# Creating a VM from a public image


{% note info %}

To create, modify, and edit a [VM](../../concepts/vm.md), you need the `compute.editor` _minimum_ [role](../../security/index.md#compute-editor) for the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder). To create a VM with a licensed image, you will additionally need the `license-manager.viewer` [role](../../../marketplace/security/index.md#license-manager-viewer).

To create a VM with a [public IP address](../../../vpc/concepts/address.md#public-addresses), you will additionally need the `vpc.publicAdmin` [role](../../../vpc/security/index.md#vpc-public-admin).

{% endnote %}

To create a VM:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder to create your VM in.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/server.svg) **Virtual machines**.
  1. Click **Create virtual machine**.
  1. Under **Boot disk image**, select a public [image](../../concepts/image.md) with the software you want to use.
  1. Under **Location**, select an [availability zone](../../../overview/concepts/geo-scope.md) where your VM will reside.
  1. Optionally, configure the boot [disk](../../concepts/disk.md) under **Disks and file storages**:

      * Select the [disk type](../../concepts/disk.md#disks_types).
      * Specify the required disk size.

  1. Optionally, add a secondary [disk](../../concepts/disk.md):
     
     * Under **Disks and file storages**, click **Add**.
     * In the window that opens, select **Disk**. You can select an existing disk or create a new one, either empty or from a snapshot or image.
     
         For example, to create a new empty disk:
     
         * Select `Create new`.
         * In the **Contents** field, select `Empty`.
         * Enter a name for the disk.
         * Select the [disk type](../../concepts/disk.md#disks_types).
         * Specify the required disk and block size.
         * Optionally, enable **Additional** in the **Delete along with the virtual machine** field if you need this disk automatically deleted when deleting the VM.
         * Click **Add disk**.
  1. Optionally, connect a [file storage](../../concepts/filesystem.md):
     
     * Under **Disks and file storages**, click **Add**.
     
         * In the window that opens, select **File storage** and choose the storage you want to connect from the list.
     
         * Click **Add file storage**.
  1. Under **Computing resources**, select one of the preset configurations or create a custom one. To create a custom configuration:
     
     * Go to the **Custom** tab.
     * Select a [platform](../../concepts/vm-platforms.md).
     * Specify the [guaranteed performance](../../concepts/performance-levels.md) and required number of vCPUs, as well as RAM size.
     * Enable a [software-accelerated network](../../concepts/software-accelerated-network.md) if needed.
     * Make your VM [preemptible](../../concepts/preemptible-vm.md), if required.

      {% note info %}

      Each public image has specific minimum system requirements that a VM must meet. For example, a [GitLab](https://yandex.cloud/en/marketplace/products/yc/gitlab) image from Yandex Cloud Marketplace requires at least 4 virtual cores and 8 GB of RAM.

      {% endnote %}

  1. Under **Network settings**:
     
     * In the **Subnet** field, enter the ID of a subnet in the new VM’s availability zone. Alternatively, select a [cloud network](../../../vpc/concepts/network.md#network) from the list.
     
         * Each network must have at least one [subnet](../../../vpc/concepts/network.md#subnet). If your network has no subnets, create one by selecting **Create subnet**.
         * If there are no networks in the list, click **Create network** to create one:
     
             * In the window that opens, specify the network name and select the folder where it will be created.
             * Optionally, enable the **Create subnets** setting to automatically create subnets in all availability zones.
             * Click **Create network**.
     
     * In the **Public IP address** field, select the IP address assignment method:
     
         * `Auto`: To assign a random IP address from the Yandex Cloud IP address pool. In this case, you can enable [DDoS protection](../../../vpc/ddos-protection/index.md) using the option below.
         * `List`: To select a public IP address from the list of previously reserved static addresses. For more information, see [Converting a dynamic public IP address to static](../../../vpc/operations/set-static-ip.md).
         * `No address`: Do not assign a public IP address.
     
     * Select [relevant security groups](../../../vpc/concepts/security-groups.md):
     
         * To connect to a virtual machine over `SSH`, the security group must allow incoming network traffic over `TCP` and `UDP` on port `22`.
     
         * To connect to a virtual machine over `RDP`, the security group must allow incoming network traffic over `TCP` and `UDP` on port `3389`.
         
         If you leave the field empty, the virtual machine will be automatically assigned the [default security group](../../../vpc/concepts/security-groups.md#default-security-group) allowing connections to the VM over `SSH` and `RDP`.
     
     * Expand **Additional** and select a method for assigning internal addresses in the **Internal IPv4 address** field:
     
         * `Auto`: To assign a random IP address from the pool of IP addresses available in the selected subnet.
         * `Manual`: To manually assign a private IP address to the VM.
         * Enable **DDoS protection**, if required. The option is available if you previously selected the automatic IP assignment method in the public address settings.
     
     * Optionally, create records for your VM in the [DNS zone](../../../dns/concepts/dns-zone.md):
     
         * Expand **DNS settings for internal addresses** and click **Add record**.
         * Specify a zone, FQDN, and TTL for the record. When setting the FQDN, you can enable `Detect automatically` for the zone.
           You can add multiple records to [internal DNS zones](../../../dns/concepts/dns-zone.md). For more information, see [Cloud DNS integration with Compute Cloud](../../../dns/concepts/compute-integration.md).
         * To create another record, click **Add record**.
     
     If you want to add another [network interface](../../concepts/network.md) to your VM, click **Add network interface** and repeat the settings from this step for the new interface. You can add up to eight network interfaces to a single VM.
  1. Under **Access**:
     
     * Select **Access by OS Login** to [connect](../vm-connect/os-login.md) and manage access to the new VM using [OS Login](../../../organization/concepts/os-login.md) in Yandex Identity Hub.
     
         With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the [Yandex Cloud CLI](../../../cli/quickstart.md). OS Login enables rotating the SSH keys used to access VMs, providing the most [secure](../../../security/domains/iaas-checklist.md#vm-security) access option.
     
     * If you prefer not to use OS Login, select **SSH key** and specify the following VM access data:
     
         * In the **Login** field, enter the username.
     
             {% note alert %}
     
             Do not use `root` or other [OS-reserved usernames](https://github.com/canonical/subiquity/blob/main/reserved-usernames). To perform operations requiring root privileges, use the `sudo` command.
     
             {% endnote %}
     
         * In the **SSH key** field, select the SSH key saved in your [organization user](../../../organization/concepts/membership.md) profile.
           
           If there are no SSH keys in your profile or you want to add a new key:
           
           1. Click **Add key**.
           1. Enter a name for the SSH key.
           1. Select one of the following:
           
               * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
               * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
               * `Generate key`: Automatically create an SSH key pair.
               
                  When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>/.ssh` directory. You do not need to additionally enter the public key in the management console.
           
           1. Click **Add**.
           
           The system will add the SSH key to your organization user profile. If the organization has [disabled](../../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.
     
     If you want to add multiple users with SSH keys to the VM at the same time, [specify](../../concepts/metadata/sending-metadata.md) these users' data under **Metadata**. You can also use metadata to [install additional software](../vm-create/create-with-cloud-init-scripts.md) on a VM when creating it.
     
     In public Linux images provided by Yandex Cloud, SSH connections using a login and password are disabled by default.

      {% note info %}

      On VMs with OS Login access enabled, provide your custom SSH keys through [metadata](../../concepts/metadata/sending-metadata.md).

      {% endnote %}
  1. Optionally, enable the **Backup** option and, in the **Backup policies** field, select or create a [backup policy](../../../backup/concepts/policy.md) to back up your VMs automatically using [Cloud Backup](../../../backup/index.md).
     
     To create a new VM with a Cloud Backup connection, your account must have the `backup.user` [role](../../../backup/security/index.md#backup-user) or higher for the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) you are creating the VM in.
     
     {% note info %}
     
     If your account does not have the `backup.user` role or higher, you can connect the VM to Cloud Backup using a [service account](../../../iam/concepts/users/service-accounts.md) which has that role. 
     
     To do this, expand the **Additional** section and select the service account under **Service account**. If required, [create](../../../iam/operations/sa/create.md) a new service account and [assign](../../../iam/operations/sa/assign-role-for-sa.md) it the `backup.user` [role](../../../backup/security/index.md#backup-user).
     
     {% endnote %}
     
     {% note tip %}
     
     Installing a Cloud Backup agent is a resource-intensive operation. If you want to use a VM in the minimum possible configuration or, for example, a VM with a [vCPU performance level](../../concepts/performance-levels.md) below 100%, we recommend increasing the VM's resources during the Cloud Backup agent installation.
     
     {% endnote %}
     
     For more information, see [Connecting Compute Cloud VMs and Yandex BareMetal servers to Cloud Backup](../../../backup/concepts/vm-connection.md). 
  1. Under **General information**, enter a name for your VM:

      * Length: between 3 and 63 characters.
      * It can only contain lowercase Latin letters, numbers, and hyphens.
      * It must start with a letter and cannot end with a hyphen.

      {% note info %}
      
      The VM name is used to generate an [internal FQDN](../../concepts/network.md#hostname), which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
      
      {% endnote %}

  1. Under **Additional**:
     
     * Optionally, select or create a [service account](../../../iam/concepts/users/service-accounts.md). With a service account, you can flexibly configure access permissions for your resources.
     * Optionally, enable access to the [serial console](../../concepts/serial-console.md).
     * Optionally, to configure delivering [Linux metrics](../../../monitoring/operations/unified-agent/linux_metrics.md) and any additional metrics from your apps, enable **Monitoring** under **Agent for delivering metrics** and select:
       * **Yandex Monitoring**: [Install an agent](../../../monitoring/concepts/data-collection/unified-agent/index.md) to collect additional metrics from VM instances and apps.
       * **Yandex Managed Service for Prometheus®**: [Install and configure an agent](../../../monitoring/operations/prometheus/ingestion/prometheus-agent.md) to collect additional metrics from VM instances and apps in Prometheus format:
          * Select or create a workspace to store your metrics.
          * Optionally, describe the [delivery parameters](../../../monitoring/operations/prometheus/ingestion/prometheus-agent.md) for your custom metrics, in JSON format.
     * Optionally, under **Placement**, select a VM [placement group](../../concepts/placement-groups.md).
  1. Click **Create VM**.

  It takes a few minutes to create a VM. When the VM status changes to `RUNNING`, proceed to [configure the software](setup.md). To monitor VM statuses, check the list of VMs in the folder.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command to create a VM:

     ```bash
     yc compute instance create --help
     ```

  1. Prepare a [key pair](../vm-connect/ssh.md#creating-ssh-keys) (public and private keys) for SSH access to the VM.
  1. Select one of the Yandex Cloud Marketplace public [images](get-list.md).

     You can also view image IDs in the [management console](https://console.yandex.cloud) when creating a VM or in [Cloud Marketplace](https://yandex.cloud/en/marketplace) on the image page under **Product IDs**.

     To get a list of available images using the CLI, run this command:
     
     ```bash
     yc compute image list --folder-id standard-images
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------------------+--------------------------+----------------------+--------+
     |          ID          |                NAME                 |          FAMILY          |     PRODUCT IDS      | STATUS |
     +----------------------+-------------------------------------+--------------------------+----------------------+--------+
     ...
     | fdvk34al8k5n******** | centos-7-1549279494                 | centos-7                 | dqni65lfhvv2******** | READY  |
     | fdv7ooobjfl3******** | windows-2016-gvlk-1548913814        | windows-2016-gvlk        | dqnnc72gj2is******** | READY  |
     | fdv4f5kv5cvf******** | ubuntu-1604-lts-1549457823          | ubuntu-1604-lts          | dqnnb6dc7640******** | READY  |
     ...
     +----------------------+-------------------------------------+--------------------------+----------------------+--------+
     ```
     
     Where:
     
     * `ID`: Image ID.
     * `NAME`: Image name.
     * `FAMILY`: ID of the [image family](../../concepts/image.md#family) the image belongs to.
     * `PRODUCT IDS`: IDs of Yandex Cloud Marketplace [products](../../../marketplace/concepts/product.md) associated with the image.
     * `STATUS`: Current status of the image. It may take one of the following values:
     
         * `STATUS_UNSPECIFIED`: Image status is not defined.
         * `CREATING`: Image is being created.
         * `READY`: Image is ready to use.
         * `ERROR`: You cannot use the image due to an issue.
         * `DELETING`: Image is being deleted.

  1. Select a [subnet](../../../vpc/concepts/network.md#subnet):

     ```bash
     yc vpc subnet list
     ```

     Result:

     ```text
     +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
     |          ID          |           NAME            |      NETWORK ID      | ROUTE TABLE ID |       ZONE        |      RANGE      |
     +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
     | b0c6n43f9lgh******** | default-ru-central1-a     | enpe3m3fa00u******** |                | ru-central1-a     | [10.130.0.0/24] |
     | e2l2da8a20b3******** | default-ru-central1-b     | enpe3m3fa00u******** |                | ru-central1-a     | [10.129.0.0/24] |
     | e9bnlm18l70a******** | default-ru-central1-d     | enpe3m3fa00u******** |                | ru-central1-a     | [10.128.0.0/24] |
     +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
     ```

  1. Create a VM in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder):

      ```bash
      yc compute instance create \
        --name first-instance \
        --zone ru-central1-a \
        --network-interface subnet-name=default-ru-central1-a,nat-ip-version=ipv4 \
        --create-boot-disk image-folder-id=standard-images,image-family=centos-7 \
        --ssh-key ~/.ssh/id_ed25519.pub
      ```

      Where:

      * `--name`: VM name. The naming requirements are as follows:

        * Length: between 3 and 63 characters.
        * It can only contain lowercase Latin letters, numbers, and hyphens.
        * It must start with a letter and cannot end with a hyphen.

        {% note info %}
        
        The VM name is used to generate an [internal FQDN](../../concepts/network.md#hostname), which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
        
        {% endnote %}

      * `--zone`: [Availability zone](../../../overview/concepts/geo-scope.md) matching the selected subnet.
      * `--network-interface`: VM [network interface](../../concepts/network.md) settings:
          * `subnet-name`: Name of the selected subnet.
          * `nat-ip-version=ipv4`: [Public IP address](../../../vpc/concepts/address.md#public-addresses). To create a VM without a public IP address, omit this parameter.

          If you want to add multiple [network interfaces](../../concepts/network.md) to your VM, specify the `--network-interface` parameter as many times as you need. You can add up to eight network interfaces to a single VM.

      * `--create-boot-disk`: VM boot disk settings:
          * `image-family`: [Image family](../../concepts/image.md#family), e.g., `centos-7`. This option allows you to install the latest version of the OS from the specified family.

      * `--ssh-key`: Path to the file with the [public SSH key](../vm-connect/ssh.md#creating-ssh-keys). The VM will automatically create a user named `yc-user` for this key.

          When creating a VM from a [Yandex Cloud Marketplace](https://yandex.cloud/en/marketplace) public image, make sure to provide an SSH key, as SSH access with a username and password is disabled by default for such images.

          If you want to add multiple users with SSH keys to your VM at the same time, [specify](../../concepts/metadata/sending-metadata.md) these users' data in the `--metadata-from-file` parameter.

  All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/quickstart.md) command:
  
  ```bash
  yc compute instance list
  ```

  When a VM is created, it is assigned an IP address and hostname (FQDN). This data can be used for SSH access.
  
  You can make a public IP address static. For more information, see [Making a VM public IP address static](../vm-control/vm-set-static-ip.md).

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  1. In the configuration file, describe the resources you want to create:

     ```hcl

     resource "yandex_compute_disk" "boot-disk" {
       name     = "<disk_name>"
       type     = "<disk_type>"
       zone     = "<availability_zone>"
       size     = "<disk_size>"
       image_id = "<image_ID>"
     }

     resource "yandex_compute_instance" "linux-vm" {
       name        = "linux-vm"
       platform_id = "standard-v3"
       zone        = "<availability_zone>"

       resources {
         cores  = "<number_of_vCPUs>"
         memory = "<RAM_in_GB>"
       }

       boot_disk {
         disk_id = yandex_compute_disk.boot-disk.id
       }

       network_interface {
         subnet_id = yandex_vpc_subnet.subnet-1.id
         nat       = true
       }

       metadata = {
         user-data = "#cloud-config\nusers:\n  - name: <username>\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - ${file("<path_to_public_SSH_key>")}"
       }
     }

     resource "yandex_vpc_network" "network-1" {
       name = "network1"
     }

     resource "yandex_vpc_subnet" "subnet-1" {
       name           = "subnet1"
       zone           = "<availability_zone>"
       v4_cidr_blocks = ["192.168.10.0/24"]
       network_id     = yandex_vpc_network.network-1.id
     }
     ```

     Where:

     * `yandex_compute_disk`: Boot [disk](../../concepts/disk.md) description:
       * `name`: Disk name.
       * `type`: Disk type.
       * `zone`: [Availability zone](../../../overview/concepts/geo-scope.md) the disk will reside in.
       * `size`: Disk size, in GB.
       * `image_id`: ID of the image to create the VM from. You can get the image ID from the [list of public images](get-list.md).

         You can also view image IDs in the [management console](https://console.yandex.cloud) when creating a VM or in [Cloud Marketplace](https://yandex.cloud/en/marketplace) on the image page under **Product IDs**.

     * `yandex_compute_instance`: VM description:
       * `name`: VM name.
       * `platform_id`: [Platform](../../concepts/vm-platforms.md).
       * `zone`: Availability zone the VM will reside in.
       * `resources`: Number of vCPUs and amount of RAM available to the VM. The values must match the selected [platform](../../concepts/vm-platforms.md).
       * `boot_disk`: Boot disk settings. Specify the disk ID.
       * `network_interface`: VM [network interface](../../concepts/network.md) settings. Specify the ID of the selected [subnet](../../../vpc/concepts/network.md#subnet). To automatically assign a [public IP address](../../../vpc/concepts/address.md#public-addresses) to the VM, set `nat = true`.

           If you want to add multiple [network interfaces](../../concepts/network.md) to your VM, specify the `network_interface` section as many times as you need.

       * `metadata`: In the metadata, provide the username and [public key for SSH access](../vm-connect/ssh.md#creating-ssh-keys) to the VM. For more information, see [VM metadata](../../concepts/vm-metadata.md).

           If you want to add multiple users with SSH keys to the VM at the same time, [specify](../../concepts/metadata/sending-metadata.md) these users' data in a file and provide it under `metadata`.
     * `yandex_vpc_network`: Cloud network description.
     * `yandex_vpc_subnet`: Description of the subnet to connect your VM to.

     {% note info %}

     If you already have suitable resources, such as a cloud network and subnet, you do not need to redefine them. Specify their names and IDs in the appropriate parameters.

     {% endnote %}

     For more information about the resources you can create with Terraform, see [this provider guide](../../../terraform/resources/compute_instance.md).
  1. Make sure the configuration files are correct.
     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```bash
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.
  1. Deploy the cloud resources.
     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. Confirm creating the resources by typing `yes` and pressing **Enter**.

     All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/quickstart.md) command:
     
     ```bash
     yc compute instance list
     ```

  When a VM is created, it is assigned an IP address and hostname (FQDN). This data can be used for SSH access.
  
  You can make a public IP address static. For more information, see [Making a VM public IP address static](../vm-control/vm-set-static-ip.md).

{% endlist %}
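
The VM naming rules, the warning about reserved usernames, and the requirement to pass a public SSH key can all be checked locally before running `yc compute instance create`. The shell functions below are an added example, not part of the original guide or of the Yandex Cloud CLI; the function names and the short reserved-name list are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the values passed to `yc compute instance create`.
# Added example: function names are hypothetical, not part of the yc CLI.

# Use the C locale so that [a-z] matches only lowercase Latin letters.
LC_ALL=C; export LC_ALL

# Sample subset of reserved logins, constructed for this example.
# The authoritative list is the reserved-usernames file linked from the guide.
RESERVED_LOGINS="root daemon bin sys"

# VM name: 3 to 63 characters, lowercase Latin letters, digits and hyphens,
# starts with a letter, does not end with a hyphen.
valid_vm_name() {
  name=$1
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  case $name in
    *[!a-z0-9-]*) return 1 ;;  # character outside the allowed set
    [!a-z]*)      return 1 ;;  # does not start with a letter
    *-)           return 1 ;;  # ends with a hyphen
  esac
  return 0
}

# Login: non-empty and not one of the reserved names.
valid_login() {
  [ -n "$1" ] || return 1
  for r in $RESERVED_LOGINS; do
    if [ "$1" = "$r" ]; then return 1; fi
  done
  return 0
}

# Key file: readable, contains no private key material, and its first line
# starts with a common OpenSSH public key type followed by key data.
is_public_key_file() {
  [ -f "$1" ] && [ -r "$1" ] || return 1
  if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
  first=
  IFS= read -r first < "$1" || [ -n "$first" ] || return 1
  case $first in
    ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-nistp[0-9]*\ ?*) return 0 ;;
  esac
  return 1
}

# Run all three checks; print every failure and return non-zero if any failed.
preflight() {
  rc=0
  valid_vm_name "$1" || { echo "VM name '$1' breaks the naming rules" >&2; rc=1; }
  valid_login "$2" || { echo "login '$2' is reserved or empty" >&2; rc=1; }
  is_public_key_file "$3" || { echo "'$3' is not a readable public key file" >&2; rc=1; }
  return "$rc"
}

# Usage: sh preflight.sh <vm_name> <login> <path_to_public_key>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The key-file check catches the common mistake of pointing `--ssh-key` at the private half of the pair (for example `~/.ssh/id_ed25519` instead of `~/.ssh/id_ed25519.pub`).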