Contact UsGet started

Integrating an L7 load balancer with Cloud CDN and Object Storage

Written by
Updated at May 7, 2025

In this tutorial, we will use a Yandex Object Storage bucket as the L7 load balancer backend enabled by Yandex Application Load Balancer. User requests are transmitted to the load balancer via the Yandex Cloud CDN content delivery network that reduces content delivery time.

We will use the cdn.yandexcloud.example domain name as an example.

You can use various supported tools to perform these steps.

To build an architecture for integrating an L7 load balancer with CDN and Object Storage:

  1. Get your cloud ready.
  2. Add a certificate to Certificate Manager
  3. Create a cloud network and subnets.
  4. Create a bucket in Object Storage.
  5. Upload the file of your service to the bucket.
  6. Create a security group.
  7. Create an Application Load Balancer backend group.
  8. Create an HTTP router and a virtual host.
  9. Create an L7 load balancer.
  10. Create a CDN.
  11. Configure DNS for the service.
  12. Test the service.

If you no longer need the resources you created, delete them.

Supported tools

You can complete most of the steps in this tutorial using any standard tool, such as the management console, Yandex Cloud and AWS CLIs, Terraform, and the Yandex Cloud API. Each step lists its respective supported tools.

Some steps do not support certain tools:

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

We will use a folder named example-folder as an example.

The infrastructure support costs include:

Add a certificate to Certificate Manager

Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.

The certificate must be located in the same folder as your CDN resource.

For a Let's Encrypt® certificate, have your rights checked for the domain specified in the certificate.

Create a cloud network and subnets

All resources belong to the same cloud network.

  1. In the management console, select example-folder.
  2. From the list of services, select Virtual Private Cloud.
  3. At the top right, click Create network.
  4. In the Name field, specify example-network.
  5. In the Advanced field, select Create subnets.
  6. Click Create network.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a network named example-network:

    yc vpc network create example-network

    Result:

    id: enptrcle5q3d********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T05:25:03Z"
name: example-network
default_security_group_id: enpbsnnop4ak********

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create subnets in all availability zones:

    • In ru-central1-a:

      yc vpc subnet create example-subnet-ru-central1-a \
  --zone ru-central1-a \
  --network-name example-network \
  --range 10.1.0.0/16

      Result:

      id: e9bnnssj8sc8********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T09:27:00Z"
name: example-subnet-ru-central1-a
network_id: enptrcle5q3d********
zone_id: ru-central1-a
v4_cidr_blocks:
- 10.1.0.0/16

    • In ru-central1-b:

      yc vpc subnet create example-subnet-ru-central1-b \
  --zone ru-central1-b \
  --network-name example-network \
  --range 10.2.0.0/16

      Result:

      id: e2lghukd9iqo********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T09:27:39Z"
name: example-subnet-ru-central1-b
network_id: enptrcle5q3d********
zone_id: ru-central1-b
v4_cidr_blocks:
- 10.2.0.0/16

    • In ru-central1-d:

      yc vpc subnet create example-subnet-ru-central1-d \
  --zone ru-central1-d \
  --network-name example-network \
  --range 10.3.0.0/16

      Result:

      id: b0c3pte4o2kn********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T09:28:08Z"
name: example-subnet-ru-central1-d
network_id: enptrcle5q3d********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.3.0.0/16

    For more information about the yc vpc subnet create command, see the CLI reference.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, describe the settings for example-network and its example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d subnets:

    resource "yandex_vpc_network" "example-network" {
  name = "example-network"
}

resource "yandex_vpc_subnet" "example-subnet-a" {
  name           = "example-subnet-ru-central1-a"
  zone           = "ru-central1-a"
  network_id     = "${yandex_vpc_network.example-network.id}"
  v4_cidr_blocks = ["10.1.0.0/16"]
}

resource "yandex_vpc_subnet" "example-subnet-b" {
  name           = "example-subnet-ru-central1-b"
  zone           = "ru-central1-b"
  network_id     = "${yandex_vpc_network.example-network.id}"
  v4_cidr_blocks = ["10.2.0.0/16"]
}

resource "yandex_vpc_subnet" "example-subnet-d" {
  name           = "example-subnet-ru-central1-d"
  zone           = "ru-central1-d"
  network_id     = "${yandex_vpc_network.example-network.id}"
  v4_cidr_blocks = ["10.3.0.0/16"]
}

    For more information, see the descriptions of yandex_vpc_network and yandex_vpc_subnet in the Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

  1. Create the example-network network using the NetworkService/Create gRPC API call or the API create REST API method.
  2. Create example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d in the three availability zones using the SubnetService/Create gRPC API call or the create REST API method.

Create a bucket in Object Storage

  1. In the management console, select example-folder.
  2. From the list of services, select Object Storage.
  3. At the top right, click Create bucket.
  4. In the ** Name** field, enter a name for the bucket.
  5. In the Object read access and Object listing access fields, select Public.
  6. Click Create bucket.

  1. Create a bucket:

    aws --endpoint-url https://storage.yandexcloud.net \
  s3 mb s3://<bucket_name>

    Result:

    make_bucket: s3://<bucket_name>

  2. Enable public access to reading objects and their list:

    aws --endpoint-url https://storage.yandexcloud.net \
  s3api put-bucket-acl \
  --bucket <bucket_name> \
  --acl public-read

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

  1. Describe the settings for creating a service account and access key in the configuration file:

    ...
// Creating a service account
resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

// Assigning a role to a service account
resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

// Creating a static access key
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

  2. Add the bucket settings to the configuration file:

    ...

resource "yandex_storage_bucket" "<bucket_name>" {
  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
  bucket     = "<bucket_name>"
  acl        = "public-read"
}

    For more information about yandex_storage_bucket, see the Terraform documentation.

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  4. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

Use the create REST API method.

Upload the file of your service to the bucket

  1. Create a file named index.html.

    Sample index.html file
    <!DOCTYPE html>
<html>
  <head>
    <title>My service</title>
  </head>
  <body>
    <p>The service is working</p>
  </body>
</html>

  2. Upload the file to the bucket:

    1. In the management console, select example-folder.
    2. From the list of services, select Object Storage.
    3. Select the bucket.
    4. Click Upload and select the index.html file for uploading.

    1. Upload the index.html file to the bucket:

      aws --endpoint-url https://storage.yandexcloud.net \
  s3 cp v1/index.html s3://<bucket_name>/index.html

      Result:

      upload: v1/index.html to s3://<bucket_name>/index.html

    1. Add to the configuration file the settings of the v1/index.html file being uploaded to the bucket:

      ...

resource "yandex_storage_object" "example-bucket-index" {
  bucket = "<bucket_name>"
  key    = "index.html"
  source = "v1/index.html"
}

      For more information about yandex_storage_object, see the Terraform documentation.

    2. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory where you created the configuration file.

      2. Run a check using this command:

        terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

    3. Deploy the cloud resources.

      1. If the configuration does not contain any errors, run this command:

        terraform apply

      2. Confirm creating the resources.

    Use the upload REST API method.

Create a security group

Security groups contain rules that allow the L7 load balancer to receive incoming traffic and send it to backend buckets.

To create security groups:

  1. In the management console, select example-folder.

  2. From the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. At the top right, click Create security group.

  5. In the Name field, specify example-sg.

  6. In the Network field, select example-network.

  7. Under Rules, create the following rules using the instructions below the table:

    Traffic
    direction    		 Description Port range Protocol Source /
    target    		 CIDR blocks
    Outgoing any All Any CIDR 0.0.0.0/0
    Incoming ext-http 80 TCP CIDR 0.0.0.0/0
    Incoming ext-https 443 TCP CIDR 0.0.0.0/0
    Incoming healthchecks 30080 TCP Load balancer healthchecks

    1. Navigate to the Egress or Ingress tab.

    2. Click Add.

    3. In the Port range field of the window that opens, specify a single port or a port range for traffic to come to or from.

    4. In the Protocol field, specify the required protocol or leave Any.

    5. In the Destination name or Source field, select the rule purpose:

      • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and subnet masks that traffic will come to or from. To add multiple CIDRs, click Add.
      • Load balancer healthchecks: Rule allowing a load balancer to health-check VMs.

    6. Click Save. Repeat these steps to create all rules from the table.

  8. Click Save.

Run the following command:

yc vpc security-group create example-sg \
  --network-name example-network \
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks

Result:

id: enpd133ngcnr********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T10:26:16Z"
name: example-sg
network_id: enptrcle5q3d********
status: ACTIVE
rules:
- id: enpkgrpi2gsi********
  direction: EGRESS
  protocol_name: ANY
  protocol_number: "-1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpgssij0i16********
  direction: INGRESS
  ports:
    from_port: "80"
    to_port: "80"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enp0bft67j9l********
  direction: INGRESS
  ports:
    from_port: "443"
    to_port: "443"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpmorcimu65********
  direction: INGRESS
  ports:
    from_port: "30080"
    to_port: "30080"
  protocol_name: TCP
  protocol_number: "6"
  predefined_target: loadbalancer_healthchecks

For more information about the yc vpc security-group create command, see the CLI reference.

  1. Add the example-sg security group parameters to the configuration file:

    resource "yandex_vpc_security_group" "example-sg" {
  name       = "example-sg"
  network_id = "yandex_vpc_network.example-network.id"

  egress {
    protocol       = "ANY"
    from_port      = 0
    to_port        = 65535
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol       = "TCP"
    port           = 80
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol          = "TCP"
    port              = 30080
    predefined_target = "loadbalancer_healthchecks"
  }
}

    For more information about resource settings in Terraform, see the relevant Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

Use the SecurityGroupService/Create gRPC API call or the create REST API method.

To add a rule for load balancer health checks, use the loadbalancer_healthchecks parameter in the SecurityGroupRuleSpec.target.predefined_target field for the gRPC API or the predefinedTarget field for the REST API.

Create a Application Load Balancer backend group

  1. In the management console, select example-folder.
  2. From the list of services, select Application Load Balancer.
  3. In the left-hand panel, select Backend groups.
  4. At the top right, click Create backend group.
  5. In the Name field, specify example-bg.
  6. In the Type field, select HTTP as the backend group type.
  7. Under Backends, click Add and set up the backend:
    1. In the Name field, specify example-backend.
    2. In the Weight field, specify 100.
    3. In the Type field, select Bucket as the backend type.
    4. In the Bucket field, select the previously created bucket.
  8. Click Create.

If you are going to complete the next steps in Terraform, copy the ID of the example-bg backend group from the Backend groups tab.

Use the BackendGroupService/Create gRPC API call or the create REST API method.

Create an HTTP router and a virtual host

  1. In the management console, select example-folder.

  2. From the list of services, select Application Load Balancer.

  3. In the left-hand panel, select HTTP routers.

  4. At the top right, click Create HTTP router.

  5. In the Name field, specify example-router.

  6. Create a virtual example-vh host:

    1. Under Virtual hosts, click Add virtual host.
    2. In the Name field, specify example-vh.
    3. In the Authority field, specify cdn.yandexcloud.example.
    4. Click Add route.
    5. In the Name field, specify example-route.
    6. In the Path field, select Starts with and specify the / path.
    7. From the HTTP methods list, select GET.
    8. In the Action field, keep Routing.
    9. From the Backend group list, select example-bg.

  7. Leave all other settings unchanged and click Create.

  1. Create an HTTP router example-router:

    yc alb http-router create example-router

    Result:

    id: ds7qd0vj01dj********
name: example-router
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T10:31:41.027649223Z"

    For more information about the yc alb http-router create command, see the CLI reference.

  2. Create a virtual example-vh host:

    yc alb virtual-host create example-vh \
  --http-router-name example-router \
  --authority cdn.yandexcloud.example

    Result:

    done (1s)
name: example-vh
authority:
- cdn.yandexcloud.example

    For more information about the yc alb virtual-host create command, see the CLI reference.

  3. Create a route named example-route in the example-vh virtual host:

    yc alb virtual-host append-http-route example-route \
  --http-router-name example-router \
  --virtual-host-name example-vh \
  --prefix-path-match "/" \
  --backend-group-name example-bg

    Result:

    done (1s)
name: example-vh
authority:
- cdn.yandexcloud.example
routes:
- name: example-route
  http:
    match:
      path:
        prefix_match: /
    route:
      backend_group_id: ds7pbm5fj2v0********

    For more information about the yc alb virtual-host append-http-route command, see the CLI reference.

  1. Add to the configuration file the settings of the HTTP router named example-router, its virtual hosts, and routes:

    ...

resource "yandex_alb_http_router" "example-router" {
  name = "example-router"
}

resource "yandex_alb_virtual_host" "example-vh" {
  name           = "example-vh"
  http_router_id = ${yandex_alb_http_router.example-router.id}
  authority      = "cdn.yandexcloud.example"
  
  route {
    name = "example-route"
    http_route {
      http_route_action {
        backend_group_id = "<example-bg_backend_group_ID>"
      }
    }
  }  
}

    For more information, see the description of yandex_alb_http_router and yandex_alb_virtual_hostin the Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

  1. Create the example-router HTTP router using the HttpRouterService/Create gRPC API call or the create REST API method.
  2. Create the example-vh virtual host linked to the router and its route using the VirtualHostService/Create gRPC API call or the create REST API method.

Create an L7 load balancer

  1. In the management console, select example-folder.

  2. From the list of services, select Application Load Balancer.

  3. At the top right, click Create L7 load balancer.

  4. In the Name field, specify example-balancer.

  5. Under Network settings:

    1. In the Network field, select example-network.
    2. In the Security groups field, select example-sg. If you leave this field blank, any incoming and outgoing traffic will be allowed for the load balancer.

  6. Under Allocation, select the three subnets for the load balancer nodes (example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d) and enable traffic to these subnets.

  7. Under Listeners, click Add listener and set up the listener:

    1. In the Name field, specify example-listener.
    2. Under Public IP address:
      • In the Port field, specify 80.
      • In the Type field, select Automatically.

  8. In the HTTP router field, select example-router.

  9. Click Create.

  1. Get the subnet IDs for example-network:

    yc vpc network list-subnets example-network

    Result:

    +----------------------+----------------------------------+----------------------+----------------------+----------------+-------------------+---------------+
|          ID          |               NAME               |      FOLDER ID       |      NETWORK ID      | ROUTE TABLE ID |       ZONE        |     RANGE     |
+----------------------+----------------------------------+----------------------+----------------------+----------------+-------------------+---------------+
| e9bnnssj8sc8******** |   example-subnet-ru-central1-d   | b1g9hv2loamq******** | enptrcle5q3d******** |                |   ru-central1-d   | [10.1.0.0/16] |
| e2lghukd9iqo******** |   example-subnet-ru-central1-b   | b1g9hv2loamq******** | enptrcle5q3d******** |                |   ru-central1-b   | [10.2.0.0/16] |
| b0c3pte4o2kn******** |   example-subnet-ru-central1-a   | b1g9hv2loamq******** | enptrcle5q3d******** |                |   ru-central1-a   | [10.3.0.0/16] |
+----------------------+----------------------------------+----------------------+----------------------+----------------+-------------------+---------------+

    For more information about the yc vpc network list-subnets command, see the CLI reference.

  2. Get the example-sg security group ID:

    yc vpc security-group get example-sg | grep "^id"

    Result:

    id: enpd133ngcnr********

    For more information about the yc vpc security-group get command, see the CLI reference.

  3. Create a load balancer named example-balancer:

    yc alb load-balancer create example-balancer \
  --network-name example-network \
  --security-group-id <example-sg_security_group_ID> \
  --location zone=ru-central1-a,subnet-id=<example-subnet-ru-central1-a_subnet_ID> \
  --location zone=ru-central1-b,subnet-id=<example-subnet-ru-central1-b_subnet_ID> \
  --location zone=ru-central1-d,subnet-id=<example-subnet-ru-central1-c_subnet_ID>

    Result:

    done (3m0s)
id: ds77q7v39b4u********
name: example-balancer
folder_id: b1g9hv2loamq********
status: ACTIVE
region_id: ru-central1
network_id: enptrcle5q3d********
allocation_policy:
  locations:
  - zone_id: ru-central1-d
    subnet_id: b0c3pte4o2kn********
  - zone_id: ru-central1-b
    subnet_id: e2lghukd9iqo********
  - zone_id: ru-central1-a
    subnet_id: e9bnnssj8sc8********
log_group_id: ckg23vr4dlks********
security_group_ids:
- enpd133ngcnr********
created_at: "2022-04-04T10:55:49.134935148Z"

    For more information about the yc alb load-balancer create command, see the CLI reference.

  4. Add a listener to the load balancer:

    yc alb load-balancer add-listener \
  --name example-balancer \
  --listener-name example-listener \
  --external-ipv4-endpoint port=80 \
  --http-router-name example-router

    Result:

    done (43s)
id: ds77q7v39b4u********
name: example-balancer
folder_id: b1g9hv2loamq********
status: ACTIVE
region_id: ru-central1
network_id: enptrcle5q3d********
listeners:
- name: example-listener
  endpoints:
  - addresses:
    - external_ipv4_address:
        address: 84.252.133.149
    ports:
    - "80"
  http:
    handler:
      http_router_id: ds7qd0vj01dj********
allocation_policy:
  locations:
  - zone_id: ru-central1-d
    subnet_id: b0c3pte4o2kn********
  - zone_id: ru-central1-b
    subnet_id: e2lghukd9iqo********
  - zone_id: ru-central1-a
    subnet_id: e9bnnssj8sc8********
log_group_id: ckg23vr4dlks********
security_group_ids:
- enpd133ngcnr********
created_at: "2022-04-04T10:55:49.134935148Z"

    For more information about the yc alb load-balancer add-listener command, see the CLI reference.

  1. Add the settings of the example-balancer L7 load balancer to the configuration file:

    ...

resource "yandex_alb_load_balancer" "example-balancer" {
  name               = "example-balancer"
  network_id         = ${yandex_vpc_network.example-network.id}
  security_group_ids = [ ${yandex_vpc_security_group.example-sg.id} ]

  allocation_policy {
    location {
      zone_id   = "ru-central1-a"
      subnet_id = ${yandex_vpc_subnet.example-subnet-ru-central1-a.id}
    }

    location {
      zone_id   = "ru-central1-b"
      subnet_id = ${yandex_vpc_subnet.example-subnet-ru-central1-b.id}
    }

    location {
      zone_id   = "ru-central1-d"
      subnet_id = ${yandex_vpc_subnet.example-subnet-ru-central1-d.id}
    }
  }

  listener {
    name = "example-listener"
    endpoint {
      address {
        external_ipv4_address {
        }
      }
      ports = [80]
    }
    http {
      handler {
        http_router_id = ${yandex_alb_http_router.example-router.id}
      }
    }
  }
}

    For more information about yandex_alb_load_balancer, see the Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

Use the LoadBalancerService/Create gRPC API call or the create REST API method.

Create a CDN

  1. In the management console, select example-folder.

  2. From the list of services, select Cloud CDN.

  3. If the CDN provider is not activated yet, click Activate provider. A connection will be established automatically.

    If you do not see the Activate provider button and you can create resources and origin groups, it means that the provider is already activated. Proceed to the next step.

  4. Create a CDN:

    1. At the top right, click Create resource.

    2. Configure the basic CDN settings:

      • Content query: From one origin

      • Origin type: L7 load balancer

      • L7 load balancer: example-balancer

      • IP address: IP address assigned to the load balancer (the only one in the list).

      • Domain name: cdn.yandexcloud.example

        Alert

        The cdn.yandexcloud.example domain name will become the primary one, and you will not be able to edit it after you create a CDN.

      • Under Additional settings:

        • In the Origin request protocol field, select HTTP.
        • In the Redirect clients field, select Don't use.
        • Select End-user access to content.
        • In the Certificate type field, specify Use from Certificate Manager and select a certificate for the cdn.yandexcloud.example domain name.
        • In the Host header field, select Match client.

    3. Click Create.

  5. Enable a client redirect from HTTP to HTTPS:

    1. Select the resource you created earlier.
    2. Make sure the certificate status under Additional settings has changed to Issued.
    3. At the top right, click Edit.
    4. Under Additional settings, select HTTP to HTTPS in the Redirect clients field.
    5. Click Save.

  1. If the CDN provider has not been activated yet, run this command:

    yc cdn provider activate --folder-id <folder_ID> --type gcore

  2. Create example-origin-group by indicating the load balancer’s IP address:

    yc cdn origin-group create --name "example-origin-group" \
  --origin source=<load_balancer_IP_address>:80,enabled=true

    Result:

    id: "90748"
folder_id: b1geoelk7fld********
name: example-origin-group
use_next: true
origins:
- id: "562449"
  origin_group_id: "90748"
  source: 51.250.10.216:80
  enabled: true

    For more information about the yc cdn origin-group create command, see the CLI reference.

  3. Copy origin_group_id from the previous step and create a CDN by running this command:

    yc cdn resource create \
  --cname cdn.yandexcloud.example \
  --origin-group-id <origin_group_ID> \
  --origin-protocol http \
  --cert-manager-ssl-cert-id <certificate_ID> \
  --forward-host-header

    Result:

    id: bc843k2yinvq********
folder_id: b1ge1elk72ld********
cname: cdn.yandexcloud.example
...
active: true
...
...
...

    For more information about the yc cdn resource create command, see the CLI reference.

  4. Enable a client redirect for the resource:

    yc cdn resource update <resource_ID> --redirect-http-to-https

  1. Add the CDN settings to the configuration file:

    ...

resource "yandex_cdn_origin_group" "my_group" {
  name     = "example-origin-group"
  use_next = true
  origin {
   source = "<load_balancer_IP_address>:80"
   backup = false
  }
}

resource "yandex_cdn_resource" "my_resource" {

    cname               = "cdn.yandexcloud.example"
    active              = true
    origin_protocol     = "http"
    origin_group_id     = yandex_cdn_origin_group.my_group.id
    ssl_certificate {
      type                   = "certificate_manager"
      certificate_manager_id = "<certificate_ID>"
    }
    options {
        edge_cache_settings    = "345600"
        browser_cache_settings = "1800"
        ignore_cookie          = true
        ignore_query_params    = false
    }

}

    For more information, see the description of yandex_cdn_origin_group and yandex_cdn_resource in the Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources by typing yes in the terminal and pressing Enter.

    This will create all resources you need in the specified folder. You can check the new resources and their settings using the management console.

  4. Enable a client redirect for the resource. Add this field at the top of the options section for the CDN at hand:

    ...
options {
  redirect_https_to_http = true
...

  5. Run a check using this command:

    terraform plan

    If you described the configuration correctly, the terminal will display a list of updated resources and their settings. If the configuration contains any errors, Terraform will point them out.

  6. If there are no errors, run this command:

    terraform apply

  7. Confirm updating the resource by typing yes in the terminal and pressing Enter.

This enables a redirect for the resource.

Use the ResourceService/Create gRPC API call or the create REST API method.

Configure DNS for the service

The cdn.yandexcloud.example domain name must be linked to the CDN using DNS records.

To configure DNS:

  1. Get the domain name of the CDN load balancer:

    1. In the management console, select example-folder.
    2. From the list of services, select Cloud CDN.
    3. From the list of CDN resources, select the one with cdn.yandexcloud.example as its primary domain name.
    4. From DNS settings at the bottom of the page, copy the domain name in cl-********.edgecdn.ru format.

  2. On the website of your DNS hosting provider, navigate to the DNS settings.

  3. Create or edit a CNAME record for cdn.yandexcloud.example so that it points to the domain name you copied:

    cdn CNAME cl-********.edgecdn.ru

    Note

    Do not use an ANAME resource record with domain names for content distribution; otherwise, the end user will get a response from a CDN server not linked to the user's geolocation. The response will always be the same for all users.

    If you use Cloud DNS, follow this tutorial to configure the record:

    Configuring DNS records for Cloud DNS

    1. In the management console, select Cloud DNS.

    2. If you do not have a public DNS zone, create one:

      1. Click Create zone.
      2. In the Zone field, enter the website domain name with a trailing dot: yandexcloud.example..
      3. In the Type field, select Public.
      4. In the Name field, specify example-dns-zone.
      5. Click Create.

    3. Create a CNAME record for cdn.yandexcloud.example in the zone:

      1. Select example-dns-zone.
      2. Click Create record.
      3. In the Name field, specify cdn.
      4. In the Type field, specify CNAME.
      5. In the Data field, paste the value you copied in cl-********.edgecdn.ru format.
      6. Click Create.

    1. If you do not have a public DNS zone, create one:

      yc dns zone create \
  --name example-dns-zone \
  --zone yandexcloud.example. \
  --public-visibility

      Result:

      id: dns4rq4taddd********
folder_id: b1g9hv2loamq********
created_at: "2022-04-04T11:03:28.847Z"
name: example-dns-zone
zone: yandexcloud.example.
public_visibility: {}

      For more information about the yc dns zone create command, see the CLI reference.

    2. In the zone, create a CNAME record for cdn.yandexcloud.example with the copied value in cl-********.edgecdn.ru format:

      yc dns zone add-records \
  --name example-dns-zone \
  --record "cdn CNAME cl-********.edgecdn.ru" \

      For more information about the yc dns zone add-records command, see the CLI reference.

    1. Add the example-dns-zone settings and the zone’s CNAME records to the configuration file:

      ...

resource "yandex_dns_zone" "example-dns-zone" {
  zone   = "yandexcloud.example."
  name   = "example-dns-zone"
  public = true
}

resource "yandex_dns_recordset" "example-recordset" {
  zone_id = ${yandex_dns_zone.example-dns-zone.id}
  name    = "cdn"
  type    = "CNAME"
  data    = ["<copied_value_in_cl-********.edgecdn.ru_format>"]
}

      For more information, see the descriptions of yandex_dns_zone and yandex_dns_recordset in the Terraform documentation.

    2. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory where you created the configuration file.

      2. Run a check using this command:

        terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

    3. Deploy the cloud resources.

      1. If the configuration does not contain any errors, run this command:

        terraform apply

      2. Confirm creating the resources.

    1. Create a DNS zone named example-dns-zone using the gRPC API DnsZoneService/Create call or the create REST API method.
    2. Add the cdn CNAME record with the copied cl-********.edgecdn.ru value to the zone using the DnsZoneService/UpdateRecordSets gRPC API call or the updateRecordSets REST API method.

A few hours might be needed to update DNS records on DNS servers. After that, you can check the health of the service.

Test the service

To check service performance, open https://cdn.yandexcloud.example/index.html in your browser. You should see a page with the following content:

<!DOCTYPE html>
<html>
  <head>
    <title>My service</title>
  </head>
  <body>
    <p>The service is working</p>
  </body>
</html>

How to delete the resources you created

To shut down the infrastructure and stop paying for the resources you created:

  1. If you set up CNAME records in Cloud DNS, delete the example-dns-zone DNS zone.
  2. Delete the CDN with cdn.yandexcloud.example as the primary domain name.
  3. Delete the example-balancer L7 load balancer.
  4. Delete all objects from the bucket.
  5. Delete the bucket.
  6. Delete example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d.
  7. Delete example-network.
Previous
Server-side encryption
Next
Blue-green and canary deployment of service versions