Service connections in Yandex Virtual Private Cloud
Warning
The Service connections functionality (VPC Private Endpoints) is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.
A service connection (Private Endpoint) provides direct IP connectivity between resources within VPC and Yandex Cloud services that are hosted outside VPC.
Here, direct IP connectivity means that these services are reachable via VPC internal IP addresses, without using public IP addresses.
Object Storage is one such service.
Service connection structure
A service connection can be divided into two parts:
- The client part (Private Endpoint, PE) presents the service inside VPC and is implemented within VPC. It is common to all service connection types.
- The service part (Provider) handles interaction with the client part and is implemented on the service side. It is specific to each service and service connection type.
A service connection has the following specifications:
- IP address of the connection in VPC, allocated from the CIDR ranges of the subnets in the network for which the service connection is created.
- Connection type: the service the connection is made to. For the list of available types, see Service connection types below.
When creating a service connection in VPC, the following objects are created:
- An internal IP address to which the created connection is bound.
- An A-type DNS record with a special FQDN for the service connection being created, e.g., storage.pe.yandexcloud.net, pointing to the internal IP address allocated for the service connection.
- Optional. If required, an additional A-type DNS record can be created for the service's public FQDN. It will also point to the internal IP address allocated for the service connection.
Once a service connection is created, all cloud resources added to subnets of the network with this connection reach the service through the connection's internal IP address (1). To address the service, you can use either its fully qualified domain name (FQDN) (2) or a part of it (3). The A-type DNS records are created in the internal service zone.
To use service connections from outside the cloud infrastructure, you need IP connectivity between your infrastructure and Yandex Cloud, established with VPN technologies (IPsec, WireGuard, etc.) or Cloud Interconnect.
Note
If you need to access the service connection via FQDN from outside Yandex Cloud, you must configure the appropriate A records on the corporate DNS server so that the FQDN of the service points to the IP address of the connection.
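The check that follows is an added example and not part of the Yandex Cloud documentation. It shows how to verify, from a client's point of view, which path a service FQDN actually takes: the name must resolve to the private endpoint address inside one of the VPC subnet CIDRs, not to a public address. The subnet CIDRs, the PE address and the resolver answers are constructed values; the public address uses the 203.0.113.0/24 documentation range. It also emits the corporate DNS A record the note above asks for, so the two FQDN forms from this page (storage.pe.yandexcloud.net and storage.yandexcloud.net) can be audited together.

```python
"""Audit whether service FQDNs resolve to a VPC private endpoint or to the public Internet.

Added example for this page, not Yandex Cloud code. All addresses, CIDRs and
resolver answers below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Dict, List

# Constructed VPC layout: two subnets and the PE address allocated from the first one.
VPC_SUBNET_CIDRS = ["10.128.0.0/24", "10.129.0.0/24"]
PE_ADDRESS = "10.128.0.10"

# Constructed DNS answers as seen from a VM inside the VPC: both the special PE FQDN
# and the optional override of the public FQDN point at the PE address.
RESOLVER_IN_VPC: Dict[str, List[str]] = {
    "storage.pe.yandexcloud.net": [PE_ADDRESS],
    "storage.yandexcloud.net": [PE_ADDRESS],
}

# Constructed answers from a corporate resolver that was never given the A records:
# the PE zone is unknown and the public FQDN still resolves to a public address.
RESOLVER_CORPORATE_MISCONFIGURED: Dict[str, List[str]] = {
    "storage.pe.yandexcloud.net": [],
    "storage.yandexcloud.net": ["203.0.113.7"],
}


def path_for(addresses: List[str], vpc_cidrs: List[str]) -> str:
    """Classify a set of resolved addresses.

    "private-endpoint": every address lies inside one of the VPC subnet CIDRs.
    "public":           at least one address is outside them (traffic would leave the VPC).
    "unresolved":       the name did not resolve at all.
    """
    if not addresses:
        return "unresolved"
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            return "public"
    return "private-endpoint"


def audit(resolver: Dict[str, List[str]], fqdns: List[str], vpc_cidrs: List[str]) -> Dict[str, str]:
    """Run path_for over each FQDN using the given resolver answers."""
    return {fqdn: path_for(resolver.get(fqdn, []), vpc_cidrs) for fqdn in fqdns}


def corporate_a_record(fqdn: str, pe_ip: str, ttl: int = 300) -> str:
    """Zone-file line for the corporate DNS server: FQDN -> PE internal address."""
    ipaddress.ip_address(pe_ip)  # raises ValueError on a malformed address
    return f"{fqdn.rstrip('.')}. {ttl} IN A {pe_ip}"


def live_lookup(fqdn: str) -> List[str]:
    """Resolve through the host's real resolver (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    names = ["storage.pe.yandexcloud.net", "storage.yandexcloud.net"]
    for label, resolver in (("inside VPC", RESOLVER_IN_VPC),
                            ("corporate, misconfigured", RESOLVER_CORPORATE_MISCONFIGURED)):
        print(f"[{label}]")
        for fqdn, verdict in audit(resolver, names, VPC_SUBNET_CIDRS).items():
            print(f"  {fqdn:32} {verdict}")
    print("A record to add on the corporate DNS server:")
    print(" ", corporate_a_record("storage.yandexcloud.net", PE_ADDRESS))
```

Run it on a VM in the VPC with `live_lookup` in place of the constructed tables to confirm that clients are not silently falling back to the public path; any "public" or "unresolved" verdict for a name you expect to go through the endpoint is a misconfiguration to fix on the resolver side.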
Service connection types
Service name (connection type) | API service FQDN
---|---
Object Storage | storage.yandexcloud.net
Object Storage. Access from VPC
To allow access to Object Storage only from VPC via a service connection, you must apply the following access policy to the bucket:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}
Where:
- <bucket_name>: name of the bucket in Object Storage to apply the access policy to, e.g., my-s3-bucket.
- <connection_ID>: service connection (Private Endpoint) ID, e.g., enpd7rq1s3f5********.
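The following is an added example, not Yandex Cloud code. It builds the policy shown above for a given bucket and connection ID and then walks through how such a policy decides requests: a request arriving through the matching service connection carries the `yc:private-endpoint-id` condition key and is allowed, while a request over the public path (no key, or a different connection's ID) falls through to the implicit deny. The evaluator implements only the subset of semantics this policy relies on (Allow/Deny effects, wildcard Action and Resource, StringEquals on a condition key, deny overriding allow); it is a teaching model and is not the Object Storage policy engine. The bucket name and connection ID are constructed values.

```python
"""Build the VPC-only bucket policy and model how it evaluates requests.

Added example for this page, not Yandex Cloud code. The evaluator is a simplified
model of policy semantics; the bucket name and connection ID are constructed.
"""
import fnmatch
import json
from typing import Any, Dict, List


def build_vpc_only_policy(bucket_name: str, connection_id: str) -> Dict[str, Any]:
    """Return the policy from the page with the placeholders filled in."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [f"{bucket_arn}/*", bucket_arn],
            "Condition": {"StringEquals": {"yc:private-endpoint-id": connection_id}},
        },
    }


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Evaluate StringEquals conditions. A key absent from the request context
    (for example a request that did not come through any service connection)
    makes the condition false, so the statement does not apply."""
    for key, expected in condition.get("StringEquals", {}).items():
        actual = context.get(key)
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def is_allowed(policy: Dict[str, Any], action: str, resource: str, context: Dict[str, str]) -> bool:
    """Simplified decision: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        if st["Effect"] == "Allow":
            allowed = True
    return allowed


# Constructed sample values (not real identifiers).
BUCKET = "my-s3-bucket"
CONNECTION_ID = "enp-example-connection-id"
POLICY = build_vpc_only_policy(BUCKET, CONNECTION_ID)
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/2024.csv"

# Request contexts: via the matching connection, via a different connection, via the public path.
CTX_VIA_PE = {"yc:private-endpoint-id": CONNECTION_ID}
CTX_OTHER_PE = {"yc:private-endpoint-id": "enp-some-other-connection"}
CTX_PUBLIC: Dict[str, str] = {}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for label, ctx in (("via service connection", CTX_VIA_PE),
                       ("via another connection", CTX_OTHER_PE),
                       ("via public Internet", CTX_PUBLIC)):
        verdict = "allow" if is_allowed(POLICY, "s3:GetObject", OBJECT_ARN, ctx) else "deny"
        print(f"GetObject {label:24} -> {verdict}")
```

Because the only Allow statement is conditioned on the connection ID, the policy's effect is that anything reaching the bucket without that condition key is denied by default; there is no separate Deny to maintain for the public path. When testing a real bucket, exercise both paths (a VM in the VPC and a client outside it) and confirm the outside request is rejected.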