Setting up a secure network configuration

Written by
Yandex Cloud
Updated at March 6, 2025
  • Reserve two static public IP addresses
  • Create VMs for the service in all availability zones
  • Create an IPSec instance for remote access
  • Configure VPN routing
    • Create a route table
    • Link the route table to all subnets
  • Create and configure security groups
    • Create a security group for a VPN
    • Create a security group for the internet service VMs
  • Assign the security groups to the VMs
  • Create a network load balancer
  • Test the infrastructure
  • Delete the resources you created

Reserve two static public IP addresses

For your internet service to run, you need two static public IP addresses: one to be assigned to the VPN gateway and the other to the network load balancer.

Management console
  1. In the management console, open Virtual Private Cloud in the folder where you want to reserve the IP addresses.
  2. Open the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the ru-central1-b availability zone. Click Reserve.
  4. Click Reserve address once again.
  5. In the window that opens, select the ru-central1-a availability zone. Click Reserve.

Create VMs for the service in all availability zones

Management console
  1. In the management console, open your folder and click Create resource. Select Virtual machine instance.

  2. Under Boot disk image, go to the Marketplace tab, click Show all Marketplace products, and select the Drupal image.

  3. Under Location, select the ru-central1-a availability zone.

  4. Under Network settings, specify:

    • Subnet: subnet-a.
    • Public IP address: No address.
  5. Under Access, select the SSH key option and specify the access credentials for the VM:

    • Under Login, enter the username.

      Alert

      Do not use root or other usernames reserved by the OS. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, enter the VM name: web-node-a.

  7. Click Create VM.

  8. Do the same for the web-node-b and web-node-d VMs. Create the VMs in the ru-central1-b and ru-central1-d availability zones and connect them to subnet-b and subnet-d, respectively.

Create an IPSec instance for remote access

To provide secure access to your resources, create an IPSec instance.

Management console
  1. In the management console, open your folder and click Create resource. Select Virtual machine instance.

  2. Under Boot disk image, go to the Marketplace tab, click Show all Marketplace products, and select the IPSec instance image.

  3. Under Location, select the ru-central1-a availability zone.

  4. Under Network settings:

    • In the Subnet field, select subnet-a.
    • In the Public IP address field, select List and select the reserved IP address from the list.
  5. Under Access, select the SSH key option and specify the information required to access the VM:

    • Under Login, enter the username.

      Alert

      Do not use root or other usernames reserved by the OS. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, enter the VM name: vpn.

  7. Click Create VM.

Configure VPN routing

Configure routing between the remote network and your IPSec instance. In the example, we will use the 192.168.0.0/24 subnet.

Create a route table

Create a route table and add static routes:

Management console
  1. In the management console, open the Virtual Private Cloud section in the folder where you want to configure routing.
  2. Select the network to create the route table in.
  3. In the left-hand panel, select Routing tables.
  4. Click Create.
  5. Enter the route table name: vpn-route.
  6. Click Add.
  7. In the window that opens, enter the prefix of the remote site destination subnet. In our example, it is 192.168.0.0/24.
  8. In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.
  9. Click Create routing table.

Link the route table to all subnets

To use static routes, link the route table to a subnet. To do this:

Management console
  1. In the management console, open Virtual Private Cloud in the folder where you want to configure routing.
  2. Select the network with the subnets to assign the route table to.
  3. In the row with the subnet you need, click .
  4. In the menu that opens, select Link routing table.
  5. In the window that opens, select the created table from the list.
  6. Click Link.
  7. Link the route table named vpn-route to all the three subnets.
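The two routing steps above amount to one static entry (remote prefix 192.168.0.0/24, next hop = internal IP of the IPSec gateway) that every subnet must see, because the web nodes in all three zones have to send their replies to the remote site through that gateway. The following is an added example, not Yandex Cloud code: it validates such a route before it is added (the next hop must sit inside one of the network's subnets, and the destination must not overlap a subnet of the network) and then resolves sample destinations with a longest-prefix match. The subnet prefixes and the gateway address are constructed values, since the article names subnet-a, subnet-b and subnet-d but gives no prefixes for them.

```python
import ipaddress

# Constructed sample values: the article names subnet-a/b/d and uses 10.0.0.0/8 as the
# internal network CIDR, but gives no subnet prefixes and no address for the IPSec VM.
SUBNETS = {
    "subnet-a": "10.128.0.0/24",
    "subnet-b": "10.129.0.0/24",
    "subnet-d": "10.130.0.0/24",
}
IPSEC_GATEWAY_IP = "10.128.0.10"     # assumed internal IP of the vpn VM in subnet-a
REMOTE_SITE = "192.168.0.0/24"       # remote site prefix from the article


def validate_route(destination, next_hop, subnets=SUBNETS):
    """Check a static route before adding it; returns a list of problems (empty = OK)."""
    dst = ipaddress.ip_network(destination)
    hop = ipaddress.ip_address(next_hop)
    nets = [ipaddress.ip_network(s) for s in subnets.values()]
    problems = []
    if not any(hop in n for n in nets):
        problems.append("next hop is not inside any subnet of the network")
    if any(dst.overlaps(n) for n in nets):
        problems.append("destination prefix overlaps a subnet of the network")
    return problems


def build_route_table(subnets=SUBNETS, static_routes=((REMOTE_SITE, IPSEC_GATEWAY_IP),)):
    """Effective table of a linked subnet: a local route for every subnet plus the static ones."""
    table = [(ipaddress.ip_network(s), "local") for s in subnets.values()]
    table += [(ipaddress.ip_network(dst), hop) for dst, hop in static_routes]
    return table


def lookup(table, dst_ip):
    """Longest-prefix match: returns "local", a next-hop address, or None when no entry covers it."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


if __name__ == "__main__":
    print(validate_route(REMOTE_SITE, IPSEC_GATEWAY_IP))          # [] : route is consistent
    table = build_route_table()
    # A web node in subnet-d answering a client at the remote site goes via the gateway.
    print(lookup(table, "192.168.0.25"))                           # 10.128.0.10
    print(lookup(table, "10.130.0.5"))                             # local
```

Because the same table is linked to subnet-a, subnet-b and subnet-d, `lookup` gives the identical answer for a VM in any of the three zones; a subnet left unlinked would route 192.168.0.0/24 nowhere.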

Create and configure security groups

To distribute traffic between network segments, create security groups and set up rules for receiving and sending traffic.

Create a security group for a VPN

For a VPN to work properly, enable receiving and transmitting traffic to UDP ports 500 and 4500 from an external network. This is required for using the IPSec tunnel. You also need to allow traffic between the subnets of your virtual network and the network at the remote site.

Management console
  1. In the management console, open Virtual Private Cloud in the folder where you want to create a security group.
  2. In the left-hand panel, select Security groups.
  3. Click Create security group.
  4. Enter a name for the security group: vpn-sg.
  5. In the Network field, select the network that the security group will refer to.
  6. Under Rules, create traffic management rules:
    1. Select the Egress tab.
    2. Click Add.
    3. In the window that opens, set the port to 500 in the Port range field.
    4. In the Protocol field, select UDP.
    5. In the Destination name field, specify the public address of the remote VPN hub with the /32 mask.
  7. Click Save.
  8. Click Add.
    1. In the window that opens, set the port to 4500 in the Port range field.
    2. In the Protocol field, select UDP.
    3. In the Destination name field, specify the public address of the remote VPN hub with the /32 mask.
  9. Click Save.
  10. Set up rules that allow traffic between the web servers and VMs on the remote site. Click Add.
    1. In the window that opens, click Select entire range in the Port range field.
    2. In the Protocol field, select Any.
    3. In the Destination name field, specify the internal network CIDR: 10.0.0.0/8.
    4. Click Add and specify the remote site CIDR: 192.168.0.0/24.
  11. Create the same rules for incoming traffic.

Create a security group for the internet service VMs

Create a security group named web-service-sg and configure traffic rules.

Rules for outgoing traffic

Allow outgoing connections to other VM instances in the security group:

  • Protocol: Any
  • Destination name: Security group
  • Security group: Current

Rules for incoming traffic

Allow the following incoming connections:

  1. HTTP connections from multiple test dummy IP addresses:
    • Protocol: TCP
    • Port range: 80
    • CIDR: 1.1.1.1/32, 85.32.45.45/32
  2. HTTPS connections from multiple test dummy IP addresses:
    • Protocol: TCP
    • Port range: 443
    • CIDR: 1.1.1.1/32, 85.32.45.45/32
  3. TCP connections for SSH access:
    • Protocol: TCP
    • Port range: 22
    • CIDR: 0.0.0.0/0
  4. Connections from other VM instances in the security group:
    • Protocol: Any
    • Destination name: Security group
    • Security group: Current
  5. Health checks from the network load balancer:
    • Protocol: Any
    • Port range: 80
    • CIDR: 198.18.235.0/24, 198.18.248.0/24
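Security groups are allow-lists: a flow passes only if some rule of some group attached to the interface matches its direction, protocol, port and peer address (or the peer's group membership). Before clicking through the console it helps to state the vpn-sg and web-service-sg rule sets above in code and check them against sample flows, including the two outcomes the test section below expects: an arbitrary internet client on port 80 gets no answer, and it does get one once web-service-test-sg with your own /32 is added, since the test section implies the load balancer hands the client address through to the VMs. The following is an added example, not Yandex Cloud code; the remote hub address and client addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)          # "Select entire range" in the console


@dataclass
class Rule:
    """One security-group rule as listed in the article."""
    direction: str                   # "ingress" or "egress"
    protocol: str                    # "tcp", "udp" or "any"
    ports: range = ALL_PORTS         # port range the rule covers
    cidrs: tuple = ()                # CIDRs the peer address is matched against
    self_group: bool = False         # "Destination name: Security group / Security group: Current"


@dataclass
class SecurityGroup:
    name: str
    rules: list

    def allows(self, direction, protocol, port, peer_ip, peer_in_group=False):
        """True when at least one rule permits the flow; no rule means denied."""
        ip = ipaddress.ip_address(peer_ip)
        for r in self.rules:
            if r.direction != direction or port not in r.ports:
                continue
            if r.protocol not in ("any", protocol):
                continue
            if r.self_group and peer_in_group:
                return True
            if any(ip in ipaddress.ip_network(c) for c in r.cidrs):
                return True
        return False


def any_group_allows(groups, *args, **kwargs):
    """An interface with several groups attached is governed by the union of their rules."""
    return any(g.allows(*args, **kwargs) for g in groups)


def build_web_service_sg():
    """web-service-sg exactly as listed in the article."""
    test_ips = ("1.1.1.1/32", "85.32.45.45/32")
    lb_checks = ("198.18.235.0/24", "198.18.248.0/24")
    return SecurityGroup("web-service-sg", [
        Rule("egress", "any", self_group=True),
        Rule("ingress", "tcp", range(80, 81), test_ips),
        Rule("ingress", "tcp", range(443, 444), test_ips),
        Rule("ingress", "tcp", range(22, 23), ("0.0.0.0/0",)),
        Rule("ingress", "any", self_group=True),
        Rule("ingress", "any", range(80, 81), lb_checks),
    ])


def build_vpn_sg(remote_hub_ip):
    """vpn-sg; remote_hub_ip stands in for the remote VPN hub's public address."""
    hub = (f"{remote_hub_ip}/32",)
    internal = ("10.0.0.0/8", "192.168.0.0/24")
    rules = []
    for direction in ("egress", "ingress"):      # step 11: same rules for incoming traffic
        rules += [
            Rule(direction, "udp", range(500, 501), hub),
            Rule(direction, "udp", range(4500, 4501), hub),
            Rule(direction, "any", ALL_PORTS, internal),
        ]
    return SecurityGroup("vpn-sg", rules)


def build_test_sg(my_ip):
    """web-service-test-sg from the test section: one ingress rule for your own address."""
    return SecurityGroup("web-service-test-sg",
                         [Rule("ingress", "tcp", range(80, 81), (f"{my_ip}/32",))])


if __name__ == "__main__":
    web = build_web_service_sg()
    client = "203.0.113.50"                      # constructed address of "your computer"
    # Step 1 of the test: an internet client on port 80 is dropped by web-service-sg.
    print(web.allows("ingress", "tcp", 80, client))                         # False
    print(web.allows("ingress", "tcp", 80, "198.18.235.7"))                 # True (health check)
    # Step 4: with web-service-test-sg also attached, the same client is allowed.
    print(any_group_allows([web, build_test_sg(client)], "ingress", "tcp", 80, client))  # True
```

Note what the model makes visible: the health-check rule is scoped to port 80 only, so a listener on another port would need its own entry, and the SSH rule on port 22 matches any source, which is exactly what the page specifies for this walkthrough.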

Assign the security groups to the VMs

For the security group rules to take effect, assign the groups to the VM network interfaces.

Management console
  1. In the management console, open Compute Cloud.
  2. Select the vpn VM.
  3. Under Network, click and select Edit.
  4. In the window that opens, select the vpn-sg security group in the Security groups field.
  5. Click Save.
  6. Repeat the steps and assign the web-service-sg security group to the web-node-a, web-node-b, and web-node-d VMs.

Create a network load balancer

The network load balancer will distribute the internet service's incoming traffic across the VMs in the target group.

Management console

To create a network load balancer:

  1. In the management console, open Network Load Balancer in the folder where you want to create a load balancer.
  2. Click Create a network load balancer.
  3. Enter the load balancer name: web-service-lb.
  4. In the Public address field, select List and specify a static public address.
  5. Under Listeners, click Add listener.
  6. In the window that opens, enter a name for the listener and set the port to 80 in the Port and Target port fields. Click Add.
  7. Under Target groups, click Add target group.
  8. In the Target group field, click the list and then click Create target group.
  9. In the window that opens, enter the target group name: web-tg.
  10. Select the web-node-a, web-node-b, and web-node-d VMs.
  11. Click Create.
  12. Select the created target group from the list.
  13. Click Create.

Test the infrastructure

Test the infrastructure and make sure that traffic to the internet service VMs only comes from the addresses allowed by the rules:

  1. On your computer, run curl <Network_load_balancer_public_IP_address>. Make sure you get no response.
  2. Create a security group named web-service-test-sg with no rules and assign it to the web-node-a, web-node-b, and web-node-d VMs.
  3. In the web-service-test-sg security group, create the following rule for incoming traffic:
    • Protocol: TCP
    • Port range: 80
    • CIDR: <IP_address_of_your_computer>/32
  4. On your computer, run curl <Network_load_balancer_public_IP_address> once again. Make sure the Drupal homepage HTML code is returned in response.
  5. Delete the test security group.

Delete the resources you created

To stop paying for the deployed resources, delete the VMs and the load balancer you created:

  • vpn
  • web-node-a
  • web-node-b
  • web-node-d
  • web-service-lb

Release and delete the static public IP addresses you reserved.
