> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to connect to virtual machines in Nebius AI Cloud

Safe connection to the VM over SSH uses a key pair: you place the public key on the VM and store the private key on your device.

## Set up the VM

To be able to connect to the VM, define specific information during the [VM creation](/compute/virtual-machines/manage).

### Generate a key pair

Generate an [SSH key pair](/compute/virtual-machines/ssh-keys).

You will need the [contents of the public key](/compute/virtual-machines/ssh-keys#getting-the-public-key) and the path to your private key in later steps.

### Configure the user data

User configuration helps to quickly create VMs with identical user data: it stores your username and the public key for the access to the VM.

Create a configuration in the [cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups) format:

```bash theme={null}
export USER_DATA=$(jq -Rrs '.' <<EOF
#cloud-config
users:
  - name: $USER
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - $(cat ~/.ssh/id_ed25519.pub)
EOF
)
```

The configuration contains the following parameters:

* `name`: Username for connecting to the VM. The above example sets the value of the machine's `USER` environment variable as the username for the VM.

  Do not use the `root` or `admin` usernames. They are reserved for internal needs and are not allowed to connect to a VM by SSH.

* `sudo`: Sudo policy. `ALL=(ALL) NOPASSWD:ALL` allows users unrestricted sudo access; `False` disables sudo access for users.

* `shell`: Default shell.

* `ssh_authorized_keys`: User's authorized keys. Allows configuring SSH access to the VM.

  To create the key pair, follow the instructions in [Generating SSH keys](/compute/virtual-machines/ssh-keys).

You can specify several users and their public SSH keys.

For more information, see [cloud-init configuration examples](https://cloudinit.readthedocs.io/en/latest/reference/examples.html).

### Configure the VM

When you [create the VM](/compute/virtual-machines/manage#create-a-vm), set the following parameters in the `nebius compute instance create` command:

* `--cloud-init-user-data`: Pass the user data with your username and public key.
* `--network-interfaces`: To enable public access to the VM, include `"public_ip_address": {}` in the network interface specification.

  Alternatively, to enable public access to the VM, set `"public_ip_address": {"allocation_id": "<allocation_ID>"}` with an [allocation](/vpc/overview#allocation) ID. This way the public IP address is preserved as an allocation object and you can reuse it for another VM after deleting this one.

<Accordion title="How to create an allocation">
  1. Get the default subnet's ID:

     ```bash theme={null}
     export SUBNET_ID=$(nebius vpc subnet list \
       --format json \
       | jq -r ".items[0].metadata.id")
     ```

  2. Create an [allocation](/vpc/overview#allocation) by using the default subnet's ID:

     ```bash theme={null}
     export ALLOCATION_ID=$(nebius vpc allocation create \
       --ipv4-public-subnet-id $SUBNET_ID \
       --name allocation-name \
       --format json \
       | jq -r ".metadata.id")
     ```

  <Note>
    If an allocation with a public address has not been assigned to any resource for 30 days, Nebius AI Cloud can delete this allocation and release its address. If you want to preserve the address, assign its allocation to a Nebius AI Cloud resource.
  </Note>
</Accordion>

Example:

```bash theme={null}
nebius compute instance create \
  --name inference-vm \
  --resources-platform <platform> \
  --resources-preset <preset> \
  --boot-disk-existing-disk-id <boot_disk_ID> \
  --boot-disk-attach-mode READ_WRITE \
  --cloud-init-user-data "$USER_DATA" \
  --network-interfaces '[{"name": "eth0", "subnet_id": "<subnet_ID>", "ip_address": {}, "public_ip_address": {"allocation_id": "<allocation_ID>"}}]'
```

For the full set of parameters and more examples, see [How to create a virtual machine in Nebius AI Cloud](/compute/virtual-machines/manage#examples).

## Connect to the VM by using SSH

<Note>
  **Requirements to connect to a private IP address or FQDN**

  To connect to a VM from another VM by using a [private IP address](/compute/virtual-machines/network#private-ip-addresses) or an [FQDN](/compute/virtual-machines/fqdn), both VMs must be in the same network.
</Note>

1. Get your VM's IP address and save it to an environment variable:

   <Tabs>
     <Tab title="Connecting from the internet">
       To connect to the VM from the internet (if you have enabled public access to it), get its public IP address:

       ```bash theme={null}
       export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
         --name <VM_name> \
         --format json \
         | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
       ```
     </Tab>

     <Tab title="Connecting from another VM">
       To connect to the VM from another Compute VM, get the private IP address or FQDN of the VM that you connect to:

       * Private IP address:

         ```bash theme={null}
         nebius compute instance get-by-name \
           --name <VM_name> \
           --format json \
           | jq -r '.status.network_interfaces[0].ip_address.address | split("/")[0]'
         ```

       * FQDN:

         ```bash theme={null}
         nebius compute instance get-by-name \
           --name <VM_name> \
           --format json \
           | jq -r '.status.network_interfaces[0].fqdn | split("/")[0]'
         ```
     </Tab>
   </Tabs>

2. Connect to the VM:

   <Tabs>
     <Tab title="Connecting from the internet">
       ```bash theme={null}
       ssh <username>@<public_IP_address>
       ```

       If your private key is stored in a custom location, specify the path to it with the `-i` parameter:

       ```bash theme={null}
       ssh -i ~/.ssh/<private_key_file> <username>@<public_IP_address>
       ```
     </Tab>

     <Tab title="Connecting from another VM">
       Use the received private address or FQDN:

       ```bash theme={null}
       ssh <username>@<private_address_or_FQDN>
       ```

       If your private key is stored in a custom location, specify the path to it with the `-i` parameter:

       ```bash theme={null}
       ssh -i ~/.ssh/<private_key_file> <username>@<private_address_or_FQDN>
       ```
     </Tab>
   </Tabs>

## Shared access to the VM

To let the other users connect to your VM:

1. Ask them to [generate an SSH key pair](/compute/virtual-machines/ssh-keys#generating-a-key-pair) and share the [contents of their public key](/compute/virtual-machines/ssh-keys#getting-the-public-key) with you.

2. Connect to the VM under the name used when creating the VM:

   ```bash theme={null}
   ssh <username>@<public_IP_address>
   ```

3. Create a new user for VM access, named `newuser` in this example:

   ```bash theme={null}
   sudo useradd -m -d /home/newuser -s /bin/bash newuser
   ```

4. Switch to the new user:

   ```bash theme={null}
   sudo su - newuser
   ```

5. Create the `ssh` directory:

   ```bash theme={null}
   mkdir .ssh
   ```

6. In the directory, create the `authorized_keys` file:

   ```bash theme={null}
   cd .ssh
   touch authorized_keys
   ```

7. Add the new user's public key to the created file:

   ```bash theme={null}
   echo "<public_key>" > /home/newuser/.ssh/authorized_keys
   ```

8. Change the directory's access permissions:

   ```bash theme={null}
   chmod 700 ~/.ssh
   chmod 600 ~/.ssh/authorized_keys
   ```

9. Exit the new user's shell:

   ```bash theme={null}
   exit
   ```

10. Restart the VM:

    ```bash theme={null}
    sudo reboot
    ```

11. Ask the other user to check the connection:

    ```bash theme={null}
    ssh newuser@<public_api_address>
    ```

## Example

Set of commands to connect to the VM named `training-instance` from the internet:

```bash theme={null}
export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name training-instance \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
ssh $USER@$PUBLIC_IP_ADDRESS
```