How Virtual Private Cloud and networking in Nebius AI work
Virtual Private Cloud (VPC) provides networking resources that are used in other Nebius AI resources, such as Compute Cloud virtual machines and Managed Service for Kubernetes clusters and their nodes.
Network-connected resources: What Virtual Private Cloud works with
Nebius AI resources of the following types are network-connected and use Virtual Private Cloud addressing and service resources:
- Compute Cloud virtual machines (VMs).
- Managed Service for Kubernetes cluster masters (control planes) and nodes.
Addressing
Private IP addresses
Each network-connected resource gets a private IPv4 address at creation. Resources can communicate with each other without internet access using their private addresses. Private addresses are allocated from the IPv4 CIDR block 10.130.0.0/24.
Private IP addresses are managed through subnets. For more details, see Subnets below.
Public IP addresses
You can enable public IPv4 addressing for a network-connected resource. A resource's public address is mapped to its private address using one-to-one NAT.
The public addresses are allocated to resources randomly from the following CIDR blocks:
195.242.16.0/20
A public IP address can be dynamic or static:
- Dynamic: When the resource is stopped, its dynamic public address is released, and the resource receives a new public IP address the next time it is started. When the resource is restarted, the address does not change. When public addressing is enabled for a resource, either at creation or modification, it receives a dynamic address.
- Static: When the resource is stopped or restarted, its static public address stays the same. You can make a dynamic address assigned to a resource static and vice versa.
You will need to pay to use public IP addresses. For details, see Pricing for Virtual Private Cloud.
Virtual Private Cloud service resources
Note
Virtual Private Cloud service resources are legacy resources. Unless stated otherwise, you cannot manage them, e.g. edit the default resources, delete them, or create new resources.
Network
A network contains other Virtual Private Cloud resources of most types, such as subnets, routing tables, and gateways.
The default network is default-eu-north1.
Subnets
A subnet is a range of private IPv4 addresses. A resource, such as a VM, is attached to a subnet and assigned a private address from it. Resources attached to the same subnet can communicate with each other using their private addresses. The first two addresses in a subnet are reserved for its gateway (x.x.x.1) and DNS server (x.x.x.2).
The default subnet is default-eu-north1-c inside the default-eu-north1 network. Its IPv4 CIDR block is 10.130.0.0/24; that is, resources in this subnet are assigned private IP addresses 10.130.0.3 to 10.130.0.254. default-eu-north1-c should be used for Compute Cloud virtual machines and Managed Service for Kubernetes node groups. VMs and node groups created in the management console are automatically added to this subnet.
When you create a Managed Service for Kubernetes cluster, two subnets with CIDR blocks that you specify are created for its pods and services respectively.
Routing tables and NAT gateways
A routing table defines how outgoing (egress) traffic from resources attached to a subnet is routed. Each rule in a routing table defines the next hop for the traffic depending on its destination. A NAT gateway is used as the next hop for all destinations outside the subnet, so that resources attached to the subnet have internet access but cannot receive incoming connections from the internet.
The default-eu-north1-c subnet has a routing table with a NAT gateway rule, so that resources attached to the subnet have internet access.
Security groups
A security group defines access rules for incoming (ingress) and outgoing (egress) traffic. An ingress rule denies or allows incoming traffic from certain sources, and an egress rule denies or allows outgoing traffic to certain destinations. A security group can be attached to a resource such as a VM so that the group's rules apply to the VM's traffic.
The default network contains a default security group that allows all ingress and egress traffic. The security group is attached to all network-connected resources.
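The addressing and security group rules above determine what each resource exposes. The following sketch is an added example, not Nebius code: it audits an inventory against the CIDR blocks stated on this page. The inventory field names and the sample hosts are constructed for illustration.

```python
import ipaddress

# Values stated on this page.
DEFAULT_SUBNET = ipaddress.ip_network("10.130.0.0/24")
PUBLIC_POOL = ipaddress.ip_network("195.242.16.0/20")

# Constructed sample inventory; field names are hypothetical.
SAMPLE = [
    {"name": "vm-batch", "private_ip": "10.130.0.17", "public_ip": None},
    {"name": "vm-web", "private_ip": "10.130.0.42",
     "public_ip": "195.242.17.9", "public_ip_type": "dynamic"},
    {"name": "vm-api", "private_ip": "10.130.0.43",
     "public_ip": "195.242.20.5", "public_ip_type": "static"},
    {"name": "vm-odd", "private_ip": "10.130.0.2", "public_ip": "203.0.113.7",
     "public_ip_type": "static"},
]

def assignable_range(subnet):
    """Skip the network address, gateway (.1) and DNS (.2); stop before broadcast."""
    return subnet.network_address + 3, subnet.broadcast_address - 1

def audit(resources):
    """Return (name, finding) pairs describing each resource's exposure."""
    first, last = assignable_range(DEFAULT_SUBNET)
    findings = []
    for r in resources:
        name = r["name"]
        if not first <= ipaddress.ip_address(r["private_ip"]) <= last:
            findings.append((name, "private address not assignable in default subnet"))
        if r["public_ip"] is None:
            findings.append((name, "egress only via NAT gateway"))
            continue
        if ipaddress.ip_address(r["public_ip"]) not in PUBLIC_POOL:
            findings.append((name, "public address outside documented pool"))
        # The default security group allows all ingress, so one-to-one NAT
        # exposes every listening port unless the host itself filters traffic.
        findings.append((name, "all ports reachable from internet"))
        if r.get("public_ip_type") == "dynamic":
            findings.append((name, "address changes after stop/start"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Resources flagged as reachable on all ports rely entirely on host-level filtering, and a dynamic address should not be pinned in an external allowlist because it is released when the resource stops.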