Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Running a containerized app in Yandex Serverless Containers

Written by
Updated at November 10, 2025

Follow this guide to deploy a containerized app in Serverless Containers to administer MongoDB.

MongoDB is deployed on a Yandex Compute Cloud VM. A Yandex Container Registry is used to host the container with the app. Yandex Lockbox is used to encrypt sensitive data. Secure access to the application is enabled over a Yandex API Gateway. The entire infrastructure of the containerized app resides in a single folder.

To deploy your containerized app:

  1. Get your cloud ready.
  2. Create a service account.
  3. Create a cloud network with a subnet.
  4. Configure the security group.
  5. Create a Compute Cloud VM with MongoDB.
  6. Create a Yandex Lockbox secret and version.
  7. Create a registry in Container Registry.
  8. Push the Docker image to Container Registry.
  9. Create a container in Serverless Containers.
  10. Create an API Gateway.
  11. Test the application.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The application support cost includes:

Create a service account

Create a service account and assign it the required roles for the folder that will host the containerized app infrastructure.

  1. In the management console, go to the folder that will host the containerized app infrastructure.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter mongo-express as the service account name.
  5. Click Add role and select the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles.
  6. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account named mongo-express:

    yc iam service-account create --name mongo-express

    Result:

    id: aje3pdqm1cul********
folder_id: b1g681qpemb4********
created_at: "2025-06-14T10:31:06.911280565Z"
name: mongo-express

  2. Assign the service account the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles for the folder that will host your container:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role container-registry.images.puller \
  --subject serviceAccount:<service_account_ID>

yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role lockbox.payloadViewer \
  --subject serviceAccount:<service_account_ID>

yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role serverless-containers.containerInvoker \
  --subject serviceAccount:<service_account_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder to host the container.
    • --subject serviceAccount: mongo-express service account ID.

    Result:

    effective_deltas:
  - action: ADD
    access_binding:
      role_id: container-registry.images.puller
      subject:
        id: aje3pdqm1cul********
        type: serviceAccount

effective_deltas:
  - action: ADD
    access_binding:
      role_id: lockbox.payloadViewer
      subject:
        id: aje3pdqm1cul********
        type: serviceAccount

effective_deltas:
  - action: ADD
    access_binding:
      role_id: serverless-containers.containerInvoker
      subject:
        id: aje3pdqm1cul********
        type: serviceAccount
  1. To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
  2. To assign the service account roles for a folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Create a cloud network and subnet

Create a cloud network and subnet the VM will reside in.

  1. In the management console, select Virtual Private Cloud from the list of services.
  2. At the top right, click Create network.
  3. In the Name field, specify mongo-express-network.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.
  6. In the left-hand panel, select Subnets.
  7. At the top right, click Create.
  8. In the Name field, specify mongo-express-subnet-ru-central1-b.
  9. In the Availability zone field, select ru-central1-b.
  10. In the Network field, select mongo-express-network.
  11. In the CIDR field, specify 192.168.1.0/24.
  12. Click Create subnet.

  1. Create a cloud network:

    yc vpc network create \
  --name mongo-express-network

    Result:

    id: enp1b4okmg57********
folder_id: b1g681qpemb4********
created_at: "2025-06-13T12:57:02Z"
name: mongo-express-network
default_security_group_id: enphs1omp6m4********

    Save the default security group ID specified in the default_security_group_id field.

  2. Create a subnet:

    yc vpc subnet create \
   --name mongo-express-subnet-ru-central1-b \
   --zone ru-central1-b \
   --network-id <network_ID> \
   --range 192.168.1.0/24

    Where:

    • --name: Subnet name.
    • --zone: Availability zone.
    • --network-id: mongo-express-network network ID.
    • --range: List of IPv4 addresses the traffic will come to or from.

    Result:

    id: e2l9i0eaq32t********
folder_id: b1g681qpemb4********
created_at: "2025-06-14T09:27:37Z"
name: mongo-express-subnet-ru-central1-b
network_id: enp1b4okmg57********
zone_id: ru-central1-b
v4_cidr_blocks:
  - 192.168.1.0/24

  1. To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call, providing the following in your request:

    • ID of the folder to host the network.
    • Name of the new network,mongo-express-network, in the name parameter.

  2. To create a subnet, use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Configure the security group

Configure the default security group in the cloud network you created earlier.

  1. In the management console, select Virtual Private Cloud from the list of services.

  2. In the left-hand panel, select Security groups.

  3. Next to the default security group created for mongo-express-network, click and select Edit.

  4. Under Rules, navigate to the Egress tab.

  5. Click Add and create a rule based on this table:

    Traffic
    direction    		 Description Port range Protocol Destination name /
    Source    		 CIDR blocks
    Ingress any 27017 Any CIDR 0.0.0.0/0

  6. Click Save.

Add the rule to the security group:

yc vpc security-group update-rules <security_group_ID> \
  --add-rule "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"

Where <security_group_ID> is the default_security_group_id value obtained in the previous step.

Result:

id: enpmal7qcb1q********
folder_id: b1g681qpemb4********
created_at: "2025-06-14T09:24:47Z"
name: default-sg-enpeiqghds1j********
description: Default security group for network
network_id: enpeiqghds1j********
status: ACTIVE
rules:
  ...
  - id: enprm96de4ec********
    direction: INGRESS
    ports:
      from_port: "27017"
      to_port: "27017"
    protocol_name: ANY
    protocol_number: "-1"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0
        - 0.0.0.0/0
default_for_network: true

To add a rule to a security group, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, providing the following in your request:

  • ID of the security group you want to add rules to, in the securityGroupId parameter.

    To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.

  • New security group rules, in the additionRuleSpecs[] array:

    • Traffic direction: ingress.
    • Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter: any.
    • List of CIDRs and subnet masks, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter: [0.0.0.0/0,0.0.0.0/0].
    • First port in the traffic ports range, in the additionRuleSpecs[].ports.fromPort parameter: 0.
    • Last port in the traffic port range, in the additionRuleSpecs[].ports.toPort parameter: 65535.

Create a VM with MongoDB

We recommend using a VM with basic configuration.

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Select Advanced setup.

  3. Under Boot disk image:

    1. Navigate to the Container Solution tab and click Configure.

    2. In the window that opens, go to the Docker Compose tab and specify the Docker container as follows:

      version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

      In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use this password generator. Save the password, as you will need it in the next steps.

    3. Click Apply.

  4. Under Location, select an availability zone for your VM. If you are not sure which one to choose, leave the default.

  5. Under Network settings:

    • In the Subnet field, select mongo-express-subnet-ru-central1-b.
    • In the Public IP address field, select Auto.

  6. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter the username. Do not use root or other names reserved for the OS purposes. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  7. Under General information, specify the VM name: mongo-vm.

  8. Click Create VM.

Wait for the VM status to change to Running and save its public IP address: you will need it for connecting to the database.

  1. Create a key pair (public and private keys) for SSH access to the VM.

  2. Create docker-spec.yaml, a Docker container specification file:

    version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

    In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use this password generator. Save the password, as you will need it in the next steps.

  3. Run this command:

    yc compute instance create-with-container \
  --docker-compose-file docker-spec.yaml \
  --name mongo-vm \
  --zone ru-central1-b \
  --network-interface subnet-name=mongo-express-subnet-ru-central1-b,nat-ip-version=ipv4 \
  --ssh-key <path_to_public_key_file> \
  --create-boot-disk size=30

    Where:

    • --docker-compose-file: Path to the Docker container specification file.
    • --name: VM name.
    • --zone: Availability zone.
    • --network-interface: VM network settings.
    • --ssh-key: Path to the public SSH key file, e.g., ./ssh-key.pub. The default username for SSH access is yc-user.
    • --create-boot-disk size: Boot disk size. It must be at least 30 GB.

    Result:

    id: epde18u4mahl********
folder_id: b1g7gvsi89m3********
created_at: "2023-02-08T10:34:06.601Z"
name: mongo-vm
...

Create a Yandex Lockbox secret

The Yandex Lockbox secret will store encrypted authentication credentials.

  1. In the management console, select Lockbox from the list of services.

  2. Click Create secret.

  3. In the Name field, enter a name for the secret: mongodb-creds.

  4. Under Version:

    • In the Key field, enter login.
    • In the Value field, enter mongo_db_user as your DB user login.

  5. Click Add key/value and specify the second secret:

    • In the Key field, enter password.
    • In the Value field, enter the password to access the database: the MONGO_INITDB_ROOT_PASSWORD value from the Docker container specification.

  6. Click Create.

Create a secret named mongodb-creds:

yc lockbox secret create \
  --name mongodb-creds \
  --payload "[{'key': 'login', 'text_value': 'mongo_db_user'},{'key': 'password', 'text_value': '<password>'}]"

Where:

  • --name: Secret name.
  • --payload: Contents of the secret provided as a YAML or JSON array.
  • <password>: MONGO_INITDB_ROOT_PASSWORD value from the Docker container specification.

Result:

id: e6q6nbjfu9m2********
folder_id: b1qt6g8ht345********
created_at: "2023-02-08T10:34:06.601Z"
name: mongodb-creds
status: ACTIVE
current_version:
  id: e6q0s9airqca********
  secret_id: e6q6nbjfu9m2********
  created_at: "2023-02-08T10:34:06.601Z"
  status: ACTIVE
  payload_entry_keys:
    - login
    - password

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.

Create a registry in Container Registry

The registry in Container Registry will house the Docker image of the mongo-express application.

  1. In the management console, select Container Registry from the list of services.
  2. Click Create registry.
  3. Specify app-registry as the registry name.
  4. Click Create registry.

Create a registry named app-registry:

yc container registry create --name app-registry

Result:

id: crpd50616s9a********
folder_id: b1g88tflru0e********
name: app-registry
status: ACTIVE
created_at: "2023-02-08T10:34:06.601Z"

To create a registry, use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.

Push the Docker image to the registry

  1. Create a Docker Hub account.

  2. Install Docker:

  3. Download the mongo-express image:

    docker pull mongo-express

    Result:

    Using default tag: latest
latest: Pulling from library/mongo-express
6a428f9f83b0: Pull complete
...
e60224d64a04: Pull complete
Digest: sha256:dcfcf89bf91238ff129469a5a94523b3025913dcc41597d72d4d5f4a********
Status: Downloaded newer image for mongo-express:latest
docker.io/library/mongo-express:latest

  4. Authenticate in Container Registry using the Docker credential helper:

    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'

      The current user's profile holds the saved settings.

    2. Check that the ${HOME}/.docker/config.json file includes the following line:

      "cr.yandex": "yc"

    Docker is ready to use.

  5. Push the Docker image to the registry:

    1. Assign a URL to the pushed mongo-express image using the following format: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>:

      docker tag mongo-express \
cr.yandex/<registry_ID>/mongo-express:mongo-tag

    2. Push the mongo-express image to the registry:

      docker push cr.yandex/<registry_ID>/mongo-express:mongo-tag

      Result:

      \The push refers to repository [cr.yandex/crpbr3qaut47********/mongo-express]
7c550ce9591d: Pushed
...
aedc3bda2944: Pushed
mongo-tag: digest: sha256:c641... size: 1993

Create a container in Serverless Containers

To run your application in Yandex Cloud, create a container and its revision:

  1. In the management console, select Serverless Containers from the list of services.

  2. Click Create container.

  3. Enter the container name: mongo-express-container.

  4. Click Create.

  5. Navigate to the Editor tab.

    1. Under Resources, enter the amount of RAM: 1024 MB.

    2. Under Image settings:

      1. In the Image URL field, specify the URL of the Docker image you pushed previously.

      2. In the Environment variables field, add the following variables:

        • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
        • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
        • VCAP_APP_PORT: Set it to 8080.
        • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained earlier.

      3. In the Lockbox secrets field, specify these secrets:

        • ME_CONFIG_MONGODB_AUTH_USERNAME: Secret with the login key.
        • ME_CONFIG_MONGODB_AUTH_PASSWORD: Secret with the password key.

    3. Under Settings:

      1. In the Service account field, specify mongo-express.
      2. In the Timeout field, specify 15.

  6. Click Create revision.

  1. Create a container:

    yc serverless container create --name mongo-express-container

    Result:

    id: bba3fva6ka5g********
folder_id: b1gqvft7kjk3********
created_at: "2023-02-08T10:34:06.601Z"
name: mongo-express-container
url: https://bba3fva6ka5g********.containers.yandexcloud.net/
status: ACTIVE

  2. Create a container revision:

    yc serverless container revision deploy \
  --container-name mongo-express-container \
  --cores 1 \
  --memory 1GB \
  --image cr.yandex/<registry_ID>/mongo-express:mongo-tag \
  --environment ME_CONFIG_BASICAUTH=false \
  --environment VCAP_APP_PORT=8080 \
  --environment ME_CONFIG_MONGODB_SERVER=<VM_public_address> \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_USERNAME,key=login,id=<secret_ID> \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_PASSWORD,key=password,id=<secret_ID> \
  --service-account-id <mongo_express_service_account_ID> \
  --network-id <network_ID> \
  --execution-timeout 15s \
  --concurrency 1

    Where:

    • --image: URL of the mongo-express Docker image you pushed earlier.

    • --environment: Environment variables:

      • ME_CONFIG_BASICAUTH: Set it to false.
      • VCAP_APP_PORT: Set it to 8080.
      • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained earlier.

    • --secret environment-variable: ME_CONFIG_MONGODB_AUTH_USERNAME and ME_CONFIG_MONGODB_AUTH_PASSWORD secrets you created earlier.

    • --service-account-id: ID of the mongo-express service account you created earlier.

    • --network-id: mongo-express-network network ID.

    Result:

    id: bbas0ktemln9********
container_id: bbai45hrl5et********
created_at: "2025-06-14T10:18:06.791Z"
image:
  image_url: cr.yandex/crpbr3qaut47********/mongo-express:mongo-tag
  image_digest: sha256:c641....
  environment:
    ME_CONFIG_BASICAUTH: "false"
    ME_CONFIG_MONGODB_SERVER: 89.169.***.***
    VCAP_APP_PORT: "8080"
resources:
  memory: "1073741824"
  cores: "1"
  core_fraction: "100"
execution_timeout: 15s
concurrency: "1"
service_account_id: ajeldi88vl73********
status: ACTIVE
secrets:
  - id: e6qfi832v2j8********
    version_id: e6qj9a9oifme********
    key: login
    environment_variable: ME_CONFIG_MONGODB_AUTH_USERNAME
  - id: e6qfi832v2j8********
    version_id: e6qj9a9oifme********
    key: password
    environment_variable: ME_CONFIG_MONGODB_AUTH_PASSWORD
log_options:
  folder_id: b1g681qpemb4********
runtime:
  http: {}
  1. To create a container, use the create REST API method for the Container resource or the ContainerService/Create gRPC API call.
  2. To create a container revision, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.

Create an API Gateway

Create an API gateway with the x-yc-apigateway-integration:serverless_containers extension.

  1. In the management console, select API Gateway from the list of services.

  2. Click Create API gateway.

  3. In the Name field, enter the API gateway name: mongo-express-gw.

  4. Under Specification, add the following specification:

    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: mongo-express-container ID.
    • service_account_id: mongo-express service account ID.

  5. Click Create.

  6. Open the created API gateway and copy the link from the Default domain field.

  1. Create an OpenAPI 3.0 specification file to describe your API.

    Specification
    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: mongo-express-container ID.
    • service_account_id: mongo-express service account ID.

  2. Specify the properties and use the following command to create your API gateway:

    yc serverless api-gateway create \
    --name mongo-express-gw \
    --spec=<specification_file_path>

    Result:

    id: d5d63uh1h26g********
folder_id: b1g681qpemb4********
created_at: "2025-06-14T10:23:19.682Z"
name: mongo-express-gw
status: ACTIVE
domain: d5d63uh1h26g********.********.apigw.yandexcloud.net
connectivity: {}
log_options:
  folder_id: b1g681qpemb4********
execution_timeout: 300s

    Save the link specified in the domain field.

To create an API gateway, use the create REST API method for the ApiGateway resource or the ApiGatewayService/Create gRPC API call.

Test the application

Follow the link formatted as d5d63uh1h26g********.********.apigw.yandexcloud.net obtained in the previous step. The MongoDB admin panel opens.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete mongo-express-gw.
  2. Delete mongo-express-container.
  3. Delete the image from app-registry.
  4. Delete app-registry.
  5. Delete the mongodb-creds secret.
  6. Delete mongo-vm.
  7. Delete the mongo-express service account.
Previous
Running external agents for load testing
Next
Deploying a gRPC service based on a Docker image