- Creates a network and its subnets in your folder
- Supports the Multi-Folder VPC concept: add folder_id to a subnet object to place that subnet in another folder
- Subnets can be public (for VMs with public IPs) or private (for VMs without public IPs), with or without a NAT gateway
- Creates a private endpoint for Object Storage, so storage traffic stays inside the VPC
- Creates a default security group
- Easy to consume from other resources via module outputs
- Future Growth: Choose CIDR blocks that leave room for expansion
- Non-Overlapping Ranges: Ensure CIDR blocks don't overlap with other networks (including peered networks and on-premises ranges)
- Consistent Sizing: Use consistent subnet sizes for similar resources
- Restrict Access: Limit access to resources in private subnets; keep the default security group narrow and scope rules to known CIDR blocks
- Use NAT Gateway: Give private subnets outbound internet access through the NAT gateway instead of assigning public IPs
- Custom Security Groups: Create additional security groups for specific workloads using the security-group module rather than widening the default one
- CIDR Block Conflicts: If subnet creation fails, check that the CIDR blocks don't overlap with existing networks
- Folder Permissions: For multi-folder deployments, verify that the account running Terraform has the required permissions in every target folder
- Install the YC CLI
- Export the environment variables the Terraform yandex provider uses for authentication in Yandex.Cloud:

```bash
export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)
```

The IAM token from `yc iam create-token` is short-lived (at most 12 hours), so re-run the export before a long session; keep the token out of files and shell history rather than hard-coding it in the provider block.
```mermaid
graph TD
    subgraph "Yandex Cloud"
        VPC[VPC Network]
        subgraph "Public Subnets"
            PS1[Public Subnet ru-central1-a]
            PS2[Public Subnet ru-central1-b]
            PS3[Public Subnet ru-central1-d]
        end
        subgraph "Private Subnets"
            PRS1[Private Subnet ru-central1-a]
            PRS2[Private Subnet ru-central1-b]
            PRS3[Private Subnet ru-central1-d]
        end
        NAT[NAT Gateway]
        S3PE[S3 Private Endpoint]
        PRT[Private Route Table]
        PBRT[Public Route Table]
        SG[Default Security Group]
        VPC --> PS1
        VPC --> PS2
        VPC --> PS3
        VPC --> PRS1
        VPC --> PRS2
        VPC --> PRS3
        PS1 --> PBRT
        PS2 --> PBRT
        PS3 --> PBRT
        PRS1 --> PRT
        PRS2 --> PRT
        PRS3 --> PRT
        PRT --> NAT
        NAT --> Internet((Internet))
        PRS1 --> S3PE
        S3PE --> S3[Object Storage]
        VPC --> SG
    end
```
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| yandex | >= 0.101.0 |

Providers:

| Name | Version |
|---|---|
| yandex | 0.140.1 |

Modules: no modules.

Resources:

| Name | Type |
|---|---|
| yandex_vpc_default_security_group.default_sg | resource |
| yandex_vpc_gateway.egress_gateway | resource |
| yandex_vpc_network.this | resource |
| yandex_vpc_private_endpoint.object_storage | resource |
| yandex_vpc_route_table.private | resource |
| yandex_vpc_route_table.public | resource |
| yandex_vpc_subnet.private | resource |
| yandex_vpc_subnet.public | resource |
| yandex_client_config.client | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_nat_gw | Create a NAT gateway for internet access from private subnets | bool | true | no |
| create_sg | Whether a default security group for the VPC object should be created | bool | true | no |
| create_vpc | Whether a VPC object should be created. If false, an existing vpc_id is required. | bool | true | no |
| domain_name | Domain name to be added to DHCP options | string | "internal." | no |
| domain_name_servers | Domain name servers to be added to DHCP options. Only IP addresses can be used | list(string) | [] | no |
| folder_id | Folder ID where the resources will be created | string | null | no |
| labels | Set of key/value label pairs to assign | map(string) | {} | no |
| network_description | Optional description of this resource. Provide this property when you create the resource. | string | "terraform-created" | no |
| network_name | Prefix to be used with all the resources as an identifier | string | n/a | yes |
| ntp_servers | NTP servers for subnets. Only IP addresses can be used | list(string) | [] | no |
| private_subnets | Private subnet preferences: for VMs without public IPs, with or without a NAT gateway. For a Multi-Folder VPC add folder_id to the subnet object (example below) | list(object({…})) | [] | no |
| public_subnets | Public subnet preferences: for VMs with public IPs. For a Multi-Folder VPC add folder_id to the subnet objects (example below) | list(object({…})) | [] | no |
| routes_private_subnets | Route preferences for private subnets | list(object({…})) | null | no |
| routes_public_subnets | Route preferences for public subnets | list(object({…})) | null | no |
| s3_private_endpoint | Configuration for creating a private endpoint for Yandex Object Storage. When enabled, creates a secure connection to Object Storage that does not traverse the public internet. Specify a subnet CIDR block and an IP address for the endpoint taken from one of the private subnets' CIDR blocks. At least one private subnet must be defined when s3_private_endpoint is enabled. | object({…}) | {} | no |
| vpc_id | Existing network ID (vpc_id) where resources will be created; required when create_vpc is false | string | null | no |

Example for private_subnets:

```hcl
private_subnets = [
  {
    v4_cidr_blocks = ["10.221.0.0/16"]
    zone           = "ru-central1-a"
    description    = "Custom private-subnet description"
    name           = "Custom private-subnet name"
  },
  {
    v4_cidr_blocks = ["10.231.0.0/16"]
    zone           = "ru-central1-b"
    folder_id      = "xxxxxxx" # For Multi-Folder VPC
  },
]
```

Example for public_subnets:

```hcl
public_subnets = [
  {
    v4_cidr_blocks = ["10.121.0.0/16", "10.122.0.0/16"]
    zone           = "ru-central1-a"
    description    = "Custom public-subnet description"
    name           = "Custom public-subnet name"
  },
  {
    v4_cidr_blocks = ["10.131.0.0/16"]
    zone           = "ru-central1-b"
    folder_id      = "xxxxxxx" # For Multi-Folder VPC
  },
]
```
Outputs:

| Name | Description |
|---|---|
| private_subnets | Map of private subnets: key = first v4_cidr_block |
| private_v4_cidr_blocks | List of v4_cidr_blocks of the private subnets in the VPC network |
| public_subnets | Map of public subnets: key = first v4_cidr_block |
| public_v4_cidr_blocks | List of v4_cidr_blocks of the public subnets in the VPC network |
| s3_private_endpoint_id | S3 Private Endpoint ID |
| s3_private_endpoint_ip | S3 Private Endpoint IP address |
| vpc_id | ID of the created network for internal communications |
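The following root configuration is an added example, not code from this module or its README. It ties together the authentication step (the provider reads the exported YC_TOKEN, YC_CLOUD_ID and YC_FOLDER_ID, so no credentials are written to disk), the public/private subnet inputs, the Multi-Folder VPC option, and the outputs, and it follows the "Custom Security Groups" and "Restrict Access" practices by attaching a workload security group that only admits traffic from the module's private CIDR blocks. Assumptions, marked in comments: the module source path `./modules/vpc`, the caller-defined variable `app_folder_id`, and the CIDR ranges. The `s3_private_endpoint` object is left at its default because the README does not list its attribute names.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = ">= 0.101.0"
    }
  }
}

# Credentials come from the environment (YC_TOKEN, YC_CLOUD_ID, YC_FOLDER_ID)
# exported with the yc CLI; nothing is hard-coded in the configuration.
provider "yandex" {}

# Assumption: folder that owns the second private subnet (Multi-Folder VPC).
variable "app_folder_id" {
  description = "Folder ID for the application tier subnet"
  type        = string
}

module "vpc" {
  source = "./modules/vpc" # assumption: local copy of this module

  network_name        = "prod"
  network_description = "Production network managed by Terraform"
  labels              = { env = "prod", owner = "platform" }

  # Private VMs get outbound internet via the NAT gateway, not public IPs.
  create_nat_gw = true
  create_sg     = true

  # Public subnet: only for resources that genuinely need a public IP.
  public_subnets = [
    {
      v4_cidr_blocks = ["10.121.0.0/24"] # assumption: example range
      zone           = "ru-central1-a"
      name           = "public-a"
      description    = "Public subnet, bastion and load balancers"
    },
  ]

  # Private subnets: application and data tiers. The second one is placed
  # in another folder, which is the Multi-Folder VPC case from the README.
  private_subnets = [
    {
      v4_cidr_blocks = ["10.221.0.0/24"] # assumption: example range
      zone           = "ru-central1-a"
      name           = "private-a"
    },
    {
      v4_cidr_blocks = ["10.231.0.0/24"] # assumption: example range
      zone           = "ru-central1-b"
      name           = "private-b"
      folder_id      = var.app_folder_id
    },
  ]
}

# Workload-specific security group instead of widening the default one.
# Ingress is limited to the private subnets the module just created, so a
# change to the subnet list automatically updates the allowed sources.
resource "yandex_vpc_security_group" "app" {
  name       = "prod-app-sg"
  network_id = module.vpc.vpc_id

  ingress {
    description    = "HTTPS from private subnets only"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = module.vpc.private_v4_cidr_blocks
  }

  egress {
    description    = "Outbound through the NAT gateway"
    protocol       = "ANY"
    from_port      = 0
    to_port        = 65535
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}

output "private_cidrs" {
  description = "CIDR blocks that may reach the application tier"
  value       = module.vpc.private_v4_cidr_blocks
}
```

Run `terraform init` and `terraform plan` after exporting the three variables; if the plan shows the security group ingress referencing a public CIDR, the subnet lists above were mixed up. Because the ingress rule is derived from `module.vpc.private_v4_cidr_blocks`, adding a public subnet never widens the application's allowed sources.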