:
          - 27017:27017
    

    In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.

  3. Run the following command:

    yc compute instance create-with-container \
      --coi-spec-file docker-spec.yaml \
      --name mongo-vm \
      --zone ru-central1-b \
      --ssh-key ssh-key.pub \
      --create-boot-disk size=30 
    

    Where:

    • --coi-spec-file: Path to the Docker container specification file.
    • --name: VM name.
    • --zone: Availability zone.
    • --ssh-key: Contents of the public key file. You need to create a key pair for the SSH connection yourself.
    • --create-boot-disk size: Boot disk size. It must be at least 30 GB.

    Result:

    done (1m40s)
     id: epde18u4mahl********
     folder_id: b1g7gvsi89m3********
     created_at: "2023-02-08T10:34:06.601Z"
     name: mongo-vm
     ...
    

Create a Yandex Lockbox secretCreate a Yandex Lockbox secret

A Yandex Lockbox secret will store the encrypted authentication credentials.

Management console
CLI
API
  1. In the management console, select the folder where you want to create a secret.
  2. In the services list, select Lockbox.
  3. Click Create secret.
  4. In the Name field, enter a name for the secret: mongodb-creds.
  5. Under Version:
    • In the Key field, enter login.
    • In the Value field, enter mongo_db_user as your DB user login.
  6. Click Add key/value and specify the second secret:
    • In the Key field, enter password.
    • In the Value field, enter the password to access the database: the MONGO_INITDB_ROOT_PASSWORD value from the VM specification.
  7. Click Create.
  1. Use the following command to create the mongodb-creds secret:

    yc lockbox secret create \
      --name mongodb-creds \
      --payload "[{'key': 'login', 'text_value': 'mongo_db_user'},{'key': 'password', 'text_value': '<password>'}]" 
    

    Where:

    • --name: Secret name.
    • --payload: Contents of the secret as a YAML or JSON array.
    • <password>: MONGO_INITDB_ROOT_PASSWORD value from the VM specification.

    Result:

    id: e6q6nbjfu9m2********
    folder_id: b1qt6g8ht345********
    created_at: "2023-02-08T10:34:06.601Z"
    name: mongodb-creds
    status: ACTIVE
    current_version:
      id: e6q0s9airqca********
      secret_id: e6q6nbjfu9m2********
      created_at: "2023-02-08T10:34:06.601Z"
      status: ACTIVE
      payload_entry_keys:
        - login
        - password
    

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.

Create a registry in Container RegistryCreate a registry in Container Registry

The registry in Container Registry will house the Docker image of the mongo-express application.

Management console
CLI
API
  1. In the management console, select the folder to create a registry in.
  2. In the services list, select Container Registry.
  3. Click Create registry.
  4. Specify a name for the registry: app-registry.
  5. Click Create registry.

Create the app-registry registry:

yc container registry create --name app-registry

Result:

done
id: crpd50616s9a********
folder_id: b1g88tflru0e********
name: app-registry
status: ACTIVE
created_at: "2023-02-08T10:34:06.601Z"

To create a registry, use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.

Push the Docker image to the registryPush the Docker image to the registry

  1. Create a Docker Hub account.

  2. Install Docker:

    • For a Windows workstation, install this version.
    • Install on Linux.
    • Install on Mac OS.
  3. Download the mongo-express image:

    docker pull mongo-express
    

    The result will be as follows:

    Using default tag: latest
    latest: Pulling from library/mongo-express
    6a428f9f83b0: Pull complete
    f2b1fb32259e: Pull complete
    40888f2a0a1f: Pull complete
    4e3cc9ce09be: Pull complete
    eaa1898f3899: Pull complete
    ab4078090382: Pull complete
    ae780a42c79e: Pull complete
    e60224d64a04: Pull complete
    Digest: sha256:dcfcf89bf91238ff129469a5a94523b3025913dcc41597d72d4d5f4a********
    Status: Downloaded newer image for mongo-express:latest
    docker.io/library/mongo-express:latest
    
  4. Authenticate in Container Registry using the Docker credential helper:

    CLI
    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker
      

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'
      

      Settings are saved in the current user's profile.

    2. Check that the ${HOME}/.docker/config.json configuration file includes the following line:

      "cr.yandex": "yc"
      

    Docker is ready to use.

  5. Push the Docker image to the registry:

    CLI
    1. Assign a URL to the pushed mongo-express image using the following format: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>:

      docker tag mongo-express \
      cr.yandex/<registry_ID>/mongo-express:mongo-tag
      
    2. Push the mongo-express image to the registry:

      docker push cr.yandex/<registry_ID>/mongo-express:mongo-tag
      

Create a Serverless Containers containerCreate a Serverless Containers container

To run your application in Yandex Cloud, create a container and its revision:

Management console
CLI
API
  1. In the management console, select the folder where you want to create a container.
  2. Select Serverless Containers.
  3. Click Create container.
  4. Enter the container name: mongo-express-container.
  5. Click Create.
  6. Go to the Editor tab.
    1. Under Resources, enter the amount of RAM: 1024 MB.
    2. Under Image settings:
      1. In the Image URL field, specify the Docker image you pushed previously.
      2. In the Environment variables field, add the following variables:
        • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
        • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
        • VCAP_APP_PORT: Set the port to 8080.
        • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.
      3. In the Lockbox secrets field, specify these secrets:
        • ME_CONFIG_MONGODB_AUTH_USERNAME: Secret with the login key.
        • ME_CONFIG_MONGODB_AUTH_PASSWORD: Secret with the password key.
    3. Under Settings:
      1. In the Service account field, specify mongo-express.
      2. In the Timeout field, specify 15.
  7. Click Create revision.
  1. Create a container:

    yc serverless container create --name mongo-express-container
    

    Result:

    id: bba3fva6ka5g********
    folder_id: b1gqvft7kjk3********
    created_at: "2023-02-08T10:34:06.601Z"
    name: mongo-express-container
    url: https://bba3fva6ka5g********.containers.yandexcloud.net/
    status: ACTIVE
    
  2. Create a container revision:

    yc serverless container revision deploy \
      --container-name mongo-express-container \
      --image <Docker_image_URL> \
      --cores 1 \
      --memory 1GB \
      --concurrency 1 \
      --execution-timeout 15s \
      --service-account-id <mongo_express_service_account_ID> \
      --environment ME_CONFIG_BASICAUTH_USERNAME="", ME_CONFIG_BASICAUTH_PASSWORD="", VCAP_APP_PORT=8080, ME_CONFIG_MONGODB_SERVER=<VM_public_address> \
      --secret environment-variable=ME_CONFIG_MONGODB_AUTH_USERNAME,key=login \
      --secret environment-variable=ME_CONFIG_MONGODB_AUTH_PASSWORD,key=password
    

    Where:

    • --image: URL of the mongo-express Docker image you pushed earlier.

    • --service-account-id: ID of the mongo-express service account you created earlier.

    • --environment: Environment variables:

      • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
      • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
      • VCAP_APP_PORT: Set the port to 8080.
      • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.
    • --secret environment-variable: ME_CONFIG_MONGODB_AUTH_USERNAME and ME_CONFIG_MONGODB_AUTH_PASSWORD secrets you created earlier.

    Result:

    id: bbajn5q2d74c********
    container_id: bba3fva6ka5g********
    created_at: "2023-02-08T10:34:06.601Z"
    image:
      image_url: cr.yandex/crpd3cicopk7********/mongo-express-container:latest
      image_digest: sha256:de8e1dce7ceceeafaae122f7670084a1119c961cd9ea1795eae92bd********
    resources:
      memory: "1073741824"
      cores: "1"
    execution_timeout: 15s
    service_account_id: ajeqnasj95o7********
    status: ACTIVE
    

To create a container, use the create REST API method for the Container resource or the ContainerService/Create gRPC API call.

To create a container revision, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.

Create an API GatewayCreate an API Gateway

Create an API gateway with the x-yc-apigateway-integration:serverless_containers extension.

Management console
CLI
API
  1. In the management console, select the folder where you want to create an API gateway.

  2. In the services list, select API Gateway.

  3. Click Create API gateway.

  4. In the Name field, enter a name for the API gateway: mongo-express-gw.

  5. In the Specification section, add the specification:

    openapi: 3.0.0
    info:
      title: Sample API
      version: 1.0.0
    servers:
      - url: https://mongo-express-container.apigw.yandexcloud.net
    paths:
      /{proxy+}:
        x-yc-apigateway-any-method:
          x-yc-apigateway-integration:
            type: serverless_containers
            container_id: <container_ID>
            service_account_id: <service_account_ID>
          parameters:
          - explode: false
            in: path
            name: proxy
            required: false
            schema:
              default: '-'
              type: string
            style: simple
    

    Where:

    • container_id: Container ID for mongo-express-container.
    • service_account_id: mongo-express service account ID.
  6. Click Create.

  1. Prepare an OpenAPI 3.0 API specification file.

    Specification
    openapi: 3.0.0
    info:
      title: Sample API
      version: 1.0.0
    servers:
      - url: https://mongo-express-container.apigw.yandexcloud.net
    paths:
      /{proxy+}:
        x-yc-apigateway-any-method:
          x-yc-apigateway-integration:
            type: serverless_containers
            container_id: <container_ID>
            service_account_id: <service_account_ID>
          parameters:
          - explode: false
            in: path
            name: proxy
            required: false
            schema:
              default: '-'
              type: string
            style: simple
    

    Where:

    • container_id: Container ID for mongo-express-container.
    • service_account_id: mongo-express service account ID.
  2. Specify the parameters and create an API gateway using this command:

    yc serverless api-gateway create \
        --name mongo-express-gw \
        --spec=<specification_file_path>
    

To create an API gateway, use the create REST API method for the ApiGateway resource or the ApiGatewayService/Create gRPC API call.

Test the applicationTest the application

Click https://mongo-express-container.apigw.yandexcloud.net. The MongoDB admin panel will open.

How to delete the resources you createdHow to delete the resources you created

To stop paying for the created resources:

  1. Delete the mongo-express-gw API gateway.
  2. Delete the mongo-express-container container.
  3. Delete the image from app-registry.
  4. Delete the app-registry registry.
  5. Delete mongodb-creds.
  6. Delete mongo-vm.
  7. Delete the mongo-express service account.

Was the article helpful?

Previous
Running external agents for load testing
Next
Deploying a gRPC service based on a Docker image
© 2025 Direct Cursus Technology L.L.C.