In some scenarios, you may need to ensure that some of your Nebius AI Cloud resources do not have connectivity with the internet. For example, you may want to set up a secure zone and connect to it from a demilitarized zone (DMZ) via a jump server. To do so, you can create a subnet that cannot allocate public IP addresses. Resources in such a subnet can only have private IP addresses.

Prerequisites

  1. Make sure you are in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
  2. Install and initialize the Nebius AI Cloud CLI.
  3. Install jq to extract IDs and tokens from the JSON data returned by the Nebius AI Cloud CLI:
    sudo apt-get install jq
    

Create a subnet without public IP addresses

  1. Choose a network that has at least one private pool. You can get information about available networks by using the following command:
    nebius vpc network list
    
    In the output, check the metadata.spec.ipv4_private_pools parameter to determine whether a network has private pools. Save the ID of the required network for the next command.
  2. Create a subnet that does not use the network’s public pools, and save the subnet’s ID to an environment variable:
    export PRIVATE_SUBNET_ID=$(nebius vpc subnet create \
      --name <private_subnet> \
      --network-id <network_ID> \
      --ipv4-public-pools-use-network-pools=False \
      --format json | jq -r ".metadata.id")
    
    In this command, specify the subnet name and the copied network ID.
  3. To check that public addresses are disabled in this subnet, try to create an allocation of a public IP address in this subnet:
    nebius vpc allocation create \
      --name <public_allocation> \
      --ipv4-public-subnet-id "$PRIVATE_SUBNET_ID"
    
    This command returns an error, which confirms that the subnet cannot allocate public IP addresses.
Use this subnet to create resources that should have no connectivity with the internet. These resources have only private IP addresses that can be accessed from within the same network. You can create a virtual machine with a public IP address within the same network, but outside the private subnet, and use this virtual machine as a jump server for external connections.
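
The check in step 3 passes on any error, including one caused by an empty or `null` value in `PRIVATE_SUBNET_ID` left behind by a failed step 2. The following wrapper is an added example, not part of the Nebius documentation; `valid_id`, `check_no_public_ips` and the allocation name `public-allocation-probe` are hypothetical, and it uses only the `nebius vpc allocation create` flags shown above.

```shell
#!/bin/sh
# Added example, not Nebius code. valid_id and check_no_public_ips are
# hypothetical helper names.

# Reject values that are not a usable ID. `jq -r` prints the string "null"
# when .metadata.id is missing, and `export VAR=$(...)` discards the exit
# status of a failed `nebius ... | jq` pipeline.
valid_id() {
  case "$1" in
    ''|null|*[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Exit codes: 0 = allocation refused (expected),
#             1 = subnet ID unusable, the negative test proves nothing,
#             2 = allocation succeeded, the subnet can hand out public IPs.
check_no_public_ips() {
  subnet_id=$1
  alloc_name=${2:-public-allocation-probe}  # constructed placeholder name
  if ! valid_id "$subnet_id"; then
    echo "subnet ID is empty or 'null'; create the subnet first" >&2
    return 1
  fi
  if out=$(nebius vpc allocation create \
             --name "$alloc_name" \
             --ipv4-public-subnet-id "$subnet_id" 2>&1); then
    echo "FAIL: public allocation created in $subnet_id" >&2
    return 2
  fi
  # Show the CLI's own message so an authentication or network failure
  # is not mistaken for the expected refusal.
  echo "OK: allocation refused in $subnet_id. CLI said: $out"
}

# Usage after step 2: check_no_public_ips "$PRIVATE_SUBNET_ID"
```

Read the printed CLI message before accepting the result: an expired token or a network failure also makes the command fail. If the function returns 2, a public allocation now exists and should be removed before the subnet is used.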