You can create a jump server to build a reliable tunnel between two zones:
  • Secure zone that consists of virtual machines (VMs) created in Nebius AI Cloud
  • Demilitarized zone (DMZ) that consists of machines outside Nebius AI Cloud
All connections from the DMZ to the secure zone go through the jump server. This solution provides several benefits:
  • You can use one public IP address to access all VMs.
  • You can keep the number of public addresses within a quota.
  • You can limit access to the secure zone and allow only authorized machines to connect to the secure zone.
To create a jump server, deploy a VM with WireGuard installed and configure a VPN. The traffic between the zones is routed in an encrypted form via the jump server. To create a VM with WireGuard deployed, Nebius AI Cloud offers a Terraform-based solution: you apply manifests that contain the configuration of a VM with a WireGuard image.

Costs

The tutorial includes the following chargeable resources:

Prerequisites

  1. Install Terraform.
  2. Install and configure the CLI for Nebius AI Cloud. The Terraform-based solution uses the CLI to get credentials. For enhanced security, use a service account to configure the CLI. Make sure that this account is in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
  3. Install jq:
    sudo apt-get install jq
    
  4. Clone the nebius-solution-library repository, from which the WireGuard solution is deployed:
    git clone git@github.com:nebius/nebius-solution-library.git
    
  5. Create an SSH key pair for the virtual machine:
    1. Run the following command:
      ssh-keygen -t ed25519 -C "For my virtual machine"
      
    2. Enter the name of the file in which to store the key pair.
    3. (Optional) Enter a passphrase.

Steps

Deploy infrastructure

  1. In your terminal, go to the wireguard directory in the cloned repository:
    cd nebius-solution-library/wireguard
    
  2. In the environment.sh file in this directory, uncomment the following variables and specify values for them:
    • NEBIUS_TENANT_ID: The tenant ID. To copy it, go to the web console and expand the top-left tenants list. Next to the tenant’s name, click the vertical ellipsis button, then Copy tenant ID.
    • NEBIUS_PROJECT_ID: The project ID. To copy it, go to the web console and expand the top-left list of projects. Next to the project’s name, click the vertical ellipsis button, then Copy project ID.
    • NEBIUS_REGION: Specify the region where your project is located. You can find the region in the web console, in the list of projects.
  3. Run the script that creates an access token for Terraform, saves the token to environment variables and configures Terraform state to be saved in Object Storage:
    source ./environment.sh
    
  4. Initialize Terraform in the wireguard directory:
    terraform init
    
  5. In the terraform.tfvars file in this directory, uncomment the following variables and specify values for them:
    • ssh_user_name: The user required for an SSH connection to the VM, for example user1.
    • ssh_public_key: The public SSH key that you created earlier. Specify either the key body or the path to this key.
    • public_ip_allocation_id: The ID of an allocation with a public IP address. The WireGuard UI will be available at this address. To preserve the address even if the VM is deleted, create the allocation:
      nebius vpc allocation create \
        --ipv4-public-subnet-id <subnet_ID> \
        --name wireguard_allocation \
        --parent-id <project_ID> \
        --format json \
        | jq -r ".metadata.id"
      
      The command returns the allocation ID. Specify it in the public_ip_allocation_id variable.
  6. Preview the configuration that you are going to deploy:
    terraform plan
    
  7. Apply the changes:
    terraform apply
    
    When the command is finished, it returns the VM public address:
    Outputs:
    
    wg_instance_pib = "<public_IP_address>"
    
    Copy the address; it is required to connect to the deployed VM.

Access WireGuard

  1. Connect to the VM:
    ssh -i <path_to_private_key> <username>@<public_IP_address>
    
    The command contains:
    • Path to the private SSH key that you created earlier
    • Username specified in the terraform.tfvars file
    • Public IP address of the deployed VM
  2. Get the WireGuard UI password:
    sudo cat /var/lib/wireguard-ui/initial_password
    
  3. In the browser, open the WireGuard UI at http://<public_IP_address>:5000.
  4. In the window that opens, sign in with the admin username and the password retrieved from the VM. The working space of the WireGuard UI opens.

Configure WireGuard

Set up a VPN and grant access to the VMs in the secure zone. To do this, add the DMZ machines as WireGuard clients:
  1. Click + New client.
  2. In the window that opens, specify details of the machines that require access. In the Allowed IPs field, enter CIDRs of these machines.
  3. Click Submit.
  4. After the window closes, click Apply config. Click this button each time you create, change or delete WireGuard clients.
After that, the DMZ machines are able to connect to the VMs in the secure zone. You do not need to configure the same access for the jump server because it is located in the same subnet as the VMs in the secure zone.
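
The Allowed IPs values entered for each client decide which source addresses the jump server accepts from that client, so they are worth reviewing after every Apply config. The check below is an added example, not part of the Nebius solution or of the WireGuard UI: it assumes a server configuration in the standard wg-quick format and flags clients whose Allowed IPs are wider than a single host or overlap another client's. The sample configuration, its placeholder keys and addresses, and the names parse_peers, audit and max_hosts are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample in wg-quick format; keys and addresses are placeholders.
SAMPLE_CONF = """
[Interface]
Address = 10.8.0.1/24
[Peer]
PublicKey = <peer_A_public_key>
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = <peer_B_public_key>
AllowedIPs = 10.8.0.3/32, 0.0.0.0/0
[Peer]
PublicKey = <peer_C_public_key>
AllowedIPs = 10.8.0.0/28
"""

def parse_peers(text):
    """Return one {"key", "nets"} dict per [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):
            current = {"key": "", "nets": []} if line.lower() == "[peer]" else None
            peers.extend([current] if current else [])
        elif current is not None and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                    for v in value.split(",") if v.strip()]
    return peers

def audit(text, max_hosts=1):
    """Flag AllowedIPs wider than max_hosts addresses or claimed by two peers."""
    peers, findings = parse_peers(text), []
    for p in peers:
        for net in p["nets"]:
            if net.prefixlen == 0 or net.num_addresses > max_hosts:
                reason = "default route" if net.prefixlen == 0 else "wider than expected"
                findings.append((p["key"], str(net), reason))
    for a, b in combinations(peers, 2):
        for na in a["nets"]:
            for nb in b["nets"]:
                if na.version == nb.version and na.overlaps(nb):
                    findings.append((a["key"], f"{na} vs {nb}", "overlaps " + b["key"]))
    return findings
```

Raise max_hosts when a client legitimately represents a whole DMZ subnet rather than a single machine.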

How to delete the created resources

The created Compute virtual machine and its boot disk are chargeable. If you do not need them, delete these resources so that Nebius AI Cloud does not charge for them. Use the following command to delete all the created infrastructure at once:
terraform destroy -target=nebius_compute_v1_instance.wireguard_instance