Skip to main content
Safe connection to the VM over SSH uses a key pair: you place the public key on the VM and store the private key on your device.

Set up the VM

To be able to connect to the VM, define specific information during the VM creation.

Generate a key pair

Generate an SSH key pair. You will need the contents of the public key and the path to your private key in later steps.

Configure the user data

User configuration helps to quickly create VMs with identical user data: it stores your username and the public key for the access to the VM. Create a configuration in the cloud-init format: 
export USER_DATA=$(jq -Rs '.' <<EOF
users:
  - name: $USER
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - $(cat ~/.ssh/id_ed25519.pub)
EOF
)
The configuration contains the following parameters:
  • name: Username for connecting to the VM. The above example sets the value of the machine’s USER environment variable as the username for the VM. Do not use the root or admin usernames. They are reserved for internal needs and are not allowed to connect to a VM by SSH.
  • sudo: Sudo policy. ALL=(ALL) NOPASSWD:ALL allows users unrestricted sudo access; False disables sudo access for users.
  • shell: Default shell.
  • ssh_authorized_keys: User’s authorized keys. Allows configuring SSH access to the VM. To create the key pair, follow the instructions in Generating SSH keys.
You can specify several users and their public SSH keys. For more information, see cloud-init configuration examples.

Configure the VM

When you create the VM, set the following parameters in the nebius compute instance create command:
  • --cloud-init-user-data: Pass the user data with your username and public key.
  • --network-interfaces: To enable public access to the VM, include "public_ip_address": {} in the network interface specification. Alternatively, to enable public access to the VM, set "public_ip_address": {"allocation_id": "<allocation_ID>"} with an allocation ID. This way the public IP address is preserved as an allocation object and you can reuse it for another VM after deleting this one.
  1. Get the default subnet’s ID: 
    export SUBNET_ID=$(nebius vpc subnet list \
  --format json \
  | jq -r ".items[0].metadata.id")
  2. Create an allocation by using the default subnet’s ID: 
    export ALLOCATION_ID=$(nebius vpc allocation create \
  --ipv4-public-subnet-id $SUBNET_ID \
  --name allocation-name \
  --format json \
  | jq -r ".metadata.id")
If an allocation with a public address has not been assigned to any resource for 30 days, Nebius AI Cloud can delete this allocation and release its address. If you want to preserve the address, assign its allocation to a Nebius AI Cloud resource.
Example: 
nebius compute instance create \
  --name inference-vm \
  --resources-platform <platform> \
  --resources-preset <preset> \
  --boot-disk-existing-disk-id <boot_disk_ID> \
  --boot-disk-attach-mode READ_WRITE \
  --cloud-init-user-data "$USER_DATA" \
  --network-interfaces '[{"name": "eth0", "subnet_id": "<subnet_ID>", "ip_address": {}, "public_ip_address": {"allocation_id": "<allocation_ID>"}}]'
For the full set of parameters and more examples, see How to create a virtual machine in Nebius AI Cloud.

Connect to the VM by using SSH

Requirements to connect to a private IP address or FQDNTo connect to a VM from another VM by using a private IP address or an FQDN, both VMs must be in the same network.
  1. Get your VM’s IP address and save it to an environment variable:
    To connect to the VM from the internet (if you have enabled public access to it), get its public IP address:
    export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name <VM_name> \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
  2. Connect to the VM: 
    ssh <username>@<public_IP_address>
    If your private key is stored in a custom location, specify the path to it with the -i parameter:
    ssh -i ~/.ssh/<private_key_file> <username>@<public_IP_address>

Shared access to the VM

To let the other users connect to your VM:
  1. Ask them to generate an SSH key pair and share the contents of their public key with you.
  2. Connect to the VM under the name used when creating the VM: 
    ssh <username>@<public_IP_address>
  3. Create a new user for VM access, named newuser in this example: 
    sudo useradd -m -d /home/newuser -s /bin/bash newuser
  4. Switch to the new user: 
    sudo su - newuser
  5. Create the ssh directory: 
    mkdir .ssh
  6. In the directory, create the authorized_keys file: 
    cd .ssh
touch authorized_keys
  7. Add the new user’s public key to the created file: 
    echo "<public_key>" > /home/newuser/.ssh/authorized_keys
  8. Change the directory’s access permissions: 
    chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  9. Exit the new user’s shell: 
    exit
  10. Restart the VM: 
    sudo reboot
  11. Ask the other user to check the connection: 
    ssh newuser@<public_api_address>

Example

Set of commands to connect to the VM named training-instance from the internet: 
export PUBLIC_IP_ADDRESS=$(nebius compute instance get-by-name \
  --name training-instance \
  --format json \
  | jq -r '.status.network_interfaces[0].public_ip_address.address | split("/")[0]')
ssh $USER@$PUBLIC_IP_ADDRESS