Contact UsGet started

Architecture and protection of a basic internet service

Written by
Updated at November 14, 2024

Follow this guide to deploy and configure the infrastructure of a basic internet service with multiple VMs. You will connect to the infrastructure from a remote site. To restrict access to the VMs, you will configure security groups. A network load balancer will distribute the load across web app servers.

This diagram illustrates networking between the remote site and basic internet service:

Remote site:

  • remote-net network with subnet-1 (10.129.0.0/24).
  • Test VM running Linux Ubuntu named vm-1 residing in subnet-1. This VM is used to health-check the cloud site infrastructure.

Note

You can also use your PC as the remote site. To do this, you need to know the local machine's subnet CIDR and external IP address it uses to access the internet.

Cloud site:

  • Network named network with the following subnets: subnet-a (192.168.5.0/24), subnet-b (192.168.15.0/24), and subnet-d (192.168.25.0/24).
  • IPsec instance (gateway) named vpn residing in subnet-a. The IPsec gateway serves to provide an IPsec connection to the remote site and allow networking between cloud VMs.
  • Route table with vpn-route (static route) directing traffic from the remote site subnet-1 towards the cloud site VMs via the main IPsec gateway.
  • Drupal VMs of the basic internet service: web-node-a, web-node-b, and web-node-d residing in subnet-a, subnet-b, and subnet-d, respectively.
  • vpn-sg security group used by the vpn VM to manage traffic in the IPSec tunnel. The web-service-sg security group allows traffic between the web-node-a, web-node-b, and web-node-d VMs.
  • web-service-lb load balancer distributing incoming traffic across web-node-a, web-node-b, and web-node-d.

To create the infrastructure of an internet service:

  1. Prepare your cloud.
  2. Set up a remote site.
  3. Set up a cloud site.
  4. Test the infrastructure.

If you no longer need the infrastructure, delete the created resources.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of support for the new infrastructure includes:

Set up a remote site

At this stage, you will create and set up an infrastructure for your remote site. This comprises a network, a subnet, and a VM to access the infrastructure of the basic internet service.

Note

You can use your PC as the remote site. To do this, find out your PC's subnet CIDR and external IP address it uses to access the internet.

If you are going to use your PC as the remote site, skip this section and go to Set up a cloud site.

Create a network and subnet

  1. Create a network named remote-net. When creating your network, disable the Create subnets option.

  2. Create a subnet for your remote site test VM with the following parameters:

    • Name: subnet-1.
    • Zone: ru-central1-b.
    • Network: remote-net.
    • CIDR: 10.129.0.0/24.

Create a test VM

Create a VM you will use to connect to the basic internet service infrastructure from the outside.

  1. In the management console, select the folder to create your VM in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select the Ubuntu 22.04 LTS OS Login image.

  6. Under Location, select the ru-central1-b availability zone.

  7. Under Network settings:

    • In the Subnet field, select subnet-1.
    • In the Public IP field, select Auto.

  8. Under Access, select Access via OS Login to connect and manage access to the new VM using OS Login in Yandex Cloud Organization.

    Using OS Login, you can connect to VMs via SSH keys and SSH certificates using a standard SSH client or YC CLI. OS Login allows you to rotate the SSH keys used to access the VM and is the most secure access option.

  9. Under General information, specify the VM name: vm-1.

  10. Click Create VM.

  11. Get the public IP address of the new VM:

    1. Wait until the status of vm-1 changes to Running and click the row with this VM.

    2. In the VM overview page that opens, copy the value in the Public IPv4 address field under Network interface.

      You will need the remote VM's public IP address later when creating a security group.

Set up a cloud site

Create and set up a cloud network

  1. In the management console, go to the folder where you want to deploy the infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. Create a cloud network named network. When creating your network, disable the Create subnets option.

  4. In network, create subnets with the following parameters:

    1. To connect the web-node-a VM and the vpn IPSec instance:

      • Name: subnet-a.
      • Zone: ru-central1-a.
      • Network: network.
      • CIDR: 192.168.5.0/24.

    2. To connect the web-node-b VM:

      • Name: subnet-b.
      • Zone: ru-central1-b.
      • Network: network.
      • CIDR: 192.168.15.0/24.

    3. To connect the web-node-d VM:

      • Name: subnet-d.
      • Zone: ru-central1-d.
      • Network: network.
      • CIDR: 192.168.25.0/24.

Reserve two static public IP addresses

For your internet service to run, you need two static public IP addresses: one to be assigned to the VPN gateway and the other to the network load balancer.

  1. In the management console, go to the folder with the IP addresses to reserve.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-a availability zone and click ** Reserve**.
  6. Repeat steps 4 to 5 and reserve a static public IP address in the ru-central1-b availability zone.

Create and configure security groups

To distribute traffic between network segments, create security groups and set up rules for receiving and sending traffic.

Create a security group for the VPN gateway

For your VPN to work properly, allow inbound and outbound traffic to UDP ports 500 and 4500 from an external network. This is required for using the IPsec tunnel. You also need to allow traffic between the subnets of your virtual network and the network at the remote site.

  1. In the management console, go to the folder where you want to create the security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Enter the security group name: vpn-sg.

  6. In the Network field, select network, which you created earlier.

  7. Under Rules, create rules based on the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    Incoming

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Incoming

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Incoming

    internal

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    Outgoing

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outgoing

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outgoing

    intersubnet

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    1 To use a local PC as your test VM, specify here the CIDR for the subnet this PC resides in.

  8. Click Create.

Create a security group for the internet service's VMs

  1. In the management console, go to the folder where you want to create the security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Enter the security group name: web-service-sg.

  6. In the Network field, select network, which you created earlier.

  7. Under Rules, create rules based on the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks /
    Security group

    Incoming

    ssh

    22

    TCP

    CIDR

    0.0.0.0/0

    Incoming

    anyself

    0-65535

    Any

    Security group

    Current

    Incoming

    healthchecks

    80

    TCP

    Load balancer healthchecks

    Outgoing

    self

    0-65535

    Any

    Security group

    Current

  8. Click Create.

Create and configure VMs on the cloud site

Create VMs for the service in all availability zones

  1. In the management console, select the folder where you want to create your VMs.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, go to the Marketplace tab and select the Drupal 10 image.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select the subnet-a subnet.
    • In the Public IP field, select No address.
    • Select the web-service-sg security group.

  8. Under Access:

    • Select the SSH key connection option.

    • In the Login field, enter a name for the user.

      Alert

      Do not use root or other usernames reserved by the OS. To perform operations requiring superuser permissions, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new one:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Select an expiration date for the key.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added SSH key will only be saved to the user profile of the created VM.

  9. Under General information, specify the VM name: web-node-a.

  10. Click Create VM.

  11. Repeat steps 4 to 10 to create the web-node-b and web-node-d VMs. Create the VMs in the ru-central1-b and ru-central1-d availability zones and connect them to subnet-b and subnet-d, respectively.

Create an IPSec instance for remote access

To provide secure access to your resources, create an IPSec instance.

  1. In the management console, go to the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, go to the Marketplace tab and select the IPSec instance image.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select thesubnet-a subnet.
    • In the Public IP field, select List. In the list that opens, select the IP address that you reserved.
    • Select the vpn-sg security group.

  8. Under Access:

    • Select the SSH key connection option.

    • In the Login field, enter a name for the user.

      Alert

      Do not use root or other usernames reserved by the OS. To perform operations requiring superuser permissions, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new one:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Select an expiration date for the key.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added SSH key will only be saved to the user profile of the created VM.

  9. Under General information, specify the VM name: vpn.

  10. Click Create VM.

  11. Wait until the status of the new vpn VM changes to Running and copy the value from the Internal IPv4 field in the row with this VM.

    You will need the gateway's internal address when configuring the static route.

Configure VPN routing

Configure routing between the remote site's subnet and IPSec instance.

Create a route table

Create a route table and add static routes:

  1. In the management console, go to the folder where you want to configure routing.
  2. In the list of services, select Virtual Private Cloud.
  3. Select the network you created earlier.
  4. In the left-hand panel, select Routing tables.
  5. Click Create routing table.
  6. Specify the route table name: vpn-route.
  7. Under Static routes, click Add a route.
  8. In the window that opens:

    • In the Destination prefix field, enter 10.129.0.0/24.

      If you want to use a local PC as your test VM, specify its subnet CIDR.

    • In the Next hop field, enter the internal IP address of the IPSec gateway.

    • Click Add.

  9. Click Create a routing table.

Link the route table to all subnets

To use static routes, link the route table to all the subnets in the cloud site’s network.

  1. In the management console, go to the folder where you need to configure routing.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select Subnets.
  4. In the subnet-a row, click and select Link routing table.
  5. In the window that opens, select the created vpn-route table in the Route table field.
  6. Click Link.
  7. Repeat steps 4 to 6 to link the vpn-route route table to subnet-b and subnet-d.

Create a network load balancer

The network load balancer will distribute the internet service's incoming traffic across the VMs in the target group.

To create a network load balancer:

  1. In the management console, go to the folder where you need to create the load balancer.

  2. In the list of services, select Network Load Balancer.

  3. Click Create a network load balancer.

  4. Enter the load balancer name: web-service-lb.

  5. In the Public address field, select List and specify a static public address.

  6. Under Listeners, click Add listener. In the window that opens:

    1. Enter the listener name: web-service-lb-listener.
    2. In the Port field, specify 80.
    3. In the Target port field, specify 80.
    4. Click Add.

  7. Under Target groups, click Add target group.

    1. In the Target group field, select Create target group. In the window that opens:

      1. Enter the target group name: web-tg.
      2. Select the web-node-a, web-node-b, and web-node-d VMs.
      3. Click Create.

    2. Select the new web-tg target group.

  8. In this target group section:

    1. Click Configure.
    2. In the Type field of the window that opens, select TCP and click Apply.

  9. Click Create.

Test the infrastructure

Test the infrastructure and make sure that the internet service VMs do not receive any external traffic:

  1. Run the following command on the remote computer:

    curl <public_IP_address_of_network_load_balancer>

    Make sure you get no response from the server. This means network traffic to your Drupal servers is denied.

  2. Add two new incoming traffic rules to the web-service-sg security group:

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    http-external-vm

    80

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    https-external-vm

    443

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    These rules allow access to the VMs in the network load balancer’s target group from the remote site's VM public address.

  3. Once again, run this command on the remote computer:

    curl <public_IP_address_of_network_load_balancer>

    Make sure the Drupal homepage HTML code is returned in response. This means the rules you added to the security group allowed network access to the Drupal VMs from the remote computer's IP address.

How to delete the resources you created

To stop paying for the deployed resources:

  1. Delete the VM instances.
  2. Delete the network load balancer.
  3. Delete the static public IP addresses you reserved.
  4. If required, delete the route table, security groups, subnets, and networks.
Previous
All tutorials
Next
Configuring a fault-tolerant architecture in Yandex Cloud