Yandex Application Load Balancer

Creating an L7 load balancer with DDoS protection using Terraform

September 22, 2024

To create an L7 load balancer with DDoS protection using Terraform:

  1. Prepare your cloud.
  2. Create an infrastructure.
  3. Test the load balancer.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.



The infrastructure support cost for a DDoS-protected load balancer includes:

Create an infrastructure

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform is distributed under the Business Source License.



If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

To create an infrastructure using Terraform:

  1. Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).

  2. Prepare a file with the infrastructure description:

    Option 1. Clone the repository with the ready-made configuration files:

      git clone https://github.com/yandex-cloud-examples/yc-alb-ddos-protection.git

      Go to the directory with the repository and make sure it contains the following files:

      • alb-with-ddos-protection.tf: New infrastructure configuration.
      • alb-with-ddos-protection.auto.tfvars: User data.

    Option 2. Create the files manually:

    1. Create a folder for the file with the infrastructure description.

    2. In the folder, create a configuration file named alb-with-ddos-protection.tf:

alb-with-ddos-protection.tf

variable "folder_id" {
  type = string
}

variable "vm_user" {
  type = string
}

variable "ssh_key_path" {
  type = string
}

locals {
  network_name     = "ddos-network"
  subnet_name1     = "subnet-1"
  subnet_name2     = "subnet-2"
  sa_name          = "ig-sa"
  sg_balancer_name = "ddos-sg-balancer"
  sg_vm_name       = "ddos-sg-vms"
  vm_name          = "ddos-group"
  tg_name          = "tg-ddos"
  address_name     = "ddos-addr"
  abg_name         = "ddos-backend-group"
  backend_name     = "backend-1"
  router_name      = "ddos-router"
  vh_name          = "ddos-host"
  authority_domain = ["alb-with-ddos.com"]
  route_name       = "route-1"
  alb_name         = "ddos-protect-alb"
  listener_name    = "ddos-listener"
}

terraform {
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = ">= 0.47.0"
    }
  }
}

provider "yandex" {
  folder_id = var.folder_id
}

resource "yandex_iam_service_account" "ig-sa" {
  name = local.sa_name
}

# Folder-wide editor is broader than the instance group needs; once the setup
# works, narrow this binding to the minimum roles required to manage the VMs.
resource "yandex_resourcemanager_folder_iam_member" "editor" {
  folder_id = var.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.ig-sa.id}"
}

resource "yandex_vpc_network" "ddos-network" {
  name = local.network_name
}

resource "yandex_vpc_subnet" "subnet-1" {
  name           = local.subnet_name1
  zone           = "ru-central1-a"
  network_id     = yandex_vpc_network.ddos-network.id
  v4_cidr_blocks = ["192.168.1.0/24"]
}

resource "yandex_vpc_subnet" "subnet-2" {
  name           = local.subnet_name2
  zone           = "ru-central1-b"
  network_id     = yandex_vpc_network.ddos-network.id
  v4_cidr_blocks = ["192.168.2.0/24"]
}

resource "yandex_vpc_security_group" "ddos-sg-balancer" {
  name       = local.sg_balancer_name
  network_id = yandex_vpc_network.ddos-network.id

  egress {
    protocol       = "ANY"
    description    = "any"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-http"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 80
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-https"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 443
  }

  ingress {
    protocol          = "TCP"
    description       = "healthchecks"
    predefined_target = "loadbalancer_healthchecks"
    port              = 30080
  }
}

resource "yandex_vpc_security_group" "ddos-sg-vms" {
  name       = local.sg_vm_name
  network_id = yandex_vpc_network.ddos-network.id

  ingress {
    protocol          = "TCP"
    description       = "balancer"
    security_group_id = yandex_vpc_security_group.ddos-sg-balancer.id
    port              = 80
  }

  ingress {
    protocol       = "TCP"
    description    = "ssh"
    # Open to the world for the tutorial only; in production restrict this to
    # your administrative address range or drop the rule and use a bastion host.
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 22
  }
}

resource "yandex_compute_image" "lemp" {
  source_family = "lemp"
}

resource "yandex_compute_instance_group" "ddos-group" {
  name               = local.vm_name
  folder_id          = var.folder_id
  service_account_id = yandex_iam_service_account.ig-sa.id
  instance_template {
    platform_id        = "standard-v2"
    service_account_id = yandex_iam_service_account.ig-sa.id
    resources {
      core_fraction = 5
      memory        = 1
      cores         = 2
    }

    boot_disk {
      mode = "READ_WRITE"
      initialize_params {
        image_id = yandex_compute_image.lemp.id
        type     = "network-hdd"
        size     = 3
      }
    }

    network_interface {
      network_id         = yandex_vpc_network.ddos-network.id
      subnet_ids         = [yandex_vpc_subnet.subnet-1.id,yandex_vpc_subnet.subnet-2.id]
      nat                = true
      security_group_ids = [yandex_vpc_security_group.ddos-sg-vms.id]
    }

    metadata = {
      user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
    }
  }

  scale_policy {
    fixed_scale {
      size = 2
    }
  }

  allocation_policy {
    zones = ["ru-central1-a", "ru-central1-b"]
  }

  deploy_policy {
    max_unavailable = 1
    max_expansion   = 0
  }

  application_load_balancer {
    target_group_name = local.tg_name
  }
}

resource "yandex_vpc_address" "ddos-addr" {
  name = local.address_name

  external_ipv4_address {
    zone_id                  = "ru-central1-a"
    ddos_protection_provider = "qrator"
  }
}

resource "yandex_alb_backend_group" "ddos-backend-group" {
  name = local.abg_name

  http_backend {
    name             = local.backend_name
    port             = 80
    target_group_ids = [yandex_compute_instance_group.ddos-group.application_load_balancer.0.target_group_id]
    healthcheck {
      timeout          = "10s"
      interval         = "2s"
      healthcheck_port = 80
      http_healthcheck {
        path = "/"
      }
    }
  }
}

resource "yandex_alb_http_router" "ddos-router" {
  name   = local.router_name
}

resource "yandex_alb_virtual_host" "ddos-host" {
  name           = local.vh_name
  http_router_id = yandex_alb_http_router.ddos-router.id
  authority      = local.authority_domain
  route {
    name = local.route_name
    http_route {
      http_route_action {
        backend_group_id = yandex_alb_backend_group.ddos-backend-group.id
      }
    }
  }
}

resource "yandex_alb_load_balancer" "ddos-protect-alb" {
  name               = local.alb_name
  network_id         = yandex_vpc_network.ddos-network.id
  security_group_ids = [yandex_vpc_security_group.ddos-sg-balancer.id]

  allocation_policy {
    location {
      zone_id   = "ru-central1-a"
      subnet_id = yandex_vpc_subnet.subnet-1.id
    }

    location {
      zone_id   = "ru-central1-b"
      subnet_id = yandex_vpc_subnet.subnet-2.id
    }
  }

  listener {
    name = local.listener_name
    endpoint {
      address {
        external_ipv4_address {
          address = yandex_vpc_address.ddos-addr.external_ipv4_address[0].address
        }
      }
      ports = [ 80 ]
    }
    http {
      handler {
        http_router_id = yandex_alb_http_router.ddos-router.id
      }
    }
  }
}

    3. In the folder, create a user data file named alb-with-ddos-protection.auto.tfvars:

alb-with-ddos-protection.auto.tfvars

folder_id    = "<folder_ID>"
vm_user      = "<VM_username>"
ssh_key_path = "<path_to_public_SSH_key>"

    For more information about the parameters of the resources used in Terraform, see the provider documentation.

  3. In the alb-with-ddos-protection.auto.tfvars file, set the following user-defined parameters:

    • folder_id: Folder ID.
    • vm_user: VM username.
    • ssh_key_path: Path to the file with a public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair.

  4. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.
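Between terraform plan and terraform apply it is worth checking the plan for the points a security reviewer would raise about this configuration: the VM security group admits SSH from 0.0.0.0/0, the instance-group service account holds the folder-wide editor role, and the DDoS-protected address is the one thing that must not be dropped by accident. The script below is an added example, not part of this tutorial or of the yc-alb-ddos-protection repository. It reads the JSON form of a plan (`terraform plan -out tfplan && terraform show -json tfplan > plan.json`) and reports those three conditions. The embedded sample plan is constructed by hand to mirror alb-with-ddos-protection.tf; its resource IDs are placeholders, and the attribute names follow the Yandex provider schema as used in that file.

```python
"""Static audit of a Terraform plan for the ALB deployment on this page.

Usage:
    terraform plan -out tfplan && terraform show -json tfplan > plan.json
    python audit_plan.py plan.json
With no argument the constructed sample plan below is audited instead.
"""
import json
import sys

ANY_V4 = "0.0.0.0/0"
PUBLIC_WEB_PORTS = {80, 443}        # the only ports the balancer should expose to everyone
BROAD_ROLES = {"editor", "admin"}   # folder-wide roles a VM service account should not hold

# Constructed sample shaped like `terraform show -json` output for the page's
# configuration (planned_values.root_module.resources[].values). Only the
# attributes the checks look at are included; IDs are placeholders.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "yandex_resourcemanager_folder_iam_member.editor",
     "type": "yandex_resourcemanager_folder_iam_member",
     "values": {"role": "editor", "member": "serviceAccount:<ig-sa-id>"}},
    {"address": "yandex_vpc_security_group.ddos-sg-balancer",
     "type": "yandex_vpc_security_group",
     "values": {"ingress": [
         {"protocol": "TCP", "port": 80, "v4_cidr_blocks": [ANY_V4]},
         {"protocol": "TCP", "port": 443, "v4_cidr_blocks": [ANY_V4]},
         {"protocol": "TCP", "port": 30080, "v4_cidr_blocks": [],
          "predefined_target": "loadbalancer_healthchecks"}]}},
    {"address": "yandex_vpc_security_group.ddos-sg-vms",
     "type": "yandex_vpc_security_group",
     "values": {"ingress": [
         {"protocol": "TCP", "port": 80, "v4_cidr_blocks": [],
          "security_group_id": "<ddos-sg-balancer-id>"},
         {"protocol": "TCP", "port": 22, "v4_cidr_blocks": [ANY_V4]}]}},
    {"address": "yandex_vpc_address.ddos-addr", "type": "yandex_vpc_address",
     "values": {"external_ipv4_address": [
         {"zone_id": "ru-central1-a", "ddos_protection_provider": "qrator"}]}},
]}}})


def iter_resources(module):
    """Yield every resource in a planned_values module tree, child modules included."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def rule_port_range(rule):
    """(low, high) for a security-group rule. Yandex rules carry either `port` or
    `from_port`/`to_port`; -1 or absence means unset, and no port means all ports."""
    port = rule.get("port", -1)
    if port is not None and port >= 0:
        return port, port
    low, high = rule.get("from_port", -1), rule.get("to_port", -1)
    if low is not None and high is not None and low >= 0 and high >= 0:
        return low, high
    return 0, 65535


def world_open_admin_ports(sg):
    """Ingress rules reachable from 0.0.0.0/0 that are anything other than a single HTTP/HTTPS port."""
    for rule in sg.get("values", {}).get("ingress", []):
        if ANY_V4 not in (rule.get("v4_cidr_blocks") or []):
            continue
        low, high = rule_port_range(rule)
        if low == high and low in PUBLIC_WEB_PORTS:
            continue
        yield low, high, rule.get("protocol", "ANY")


def audit_plan(plan):
    """Return a list of (code, resource_address, detail) findings for a parsed plan."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        addr, rtype, values = res.get("address"), res.get("type"), res.get("values", {})
        if rtype == "yandex_vpc_security_group":
            for low, high, proto in world_open_admin_ports(res):
                span = str(low) if low == high else f"{low}-{high}"
                findings.append(("WORLD_OPEN_PORT", addr,
                                 f"{proto} {span} open to {ANY_V4}; restrict to an admin CIDR or drop the rule"))
        elif rtype == "yandex_vpc_address":
            for ext in values.get("external_ipv4_address", []):
                if not ext.get("ddos_protection_provider"):
                    findings.append(("NO_DDOS_PROTECTION", addr,
                                     "external address has no ddos_protection_provider"))
        elif rtype == "yandex_resourcemanager_folder_iam_member":
            if values.get("role") in BROAD_ROLES:
                findings.append(("BROAD_ROLE", addr,
                                 f"role {values['role']} granted folder-wide; narrow it to what the instance group needs"))
    return findings


def audit_json(text):
    return audit_plan(json.loads(text))


def audit_sample():
    return audit_json(SAMPLE_PLAN)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PLAN
    findings = audit_json(text)
    for code, addr, detail in findings:
        print(f"{code:18} {addr}: {detail}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the page's configuration the script reports the world-open SSH rule and the editor binding and stays silent about the balancer security group and the Qrator-protected address; a non-zero exit status makes it usable as a gate in a pipeline before terraform apply. The port helper accepts both the single `port` form used on this page and `from_port`/`to_port` ranges, so a rule such as 20-25 is flagged as well.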

After creating the infrastructure, test it.

Test the load balancer

Check that the service is available on the alb-with-ddos.com host. The virtual host matches requests by the authority alb-with-ddos.com, so when you address the balancer by IP you must set the Host header explicitly; a request without it does not match any route. Run the following command:

curl -H "Host: alb-with-ddos.com" http://<L7_load_balancer_IP_address>

Result:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
  body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
  }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

How to delete the resources you created

To stop paying for the resources you created:

  1. Open the alb-with-ddos-protection.tf configuration file and delete the description of the new infrastructure from it. Alternatively, run terraform destroy in the same folder and confirm with yes; this removes every resource in the state without editing the file.

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

