Creating a service connection

Written by

Updated at October 23, 2024

Warning

The Service connections functionality (VPC Private Endpoints) is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.

To create a service connection, you need one of the following roles:

vpc.privateEndpoints.editor
vpc.privateEndpoints.admin
vpc.privateAdmin
vpc.admin
admin

To create a service connection:

CLI

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View the description of the CLI command to create a service account:
```
yc vpc private-endpoint create --help
```

Create a service connection to Object Storage in the default folder:

yc vpc private-endpoint create \
  --name s3-vpc-link \
  --description "Private Endpoint to the Object Storage" \
  --network-name default-net \
  --object-storage

Where:

--name: (Optional) Service connection name.
--description: (Optional) Service connection description.
--network-name: Name of the cloud network the service connection will be created in. You can also use network ID in the --network-id parameter.
--object-storage: Service connection to Object Storage. Other service connection types are not available yet.

When creating a service connection, you can use the following additional parameters:

--address-spec: (Optional) Parameters in key=value format for the internal IP address which will be assigned to the service connection:
- address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet.
- subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from one of subnets in the cloud network.
  
  Note
  
  To create a service connection, there must be at least one subnet in your network.

--private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

Depending on whether the parameter is used, the following resource records will be created automatically for access to Object Storage:

The parameter is not used:

Name Type Value

storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>

*.storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>

The parameter is used:

Name	Type	Value
storage.pe.yandexcloud.net	A	<internal_IP_address_of_the_service_connection>
*.storage.pe.yandexcloud.net	A	<internal_IP_address_of_the_service_connection>
storage.yandexcloud.net	A	<internal_IP_address_of_the_service_connection>
*.storage.yandexcloud.net	A	<internal_IP_address_of_the_service_connection>

Make sure the service connection was created:

yc vpc private-endpoint list

Command result:

+----------------------+-------------+--------------------------------+
|          ID          |    NAME     |          DESCRIPTION           |
+----------------------+-------------+--------------------------------+
| enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
|                      |             | Storage                        |
+----------------------+-------------+--------------------------------+

On how to get the parameters of a service connection you created, see Getting information about a service connection.

Creating a service connection

Was the article helpful?