Networking in Yandex Data Transfer
When creating endpoints of certain types, you can select a cloud subnet. The transfer will use the above subnet to access source or target endpoint hosts.
You can specify the subnet manually in the endpoint settings (for On-Premise endpoints) or have one selected automatically for MDB endpoints. This subnet is referred to as the selected subnet. The network the selected subnet belongs to is referred to as the selected network.
If hosts are referenced by domain names in the endpoint settings, the DNS servers specified in the selected subnet DHCP settings will be used to resolve them into IP addresses. All subnet's DNS servers must resolve the host domain name into an IP address; otherwise, the transfer may fail, since an arbitrary DNS server is used for transfer service name resolution in the subnet. For more information, see IP addresses and domain names in endpoint settings.
The subnets selected for both endpoints of the same transfer must belong to the same availability zone.
MDB cluster subnets
You can only specify a subnet for endpoints with the On-Premise connection type. If the endpoint settings contain an MDB cluster ID rather than a host, one of the subnets that the database cluster is connected to will be selected for endpoint access.
Note
If both endpoints of the transfer are MDB clusters, and the availability zones of the source and target subnets do not intersect, you will not be able to initiate a transfer. There are two workarounds for this situation:
- Adding a host to one of the clusters and selecting an appropriate availability zone.
- Configuring one of the endpoints as On-Premise and connecting it to any subnet with an availability zone matching that of the other endpoint. If there is no suitable network, create a new one in a required zone and specify it in the On-Premise endpoint settings.
Subnet IP address ranges
When performing transfers between the source and target hosts that are in different subnets within Yandex Cloud, their IP address ranges should not overlap. For example, an error occurs if the hosts use subnets with the following IP ranges:
network-1/subnet-a
with the IPv4 CIDR10.130.0.0/24
.network-2/subnet-b
with the IPv4 CIDR10.130.0.0/24
.
Note
To launch a successful transfer in the selected endpoint subnet address range, there must be at least one free IP address:
IP address availability and ownership
An IP address belongs to a network if it belongs to any CIDR of any subnet on this network. For example, if there is a network named my-network
with the my-network-a
(CIDR 192.168.0.0/24
) and my-network-b
(CIDR 192.168.1.0/24
) subnets, then the 192.168.0.100
and 192.168.1.50
addresses belong to my-network
while 1.2.3.4
does not.
An IP address is available via a subnet if it belongs to this subnet's network, or if the network this subnet belongs to has routing correctly configured for the IP address. 192.168.0.100
and 192.168.1.50
will be available via the my-network-a
subnet (as well as via my-network-b
). 1.2.3.4
will be available through these subnets in the following cases only:
- An egress NAT gateway is enabled in
my-network
; this will cause traffic to be routed to the internet. my-network
has a static route configured to process the address in question (1.2.3.4
). This will cause traffic to be directed to the next-hop address specified in the route.
IP addresses and domain names in endpoint settings
If a host is specified as an IP address in the endpoint settings, the selected endpoint subnet will be used for access to a cluster even if the specified IP does not belong to the network selected for the endpoint.
If an On-Premise endpoint with a host specified as a domain name or an MDB endpoint is being used, the host name will be resolved into an IP address using a DNS server specified in the DHCP settings for the selected subnet or a default DNS server (second address in the subnet range). For a transfer to be successful, the address that the host domain name resolves into must belong to the network selected for the endpoint while the DNS server address must be available via the selected subnet.
Security groups
You can assign security groups to the subnet selected for the endpoint. In the event that network access to source or target hosts is restricted by security groups, you can disable network connectivity between Yandex Data Transfer and your DBMS without adding permissive rules for wide IP ranges to your security groups, and allow access from specific groups granularly. You can grant access to your DBMS hosts using one of the methods below:
- Create a permissive rule called
self
in the security group that protects source or target hosts, and specify this security group in the endpoint settings. - Create a new security group for the endpoint and create permissive rules between the endpoint and the DBMS security groups.
Note
Make sure to allow outgoing traffic to the port required by the security group specified in the endpoint.
Transfering between a source on an external network and a target in Yandex Cloud
You can provide access to a source on an external network using one of the following methods:
- By configuring a source to make it available from the internet.
- Using Yandex Cloud Interconnect.
- Using an intermediate VM configured to route traffic to Virtual Private Cloud.
If you need to migrate data between Yandex Cloud and a third-party cloud, allow incoming connections to the third-party cloud database from the internet from IP addresses used by Data Transfer
To run transfers requiring internet access, the data-transfer.admin
role is required. To create endpoints with a subnet specified in their settings, assign the vpc.user
role to the user for the folder the subnet is in.