Skip to main content
Safe connection to the VM over SSH uses a key pair: you place the public key on the VM and store the private key on your device.

Set up the VM

To be able to connect to the VM, define specific information during the VM creation.

Generate a key pair

Generate a key pair for SSH access to the VM and save it in the default location: 
ssh-keygen -t ed25519

Configure the user data

User configuration helps to quickly create VMs with identical user data: it stores your username and the public key for the access to the VM. The configuration has the cloud-init format and contains the following data:
  • name: Username for connecting to the VM. You can set the name explicitly or use your default one (the value of your machine’s USER environment variable). Do not use the root or admin usernames. They are reserved for internal needs and are not allowed to connect to a VM by SSH.
  • sudo: Sudo policy. ALL=(ALL) NOPASSWD:ALL allows users unrestricted sudo access. False prevents sudo access for users.
  • shell: Default shell to use.
  • ssh_authorized_keys: The public key contents.
User data configuration example: 
export USER_DATA=$(jq -Rs '.' <<EOF
users:
  - name: $USER
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - $(cat ~/.ssh/id_ed25519.pub)
EOF
)

Configure the VM

During the creation of the VM, configure the spec field as follows:
  • Pass the user data with your username and public key to the spec.cloud_init_user_data field.
  • To enable public access to the VM, pass an empty object ({}) to the spec.network_interfaces.public_ip_address field. You will not be able to allocate the public IP address to the already created VM.
Alternatively, to enable public access to the VM, pass the allocation ID to the spec.network_interfaces.public_ip_address.allocation_id field. This way the public IP address will be saved like an allocation object and you can use it after deleting this VM for another new one. You will not be able to allocate the public IP address to the already created VM.
  1. Get the default subnet’s ID: 
    export NB_SUBNET_ID=$(nebius vpc subnet list \
  --format json \
  | jq -r ".items[0].metadata.id")
  2. Create an allocation by using the default subnet’s ID: 
    export NB_ALLOCATION_ID=$(nebius vpc allocation create \
  --ipv4-public-subnet-id $NB_SUBNET_ID \
  --name allocation-name \
  --format json \
  | jq -r ".metadata.id")
If an allocation with a public address has not been assigned to any resource for 30 days, Nebius AI Cloud can delete this allocation and release its address. If you want to preserve the address, assign its allocation to a Nebius AI Cloud resource.
Example: 
nebius compute instance create \
- <<EOF
{
  "metadata": {
    "name": "inference-vm"
  },
  "spec": {
    "stopped": false,
    "cloud_init_user_data": $USER_DATA,
    "resources": {
      "platform": "<platform>",
      "preset": "<preset>"
    },
    "boot_disk": {
      <boot_disk_data>
    },
    "network_interfaces": [
      {
        "name": "<network_interface_name>",
        "subnet_id": "<subnet_ID>",
        "public_ip_address": {
          "allocation_id": "<allocation_ID>"
        },
        "ip_address": {}
      }
    ]
  }
}
EOF
See more examples.

Connect to the VM by using SSH

Requirements to connect to a private IP address or FQDNTo connect to a VM from another VM by using a private IP address or an FQDN, both VMs must be in the same network.
  1. Get your VM’s IP address and save it to an environment variable:
    To connect to the VM from the internet (if you have enabled public access to it), get its public IP address:
    export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name <VM_name> \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
  2. Connect to the VM: 
    ssh $USER@$PUBLIC_IP_ADDRESS

Shared access to the VM

To let the other users to connect to your VM:
  1. Ask them to generate an SSH key pair and share the contents of the public SSH key (e.g. id_ed25519.pub).
  2. Connect to the VM under the name used when creating the VM: 
    ssh $USER@$PUBLIC_IP_ADDRESS
  3. Create a new user for VM access, named newuser in this example: 
    sudo useradd -m -d /home/newuser -s /bin/bash newuser
  4. Switch to the new user: 
    sudo su - newuser
  5. Create the ssh directory: 
    mkdir .ssh
  6. In the directory, create the authorized_keys file: 
    cd .ssh
touch authorized_keys
  7. Add the new user’s public key to the created file: 
    echo "<public_key>" > /home/newuser/.ssh/authorized_keys
  8. Change the directory’s access permissions: 
    chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  9. Exit the new user’s shell: 
    exit
  10. Restart the VM: 
    sudo reboot
  11. Ask the other user to check the connection: 
    ssh newuser@<public_api_address>

Example

Set of commands to connect to the VM named training-instance from the internet: 
export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name training-instance \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
ssh $USER@$PUBLIC_IP_ADDRESS