Recommendations for using public IP addresses
Public IPv4 addresses are a limited resource that is becoming increasingly expensive. However, public IPv4 addresses are often not required, and in some cases they can even expose your infrastructure to attack. Yandex Cloud provides services and VM images that allow you to minimize the use of public IPv4 addresses and build a more cost-effective and stable infrastructure.
Use a NAT gateway
If your cloud resources need to exchange data with the internet and other external resources (e.g., to download updates, packages, and code from public repositories), we recommend using NAT gateways. They allow you to manage access to external resources via a shared pool of cloud IP addresses.
Set up routing through a NAT instance
To enable access to the internet from specific IP addresses, use a dedicated NAT instance and register its address as static. This is suitable, for example, for setting up access policies or firewalls when interacting with partner companies. This way your VMs can use a shared internet access point via a fixed IP address as part of the access network.
This model also enables secure access to Yandex Object Storage without accessing the internet. To do this, set up an access policy for a bucket by only adding your NAT instance's fixed IP address to the white list (see these sample settings
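The bucket access policy described above restricts requests to the NAT instance's fixed address. The following added example (not code from the Yandex Cloud documentation) builds such a policy in the S3-compatible JSON format and evaluates it the way a bucket policy engine would, so you can check what a given source IP is allowed to do before applying the policy. The bucket name, the NAT instance address, and the simplified evaluation rules (default deny, explicit deny wins, only the `aws:SourceIp` condition key is modelled) are assumptions of this example.

```python
import fnmatch
import ipaddress

# Constructed values: placeholder bucket name and placeholder fixed public
# address of the NAT instance (RFC 5737 documentation range).
BUCKET = "example-bucket"
NAT_INSTANCE_IP = "203.0.113.10"

# Bucket policy in the S3-compatible format: allow object reads/writes and
# listing, but only when the request originates from the NAT instance.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyFromNatInstance",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": f"{NAT_INSTANCE_IP}/32"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Policy actions/resources support '*' wildcards, e.g. "s3:*" or ".../*".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _conditions_hold(condition, source_ip):
    # Simplified model: only IpAddress / NotIpAddress on aws:SourceIp are
    # understood; anything else fails closed so the statement never applies.
    for operator, keys in condition.items():
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                return False
            if operator == "IpAddress" and not _ip_in(cidrs, source_ip):
                return False
            if operator == "NotIpAddress" and _ip_in(cidrs, source_ip):
                return False
            if operator not in ("IpAddress", "NotIpAddress"):
                return False
    return True


def is_allowed(policy, action, resource, source_ip):
    """Evaluate a request: default deny, explicit Deny wins over Allow."""
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement.get("Action", []), action):
            continue
        if not _matches(statement.get("Resource", []), resource):
            continue
        if not _conditions_hold(statement.get("Condition", {}), source_ip):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for ip in (NAT_INSTANCE_IP, "198.51.100.7"):
        print(ip, "GetObject ->", is_allowed(BUCKET_POLICY, "s3:GetObject", obj, ip))
    # Actions not listed in the Allow statement stay denied even from the NAT IP.
    print(NAT_INSTANCE_IP, "DeleteObject ->",
          is_allowed(BUCKET_POLICY, "s3:DeleteObject", obj, NAT_INSTANCE_IP))
```

Because the policy allows only the /32 of the NAT instance, a VM behind that instance reaches the bucket over its fixed address while the same request from any other public address is rejected; actions the statement does not name remain denied regardless of source.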
Use load balancers
To publish your applications, use the Yandex Network Load Balancer and Yandex Application Load Balancer load balancers, or a Kubernetes service of type LoadBalancer in Yandex Managed Service for Kubernetes. They allow you to publish services on a shared IP address using different ports or path-based and SNI routing.
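The following added example (not code from Yandex Cloud or its load balancers) shows what SNI- and path-based routing on a shared IP address means at the protocol level: the server name is read from the TLS ClientHello before any decryption, and an HTTP path is matched against the longest configured prefix, so several services can share one public address. The backend names and host names are placeholders, and the ClientHello is constructed inline for the demonstration.

```python
# Placeholder routing tables: one shared public address, many backends.
SNI_BACKENDS = {
    "app.example.com": "backend-app:443",
    "api.example.com": "backend-api:443",
}
PATH_BACKENDS = {
    "/api/": "backend-api:8080",
    "/static/": "object-storage-bucket",
    "/": "backend-web:8080",
}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name      # host_name type
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0 = SNI
    extensions = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + random (zeros, constructed)
            + b"\x00"                       # empty session id
            + b"\x00\x02" + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                   # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    p = 34                                  # skip version (2) + random (32)
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                        # session id
    if len(body) < p + 2:
        return None
    p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                        # compression methods
    if len(body) < p + 2:
        return None                         # no extensions block at all
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    if end > len(body):
        return None
    while p + 4 <= end:
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:
            nlen = int.from_bytes(data[3:5], "big")
            if len(data) >= 5 + nlen:
                return data[5:5 + nlen].decode("ascii", errors="replace")
    return None


def route_tls(record):
    """Pick a backend from the SNI of an incoming ClientHello on the shared address."""
    return SNI_BACKENDS.get(extract_sni(record))


def route_http(path):
    """Pick a backend by longest matching path prefix."""
    best = max((p for p in PATH_BACKENDS if path.startswith(p)), key=len, default=None)
    return PATH_BACKENDS[best] if best else None


if __name__ == "__main__":
    for host in ("app.example.com", "api.example.com", "unknown.example.com"):
        print(host, "->", route_tls(build_client_hello(host)))
    for path in ("/api/v1/users", "/static/logo.png", "/about"):
        print(path, "->", route_http(path))
```

A request whose SNI or path matches nothing in the tables gets no backend, which is the behaviour a load balancer should have for unexpected hosts rather than falling through to a default service.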
Publish static files using Object Storage and Cloud CDN
To publish static files, use Object Storage in combination with Yandex Cloud CDN. This will save your VMs' computing resources and boost their cost-effectiveness. Yandex Cloud CDN also speeds up content delivery to users and makes your services more reliable.
Use a site-to-site VPN
To set up networking between various sites and external clouds, use a site-to-site VPN. This protects your applications against unauthorized access from outside. It also saves on public IP addresses: you only need a single public IP address for the VPN connection.
For more information, see the following:
- Setting up network connectivity between cloud and remote resources with IPsec gateways.
- Setting up a VPN with the Azure cloud.
- Setting up a VPN with the AWS cloud.
Use Yandex Cloud Interconnect
Connect your local network and cloud infrastructures using Cloud Interconnect. This allows you to avoid using public IP addresses both in your network and in Yandex Cloud. Instead, you can use internal IP addresses from a custom range of subnets.
Connect to VMs using the serial console
If you only need SSH access to a VM, use the serial console instead of a public IP connection. We recommend disabling connections via the serial console when you do not use it.