Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Virtual Private Cloud
  • Getting started
    • Resource relationships
    • Yandex Cloud network overview
    • Cloud networks and subnets
    • Cloud resource addresses
    • Routing
    • Security groups
    • Gateways
    • Service connections
    • Monitoring network connections
    • Public IP address ranges
    • MTU and MSS
    • DHCP settings
    • Software accelerated network
    • Quotas and limits
  • DDoS Protection
  • Access management
  • Pricing policy
  • Terraform reference
  • Metrics Monitoring
  • Audit Trails events
  • Release notes
  • FAQ

In this article:

  • How to use service connections
  • Service connection types
  • How to use certain types of service connections
  • Object Storage
  • Cloud Registry
  • Public API Gateway
  • Examples of connecting to services without a VPC PE
  1. Concepts
  2. Service connections

Service connections in Yandex Virtual Private Cloud

Written by
Yandex Cloud
Updated at June 24, 2026
View in Markdown
  • How to use service connections
  • Service connection types
  • How to use certain types of service connections
    • Object Storage
    • Cloud Registry
    • Public API Gateway
  • Examples of connecting to services without a VPC PE

Service connection (VPC private endpoint) enables cloud resources within VPC to connect to Yandex Cloud services over the internal network without using public IP addresses.

Yandex Cloud services remain accessible via both public IPs and service connections.

Service connections are regional and distributed across availability zones. If there is a failure in one zone, traffic is automatically rerouted to other zones.

Bandwidth for an individual service connection is not guaranteed and depends on the current workload on the target service. For stable operation, monitor usage via monitoring and adhere to limits in place.

A service connection can be divided into two parts:

  • A private endpoint (PE) represents (connects) the target service within VPC. It is implemented within VPC. This is a common part for all types of service connections.
  • Provider stands for integration implemented on the target service side to interact with the private endpoint.

How to use service connectionsHow to use service connections

Within a single virtual network, you can create service connections of different types, but only one connection per type. Creating two or more connections of the same type is not allowed.

The private endpoint is assigned an IP address from the subnets' CIDR ranges in the VPC network where the service connection is being created. Once you service connection is created, all cloud resources in that network gain IP connectivity to the target service.

Upon creation, every private endpoint automatically gets a PE record, which is an A-type DNS record with a special FQDN for that service connection. For example, for Object Storage, the PE record would be storage.pe.yandexcloud.net.

Optionally, you can also create a Primary record, i.e., an A-type DNS record for the service's public FQDN. It will also include the internal IP address allocated for the service connection. This is defined by the private-dns-records-enabled parameter. For Object Storage, the Primary record would be storage.yandexcloud.net.

These A-type DNS records are created in the internal service zone.

When using Cloud Interconnect, the service connection is accessible via private connections, just like other VPC resources. To access the service connection via FQDN from outside Yandex Cloud, configure A-type records on your corporate DNS server so that the service's FQDN resolves to the corresponding service connection IP address.

Service connection typesService connection types

Currently, you can create service connections for the following cloud services:

Service name Creation method PE record Primary record
Object Storage UI, CLI, Terraform storage.pe.yandexcloud.net storage.yandexcloud.net
Cloud Registry Contacting support registry.pe.yandexcloud.net registry.yandexcloud.net
AI Studio Contacting support ai.pe.api.cloud.yandex.net ai.api.cloud.yandex.net
Managed Service for Trino Contacting support trino.pe.yandexcloud.net, *.trino.pe.yandexcloud.net -
Serverless Containers Contacting support *.containers.pe.yandexcloud.net *.containers.yandexcloud.net
Cloud Functions Contacting support functions.pe.yandexcloud.net functions.yandexcloud.net
Public API Gateway Contacting support - *.api.cloud.yandex.net
AI Studio MCP Gateway Contacting support *.mcpgw.serverless.pe.yandexcloud.net *.mcpgw.serverless.yandexcloud.net

How to use certain types of service connectionsHow to use certain types of service connections

Object StorageObject Storage

Bucket policiesBucket policies

To allow access to Object Storage only from VPC via a service connection, you must apply the following access policy to the bucket:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}

Where:

  • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
  • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.

Cloud RegistryCloud Registry

Before creating a service connection for Cloud Registry, you must first create a service connection for Object Storage.

Public API GatewayPublic API Gateway

This PE type currently has the following limitations:

  1. PE-record-only access is not supported. When creating this PE type, you must always ensure Primary record creation.
  2. The following services are not supported when accessed via PE:
    • Certificate Manager
    • Lockbox
    • Cloud Backup
    • Object Storage S3 API

Examples of connecting to services without a VPC PEExamples of connecting to services without a VPC PE

  • Connecting to Object Storage from Virtual Private Cloud
  • Connecting to Container Registry from Virtual Private Cloud

Was the article helpful?

Previous
Gateways
Next
Monitoring network connections
© 2026 Direct Cursus Technology L.L.C.