Creating a service connection

Written by

Improved by

Updated at March 9, 2026

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

To create a service connection, you need one of the following roles:

vpc.privateEndpoints.editor
vpc.privateEndpoints.admin
vpc.privateAdmin
vpc.admin
admin

To create a service connection:

Management console

CLI

Terraform

API

In the management console, navigate to the folder where you want to set up a service connection.
Go to Virtual Private Cloud.
In the left-hand panel, select Service connections.
Click Create connection.
In the Name field, enter a name for the service connection. Make sure to follow these naming requirements:
- Length: between 3 and 63 characters.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Optionally, in the Description field, add a description.
Optionally, add labels:
1. Click Add label.
2. Enter a label in key: value format.
3. Press Enter.

Under Network settings:

In the Network field, specify a network for the new service connection.
To assign a random private IP address, select Automatic in the Address field.
To reserve a list of IP addresses:
1. In the IP address field, select List.
2. Click Reserve.
3. In the window that opens:
  - Specify a name and description for the IP address.
  - Select a subnet.
  - Assign an internal IPv4 address, e.g., 172.16.0.3.
  - Enable Deletion protection for the address to be immune from deletion until you disable protection.
  - Add labels.
  - Click Create.
  - Repeat these steps to reserve additional IP addresses.
In the Service field, select Object Storage.

Optionally, enable Create primary DNS record to automatically create an additional DNS A record for the service's public FQDN. The record will contain the internal IP address allocated to the service connection.

Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

The parameter is not used:

Name Type Value

storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

*.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

The parameter is used:

Name	Type	Value
storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>

Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

View the description of the CLI command to create a service connection:
```
yc vpc private-endpoint create --help
```

Create a service connection to Object Storage in the default folder:

yc vpc private-endpoint create \
  --name <service_connection_name> \
  --description "<service_connection_description>" \
  --network-name <network_name> \
  --object-storage

Where:

--name: (Optional) Service connection name.
--description: (Optional) Service connection description.
--network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the --network-id parameter.
--object-storage: Service connection to Object Storage. Other service connection types are not available yet.

When creating a service connection, you can use the following additional parameters:

--address-spec: (Optional) Parameters in the key=value format for the internal IP address which will be assigned to the service connection:
- address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range.
- subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.
  
  Note
  
  To create a service connection, you should have at least one subnet in your network.

--private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

The parameter is not used:

Name Type Value

storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

*.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

The parameter is used:

Name	Type	Value
storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>

Make sure the service connection is created:

yc vpc private-endpoint list

Result:

+----------------------+-------------+--------------------------------+
|          ID          |    NAME     |          DESCRIPTION           |
+----------------------+-------------+--------------------------------+
| enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
|                      |             | Storage                        |
+----------------------+-------------+--------------------------------+

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

In the Terraform configuration file, describe the resources you want to create:

resource "yandex_vpc_private_endpoint" "my-vpc-endpoint" {
  name        = "<service_connection_name>"
  description = "<service_connection_description>"
  network_id  = "<cloud_network_ID>"
  
  # Service connection to Object Storage
  object_storage {}

  # Creating additional DNS resource records 
  dns_options {
    private_dns_records_enabled = <true_or_false>
  }

  endpoint_address {
    subnet_id = "<subnet_ID>"
  }
}

Where:

name: Service connection name. This is an optional parameter.
description: Service connection description. This is an optional parameter.
network_id: Name of the cloud network the service connection will be created in. This is a required parameter.
object_storage: Service connection to Object Storage. Other service connection types are not available yet.

dns_options: Section with parameters for creating DNS records:

private_dns_records_enabled: Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created. This is an optional parameter.

Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

The parameter is not used:

Name Type Value

storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

*.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

The parameter is used:

Name	Type	Value
storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.pe.yandexcloud.net	A	<internal_IP_address_of_service_connection>
storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>
*.storage.yandexcloud.net	A	<internal_IP_address_of_service_connection>

endpoint_address: Section with parameters of the service connection's internal IP address:
- subnet_id: ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the cloud network's subnets. This is an optional parameter.
Note

To create a service connection, you should have at least one subnet in your network.

For more information about yandex_vpc_private_endpoint properties, see this provider guide.

Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:
```
yc vpc private-endpoint list
```

To create a service connection, use the create REST API method for the PrivateEndpoint resource or the PrivateEndpointService/Create gRPC API call.

Creating a service connection

See also

Was the article helpful?

Creating a service connection

See alsoSee also

Was the article helpful?

See also