Architecture and protection of a basic internet service
- Prepare your cloud
- Prepare the network infrastructure
- Reserve two static public IP addresses
- Create VMs for the service in all availability zones
- Create an IPSec instance for remote access
- Configure VPN routing
- Create and configure security groups
- Create a network load balancer
- Test the infrastructure
- How to delete the resources you created
You will deploy and configure the infrastructure of a basic internet service with multiple VMs. Access to VMs will be restricted using security groups. A network load balancer will distribute the load across web app servers.
To create the infrastructure of an internet service:
- Prepare your cloud.
- Prepare the network infrastructure.
- Reserve two static public IP addresses.
- Create VMs for the service in all availability zones.
- Create an IPSec instance for remote access.
- Configure VPN routing.
- Create a route table.
- Link the route table to all subnets.
- Create and configure security groups.
- Assign the security groups to the VMs.
- Create a network load balancer.
- Test the infrastructure.
If you no longer need the infrastructure, delete the created resources.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of internet service support includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for using public static IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Prepare the network infrastructure
Before creating a VM:
- Go to the Yandex Cloud management console and open the folder where you want to perform the operations.
- Select Virtual Private Cloud and create a cloud network with subnets named subnet-a, subnet-b, and subnet-d in the ru-central1-a, ru-central1-b, and ru-central1-d availability zones, respectively.
Reserve two static public IP addresses
For your internet service to run, you need two static public IP addresses: one to be assigned to the VPN gateway and the other to the network load balancer.
- In the management console, select Virtual Private Cloud in the folder where you want to reserve the IP addresses.
- In the left-hand panel, select IP addresses. Click Reserve address.
- In the window that opens, select the ru-central1-b availability zone. Click Reserve.
- Click Reserve address once again.
- In the window that opens, select the ru-central1-a availability zone. Click Reserve.
Create VMs for the service in all availability zones
- In the management console, open your folder and click Create resource in the top-right corner. Select Virtual machine instance.
- Enter the VM name: web-node-a.
- Select the ru-central1-a availability zone.
- Under Boot disk image, go to the Marketplace tab and select the Drupal image.
- Under Network settings, select the subnet-a subnet. In the Public IP field, select No address.
- In the Access field, enter the login and SSH key to access the VM. You need to create an SSH key pair yourself.
- Click Create VM.
- Repeat the steps for the VMs named web-node-b and web-node-d. Create them in the ru-central1-b and ru-central1-d availability zones and connect them to subnet-b and subnet-d, respectively.
Create an IPSec instance for remote access
To provide secure access to your resources, create an IPSec instance.
- In the management console, open your folder and click Create resource in the top-right corner. Select Virtual machine instance.
- Enter the VM name: vpn.
- Select the ru-central1-a availability zone.
- Under Boot disk image, go to the Marketplace tab and select the IPSec instance image.
- Under Network settings, select the subnet-a subnet. In the Public IP field, select List. In the list that opens, select the IP address that you reserved.
- In the Access field, enter the login and SSH key to access the VM.
- Click Create VM.
Configure VPN routing
Configure routing between the remote network and your IPSec instance. In this example, the remote site uses the 192.168.0.0/24 subnet.
Create a route table
Create a route table and add static routes:
- In the management console, select Virtual Private Cloud in the folder where you want to configure routing.
- Select the network to create the route table in.
- Open the Routing tables tab.
- In the top-right corner, click Create.
- Enter the route table name: vpn-route.
- Under Static routes, click Add a route.
- In the window that opens, enter the remote site's destination subnet prefix. In this example, it is 192.168.0.0/24.
- In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.
- Click Create a routing table.
Link the route table to all subnets
To use static routes, link the route table to a subnet. To do this:
- In the management console, select Virtual Private Cloud in the folder where you want to configure routing.
- In the left-hand panel, select Subnets.
- In the line of the subnet you need, open the actions menu and select Link routing table.
- In the window that opens, select the created table in the Route table field.
- Click Link.
- Link the vpn-route route table to all three subnets.
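The two steps above (a static route whose next hop is the IPSec gateway's internal address, and linking the table to every subnet) can be checked with a small longest-prefix-match model. The following is an added example, not Yandex Cloud's own code or CLI: the subnet ranges and the gateway's internal IP are constructed placeholders, since the tutorial gives only the subnet names and the remote prefix 192.168.0.0/24.

```python
# Added example (not Yandex Cloud's own code): a longest-prefix-match model of the
# vpn-route table, showing why the static route must name an internal next hop and
# why the table has to be linked to every subnet. Subnet ranges and the IPSec
# gateway's internal address are constructed placeholders.
from ipaddress import ip_address, ip_network

SUBNETS = {  # constructed ranges inside the 10.0.0.0/8 block the tutorial uses
    "subnet-a": "10.1.0.0/24",
    "subnet-b": "10.2.0.0/24",
    "subnet-d": "10.3.0.0/24",
}
IPSEC_GATEWAY_INTERNAL_IP = "10.1.0.10"   # constructed: internal IP of the vpn VM in subnet-a
REMOTE_SITE = "192.168.0.0/24"            # remote site prefix from the tutorial


def next_hop_is_internal(next_hop: str, subnets: dict) -> bool:
    """The Next hop field must hold an address inside the cloud network."""
    hop = ip_address(next_hop)
    return any(hop in ip_network(cidr) for cidr in subnets.values())


def build_route_table(subnets: dict, static_routes: list) -> list:
    """Connected subnet routes plus static routes; each entry is (prefix, next hop label)."""
    table = [(ip_network(cidr), f"local:{name}") for name, cidr in subnets.items()]
    for prefix, hop in static_routes:
        if not next_hop_is_internal(hop, subnets):
            raise ValueError(f"next hop {hop} is not inside any subnet of the network")
        table.append((ip_network(prefix), f"gateway:{hop}"))
    return table


def lookup(table: list, dst: str):
    """Most specific matching prefix wins; None means this table has no route for dst."""
    ip = ip_address(dst)
    matches = [(net, hop) for net, hop in table if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def resolve(src_subnet: str, dst: str, linked_subnets: set):
    """Static routes apply only to subnets the vpn-route table is linked to."""
    static = [(REMOTE_SITE, IPSEC_GATEWAY_INTERNAL_IP)] if src_subnet in linked_subnets else []
    return lookup(build_route_table(SUBNETS, static), dst)


if __name__ == "__main__":
    # With the table linked only to subnet-a, hosts in subnet-b and subnet-d have no
    # route to the remote site; link it to all three and every subnet resolves.
    for src in SUBNETS:
        print(src, "-> 192.168.0.25 via", resolve(src, "192.168.0.25", {"subnet-a"}))
```

`resolve` returns `None` for a subnet the table is not linked to, which is the silent failure you see in practice: VMs in that subnet simply cannot reach the remote site even though the route exists.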
Create and configure security groups
To distribute traffic between network segments, create security groups and set up rules for receiving and sending traffic.
Create a security group for a VPN
For a VPN to work properly, allow traffic to be received and transmitted on UDP ports 500 and 4500 from an external network. This is required for using the IPSec tunnel. You also need to allow traffic between the subnets of your virtual network and the network on the remote site.
- In the management console, select Virtual Private Cloud in the folder where you want to create a security group.
- In the left-hand panel, select Security groups.
- Click Create security group.
- Enter the security group name: vpn-sg.
- In the Network field, select the network that the security group will refer to.
- Under Rules, create rules for outgoing traffic. To do this, select the Egress tab.
- Click Add rule. In the window that opens:
  - In the Port range field, specify port 500.
  - In the Protocol field, select UDP.
  - In the Destination name field, select CIDR.
  - In the CIDR blocks field, specify the public address of the remote VPN hub with the /32 mask.
  - Click Save.
- Click Add rule. In the window that opens:
  - In the Port range field, specify port 4500.
  - In the Protocol field, select UDP.
  - In the Destination name field, select CIDR.
  - In the CIDR blocks field, specify the public address of the remote VPN hub with the /32 mask.
  - Click Save.
- Set up rules that allow traffic between the web servers and VMs on the remote site. Click Add rule. In the window that opens:
  - In the Port range field, click Select the full range.
  - In the Protocol field, select Any.
  - In the Destination name field, select CIDR.
  - In the CIDR blocks field, specify the internal network CIDR: 10.0.0.0/8.
  - Click Add CIDR and specify the remote site CIDR: 192.168.0.0/24.
  - Click Save.
- Select the Ingress tab and create similar rules for incoming traffic.
Create a security group for the internet service VMs
Create a security group named web-service-sg and set up traffic rules.
Rules for outgoing traffic
Allow outgoing connections to other VM instances in the security group:
- Protocol: Any
- Destination name: Security group
- Security group: Current
Rules for incoming traffic
Allow the following incoming connections:
- HTTP connections from multiple test dummy IP addresses:
  - Port range: 80
  - Protocol: TCP
  - CIDR blocks: 1.1.1.1/32, 85.32.45.45/32
- HTTPS connections from multiple test dummy IP addresses:
  - Port range: 443
  - Protocol: TCP
  - CIDR blocks: 1.1.1.1/32, 85.32.45.45/32
- TCP connections for SSH access:
  - Port range: 22
  - Protocol: TCP
  - CIDR blocks: 0.0.0.0/0
- Connections from other VM instances in the security group:
  - Protocol: Any
  - Source: Security group
  - Security group: Current
- Health checks from the network load balancer:
  - Port range: 80
  - Protocol: TCP
  - Source: Load balancer healthchecks
Assign the security groups to the VMs
For the security group rules to take effect, assign the groups to the VM network interfaces.
- In the management console, select Compute Cloud.
- Select the vpn VM.
- Under Network, open the actions menu and select Edit.
- In the window that opens, select the vpn-sg security group.
- Click Save.
- Repeat the steps and assign the web-service-sg security group to the web-node-a, web-node-b, and web-node-d VMs.
Create a network load balancer
The network load balancer will distribute the internet service's incoming traffic across the VMs in the target group.
To create a network load balancer:
- In the management console, select Network Load Balancer in the folder to create the load balancer in.
- Click Create a network load balancer.
- Enter the load balancer name: web-service-lb.
- In the Public address field, select List and specify a static public address.
- Under Listeners, click Add listener.
- In the window that opens, enter a name for the listener and specify port 80 in the Port and Target port fields. Click Add.
- Under Target groups, click Add target group.
- In the Target group field, click Create target group. In the window that opens:
  - Enter the target group name: web-tg.
  - Select the web-node-a, web-node-b, and web-node-d VMs.
  - Click Create.
- Select the created target group from the list and change the protocol for the load balancer's health checks to TCP in the settings:
  - Click Configure.
  - In the Type field of the window that opens, select TCP and click Apply.
- Click Save.
Test the infrastructure
Test the infrastructure and make sure that traffic to the internet service VMs only comes from the addresses allowed by the rules:
- On your computer, run the command: curl <network_load_balancer_public_IP_address>. Make sure no response is received.
- Create a security group named web-service-test-sg with no rules and assign it to the web-node-a, web-node-b, and web-node-d VMs.
- In the web-service-test-sg security group, create the following rule for incoming traffic:
  - Port range: 80
  - Protocol: TCP
  - Source: CIDR
  - CIDR blocks: <Your_PC_IP_address>/32
- Run the curl <network_load_balancer_public_IP_address> command again on your PC. Make sure the Drupal homepage HTML code is returned in response.
- Delete the test security group.
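Both the web-service-sg and vpn-sg rule sets above and the test just described come down to one question: does any allow rule on the VM's interface match the packet? The following is an added example, not Yandex Cloud's own code: it models the rules of both groups as the tutorial lists them, treats the "Security group" and "Load balancer healthchecks" sources as tags on the peer (the tutorial does not give the addresses behind them), and replays the curl-before/curl-after test. The remote hub address and the PC address are constructed placeholders.

```python
# Added example (not Yandex Cloud's own code): a small model of how the security
# groups in this tutorial decide whether a packet is accepted. Security groups
# are allow-lists; a packet is allowed when any rule in any group attached to the
# interface matches it. "Security group" and "Load balancer healthchecks" sources
# are modelled as peer tags. IP addresses marked "constructed" are placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str                  # "ingress" or "egress"
    protocol: str                   # "tcp", "udp" or "any"
    ports: tuple = ANY_PORT         # inclusive (low, high) port range
    cidrs: tuple = ()               # peer CIDR blocks (empty when a tag is used)
    tag: Optional[str] = None       # "self" (same security group) or "lb-healthcheck"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    peer_ip: str                    # source IP for ingress, destination IP for egress
    peer_tags: frozenset = frozenset()


def rule_matches(rule: Rule, pkt: Packet, group_name: str) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    low, high = rule.ports
    if not low <= pkt.port <= high:
        return False
    if rule.tag is not None:
        wanted = f"sg:{group_name}" if rule.tag == "self" else rule.tag
        return wanted in pkt.peer_tags
    ip = ip_address(pkt.peer_ip)
    return any(ip in ip_network(cidr) for cidr in rule.cidrs)


def allowed(groups: dict, pkt: Packet) -> bool:
    """Several groups on one interface combine as a union of their allow rules."""
    return any(rule_matches(r, pkt, name) for name, rules in groups.items() for r in rules)


def web_service_sg() -> list:
    """The web-service-sg rules as the tutorial lists them."""
    dummy = ("1.1.1.1/32", "85.32.45.45/32")
    return [
        Rule("egress", "any", tag="self"),
        Rule("ingress", "tcp", (80, 80), dummy),
        Rule("ingress", "tcp", (443, 443), dummy),
        Rule("ingress", "tcp", (22, 22), ("0.0.0.0/0",)),
        Rule("ingress", "any", tag="self"),
        Rule("ingress", "tcp", (80, 80), tag="lb-healthcheck"),
    ]


def vpn_sg(hub_ip: str = "198.51.100.7") -> list:
    """The vpn-sg rules; hub_ip is a constructed placeholder for the remote VPN hub."""
    site = ("10.0.0.0/8", "192.168.0.0/24")
    rules = []
    for direction in ("egress", "ingress"):  # the ingress rules mirror the egress ones
        rules += [
            Rule(direction, "udp", (500, 500), (f"{hub_ip}/32",)),
            Rule(direction, "udp", (4500, 4500), (f"{hub_ip}/32",)),
            Rule(direction, "any", ANY_PORT, site),
        ]
    return rules


def review(groups: dict) -> list:
    """Review aid: list ingress rules that accept traffic from the whole internet."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            if r.direction == "ingress" and "0.0.0.0/0" in r.cidrs:
                findings.append(f"{name}: {r.protocol} {r.ports[0]}-{r.ports[1]} open to 0.0.0.0/0")
    return findings


def replay_test_steps(pc_ip: str = "203.0.113.10") -> tuple:
    """HTTP from your PC before and after web-service-test-sg is attached.
    pc_ip is a constructed placeholder for <Your_PC_IP_address>."""
    http_from_pc = Packet("ingress", "tcp", 80, pc_ip)
    before = allowed({"web-service-sg": web_service_sg()}, http_from_pc)
    test_sg = [Rule("ingress", "tcp", (80, 80), (f"{pc_ip}/32",))]
    after = allowed({"web-service-sg": web_service_sg(),
                     "web-service-test-sg": test_sg}, http_from_pc)
    return before, after


if __name__ == "__main__":
    print("curl allowed before/after test group:", replay_test_steps())
    print("review findings:", review({"web-service-sg": web_service_sg()}))
```

`replay_test_steps` returns `(False, True)`: the first curl gets no response because only the two dummy addresses may reach port 80, and the second succeeds once the test group adds your own /32. `review` is the check a practitioner would run before assigning the groups; on the tutorial's rule set it reports only the SSH rule, which is open to 0.0.0.0/0 as written.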
How to delete the resources you created
To shut down the infrastructure and stop paying for the deployed resources, delete the VMs and the load balancer you created:
- vpn
- web-node-a
- web-node-b
- web-node-d
- web-service-lb
Release and delete the static public IP addresses you reserved.