Network security
This section provides customers with recommendations on security settings in Virtual Private Cloud.
Setting up remote access and communication channels
To enable administrators to establish remote connections to your cloud resources, use one of the following:
- A site-to-site VPN between a remote site (such as your office) and the cloud. As a remote access gateway, use a VM featuring a site-to-site VPN based on an image from Marketplace.
  Setup option:
  - Creating an IPsec VPN tunnel using strongSwan.
- Client VPN between remote devices and Nebius AI. As a remote access gateway, use a VM featuring a client VPN based on an image from Marketplace.
To access the infrastructure using control protocols (for example, SSH), create a bastion VM. You can do this using a free Teleport
For better control of administrative actions, we recommend that you use PAM (Privileged Access Management) solutions that support administrator session logging (for example, Teleport). For SSH and VPN access, we recommend that you avoid passwords and use public keys, X.509 certificates, and SSH certificates instead. When setting up SSH for your virtual machines, we recommend that you use SSH certificates both for users and for the SSH host key.
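The following script is an added example (not part of this documentation and not a Nebius tool) of the SSH certificate setup recommended above: it creates a CA, issues a host certificate for a VM and a short-lived user certificate for an administrator, and writes the sshd and client settings that make both trusted. All hostnames, principals, paths and lifetimes are constructed for the demonstration; in a real deployment the CA key is kept offline.

```shell
#!/bin/sh
# Added example: SSH CA, host certificate and user certificate with OpenSSH's ssh-keygen.
set -eu

# Create a CA in directory $1 and sign a host key and an admin user key with it.
issue_ssh_certs() {
  dir="$1"
  mkdir -p "$dir"
  # CA key (constructed for the demo; keep the real one offline or in an HSM).
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ca" -C "example-ssh-ca"
  # Host key for a VM. -h marks a host certificate; -n restricts the hostnames it is
  # valid for; -V sets the validity window (here one year, with a small clock-skew margin).
  ssh-keygen -q -t ed25519 -N '' -f "$dir/host_key"
  ssh-keygen -q -s "$dir/ca" -I "vm-01" -h -n "vm-01.example.internal" \
    -V -5m:+52w "$dir/host_key.pub"
  # Admin user key. The principal "admin" is the only login this certificate grants,
  # and the certificate expires after 8 hours, so there is no long-lived credential.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/admin_key"
  ssh-keygen -q -s "$dir/ca" -I "alice@example" -n admin -V -5m:+8h "$dir/admin_key.pub"
  # sshd settings for each VM (constructed paths): present the host certificate,
  # trust user certificates signed by the CA, and disable password logins.
  cat > "$dir/sshd_config.snippet" <<EOF
HostKey /etc/ssh/host_key
HostCertificate /etc/ssh/host_key-cert.pub
TrustedUserCAKeys /etc/ssh/ca.pub
PasswordAuthentication no
EOF
  # Client-side known_hosts entry: trust host certificates from the CA for the
  # internal domain instead of accepting individual host keys on first use.
  printf '@cert-authority *.example.internal %s\n' "$(cat "$dir/ca.pub")" \
    > "$dir/known_hosts.snippet"
}

# Report whether a certificate file is a "host" or "user" certificate, as ssh-keygen prints it.
cert_type() {
  ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1); exit }'
}

# Usage: issue_ssh_certs ./demo-ca && cert_type ./demo-ca/admin_key-cert.pub
```

Inspect the issued certificates with `ssh-keygen -L -f <file>` to confirm the principals and validity window before distributing them.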
To access web services deployed in the cloud, use TLS version 1.2 or higher.
Outbound internet access
Possible options for setting up outbound internet access:
- Public IP address. Assigned to a VM according to the one-to-one NAT rule.
- NAT gateway. Enables internet access for a subnet through a shared pool of Nebius AI public IP addresses. We don't recommend using a NAT gateway for critical interactions, since the NAT gateway's IP address might be used by multiple clients at the same time. Take this into account when modeling threats for your infrastructure.
Comparison of internet access methods:
| | Public IP address | NAT gateway | NAT instance |
|---|---|---|---|
| Advantages | No setup required; a dedicated IP address for each VM | Runs only on egress connections | Traffic filtering on the NAT instance; using your own firewall; effective use of IP addresses |
| Disadvantages | It might be unsafe to expose a VM directly to the internet; the cost of reserving each IP address | Shared pool of IP addresses | Setup required; the cost of using a VM (vCPU, RAM, and disk space) |
DNS security
To increase fault tolerance, some DNS traffic can be routed to third-party recursive resolvers. If you want to avoid this, contact support.