> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to connect to virtual machines in Nebius AI Cloud

Safe connection to the VM over SSH uses a key pair: you place the public key on the VM and store the private key on your device.

## Set up the VM

To be able to connect to the VM, define specific information during the [VM creation](./manage).

### Generate a key pair

Generate a key pair for SSH access to the VM and save it in the default location:

```bash theme={null}
ssh-keygen -t ed25519
```

### Configure the user data

User configuration helps to quickly create VMs with identical user data: it stores your username and the public key for the access to the VM.

The configuration has the [cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups) format and contains the following data:

* `name`: Username for connecting to the VM. You can set the name explicitly or use your default one (the value of your machine's `USER` environment variable).

  Do not use the `root` or `admin` usernames. They are reserved for internal needs and are not allowed to connect to a VM by SSH.

* `sudo`: Sudo policy. `ALL=(ALL) NOPASSWD:ALL` allows users unrestricted sudo access. `False` prevents sudo access for users.

* `shell`: Default shell to use.

* `ssh_authorized_keys`: The public key contents.

User data configuration example:

```bash theme={null}
export USER_DATA=$(jq -Rs '.' <<EOF
users:
  - name: $USER
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - $(cat ~/.ssh/id_ed25519.pub)
EOF
)
```

### Configure the VM

During the creation of the VM, configure the `spec` field as follows:

* Pass the user data with your username and public key to the `spec.cloud_init_user_data` field.

* To enable public access to the VM, pass an empty object (`{}`) to the `spec.network_interfaces.public_ip_address` field. You will not be able to allocate the public IP address to the already created VM.

Alternatively, to enable public access to the VM, pass the [allocation](../../vpc/overview#allocation) ID to the `spec.network_interfaces.public_ip_address.allocation_id` field. This way the public IP address will be saved like an allocation object and you can use it after deleting this VM for another new one. You will not be able to allocate the public IP address to the already created VM.

<Accordion title="How to create an allocation">
  1. Get the default subnet's ID:

     ```bash theme={null}
     export NB_SUBNET_ID=$(nebius vpc subnet list \
       --format json \
       | jq -r ".items[0].metadata.id")
     ```

  2. Create an [allocation](/vpc/overview#allocation) by using the default subnet's ID:

     ```bash theme={null}
     export NB_ALLOCATION_ID=$(nebius vpc allocation create \
       --ipv4-public-subnet-id $NB_SUBNET_ID \
       --name allocation-name \
       --format json \
       | jq -r ".metadata.id")
     ```

  <Note>
    If an allocation with a public address has not been assigned to any resource for 30 days, Nebius AI Cloud can delete this allocation and release its address. If you want to preserve the address, assign its allocation to a Nebius AI Cloud resource.
  </Note>
</Accordion>

Example:

```bash theme={null}
nebius compute instance create \
- <<EOF
{
  "metadata": {
    "name": "inference-vm"
  },
  "spec": {
    "stopped": false,
    "cloud_init_user_data": $USER_DATA,
    "resources": {
      "platform": "<platform>",
      "preset": "<preset>"
    },
    "boot_disk": {
      <boot_disk_data>
    },
    "network_interfaces": [
      {
        "name": "<network_interface_name>",
        "subnet_id": "<subnet_ID>",
        "public_ip_address": {
          "allocation_id": "<allocation_ID>"
        },
        "ip_address": {}
      }
    ]
  }
}
EOF
```

See more [examples](./manage#examples).

## Connect to the VM by using SSH

<Note>
  **Requirements to connect to a private IP address or FQDN**

  To connect to a VM from another VM by using a [private IP address](./network#private-ip-addresses) or an [FQDN](./fqdn), both VMs must be in the same network.
</Note>

1. Get your VM's IP address and save it to an environment variable:

   <Tabs>
     <Tab title="Connecting from the internet">
       To connect to the VM from the internet (if you have enabled public access to it), get its public IP address:

       ```bash theme={null}
       export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
         --name <VM_name> \
         --format json \
         | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
       ```
     </Tab>

     <Tab title="Connecting from another VM">
       To connect to the VM from another Compute VM, get the private IP address or FQDN of the VM that you connect to:

       * Private IP address:

         ```bash theme={null}
         nebius compute instance get-by-name \
           --name <VM_name> \
           --format json \
           | jq -r '.status.network_interfaces[0].ip_address.address | split("/")[0]'
         ```

       * FQDN:

         ```bash theme={null}
         nebius compute instance get-by-name \
           --name <VM_name> \
           --format json \
           | jq -r '.status.network_interfaces[0].fqdn | split("/")[0]'
         ```
     </Tab>
   </Tabs>

2. Connect to the VM:

   <Tabs>
     <Tab title="Connecting from the internet">
       ```bash theme={null}
       ssh $USER@$PUBLIC_IP_ADDRESS
       ```
     </Tab>

     <Tab title="Connecting from another VM">
       Use the received private address or FQDN:

       ```bash theme={null}
       ssh $USER@<private_address_or_FQDN>
       ```
     </Tab>
   </Tabs>

## Shared access to the VM

To let the other users to connect to your VM:

1. Ask them to [generate an SSH key pair](#generate-a-key-pair-key) and share the contents of the public SSH key (e.g. `id_ed25519.pub`).

2. Connect to the VM under the name used when creating the VM:

   ```bash theme={null}
   ssh $USER@$PUBLIC_IP_ADDRESS
   ```

3. Create a new user for VM access, named `newuser` in this example:

   ```bash theme={null}
   sudo useradd -m -d /home/newuser -s /bin/bash newuser
   ```

4. Switch to the new user:

   ```bash theme={null}
   sudo su - newuser
   ```

5. Create the `ssh` directory:

   ```bash theme={null}
   mkdir .ssh
   ```

6. In the directory, create the `authorized_keys` file:

   ```bash theme={null}
   cd .ssh
   touch authorized_keys
   ```

7. Add the new user's public key to the created file:

   ```bash theme={null}
   echo "<public_key>" > /home/newuser/.ssh/authorized_keys
   ```

8. Change the directory's access permissions:

   ```bash theme={null}
   chmod 700 ~/.ssh
   chmod 600 ~/.ssh/authorized_keys
   ```

9. Exit the new user's shell:

   ```bash theme={null}
   exit
   ```

10. Restart the VM:

    ```bash theme={null}
    sudo reboot
    ```

11. Ask the other user to check the connection:

    ```bash theme={null}
    ssh newuser@<public_api_address>
    ```

## Example

Set of commands to connect to the VM named `training-instance` from the internet:

```bash theme={null}
export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name training-instance \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
ssh $USER@$PUBLIC_IP_ADDRESS
```