Integrating an L7 load balancer with Cloud CDN and Object Storage
- Supported tools
- Prepare your cloud
- Add a certificate to Certificate Manager
- Create a cloud network and subnets
- Create a bucket in Object Storage
- Upload the file of your service to the bucket
- Create a security group
- Create Application Load Balancer backend groups
- Create an HTTP router and a virtual host
- Create an L7 load balancer
- Create a CDN resource
- Configure DNS for the service
- Run a health check for the service
- How to delete the resources you created
In this tutorial, a Yandex Object Storage bucket is used as the backend of a Yandex Application Load Balancer L7 load balancer. User requests reach the load balancer through the Yandex Cloud CDN content delivery network, which reduces content delivery time.
We will use the cdn.yandexcloud.example domain name as an example.
To perform the steps, you can use various supported tools.
To build architecture for integrating an L7 load balancer with CDN and Object Storage:
- Prepare your cloud.
- Add a certificate to Certificate Manager.
- Create a cloud network and subnets.
- Create a bucket in Object Storage.
- Upload the file of your service to the bucket.
- Create a security group.
- Create Application Load Balancer backend groups.
- Create an HTTP router and a virtual host.
- Create an L7 load balancer.
- Create a CDN resource.
- Configure DNS for the service.
- Run a health check for the service.
If you no longer need the resources you created, delete them.
Supported tools
You can complete most of the steps in the tutorial in any standard tool, such as the management console, the CLI, Terraform, or the API.
Some steps do not support certain tools:
- Currently, you cannot use the CLI or Terraform to:
  - Create an Application Load Balancer backend group with buckets as backends.
  - Get the domain name of a CDN load balancer when configuring DNS for the service.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page. Learn more about clouds and folders.
We use a folder named example-folder as an example.
Required paid resources
The infrastructure support costs include:
- Fee for data storage in Object Storage, operations with data, and outgoing traffic (see Object Storage pricing).
- Fee for using computing resources of the L7 load balancer (see Application Load Balancer pricing).
- Fee for outgoing traffic from CDN servers (see Cloud CDN pricing).
- Fee for public DNS queries and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).
Add a certificate to Certificate Manager
Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
The certificate must be located in the same folder as your CDN resource.
For a Let's Encrypt® certificate, have your rights checked for the domain specified in the certificate.
Create a cloud network and subnets
All resources belong to the same cloud network.
Management console:
- In the management console, select example-folder.
- In the list of services, select Virtual Private Cloud.
- At the top right, click Create network.
- In the Name field, specify example-network.
- In the Advanced field, select Create subnets.
- Click Create network.
CLI:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Create a network named example-network:
    yc vpc network create example-network
  Result:
    id: enptrcle5q3d********
    folder_id: b1g9hv2loamq********
    created_at: "2022-04-04T05:25:03Z"
    name: example-network
    default_security_group_id: enpbsnnop4ak********
  For more information about the yc vpc network create command, see the CLI reference.
- Create subnets in all availability zones.
  - In ru-central1-a:
      yc vpc subnet create example-subnet-ru-central1-a \
        --zone ru-central1-a \
        --network-name example-network \
        --range 10.1.0.0/16
    Result:
      id: e9bnnssj8sc8********
      folder_id: b1g9hv2loamq********
      created_at: "2022-04-04T09:27:00Z"
      name: example-subnet-ru-central1-a
      network_id: enptrcle5q3d********
      zone_id: ru-central1-a
      v4_cidr_blocks:
      - 10.1.0.0/16
  - In ru-central1-b:
      yc vpc subnet create example-subnet-ru-central1-b \
        --zone ru-central1-b \
        --network-name example-network \
        --range 10.2.0.0/16
    Result:
      id: e2lghukd9iqo********
      folder_id: b1g9hv2loamq********
      created_at: "2022-04-04T09:27:39Z"
      name: example-subnet-ru-central1-b
      network_id: enptrcle5q3d********
      zone_id: ru-central1-b
      v4_cidr_blocks:
      - 10.2.0.0/16
  - In ru-central1-d:
      yc vpc subnet create example-subnet-ru-central1-d \
        --zone ru-central1-d \
        --network-name example-network \
        --range 10.3.0.0/16
    Result:
      id: b0c3pte4o2kn********
      folder_id: b1g9hv2loamq********
      created_at: "2022-04-04T09:28:08Z"
      name: example-subnet-ru-central1-d
      network_id: enptrcle5q3d********
      zone_id: ru-central1-d
      v4_cidr_blocks:
      - 10.3.0.0/16
  For more information about the yc vpc subnet create command, see the CLI reference.
Terraform:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, describe the parameters of example-network and its example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d subnets:
    resource "yandex_vpc_network" "example-network" {
      name = "example-network"
    }

    resource "yandex_vpc_subnet" "example-subnet-a" {
      name           = "example-subnet-ru-central1-a"
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.example-network.id
      v4_cidr_blocks = ["10.1.0.0/16"]
    }

    resource "yandex_vpc_subnet" "example-subnet-b" {
      name           = "example-subnet-ru-central1-b"
      zone           = "ru-central1-b"
      network_id     = yandex_vpc_network.example-network.id
      v4_cidr_blocks = ["10.2.0.0/16"]
    }

    resource "yandex_vpc_subnet" "example-subnet-d" {
      name           = "example-subnet-ru-central1-d"
      zone           = "ru-central1-d"
      network_id     = yandex_vpc_network.example-network.id
      v4_cidr_blocks = ["10.3.0.0/16"]
    }
  Learn more in the description of the yandex_vpc_network and yandex_vpc_subnet resources in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
API:
- Create a network named example-network using the NetworkService/Create gRPC API call or the create REST API method.
- Create the example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d subnets in three availability zones using the SubnetService/Create gRPC API call or the create REST API method.
Create a bucket in Object Storage
Management console:
- In the management console, select example-folder.
- In the list of services, select Object Storage.
- At the top right, click Create bucket.
- In the Name field, enter a name for the bucket.
- In the Object read access and Object listing access fields, select Public.
- Click Create bucket.
AWS CLI:
- Create a bucket:
    aws --endpoint-url https://storage.yandexcloud.net \
      s3 mb s3://<bucket_name>
  Result:
    make_bucket: s3://<bucket_name>
- Enable public access to reading objects and their list:
    aws --endpoint-url https://storage.yandexcloud.net \
      s3api put-bucket-acl \
      --bucket <bucket_name> \
      --acl public-read
Terraform:
Note
Terraform uses a service account to interact with Object Storage. Assign the required role, e.g., storage.admin, to the service account for the folder where you are going to create resources.
- Describe the parameters for creating a service account and access key in the configuration file:
    ...
    // Creating a service account
    resource "yandex_iam_service_account" "sa" {
      name = "<service_account_name>"
    }

    // Assigning a role to the service account
    resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
      folder_id = "<folder_ID>"
      role      = "storage.admin"
      member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
    }

    // Creating a static access key
    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = yandex_iam_service_account.sa.id
      description        = "static access key for object storage"
    }
- Add bucket parameters to the configuration file:
    ...
    resource "yandex_storage_bucket" "<bucket_name>" {
      access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
      secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
      bucket     = "<bucket_name>"
      acl        = "public-read"
    }
  For more information about the yandex_storage_bucket resource, see the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
API:
Use the create REST API method.
Upload the file of your service to the bucket
- Create an index.html file. Example of the index.html file:
    <!DOCTYPE html>
    <html>
      <head>
        <title>My service</title>
      </head>
      <body>
        <p>The service is working</p>
      </body>
    </html>
- Upload the file to the bucket:
  Management console:
  - In the management console, select example-folder.
  - In the list of services, select Object Storage.
  - Select the bucket.
  - Click Upload and select the index.html file for uploading.
  AWS CLI:
  - Upload the index.html file to the bucket:
      aws --endpoint-url https://storage.yandexcloud.net \
        s3 cp v1/index.html s3://<bucket_name>/index.html
    Result:
      upload: v1/index.html to s3://<bucket_name>/index.html
  Terraform:
  - To the configuration file, add the parameters of the v1/index.html file uploaded to the bucket:
      ...
      resource "yandex_storage_object" "example-bucket-index" {
        bucket = "<bucket_name>"
        key    = "index.html"
        source = "v1/index.html"
      }
    For more information about the yandex_storage_object resource, see the Terraform provider documentation.
  - Make sure the configuration files are correct.
    - In the command line, go to the folder where you created the configuration file.
    - Run a check using this command:
        terraform plan
      If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
  - Deploy cloud resources.
    - If the configuration does not contain any errors, run this command:
        terraform apply
    - Confirm that you want to create the resources.
  API:
  Use the upload REST API method.
Create a security group
Security groups contain rules that allow the L7 load balancer to receive incoming traffic and send it to backend buckets.
To create security groups:
Management console:
- In the management console, select example-folder.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select Security groups.
- At the top right, click Create security group.
- In the Name field, specify example-sg.
- In the Network field, select example-network.
- Under Rules, create the following rules using the instructions below the table:
    Traffic direction | Description  | Port range | Protocol | Source / destination       | CIDR blocks
    Outgoing          | any          | All        | Any      | CIDR                       | 0.0.0.0/0
    Incoming          | ext-http     | 80         | TCP      | CIDR                       | 0.0.0.0/0
    Incoming          | ext-https    | 443        | TCP      | CIDR                       | 0.0.0.0/0
    Incoming          | healthchecks | 30080      | TCP      | Load balancer healthchecks | —
  - Go to the Egress or Ingress tab.
  - Click Add rule.
  - In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
  - In the Protocol field, specify the required protocol or leave Any.
  - In the Destination name or Source field, select the purpose of the rule:
    - CIDR: the rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
    - Load balancer healthchecks: a rule allowing a load balancer to health check VMs.
  - Click Save. Repeat the steps to create all the rules from the table.
- Click Save.
CLI:
Run the following command:
yc vpc security-group create example-sg \
--network-name example-network \
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks
Result:
id: enpd133ngcnr********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T10:26:16Z"
name: example-sg
network_id: enptrcle5q3d********
status: ACTIVE
rules:
- id: enpkgrpi2gsi********
direction: EGRESS
protocol_name: ANY
protocol_number: "-1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgssij0i16********
direction: INGRESS
ports:
from_port: "80"
to_port: "80"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enp0bft67j9l********
direction: INGRESS
ports:
from_port: "443"
to_port: "443"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpmorcimu65********
direction: INGRESS
ports:
from_port: "30080"
to_port: "30080"
protocol_name: TCP
protocol_number: "6"
predefined_target: loadbalancer_healthchecks
For more information about the yc vpc security-group create command, see the CLI reference.
Terraform:
- Add the example-sg security group parameters to the configuration file:
    resource "yandex_vpc_security_group" "example-sg" {
      name       = "example-sg"
      network_id = yandex_vpc_network.example-network.id

      egress {
        protocol       = "ANY"
        from_port      = 0
        to_port        = 65535
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 80
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 443
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol          = "TCP"
        port              = 30080
        predefined_target = "loadbalancer_healthchecks"
      }
    }
  For more information about resource parameters in Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
API:
Use the SecurityGroupService/Create gRPC API call or the create REST API method.
To add a rule for load balancer health checks, use the loadbalancer_healthchecks parameter in the SecurityGroupRuleSpec.target.predefined_target field for the gRPC API or the predefinedTarget field for the REST API.
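This security group is the only filter between the internet and the load balancer nodes, so it pays to verify it mechanically after every change rather than by eye. The following Python script is an added example, not part of this tutorial: it reads the JSON that yc vpc security-group get example-sg --format json prints (the tutorial's own result is embedded below as a constructed sample) and reports every ingress rule that goes beyond the three rules in the table, including the case where the health-check port is opened to a CIDR instead of the loadbalancer_healthchecks target.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample: the tutorial's `yc vpc security-group get example-sg` result
# as the same command prints it with `--format json` (IDs masked as in the docs).
EXAMPLE_SG_JSON = """
{
  "id": "enpd133ngcnr********",
  "name": "example-sg",
  "network_id": "enptrcle5q3d********",
  "status": "ACTIVE",
  "rules": [
    {"id": "enpkgrpi2gsi********", "direction": "EGRESS",
     "protocol_name": "ANY", "protocol_number": "-1",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"id": "enpgssij0i16********", "direction": "INGRESS",
     "ports": {"from_port": "80", "to_port": "80"},
     "protocol_name": "TCP", "protocol_number": "6",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"id": "enp0bft67j9l********", "direction": "INGRESS",
     "ports": {"from_port": "443", "to_port": "443"},
     "protocol_name": "TCP", "protocol_number": "6",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"id": "enpmorcimu65********", "direction": "INGRESS",
     "ports": {"from_port": "30080", "to_port": "30080"},
     "protocol_name": "TCP", "protocol_number": "6",
     "predefined_target": "loadbalancer_healthchecks"}
  ]
}
"""
EXAMPLE_SG = json.loads(EXAMPLE_SG_JSON)

# The inbound rules the tutorial's table calls for, and nothing else:
# (protocol, from_port, to_port, source), source being a CIDR or a predefined target.
Rule = Tuple[str, int, int, str]
EXPECTED_INGRESS: Set[Rule] = {
    ("TCP", 80, 80, "0.0.0.0/0"),
    ("TCP", 443, 443, "0.0.0.0/0"),
    ("TCP", 30080, 30080, "loadbalancer_healthchecks"),
}
HEALTHCHECK_PORT = 30080
HEALTHCHECK_TARGET = "loadbalancer_healthchecks"


def _port_range(rule: Dict) -> Tuple[int, int]:
    """yc prints ports as strings; a rule without 'ports' covers every port."""
    ports = rule.get("ports")
    if not ports:
        return (0, 65535)
    return (int(ports["from_port"]), int(ports["to_port"]))


def _sources(rule: Dict) -> List[str]:
    """All sources of one rule: IPv4/IPv6 CIDRs and, if set, the predefined target."""
    cidrs = rule.get("cidr_blocks", {})
    sources = list(cidrs.get("v4_cidr_blocks", [])) + list(cidrs.get("v6_cidr_blocks", []))
    if rule.get("predefined_target"):
        sources.append(rule["predefined_target"])
    return sources


def audit_security_group(sg: Dict) -> List[str]:
    """Return findings for the group; an empty list means it matches the tutorial exactly.

    Egress is not checked because the tutorial deliberately allows all outbound traffic.
    """
    findings: List[str] = []
    seen: Set[Rule] = set()
    for rule in sg.get("rules", []):
        if rule.get("direction") != "INGRESS":
            continue
        lo, hi = _port_range(rule)
        proto = rule.get("protocol_name", "ANY").upper()
        for src in _sources(rule):
            key: Rule = (proto, lo, hi, src)
            seen.add(key)
            if key in EXPECTED_INGRESS:
                continue
            if (lo, hi) == (HEALTHCHECK_PORT, HEALTHCHECK_PORT) and src != HEALTHCHECK_TARGET:
                # The health-check port should only be reachable from the balancer's
                # own health checker, never from a network range.
                findings.append(f"rule {rule.get('id')}: health-check port "
                                f"{HEALTHCHECK_PORT} exposed to {src}")
            else:
                findings.append(f"rule {rule.get('id')}: unexpected ingress "
                                f"{proto} {lo}-{hi} from {src}")
    for missing in sorted(EXPECTED_INGRESS - seen):
        findings.append(f"missing ingress rule: {missing}")
    return findings


if __name__ == "__main__":
    print(audit_security_group(EXAMPLE_SG) or "example-sg matches the tutorial's rule set")
```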
Create Application Load Balancer backend groups
Management console:
- In the management console, select example-folder.
- In the list of services, select Application Load Balancer.
- In the left-hand panel, select Backend groups.
- At the top right, click Create backend group.
- In the Name field, specify example-bg.
- In the Type field, select HTTP as the backend group type.
- Under Backends, click Add and set up the backend:
  - In the Name field, specify example-backend.
  - In the Weight field, enter 100.
  - In the Type field, select Bucket as the backend type.
  - In the Bucket field, select the previously created bucket.
- Click Create.
If you are going to complete the next steps in Terraform, copy the ID of the example-bg backend group from the
API:
Use the BackendGroupService/Create gRPC API call or the create REST API method.
Create an HTTP router and a virtual host
Management console:
- In the management console, select example-folder.
- In the list of services, select Application Load Balancer.
- In the left-hand panel, select HTTP routers.
- At the top right, click Create HTTP router.
- In the Name field, specify example-router.
- Create the example-vh virtual host:
  - Under Virtual hosts, click Add virtual host.
  - In the Name field, specify example-vh.
  - In the Authority field, specify cdn.yandexcloud.example.
  - Click Add route.
  - In the Name field, specify example-route.
  - In the Path field, select Starts with and specify the / path.
  - In the HTTP methods list, select GET.
  - In the Action field, keep Routing.
  - In the Backend group list, select example-bg.
- Leave all other settings unchanged and click Create.
CLI:
- Create the example-router HTTP router:
    yc alb http-router create example-router
  Result:
    id: ds7qd0vj01dj********
    name: example-router
    folder_id: b1g9hv2loamq********
    created_at: "2022-04-04T10:31:41.027649223Z"
  For more information about the yc alb http-router create command, see the CLI reference.
- Create the example-vh virtual host:
    yc alb virtual-host create example-vh \
      --http-router-name example-router \
      --authority cdn.yandexcloud.example
  Result:
    done (1s)
    name: example-vh
    authority:
    - cdn.yandexcloud.example
  For more information about the yc alb virtual-host create command, see the CLI reference.
- Create the example-route route in the example-vh virtual host:
    yc alb virtual-host append-http-route example-route \
      --http-router-name example-router \
      --virtual-host-name example-vh \
      --prefix-path-match "/" \
      --backend-group-name example-bg
  Result:
    done (1s)
    name: example-vh
    authority:
    - cdn.yandexcloud.example
    routes:
    - name: example-route
      http:
        match:
          path:
            prefix_match: /
        route:
          backend_group_id: ds7pbm5fj2v0********
  For more information about the yc alb virtual-host append-http-route command, see the CLI reference.
Terraform:
- Add parameters of the example-router HTTP router, its virtual hosts and routes, to the configuration file:
    ...
    resource "yandex_alb_http_router" "example-router" {
      name = "example-router"
    }

    resource "yandex_alb_virtual_host" "example-vh" {
      name           = "example-vh"
      http_router_id = yandex_alb_http_router.example-router.id
      authority      = "cdn.yandexcloud.example"

      route {
        name = "example-route"
        http_route {
          http_route_action {
            backend_group_id = "<ID_of_example-bg_backend_group>"
          }
        }
      }
    }
  Learn more in the description of the yandex_alb_http_router and yandex_alb_virtual_host resources in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
API:
- Create the example-router HTTP router using the gRPC API HttpRouterService/Create call or the create REST API method.
- Create the example-vh virtual host linked to the router and its route using the gRPC API VirtualHostService/Create call or the create REST API method.
Create an L7 load balancer
Management console:
- In the management console, select example-folder.
- In the list of services, select Application Load Balancer.
- At the top right, click Create L7 load balancer.
- In the Name field, specify example-balancer.
- Under Network settings:
  - In the Network field, select example-network.
  - In the Security groups field, select example-sg. If you leave this field blank, any incoming and outgoing traffic will be allowed for the load balancer.
- Under Allocation, select these three subnets for the load balancer nodes: example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d, and enable traffic to these subnets.
- Under Listeners, click Add listener and set up the listener:
  - In the Name field, specify example-listener.
  - Under Public IP address:
    - In the Port field, enter 80.
    - In the Type field, select Automatically.
- In the HTTP router field, select example-router.
- Click Create.
CLI:
- Get the IDs of subnets for example-network:
    yc vpc network list-subnets example-network
  Result:
    +----------------------+------------------------------+----------------------+----------------------+----------------+---------------+---------------+
    | ID                   | NAME                         | FOLDER ID            | NETWORK ID           | ROUTE TABLE ID | ZONE          | RANGE         |
    +----------------------+------------------------------+----------------------+----------------------+----------------+---------------+---------------+
    | e9bnnssj8sc8******** | example-subnet-ru-central1-d | b1g9hv2loamq******** | enptrcle5q3d******** |                | ru-central1-d | [10.1.0.0/16] |
    | e2lghukd9iqo******** | example-subnet-ru-central1-b | b1g9hv2loamq******** | enptrcle5q3d******** |                | ru-central1-b | [10.2.0.0/16] |
    | b0c3pte4o2kn******** | example-subnet-ru-central1-a | b1g9hv2loamq******** | enptrcle5q3d******** |                | ru-central1-a | [10.3.0.0/16] |
    +----------------------+------------------------------+----------------------+----------------------+----------------+---------------+---------------+
  For more information about the yc vpc network list-subnets command, see the CLI reference.
- Get the example-sg security group ID:
    yc vpc security-group get example-sg | grep "^id"
  Result:
    id: enpd133ngcnr********
  For more information about the yc vpc security-group get command, see the CLI reference.
- Create a load balancer named example-balancer:
    yc alb load-balancer create example-balancer \
      --network-name example-network \
      --security-group-id <example-sg_security_group_ID> \
      --location zone=ru-central1-a,subnet-id=<example-subnet-ru-central1-a_subnet_ID> \
      --location zone=ru-central1-b,subnet-id=<example-subnet-ru-central1-b_subnet_ID> \
      --location zone=ru-central1-d,subnet-id=<example-subnet-ru-central1-d_subnet_ID>
  Result:
    done (3m0s)
    id: ds77q7v39b4u********
    name: example-balancer
    folder_id: b1g9hv2loamq********
    status: ACTIVE
    region_id: ru-central1
    network_id: enptrcle5q3d********
    allocation_policy:
      locations:
      - zone_id: ru-central1-d
        subnet_id: b0c3pte4o2kn********
      - zone_id: ru-central1-b
        subnet_id: e2lghukd9iqo********
      - zone_id: ru-central1-a
        subnet_id: e9bnnssj8sc8********
    log_group_id: ckg23vr4dlks********
    security_group_ids:
    - enpd133ngcnr********
    created_at: "2022-04-04T10:55:49.134935148Z"
  For more information about the yc alb load-balancer create command, see the CLI reference.
- Add a listener to the load balancer:
    yc alb load-balancer add-listener \
      --name example-balancer \
      --listener-name example-listener \
      --external-ipv4-endpoint port=80 \
      --http-router-name example-router
  Result:
    done (43s)
    id: ds77q7v39b4u********
    name: example-balancer
    folder_id: b1g9hv2loamq********
    status: ACTIVE
    region_id: ru-central1
    network_id: enptrcle5q3d********
    listeners:
    - name: example-listener
      endpoints:
      - addresses:
        - external_ipv4_address:
            address: 84.252.133.149
        ports:
        - "80"
      http:
        handler:
          http_router_id: ds7qd0vj01dj********
    allocation_policy:
      locations:
      - zone_id: ru-central1-d
        subnet_id: b0c3pte4o2kn********
      - zone_id: ru-central1-b
        subnet_id: e2lghukd9iqo********
      - zone_id: ru-central1-a
        subnet_id: e9bnnssj8sc8********
    log_group_id: ckg23vr4dlks********
    security_group_ids:
    - enpd133ngcnr********
    created_at: "2022-04-04T10:55:49.134935148Z"
  For more information about the yc alb load-balancer add-listener command, see the CLI reference.
Terraform:
- Add the parameters of the example-balancer L7 load balancer to the configuration file:
    ...
    resource "yandex_alb_load_balancer" "example-balancer" {
      name               = "example-balancer"
      network_id         = yandex_vpc_network.example-network.id
      security_group_ids = [yandex_vpc_security_group.example-sg.id]

      allocation_policy {
        location {
          zone_id   = "ru-central1-a"
          subnet_id = yandex_vpc_subnet.example-subnet-a.id
        }
        location {
          zone_id   = "ru-central1-b"
          subnet_id = yandex_vpc_subnet.example-subnet-b.id
        }
        location {
          zone_id   = "ru-central1-d"
          subnet_id = yandex_vpc_subnet.example-subnet-d.id
        }
      }

      listener {
        name = "example-listener"
        endpoint {
          address {
            external_ipv4_address {
            }
          }
          ports = [80]
        }
        http {
          handler {
            http_router_id = yandex_alb_http_router.example-router.id
          }
        }
      }
    }
  For more information about the yandex_alb_load_balancer resource, see the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
API:
Use the LoadBalancerService/Create gRPC API call or the create REST API method.
Create a CDN resource
Management console:
- In the management console, select example-folder.
- In the list of services, select Cloud CDN.
- If the CDN provider is not activated yet, click Activate provider. A connection will be established automatically.
  If you do not see the Activate provider button and you can create resources and origin groups, it means that the provider is already activated. Proceed to the next step.
- Create a CDN resource:
  - At the top right, click Create resource.
  - Set the main parameters of the CDN resource:
    - Content query: From one origin.
    - Origin type: L7 load balancer.
    - L7 load balancer: example-balancer.
    - IP address: IP address assigned to the load balancer (the only one in the list).
    - Domain name: cdn.yandexcloud.example.
      Alert
      The cdn.yandexcloud.example domain name will become the primary one, and you will not be able to edit it after you create a CDN resource.
    - Under Additional:
      - In the Origin request protocol field, select HTTP.
      - In the Redirect clients field, select Don't use.
      - Select End-user access to content.
      - In the Certificate type field, specify Certificate from Certificate Manager and select a certificate for the cdn.yandexcloud.example domain name.
      - In the Host header field, select Match client.
  - Click Create.
- Enable a client redirect from HTTP to HTTPS:
  - Select the previously created resource.
  - Make sure the certificate status under Additional changes to Issued.
  - At the top right, click Edit.
  - Under Additional, select HTTP to HTTPS in the Redirect clients field.
  - Click Save.
CLI:
- If the CDN provider is not activated yet, run this command:
    yc cdn provider activate --folder-id <folder_ID> --type gcore
- Create the example-origin-group origin group by indicating the IP address of the load balancer:
    yc cdn origin-group create --name "example-origin-group" \
      --origin source=<load_balancer_IP_address>:80,enabled=true
  Result:
    id: "90748"
    folder_id: b1geoelk7fld********
    name: example-origin-group
    use_next: true
    origins:
    - id: "562449"
      origin_group_id: "90748"
      source: 51.250.10.216:80
      enabled: true
  For more information about the yc cdn origin-group create command, see the CLI reference.
- Copy the origin_group_id from the previous step and create a CDN resource by running the command:
    yc cdn resource create \
      --cname cdn.yandexcloud.example \
      --origin-group-id <origin_group_ID> \
      --origin-protocol http \
      --cert-manager-ssl-cert-id <certificate_ID> \
      --forward-host-header
  Result:
    id: bc843k2yinvq********
    folder_id: b1ge1elk72ld********
    cname: cdn.yandexcloud.example
    ...
    active: true
    ...
  For more information about the yc cdn resource create command, see the CLI reference.
- Enable a client redirect for the resource:
    yc cdn resource update <resource_ID> --redirect-http-to-https
Terraform:
- Add parameters of the CDN resources to the configuration file:
    ...
    resource "yandex_cdn_origin_group" "my_group" {
      name     = "example-origin-group"
      use_next = true
      origin {
        source = "<load_balancer_IP_address>:80"
        backup = false
      }
    }

    resource "yandex_cdn_resource" "my_resource" {
      cname           = "cdn.yandexcloud.example"
      active          = true
      origin_protocol = "http"
      origin_group_id = yandex_cdn_origin_group.my_group.id
      ssl_certificate {
        type                   = "certificate_manager"
        certificate_manager_id = "<certificate_ID>"
      }
      options {
        edge_cache_settings    = "345600"
        browser_cache_settings = "1800"
        ignore_cookie          = true
        ignore_query_params    = false
      }
    }
  For more information, see the descriptions of the yandex_cdn_origin_group and yandex_cdn_resource resources in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
    All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
- Enable a client redirect from HTTP to HTTPS for the resource. Add the following field at the beginning of the options section for the CDN resource:
    ...
    options {
      redirect_http_to_https = true
      ...
  - Run a check using this command:
      terraform plan
    If the configuration is described correctly, the terminal will display a list of updated resources and their parameters. If the configuration contains any errors, Terraform will point them out.
  - If there are no errors, run this command:
      terraform apply
  - Confirm the resource update: type yes in the terminal and press Enter.
  This enables a redirect for the resource.
API:
Use the ResourceService/Create gRPC API call or the create REST API method.
Configure DNS for the service
The cdn.yandexcloud.example domain name must be linked to the CDN resource using DNS records.
To configure DNS:
- Get the domain name of the CDN load balancer:
  Management console:
  - In the management console, select example-folder.
  - In the list of services, select Cloud CDN.
  - In the list of CDN resources, select the resource with the cdn.yandexcloud.example primary domain name.
  - From DNS settings, copy the domain name in cl-********.edgecdn.ru format.
- On the site of your DNS hosting provider, go to the DNS settings.
- Create or edit a CNAME record for cdn.yandexcloud.example so that it points to the copied domain name:
    cdn CNAME cl-********.edgecdn.ru
  Note
  Do not use an ANAME resource record with domain names for content distribution; otherwise, the end user will get a response from a CDN server not linked to the user's geolocation. The response will always be the same for all users.
  If you use Cloud DNS, follow this guide to configure the record:
  Configuring DNS records for Cloud DNS
  Management console:
  - In the management console, select Cloud DNS.
  - If you do not have a public DNS zone, create one:
    - Click Create zone.
    - In the Zone field, enter the site's domain name with a trailing dot: yandexcloud.example.
    - In the Type field, select Public.
    - In the Name field, specify example-dns-zone.
    - Click Create.
  - In the zone, create a CNAME record for cdn.yandexcloud.example:
    - Select example-dns-zone.
    - Click Create record.
    - In the Name field, specify cdn.
    - In the Type field, specify CNAME.
    - In the Data field, paste the copied value in cl-********.edgecdn.ru format.
    - Click Create.
  Yandex Cloud CLI:
  - If you do not have a public DNS zone, create one:
      yc dns zone create \
        --name example-dns-zone \
        --zone yandexcloud.example. \
        --public-visibility
    Result:
      id: dns4rq4taddd********
      folder_id: b1g9hv2loamq********
      created_at: "2022-04-04T11:03:28.847Z"
      name: example-dns-zone
      zone: yandexcloud.example.
      public_visibility: {}
    For more information about the yc dns zone create command, see the CLI reference.
  - In the zone, create a CNAME record for cdn.yandexcloud.example with the copied value in cl-********.edgecdn.ru format:
      yc dns zone add-records \
        --name example-dns-zone \
        --record "cdn CNAME cl-********.edgecdn.ru"
    For more information about the yc dns zone add-records command, see the CLI reference.
  Terraform:
  - Add the parameters of the example-dns-zone DNS zone and its CNAME records to the configuration file:
      ...
      resource "yandex_dns_zone" "example-dns-zone" {
        zone   = "yandexcloud.example."
        name   = "example-dns-zone"
        public = true
      }

      resource "yandex_dns_recordset" "example-recordset" {
        zone_id = yandex_dns_zone.example-dns-zone.id
        name    = "cdn"
        type    = "CNAME"
        data    = ["<copied_value_in_the_format_cl-********.edgecdn.ru>"]
      }
    Learn more in the description of the yandex_dns_zone and yandex_dns_recordset resources in the Terraform provider documentation.
  - Make sure the configuration files are correct.
    - In the command line, go to the folder where you created the configuration file.
    - Run a check using this command:
        terraform plan
      If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
  - Deploy cloud resources.
    - If the configuration does not contain any errors, run this command:
        terraform apply
    - Confirm that you want to create the resources.
  API:
  - Create a DNS zone named example-dns-zone using the gRPC API DnsZoneService/Create call or the create REST API method.
  - Add the cdn CNAME record to the zone, copying the cl-********.edgecdn.ru value with the DnsZoneService/UpdateRecordSets gRPC API call or the updateRecordSets REST API method.
- A few hours might be needed to update DNS records on DNS servers. After that, you can check the health of the service.
Run a health check for the service
To check the service performance, open https://cdn.yandexcloud.example/index.html in the browser. You should see a page with the following content:
<!DOCTYPE html>
<html>
<head>
<title>My service</title>
</head>
<body>
<p>The service is working</p>
</body>
</html>
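Beyond opening the page in a browser, the two behaviours this setup is supposed to deliver can be checked by script: plain HTTP is redirected to HTTPS, and the HTTPS page served through the CDN, the balancer and the bucket carries the expected text. The script below is an added example, not part of the tutorial; it uses only the Python standard library, verifies the TLS certificate, and takes a pluggable fetcher so the same checks can be run against captured responses.

```python
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

SERVICE_HOST = "cdn.yandexcloud.example"          # the tutorial's example domain
PAGE = "/index.html"
EXPECTED_TEXT = "<p>The service is working</p>"   # from the tutorial's index.html

# A response is (status, headers, body); header names are lower-cased.
Response = Tuple[int, Dict[str, str], str]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher: one request, redirects not followed, TLS certificate verified."""
    opener = urllib.request.build_opener(
        _NoRedirect(),
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return (resp.status, {k.lower(): v for k, v in resp.headers.items()},
                    resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # With redirects disabled a 3xx lands here, as do 4xx/5xx; all carry a response.
        return (err.code, {k.lower(): v for k, v in err.headers.items()},
                err.read().decode("utf-8", "replace"))


def check_redirect(resp: Response) -> List[str]:
    """The CDN resource was configured to redirect HTTP clients to HTTPS."""
    status, headers, _ = resp
    if status not in (301, 302, 307, 308):
        return [f"http: expected a redirect to HTTPS, got status {status}"]
    location = headers.get("location", "")
    if not location.startswith(f"https://{SERVICE_HOST}"):
        return [f"http: redirect points to {location!r}, not to https://{SERVICE_HOST}"]
    return []


def check_content(resp: Response) -> List[str]:
    """The HTTPS page must be the index.html uploaded to the bucket."""
    status, _, body = resp
    findings: List[str] = []
    if status != 200:
        findings.append(f"https: expected status 200, got {status}")
    if EXPECTED_TEXT not in body:
        findings.append("https: index.html does not contain the expected text")
    return findings


def run_health_check(fetcher: Callable[[str], Response] = fetch) -> List[str]:
    """Run both checks; an empty list means the service is healthy."""
    findings = check_redirect(fetcher(f"http://{SERVICE_HOST}{PAGE}"))
    findings += check_content(fetcher(f"https://{SERVICE_HOST}{PAGE}"))
    return findings


if __name__ == "__main__":
    problems = run_health_check()
    print("OK" if not problems else "\n".join(problems))
```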
How to delete the resources you created
To shut down the infrastructure and stop paying for the resources you created:
- If you set up CNAME records in Cloud DNS, delete the example-dns-zone DNS zone.
- Delete the CDN resource with the primary cdn.yandexcloud.example domain name.
- Delete the example-balancer L7 load balancer.
- Delete all objects from the bucket.
- Delete the bucket.
- Delete the example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d subnets.
- Delete the example-network network.