© 2025 Direct Cursus Technology L.L.C.
In this article:

  • MDB cluster subnets
  • Subnet IP address ranges
  • IP address availability and ownership
  • IP addresses and domain names in endpoint settings
  • Security groups
  • Transferring between a source on an external network and a target in Yandex Cloud

Networking in Yandex Data Transfer

Written by
Yandex Cloud
Improved by
Dmitry A.
Updated at April 9, 2025

When creating endpoints of certain types, you can select a cloud subnet. The transfer will use this subnet to access the source or target endpoint hosts.

You can specify the subnet manually in the endpoint settings (for On-Premise endpoints) or have one selected automatically for MDB endpoints. This subnet is referred to as the selected subnet. The network the selected subnet belongs to is referred to as the selected network.

If hosts are referenced by domain names in the endpoint settings, the DNS servers specified in the selected subnet DHCP settings will be used to resolve them into IP addresses. All the subnet's DNS servers must resolve the host domain name into an IP address; otherwise, the transfer may fail to start because the transfer services use an arbitrary subnet DNS server for name resolution. For more information, see IP addresses and domain names in endpoint settings.

The subnets selected for both endpoints of the same transfer must belong to the same availability zone.

MDB cluster subnets

You can only specify a subnet for endpoints with the On-Premise connection type. If the endpoint settings contain an MDB cluster ID rather than a host, one of the subnets that the database cluster is connected to will be selected for endpoint access.

Note

If both endpoints of the transfer are MDB clusters, and the availability zones of the source and target subnets do not intersect, you will not be able to initiate a transfer. There are two workarounds for this situation:

  • Adding a host to one of the clusters and selecting an appropriate availability zone.
  • Configuring one of the endpoints as On-Premise and connecting it to any subnet with an availability zone matching that of the other endpoint. If there is no suitable network, create a new one in the required zone and specify it in the On-Premise endpoint settings.

Subnet IP address ranges

When performing transfers between the source and target hosts that are in different subnets within Yandex Cloud, their IP address ranges should not overlap. For example, an error occurs if the hosts use subnets with the following IP ranges:

  • network-1/subnet-a with the IPv4 CIDR 10.130.0.0/24.
  • network-2/subnet-b with the IPv4 CIDR 10.130.0.0/24.
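The subnet rules on this page (same availability zone for both endpoints, no overlapping ranges between different subnets, at least one free address) can be checked before a transfer is created. The following is an added example, not Yandex Cloud code; the `Subnet` fields, the zone names and the `used` counter are assumptions made for the sketch, and the overlap test also catches partial overlaps such as a /16 containing a /24.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Subnet:
    name: str       # for example "network-1/subnet-a"
    zone: str       # availability zone label (constructed values in this sketch)
    cidr: str       # IPv4 CIDR of the subnet
    used: int = 0   # addresses already taken, including any the platform reserves

def preflight(source: Subnet, target: Subnet) -> list:
    """Return the rule violations for an endpoint pair; an empty list means it passes."""
    problems = []
    src, dst = (ipaddress.ip_network(s.cidr) for s in (source, target))
    # Both endpoint subnets must be in the same availability zone.
    if source.zone != target.zone:
        problems.append(f"zones differ: {source.zone} vs {target.zone}")
    # The same subnet on both sides is fine; two different subnets must not overlap.
    if source.name != target.name and src.overlaps(dst):
        problems.append(f"CIDRs overlap: {src} and {dst}")
    # Each selected subnet needs at least one free address.
    for subnet, net in ((source, src), (target, dst)):
        if net.num_addresses - subnet.used < 1:
            problems.append(f"no free IP address in {subnet.name}")
    return problems
```
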

Note

For a transfer to launch successfully, the address range of the selected endpoint subnet must contain at least one free IP address:

IP address availability and ownership

An IP address belongs to a network if it belongs to any CIDR of any subnet on this network. For example, if there is a network named my-network with the my-network-a (CIDR 192.168.0.0/24) and my-network-b (CIDR 192.168.1.0/24) subnets, then the 192.168.0.100 and 192.168.1.50 addresses belong to my-network while 1.2.3.4 does not.

An IP address is available via a subnet if it belongs to this subnet's network, or if the network this subnet belongs to has routing correctly configured for the IP address. 192.168.0.100 and 192.168.1.50 will be available via the my-network-a subnet (as well as via my-network-b). 1.2.3.4 will be available through these subnets in the following cases only:

  • An egress NAT gateway is enabled in my-network; this will cause traffic to be routed to the internet.
  • my-network has a static route configured to process the address in question (1.2.3.4). This will cause traffic to be directed to the next-hop address specified in the route.
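The ownership and availability definitions above, written out as an added example (not Yandex Cloud code). The `Network` model, the path labels and the next-hop address in the test data are assumptions; the `is_global` condition is an added refinement reflecting that internet egress only helps for publicly routable addresses.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Network:
    subnets: dict                                      # subnet name -> IPv4 CIDR
    nat_gateway: bool = False                          # egress NAT gateway enabled
    static_routes: dict = field(default_factory=dict)  # destination prefix -> next hop

def belongs(ip, net):
    """True if any subnet CIDR of the network contains the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in net.subnets.values())

def paths(ip, net):
    """List every way the address is available via a subnet of `net`.

    An empty list means the address is not available via any subnet of the network.
    """
    addr = ipaddress.ip_address(ip)
    if belongs(ip, net):
        return ["direct"]
    found = []
    # Case 1: egress NAT gateway sends the traffic to the internet.
    if net.nat_gateway and addr.is_global:
        found.append("nat-gateway")
    # Case 2: a static route covers the address and names a next hop.
    for prefix, hop in net.static_routes.items():
        if addr in ipaddress.ip_network(prefix):
            found.append(f"static-route {prefix} via {hop}")
    return found
```
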

IP addresses and domain names in endpoint settings

If a host is specified as an IP address in the endpoint settings, the selected endpoint subnet will be used for access to a cluster even if the specified IP does not belong to the network selected for the endpoint.

If an On-Premise endpoint with a host specified as a domain name or an MDB endpoint is being used, the host name will be resolved into an IP address using a DNS server specified in the DHCP settings for the selected subnet or a default DNS server (second address in the subnet range). For a transfer to be successful, the address that the host domain name resolves into must belong to the network selected for the endpoint while the DNS server address must be available via the selected subnet.
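Because the transfer may use any of the subnet's DNS servers, a single server that fails to resolve the host, or resolves it to an address outside the selected network, is enough to break a transfer. The check below is an added example, not Yandex Cloud code: `answers` stands for resolution results collected per DNS server (constructed by the caller), `routed` is a hypothetical list of prefixes the network can reach through routing, and the default DNS server is taken to be the subnet's network address plus two.

```python
import ipaddress

def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def default_dns(subnet_cidr):
    """Second address in the subnet range, read here as network address + 2."""
    return str(ipaddress.ip_network(subnet_cidr).network_address + 2)

def check_host(host, subnet_cidr, network_cidrs, dhcp_dns, answers, routed=()):
    """Return the problems found for one endpoint host; an empty list means it passes.

    answers maps a DNS server IP to the address it returned for `host` (None = no answer).
    """
    try:
        ipaddress.ip_address(host)
        return []   # IP literal: no lookup, the selected subnet is used as is
    except ValueError:
        pass
    problems = []
    for server in (dhcp_dns or [default_dns(subnet_cidr)]):
        # The DNS server itself must be available via the selected subnet.
        if not _in_any(server, list(network_cidrs) + list(routed)):
            problems.append(f"DNS server {server} is not available via the subnet")
            continue
        resolved = answers.get(server)
        if resolved is None:
            # Every server must resolve the name, since any of them may be used.
            problems.append(f"DNS server {server} does not resolve {host}")
        elif not _in_any(resolved, network_cidrs):
            problems.append(f"{server} resolves {host} to {resolved}, outside the network")
    return problems
```
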

Security groups

You can assign security groups to the subnet selected for the endpoint. If network access to the source or target hosts is restricted by security groups, you can set up network connectivity between Yandex Data Transfer and your DBMS without adding permissive rules for wide IP ranges to your security groups, allowing access from specific groups granularly instead. You can grant access to your DBMS hosts using one of the methods below:

  • Create a permissive rule called self in the security group that protects source or target hosts, and specify this security group in the endpoint settings.
  • Create a new security group for the endpoint and create permissive rules between the endpoint and the DBMS security groups.

Note

Make sure the security group specified in the endpoint allows outgoing traffic to the required port.
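An audit of the two methods and the egress note above, as an added example that is not Yandex Cloud code. The rule dictionaries are a constructed schema (`self`, `group`, `cidr`, `port`), not the cloud API format, and the `/24` threshold for a "wide" range is an assumption to adjust to local policy.

```python
import ipaddress

WIDE_PREFIX = 24   # assumption: any range shorter than /24 counts as "wide"

def _matches(rule, port):
    return rule.get("port") in (port, None)   # None = rule covers all ports

def audit(db_sg, endpoint_sg, port):
    """Return (granular, findings) for endpoint access to DBMS hosts on `port`.

    Each group is {"id": str, "ingress": [rule], "egress": [rule]}; a rule carries
    "port" plus one of "self": True, "group": <group id> or "cidr": <range>.
    """
    findings = []
    ingress = [r for r in db_sg["ingress"] if _matches(r, port)]
    same_group = db_sg["id"] == endpoint_sg["id"]
    # Method 1: self rule with the DBMS group attached to the endpoint.
    # Method 2: a rule that names the endpoint's own group.
    granular = any(
        (r.get("self") and same_group) or r.get("group") == endpoint_sg["id"]
        for r in ingress
    )
    for r in ingress:
        if "cidr" in r and ipaddress.ip_network(r["cidr"]).prefixlen < WIDE_PREFIX:
            findings.append(f"wide ingress range {r['cidr']} on port {port}")
    if not granular:
        findings.append("no self or group-to-group rule admits the endpoint")
    # The endpoint's group must also let traffic out to the DBMS port.
    if not any(_matches(r, port) for r in endpoint_sg["egress"]):
        findings.append(f"endpoint group has no egress rule for port {port}")
    return granular, findings
```
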

Transferring between a source on an external network and a target in Yandex Cloud

You can provide access to a source on an external network using one of the following methods:

  • Configure the source to make it accessible from the internet.
  • Use Yandex Cloud Interconnect.
  • Use a VPN.

If you need to transfer data between your cloud in Yandex Cloud and another cloud, including a different cloud in Yandex Cloud, or between your cloud in Yandex Cloud and a cluster in a user installation on your site, allow internet connections to a database in the third-party cloud or your site from Data Transfer IP addresses.

If you are using Cloud Interconnect or a VPN for connections, you do not need to configure the third-party cloud. To set up network connectivity, in the endpoint settings, specify a subnet from which you can connect to an external resource.

To run transfers requiring internet access, the data-transfer.admin role is required. To create endpoints with a subnet specified in their settings, assign the user the vpc.user role for the folder the subnet resides in.
