Recommendations for using public IP addresses
Public IPv4 addresses are a limited resource with constantly increasing prices. However, the use of public IPv4 addresses is often not required and may even make your infrastructure vulnerable in some cases. Yandex Cloud provides services and VM images that allow you to minimize the use of public IPv4 addresses and build a more cost-effective and stable infrastructure.
Use a NAT gateway
If your cloud resources need to exchange data with the internet and other external resources (for instance, to download updates, packages, and code from public repositories), we recommend using NAT gateways. They allow you to manage access to external resources via a shared pool of cloud IP addresses.
Set up routing through a NAT instance
To enable access to the internet from specific IP addresses, use a dedicated NAT instance and register its address as static. This is suitable, for example, for setting up access policies or firewalls when interacting with partner companies: your VMs share a single internet access point behind one fixed IP address, and the partner only has to allow that address.
This model also lets you enable secure access to Yandex Object Storage without accessing the internet. To do this, set up an access policy for a bucket by only adding your NAT instance's fixed IP address to the white list (see sample settings
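The bucket access policy described above, as an added example that is not part of the original page: it allows object and listing operations only from the NAT instance's fixed address and explicitly denies every request arriving from any other address. The bucket name `example-bucket` and the NAT address `203.0.113.10/32` are constructed placeholders; the policy uses the S3-compatible bucket policy syntax that Object Storage accepts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyFromNatInstance",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.10/32" }
      }
    },
    {
      "Sid": "DenyFromAnyOtherAddress",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": "203.0.113.10/32" }
      }
    }
  ]
}
```

The Deny statement also blocks requests that do not leave the cloud through the NAT instance, including CLI or console sessions from other addresses, so verify the policy on a non-production bucket and confirm that the VM route table actually sends Object Storage traffic via the NAT instance before applying it.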
Use load balancers
To publish your applications, use Yandex Network Load Balancer, Yandex Application Load Balancer, or a LoadBalancer service in Yandex Managed Service for Kubernetes. They allow you to publish services on a shared IP address using different ports or path-based and SNI routing.
Publish static files using Object Storage and Cloud CDN
To publish static files, use Object Storage in combination with Yandex Cloud CDN. This will save your VMs' computing resources and boost their cost-effectiveness. Yandex Cloud CDN also speeds up content delivery to users and makes your services more reliable.
Use a site-to-site VPN
To set up networking between various sites and external clouds, use a site-to-site VPN. This will protect your applications against unauthorized access and make sure they cannot be accessed from outside. This also allows you to save on public IP addresses: you will only need a single public IP for a VPN connection.
For more information, check:
- Setting up network connectivity between cloud and remote resources with IPsec gateways.
- Setting up a VPN with the Azure cloud.
- Setting up a VPN with the AWS cloud.
Use Yandex Cloud Interconnect
Connect your local network and cloud infrastructures using Cloud Interconnect. This allows you to avoid using public IPs both in your network and in Yandex Cloud. Instead, you can use internal IP addresses from a custom range of subnets.
Connect to VMs using the serial console
If you only need SSH access to a VM, use the serial console instead of a public IP connection. We recommend disabling connections via the serial console when you do not use it.