© 2025 Direct Cursus Technology L.L.C.
Yandex Virtual Private Cloud

Creating a service connection

Written by
Yandex Cloud
Updated at July 29, 2025

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

To create a service connection, you need one of the following roles:

  • vpc.privateEndpoints.editor
  • vpc.privateEndpoints.admin
  • vpc.privateAdmin
  • vpc.admin
  • admin

To create a service connection:

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to create a service connection:

    yc vpc private-endpoint create --help
    
  2. Create a service connection to Object Storage in the default folder:

    yc vpc private-endpoint create \
      --name <service_connection_name> \
      --description "<service_connection_description>" \
      --network-name <network_name> \
      --object-storage 
    

    Where:

    • --name: (Optional) Service connection name.
    • --description: (Optional) Service connection description.
    • --network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the --network-id parameter.
    • --object-storage: Service connection to Object Storage. Other service connection types are not available yet.

    When creating a service connection, you can use the following additional parameters:

    • --address-spec: (Optional) Parameters in the key=value format for the internal IP address which will be assigned to the service connection:

      • address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range.

      • subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.

        Note

        To create a service connection, you should have at least one subnet in your network.

    • --private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

      Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

      • The parameter is not used:

        Name                          Type  Value
        storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net  A     <internal_IP_address_of_service_connection>

      • The parameter is used:

        Name                          Type  Value
        storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net  A     <internal_IP_address_of_service_connection>
        storage.yandexcloud.net       A     <internal_IP_address_of_service_connection>
        *.storage.yandexcloud.net     A     <internal_IP_address_of_service_connection>

  3. Make sure the service connection is created:

    yc vpc private-endpoint list
    

    Result:

    +----------------------+-------------+--------------------------------+
    |          ID          |    NAME     |          DESCRIPTION           |
    +----------------------+-------------+--------------------------------+
    | enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
    |                      |             | Storage                        |
    +----------------------+-------------+--------------------------------+
    

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resources you want to create:

    resource "yandex_vpc_private_endpoint" "my-vpc-endpoint" {
      name        = "<service_connection_name>"
      description = "<service_connection_description>"
      network_id  = "<cloud_network_ID>"
      
      # Service connection to Object Storage
      object_storage {}
    
      # Creating additional DNS resource records 
      dns_options {
        private_dns_records_enabled = <true_or_false>
      }
    
      endpoint_address {
        subnet_id = "<subnet_ID>"
      }
    }
    

    Where:

    • name: Service connection name. This is an optional parameter.

    • description: Service connection description. This is an optional parameter.

    • network_id: ID of the cloud network the service connection will be created in. This is a required parameter.

    • object_storage: Service connection to Object Storage. Other service connection types are not available yet.

    • dns_options: Section with parameters for creating DNS records:

      • private_dns_records_enabled: Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created. This is an optional parameter.

        Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

        • The parameter is not used:

          Name                          Type  Value
          storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>
          *.storage.pe.yandexcloud.net  A     <internal_IP_address_of_service_connection>

        • The parameter is used:

          Name                          Type  Value
          storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>
          *.storage.pe.yandexcloud.net  A     <internal_IP_address_of_service_connection>
          storage.yandexcloud.net       A     <internal_IP_address_of_service_connection>
          *.storage.yandexcloud.net     A     <internal_IP_address_of_service_connection>

    • endpoint_address: Section with parameters of the service connection's internal IP address:

      • subnet_id: ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network. This is an optional parameter.

      Note

      To create a service connection, you should have at least one subnet in your network.

    For more information about yandex_vpc_private_endpoint properties, see this Terraform article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

    yc vpc private-endpoint list
    

API

To create a service connection, use the create REST API method for the PrivateEndpoint resource or the PrivateEndpointService/Create gRPC API call.
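
Whichever method created the service connection, you can confirm from a VM in the cloud network that the resource records listed in the tables above resolve to the connection's internal IP address. The script below is an added example, not part of the Yandex Cloud documentation: the bucket label my-bucket, the addresses 10.128.0.15 and 203.0.113.10 and the sample_resolver stub are constructed, and resolve_a assumes a Linux host with getent.

```shell
#!/bin/sh
# Added example: check the Object Storage A records created for a service connection.

# Real resolver: prints the IPv4 addresses of $1, one per line (Linux, glibc getent).
resolve_a() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Constructed stub: answers as a network would when private_dns_records_enabled
# is not used (only the storage.pe names point at the service connection).
sample_resolver() {
  case "$1" in
    storage.pe.yandexcloud.net|*.storage.pe.yandexcloud.net) echo 10.128.0.15 ;;
    storage.yandexcloud.net|*.storage.yandexcloud.net)       echo 203.0.113.10 ;;
  esac
}

# Names that must resolve to the service connection.
# $1 = true|false (private_dns_records_enabled), $2 = bucket label used to
# exercise the wildcard records.
expected_names() {
  echo "storage.pe.yandexcloud.net"
  echo "$2.storage.pe.yandexcloud.net"
  if [ "$1" = "true" ]; then
    echo "storage.yandexcloud.net"
    echo "$2.storage.yandexcloud.net"
  fi
}

# $1 = internal IP, $2 = true|false, $3 = bucket label, $4 = resolver (default resolve_a).
# Returns 0 only if every expected name resolves to exactly the internal IP.
check_endpoint_dns() (
  failed=0
  for name in $(expected_names "$2" "$3"); do
    addrs=$("${4:-resolve_a}" "$name")
    if [ "$addrs" = "$1" ]; then
      echo "OK    $name -> $1"
    else
      echo "FAIL  $name -> ${addrs:-no answer} (expected $1)"
      failed=1
    fi
  done
  [ "$failed" -eq 0 ]
)

# Demo with the constructed stub; on a real VM, drop the last argument.
check_endpoint_dns 10.128.0.15 false my-bucket sample_resolver
```

Running the check with true as the second argument against the same stub fails on the two storage.yandexcloud.net names, which is how a missing public FQDN override shows up.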

See also

  • Getting information about a service connection
  • Deleting a service connection
