Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Setting up network connectivity between Yandex BareMetal and Virtual Private Cloud subnets using Yandex Cloud Interconnect

Written by
Updated at July 7, 2025

Yandex Cloud Interconnect-based network connectivity in Yandex BareMetal enables access to CIDRs of Virtual Private Cloud private subnets in a cloud infrastructure and/or CIDRs of private subnets in an on-prem infrastructure.

In this tutorial, you will set up network connectivity between a BareMetal server located in a private Yandex BareMetal subnet and a Yandex Compute Cloud VM located in a subnet of a Yandex Virtual Private Cloud cloud network.

Similarly, you can set up network connectivity with your on-prem resources located in private subnets within your own network infrastructure.

You can use Yandex Cloud Interconnect free of charge as part of integration with Yandex BareMetal.

You can see the solution architecture in the diagram below:

To set up network connectivity between BareMetal and Virtual Private Cloud subnets using Cloud Interconnect:

  1. Get your cloud ready.
  2. Create a cloud infrastructure.
  3. Request a routing instance.
  4. Create a private connection.
  5. Check network connectivity.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders.

The cost of supporting an infrastructure for network connectivity between BareMetal and VPC subnets includes:

Traffic transmitted via Yandex Cloud Interconnect between private Yandex BareMetal and Yandex Virtual Private Cloud addresses in either direction is not billable.

Create a cloud infrastructure

Create the Yandex Cloud infrastructure you will use to set up network connectivity.

To configure Cloud Interconnect in BareMetal, you will need a private routable subnet and a VRF segment in BareMetal, a cloud network with one or more Virtual Private Cloud subnets, as well as a routing instance with one or more announced prefixes of VPC private subnets.

To check network connectivity, you will need a BareMetal server and a Compute Cloud VM.

Create a VRF segment and a BareMetal private subnet

Create a virtual network segment (VRF) and a private subnet in the ru-central1-m3 server pool:

  1. In the management console, select the folder where you are going to create your infrastructure.
  2. In the list of services, select BareMetal.
  3. Create a virtual routing and forwarding segment:
    1. In the left-hand panel, select VRF and click Create VRF.
    2. In the Name field, name your VRF segment: my-vrf.
    3. Click Create VRF.
  4. Create a private subnet:
    1. In the left-hand panel, select Private subnets and click Create subnet.
    2. In the Pool field, select the ru-central1-m3 server pool.
    3. In the Name field, enter the subnet name: subnet-m3.
    4. Enable IP addressing and routing.
    5. In the Virtual network segment (VRF) field, select the previously created segment, my-vrf.
    6. In the CIDR field, specify 192.168.1.0/24.
    7. In the Default gateway field, keep the default value, 192.168.1.1.
    8. Enable the Assigning IP addresses via DHCP option and in the IP address range field that appears, leave the default values, 192.168.1.1192.168.1.254.
    9. Click Create subnet.

Lease a BareMetal server

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select BareMetal and click Lease server.

  3. In the Pool field, select the ru-central1-m3 server pool.

  4. Under Configuration, select the appropriate server configuration.

  5. (Optional) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

  6. Under Image, select an image, e.g., Ubuntu 24.04.

  7. In the Lease duration field, select a lease period: 1 day, 1 month, 3 months, 6 months, or 1 year.

    When this period expires, server lease will be automatically renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  8. Under Network settings:

    1. In the Private subnet field, select subnet-m3 you created earlier.
    2. In the Public address field, select No address.

  9. Under Access:

    1. In the Password field, select one of the following options to create a root password:

      • To generate a new root password, select New password and click Generate.

        Warning

        This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.

      • To use the root password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret containing your password, its version, and its key, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        Choose the Custom secret type to specify a custom password or Generated to generate password automatically.

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If your profile has no SSH keys or you need to add a new one:

      • Click Add key.
      • Specify the SSH key name.
      • Upload your public key file or paste its contents in the field below. You will need to create your own SSH key pair to establish a secure server connection.
      • Click Add.

      The system will add the SSH key to your organization user profile.

      If, due to restrictions, you cannot add SSH keys to your organization profile, the system will save the new public SSH key to your BareMetal server’s user profile.

  10. Under Server information, in the Name field, enter the server name: server-m3.

  11. Click Lease server.

Note

Server setup and OS installation may take up to 45 minutes. The server will have the Provisioning status during this time. After OS installation is complete, the server status will change to Ready.

Create a cloud network and subnet

Create a cloud network and subnet to connect the Compute Cloud VM to.

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. Create a cloud network:

    1. At the top right, click Create network.

    2. In the Name field, specify sample-network.

    3. In the Advanced field, disable Create subnets.

    4. Click Create network.

  4. Create a subnet:

    1. In the left-hand panel, select Subnets.

    2. At the top right, click Create subnet.

    3. In the Name field, specify subnet-ru-central1-b.

    4. In the Zone field, select ru-central1-b.

    5. In the Network field, select sample-network.

    6. In the CIDR field, specify 192.168.11.0/24.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    7. Click Create subnet.

Create a VM

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines and click Create virtual machine.

  4. Under Boot disk image, select an appropriate VM image, e.g., Ubuntu 24.04.

  5. Under Location, select the ru-central1-b availability zone.

  6. Under Network settings:

    • In the Subnet field, select subnet-ru-central1-b.
    • In the Public IP address field, select Auto.

  7. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter the username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  8. Under General information, specify the VM name: sample-vm.

  9. Click Create VM.

Request a routing instance

To set up network connectivity between BareMetal subnets, Virtual Private Cloud subnets, and/or on-prem subnets, you will need a routing instance. To create a routing instance, contact support.

If Cloud Interconnect (VPC-to-On-Prem) network connectivity is already set up in your folder, you can either use the existing routing instance or request an additional routing instance for dedicated network connectivity.

Make sure you have a routing instance in your folder

  1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  2. Make sure you have a routing instance in your default folder:

    Run this command:

    yc cloudrouter routing-instance list

    If your folder already includes a routing instance, the command will output the following:

    +----------------------+------------------+--------+-----------------------+
|          ID          |       NAME       | STATUS | PRIVATE CONNECTION ID |
+----------------------+------------------+--------+-----------------------+
| cf35oot8f0eu******** | routing-instance | ACTIVE | cf395uf8dg7h********  |
+----------------------+------------------+--------+-----------------------+

  3. If you already have a routing instance, you may skip the next step and proceed to creating a private connection.

    If you do not have a routing instance or you want to build additional dedicated network connectivity, request a new routing instance.

Request a new routing instance

Contact support to create a routing instance in your folder.

Fill out your request as follows:

Subject: [CIC for BareMetal] Creating a routing instance.

Request text:
Please create a routing instance in the specified cloud folder with the following parameters:

folder_id: <folder_ID>

vpc:
  vpc_net_id: <network_ID>
    vpc_subnets: 
      ru-central1-a: [CIDR_a1, CIDR_a2, ..., CIDR_an]
      ru-central1-b: [CIDR_b1, CIDR_b2, ..., CIDR_bn]
      ru-central1-d: [CIDR_d1, CIDR_d2, ..., CIDR_dn]

Where:

  • folder_id: Folder ID.

  • vpc_net_id: Cloud network ID.

  • vpc_subnets: List of announced address prefixes for each availability zone. For example, for the VPC subnet you created earlier, you will specify ru-central1-b: [192.168.11.0/24].

    You may announce aggregated address prefixes.

Note

It may take up to 24 hours for the support to create a routing instance. After that, you will be able to get the ID of the new routing instance by running the yc cloudrouter routing-instance list Yandex Cloud CLI command.

Create a private connection

Once the routing instance has been created in your folder, create a private Cloud Interconnect connection in BareMetal:

  1. In the management console, select the folder where you want to create your private connection.

  2. In the list of services, select BareMetal.

  3. In the left-hand panel, select VRF and then select the virtual network segment you need.

  4. Under Private connection to cloud networks, click Set up connection and do the following in the window that opens:

    1. In the Setup method field, select Specify ID and enter the routing instance ID in the Connection ID field.

      Alternatively, you can choose Select from the folder and select a routing instance from the list that appears.

      You will see the CIDR blocks of BareMetal and Virtual Private Cloud subnets that will be advertised over Cloud Interconnect.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    2. To create a private connection for the specified CIDR blocks, click Save.

As a result, the VRF information page will display the newly created connection ID and its status under Private connection to cloud networks.

Note

Setting up a private connection may take up to two business days. During this period, the connection status will display as Creating. Once the connection is created, its status will change to Ready.

Private cloud netweork connections may show one of the following statuses:

  • CREATING: Connection creation in progress.
  • READY: Connection is up and ready to use.
  • ERROR: Connection failure. Contact support.
  • DELETING: Connection deletion in progress.
  • UPDATING: Connection settings update in progress.

Check network connectivity

As soon as the status of the new private connection changes to Ready, network connectivity between the BareMetal and VPC subnets will be established, and you can start checking it.

A network connectivity check assumes that:

  • The process of setting up a private connection to cloud networks has been successfully completed (the connection status is Ready).
  • The local firewall on the BareMetal server allows ICMP traffic.
  • The routing table in the BareMetal server OS contains a route to the CIRD of the subnet the VM resides in.
  • The security group assigned to the VM network interface allows ICMP traffic.

Check network connectivity from the BareMetal private subnet to the VPC private subnet

  1. In the management console, select the folder where you created the infrastructure.

  2. In the list of services, select BareMetal.

  3. Next to server-m3, click and select KVM console.

    The KVM console terminal window will open, showing a login prompt:

    server-m3 login:

    If you do not see this prompt, try restarting the server.

  4. In the KVM console terminal, specify root for the username and press ENTER.

  5. Paste the password generated when leasing the server in the password input line and press ENTER. Note that when typing or pasting a password in Linux, the characters you enter will not appear on the screen.

    Tip

    To paste clipboard text to the KVM console, use the Paste text here field in the upper right corner.

    Result:

    Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-53-generic x86_64)
...
root@server-m3:~# _

    If you did not save the server administrator password, you can create a new password following this guide or reinstall the server OS.

  6. In the KVM console terminal, run the ping command to make sure you can access sample-vm by its internal IP address:

    ping <VM_internal_IP_address> -c 5

    You can find the VM internal IP address in the management console under Network interface on the VM information page.

    Result:

    PING 192.168.11.2 (192.168.11.2) 56(84) bytes of data.
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=3.90 ms
64 bytes from 192.168.11.2: icmp_seq=2 ttl=64 time=0.235 ms
64 bytes from 192.168.11.2: icmp_seq=3 ttl=64 time=0.222 ms
64 bytes from 192.168.11.2: icmp_seq=4 ttl=64 time=0.231 ms
64 bytes from 192.168.11.2: icmp_seq=5 ttl=64 time=0.235 ms

--- 192.168.11.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4086ms
rtt min/avg/max/mdev = 0.222/0.964/3.899/1.467 ms

    Network connectivity between the BareMetal server and the VM has been established with zero packet loss.

Check network connectivity from the VPC private subnet to the BareMetal private subnet

  1. Connect to the virtual machine over SSH.

  2. In the terminal, run the ping command to make sure you can access server-m3 by its private IP address:

    ping <server_private_IP_address> -c 5

    You can find the private IP address of the BareMetal server in the management console under Network settings on the server information page.

    Result:

    PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.271 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.262 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.223 ms
64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.208 ms

--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4106ms
rtt min/avg/max/mdev = 0.208/0.235/0.271/0.025 ms

    Network connectivity between the VM and the BareMetal server has been established with zero packet loss.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.

  2. You cannot delete a BareMetal server. Instead, cancel the server lease renewal.

  3. Delete the private connection if you no longer need it:

    1. In the management console, select the folder where you created the infrastructure.
    2. In the list of services, select BareMetal.
    3. In the left-hand panel, click VRF and select my-vrf.
    4. Under Private connection to cloud networks, click and select Disable connection.
    5. In the window that opens, confirm the deletion.

    The connection status will change to Deleting. Once all links are deleted, the connection will disappear from the list.

Previous
Automating tasks using Managed Service for Apache Airflow™
Next
Resource relationships