Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Running a containerized app in Yandex Serverless Containers

Written by
Updated at June 3, 2025

Follow this guide to deploy a containerized app in Serverless Containers to administer MongoDB.

MongoDB is deployed on a Yandex Compute Cloud VM. A Yandex Container Registry is used to host the container with the app. Yandex Lockbox is used to encrypt sensitive data. Secure access to the application is enabled over a Yandex API Gateway. The entire infrastructure of the containerized app resides in a single folder.

To deploy your containerized app:

  1. Get your cloud ready.
  2. Create a service account.
  3. Create a network and configure its security group.
  4. Create a Compute Cloud VM with MongoDB.
  5. Create a Yandex Lockbox secret and version.
  6. Create a registry in Container Registry.
  7. Push the Docker image to Container Registry.
  8. Create a container in Serverless Containers.
  9. Create an API Gateway.
  10. Test the application.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The application support cost includes:

Create a service account

Create a service account and assign it the required roles for the folder that will host the containerized app infrastructure.

  1. In the management console, go to the folder that will host the containerized app infrastructure.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter mongo-express as the service account name.
  5. Click Add role and select the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles.
  6. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account named mongo-express:

    yc iam service-account create --name mongo-express

  2. Assign the service account the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles for the folder that will host your container:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role container-registry.images.puller, lockbox.payloadViewer, serverless-containers.containerInvoker \
  --subject serviceAccount:<service_account_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder to host the container.
    • --subject serviceAccount: mongo-express service account ID.

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account roles for a folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Create a network and configure its security group

  1. In the management console, select the folder where you want to create a network.

  2. In the list of services, select Virtual Private Cloud.

  3. At the top right, click Create network.

  4. In the Name field, specify mongo-express-network.

  5. In the Advanced field, select Create subnets.

  6. Click Create network.

  7. In the left-hand panel, select Security groups.

  8. Click next to the default security group created for mongo-express-network.

  9. In the menu that opens, click Edit.

  10. Configure the security group:

    1. Click Create security group.

    2. Under Rules, add a rule by following the steps below the table:

      Traffic
      direction      		 Description Port range Protocol Destination name /
      Source      		 CIDR blocks
      Ingress any 27017 Any CIDR 0.0.0.0/0
      1. Select the Egress or Ingress tab.
      2. Click Add.
      3. In the Port range field of the window that opens, specify a port or range of ports open for inbound or outbound traffic. To open all ports, click Select entire range.
      4. In the Protocol field, specify the required protocol or leave Any to allow traffic over any protocol.
      5. In the Destination name or Source field, select CIDR for the rule to apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.
      6. Click Save.

    3. Click Save.

    4. Click Save once again.

  1. Create a cloud network:

    yc vpc network create \
  --name mongo-express-network

  2. Get the name or ID of the group to edit:

    yc vpc security-groups list

    Result:

    +----------------------+---------------------------------+------------------------------------+----------------------+
|          ID          |              NAME               |          DESCRIPTION               |      NETWORK-ID      |
+----------------------+---------------------------------+------------------------------------+----------------------+
| enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
+----------------------+---------------------------------+------------------------------------+----------------------+

  3. Add a rule using the update-rules command and the --add-rule parameter:

    yc vpc security-group update-rules <group_name_or_ID> \
  --add-rule "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"

    Where <group_name_or_ID> is the value obtained in the previous step.

  1. To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call, providing the following in your request:

    • ID of the folder to host the network.
    • Name of the new network,mongo-express-network, in the name parameter.

  2. To add a rule to a security group, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, providing the following in your request:

    • ID of the security group you want to add rules to, in the securityGroupId parameter.

      To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.

    • New security group rules, in the additionRuleSpecs[] array:

      • Traffic direction: ingress.
      • Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter: any.
      • List of CIDRs and subnet masks, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter: [0.0.0.0/0,0.0.0.0/0].
      • First port in the traffic ports range, in the additionRuleSpecs[].ports.fromPort parameter: 0.
      • Last port in the traffic port range, in the additionRuleSpecs[].ports.toPort parameter: 65535.

Create a VM with MongoDB

We recommend using a VM with basic configuration.

  1. On the folder dashboard of the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    1. Navigate to the Container Solution tab and click Configure.

    2. In the window that opens, go to the Docker Compose tab and specify the VM as follows:

      version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

      In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use this password generator. Save the password, as you will need it in the next steps.

    3. Click Apply.

  3. Under Location, select an availability zone for your VM. If you are not sure which one to choose, leave the default.

  4. Under Network settings:

    • In the Subnet field, select a subnet in mongo-express-network.
    • In the Public IP address field, select Auto.

  5. Under Access, select SSH key and specify the VM access credentials:

    • Under Login, enter the username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, specify the VM name: mongo-vm.

  7. Click Create VM.

Wait for the VM status to change to Running and save its public IP address: you will need it for connecting to the database.

  1. Create a key pair (public and private keys) for SSH access to the VM.

  2. Create docker-spec.yaml, a Docker container specification file:

    version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: mongo_db_user
      MONGO_INITDB_ROOT_PASSWORD: <password>
    ports:
      - 27017:27017

    In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use this password generator. Save the password, as you will need it in the next steps.

  3. Run this command:

    yc compute instance create-with-container \
  --coi-spec-file docker-spec.yaml \
  --name mongo-vm \
  --zone ru-central1-b \
  --ssh-key ssh-key.pub \
  --create-boot-disk size=30

    Where:

    • --coi-spec-file: Path to the Docker container specification file.
    • --name: VM name.
    • --zone: Availability zone.
    • --ssh-key: Contents of the public key file. You need to create a key pair for the SSH connection on your own.
    • --create-boot-disk size: Boot disk size. It must be at least 30 GB.

    Result:

    done (1m40s)
 id: epde18u4mahl********
 folder_id: b1g7gvsi89m3********
 created_at: "2023-02-08T10:34:06.601Z"
 name: mongo-vm
 ...

Create a Yandex Lockbox secret

The Yandex Lockbox secret will store encrypted authentication credentials.

  1. In the management console, select the folder where you want to create a secret.
  2. In the list of services, select Lockbox.
  3. Click Create secret.
  4. In the Name field, enter a name for the secret: mongodb-creds.
  5. Under Version:
    • In the Key field, enter login.
    • In the Value field, enter mongo_db_user as your DB user login.
  6. Click Add key/value and specify the second secret:
    • In the Key field, enter password.
    • In the Value field, enter the password to access the database: the MONGO_INITDB_ROOT_PASSWORD value from the VM specification.
  7. Click Create.

  1. Use the following command to create the mongodb-creds secret:

    yc lockbox secret create \
  --name mongodb-creds \
  --payload "[{'key': 'login', 'text_value': 'mongo_db_user'},{'key': 'password', 'text_value': '<password>'}]"

    Where:

    • --name: Secret name.
    • --payload: Contents of the secret provided as a YAML or JSON array.
    • <password>: MONGO_INITDB_ROOT_PASSWORD value from the VM specification.

    Result:

    id: e6q6nbjfu9m2********
folder_id: b1qt6g8ht345********
created_at: "2023-02-08T10:34:06.601Z"
name: mongodb-creds
status: ACTIVE
current_version:
  id: e6q0s9airqca********
  secret_id: e6q6nbjfu9m2********
  created_at: "2023-02-08T10:34:06.601Z"
  status: ACTIVE
  payload_entry_keys:
    - login
    - password

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.

Create a registry in Container Registry

The registry in Container Registry will house the Docker image of the mongo-express application.

  1. In the management console, select the folder where you want to create a registry.
  2. In the list of services, select Container Registry.
  3. Click Create registry.
  4. Specify app-registry as the registry name.
  5. Click Create registry.

Create a registry named app-registry:

yc container registry create --name app-registry

Result:

done
id: crpd50616s9a********
folder_id: b1g88tflru0e********
name: app-registry
status: ACTIVE
created_at: "2023-02-08T10:34:06.601Z"

To create a registry, use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.

Push the Docker image to the registry

  1. Create a Docker Hub account.

  2. Install Docker:

  3. Download the mongo-express image:

    docker pull mongo-express

    Result:

    Using default tag: latest
latest: Pulling from library/mongo-express
6a428f9f83b0: Pull complete
f2b1fb32259e: Pull complete
40888f2a0a1f: Pull complete
4e3cc9ce09be: Pull complete
eaa1898f3899: Pull complete
ab4078090382: Pull complete
ae780a42c79e: Pull complete
e60224d64a04: Pull complete
Digest: sha256:dcfcf89bf91238ff129469a5a94523b3025913dcc41597d72d4d5f4a********
Status: Downloaded newer image for mongo-express:latest
docker.io/library/mongo-express:latest

  4. Authenticate in Container Registry using the Docker credential helper:

    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'

      The current user's profile holds the saved settings.

    2. Check that the ${HOME}/.docker/config.json file includes the following line:

      "cr.yandex": "yc"

    Docker is ready to use.

  5. Push the Docker image to the registry:

    1. Assign a URL to the pushed mongo-express image using the following format: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>:

      docker tag mongo-express \
cr.yandex/<registry_ID>/mongo-express:mongo-tag

    2. Push the mongo-express image to the registry:

      docker push cr.yandex/<registry_ID>/mongo-express:mongo-tag

Create a container in Serverless Containers

To run your application in Yandex Cloud, create a container and its revision:

  1. In the management console, select the folder where you want to create a container.
  2. Select Serverless Containers.
  3. Click Create container.
  4. Enter the container name: mongo-express-container.
  5. Click Create.
  6. Navigate to the Editor tab.
    1. Under Resources, enter the amount of RAM: 1024 MB.
    2. Under Image settings:
      1. In the Image URL field, specify the Docker image you pushed earlier.
      2. In the Environment variables field, add the following variables:
        • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
        • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
        • VCAP_APP_PORT: Set it to 8080.
        • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained earlier.
      3. In the Lockbox secrets field, specify these secrets:
        • ME_CONFIG_MONGODB_AUTH_USERNAME: Secret with the login key.
        • ME_CONFIG_MONGODB_AUTH_PASSWORD: Secret with the password key.
    3. Under Settings:
      1. In the Service account field, specify mongo-express.
      2. In the Timeout field, specify 15.
  7. Click Create revision.

  1. Create a container:

    yc serverless container create --name mongo-express-container

    Result:

    id: bba3fva6ka5g********
folder_id: b1gqvft7kjk3********
created_at: "2023-02-08T10:34:06.601Z"
name: mongo-express-container
url: https://bba3fva6ka5g********.containers.yandexcloud.net/
status: ACTIVE

  2. Create a container revision:

    yc serverless container revision deploy \
  --container-name mongo-express-container \
  --image <Docker_image_URL> \
  --cores 1 \
  --memory 1GB \
  --concurrency 1 \
  --execution-timeout 15s \
  --service-account-id <mongo_express_service_account_ID> \
  --environment ME_CONFIG_BASICAUTH_USERNAME="", ME_CONFIG_BASICAUTH_PASSWORD="", VCAP_APP_PORT=8080, ME_CONFIG_MONGODB_SERVER=<VM_public_address> \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_USERNAME,key=login \
  --secret environment-variable=ME_CONFIG_MONGODB_AUTH_PASSWORD,key=password

    Where:

    • --image: URL of the mongo-express Docker image you pushed earlier.

    • --service-account-id: ID of the mongo-express service account you created earlier.

    • --environment: Environment variables:

      • ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
      • ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
      • VCAP_APP_PORT: Set it to 8080.
      • ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained earlier.

    • --secret environment-variable: ME_CONFIG_MONGODB_AUTH_USERNAME and ME_CONFIG_MONGODB_AUTH_PASSWORD secrets you created earlier.

    Result:

    id: bbajn5q2d74c********
container_id: bba3fva6ka5g********
created_at: "2023-02-08T10:34:06.601Z"
image:
  image_url: cr.yandex/crpd3cicopk7********/mongo-express-container:latest
  image_digest: sha256:de8e1dce7ceceeafaae122f7670084a1119c961cd9ea1795eae92bd********
resources:
  memory: "1073741824"
  cores: "1"
execution_timeout: 15s
service_account_id: ajeqnasj95o7********
status: ACTIVE

To create a container, use the create REST API method for the Container resource or the ContainerService/Create gRPC API call.

To create a container revision, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.

Create an API Gateway

Create an API gateway with the x-yc-apigateway-integration:serverless_containers extension.

  1. In the management console, select the folder where you want to create an API gateway.

  2. In the list of services, select API Gateway.

  3. Click Create API gateway.

  4. In the Name field, enter the API gateway name: mongo-express-gw.

  5. Under Specification, add the following specification:

    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://mongo-express-container.apigw.yandexcloud.net
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: mongo-express-container ID.
    • service_account_id: mongo-express service account ID.

  6. Click Create.

  1. Create an OpenAPI 3.0 specification file to describe your API.

    Specification
    openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
servers:
  - url: https://mongo-express-container.apigw.yandexcloud.net
paths:
  /{proxy+}:
    x-yc-apigateway-any-method:
      x-yc-apigateway-integration:
        type: serverless_containers
        container_id: <container_ID>
        service_account_id: <service_account_ID>
      parameters:
      - explode: false
        in: path
        name: proxy
        required: false
        schema:
          default: '-'
          type: string
        style: simple

    Where:

    • container_id: mongo-express-container ID.
    • service_account_id: mongo-express service account ID.

  2. Specify the properties and use the following command to create your API gateway:

    yc serverless api-gateway create \
    --name mongo-express-gw \
    --spec=<specification_file_path>

To create an API gateway, use the create REST API method for the ApiGateway resource or the ApiGatewayService/Create gRPC API call.

Test the application

Go to https://mongo-express-container.apigw.yandexcloud.net to open the MongoDB admin panel.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete mongo-express-gw.
  2. Delete mongo-express-container.
  3. Delete the image from app-registry.
  4. Delete app-registry.
  5. Delete the mongodb-creds secret.
  6. Delete mongo-vm.
  7. Delete the mongo-express service account.
Previous
Setting up a Yandex Managed Service for PostgreSQL connection from a container in Serverless Containers
Next
Developing a custom integration in API Gateway