Contact UsGet started

Implementing fault-tolerant use cases for network VMs

Written by
Updated at March 4, 2025

In Yandex Cloud, you can deploy a cloud infrastructure using network VMs that provide firewall protection, network security, and traffic routing. With static routing, traffic is routed from subnets to network VMs.

To ensure high availability, we will deploy two NAT VMs in different availability zones, using route-switcher module to automatically switch outbound traffic between them.

This tutorial describes a use case when the route-switcher module provides fault tolerance of a NAT instance, a network VM with preset routing and IP address translation rules. NAT instances help provide internet access for VMs and other cloud resources hosted in Yandex Cloud.

In the flow chart below, NAT-A is the main internet gateway, while NAT-B is a standby one.

Description of the scheme elements
Element name Description
NAT-A, NAT-B NAT instances that provide internet access to cloud resources by translating the resources' internal IP addresses to the NAT instances' public IPs.
VPC: demo Virtual Private Cloud network
private-a Subnet in the ru-central1-a availability zone for hosting resources that require internet access.
public-a, public-b Subnets in the ru-central1-a and ru-central1-b availability zones hosting the NAT instances.
public ip a, public ip b NAT instances’ public IP addresses.
NLB Internal network load balancer required for the route-switcher module to run; it checks whether the NAT instances are available by performing health checks on port TCP 22.

If NAT-A fails, route-switcher will switch outbound traffic to NAT-B by changing its route table’s Next hop value to the NAT-B internal IP address. After that, NAT-B will provide internet access.

Once NAT-A recovers, route-switcher will change the Next hop value to the NAT-A internal IP address, thus rerouting outbound traffic to NAT-A.

In this tutorial, we will create a test infrastructure showing how route-switcher works. Our example will include the following components:

  • nat-a: Main NAT instance.
  • nat-b: Standby NAT instance.
  • test-vm: VM within the infrastructure's internal perimeter that is going to have internet access through the respective NAT instance.
  • route-switcher-lb-...: Network load balancer required for the route-switcher module to run and used to check if the NAT instances are available.
  • route-switcher-...: Cloud function that switches outgoing traffic over to the standby NAT instance if the main one is down.

To deploy the infrastructure and test route-switcher:

  1. Get your cloud ready.
  2. Prepare the environment.
  3. Deploy your resources.
  4. Enable the route-switcher module.
  5. Test the solution for performance and fault tolerance.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support cost includes:

Configure the CLI profile

  1. If you do not have the Yandex Cloud command line interface yet, install it and sign in as a user.

  2. Create a service account:

    1. In the management console, select the folder where you want to create a service account.
    2. From the list of services, select Identity and Access Management.
    3. Click Create service account.
    4. Specify the service account name, e.g., sa-terraform.
    5. Click Create.

    The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

    To create a service account, run the command below and specify the sa-terraform name:

    yc iam service-account create --name sa-terraform

    Where name is the service account name.

    Result:

    id: ajehr0to1g8b********
folder_id: b1gv87ssvu49********
created_at: "2023-06-20T09:03:11.665153755Z"
name: sa-terraform

    To create a service account, use the ServiceAccountService/Create gRPC API call or the create REST API method for the ServiceAccount resource.

  3. Assign the service account the administrator role for the folder:

    1. On the management console home page, select a folder.
    2. Navigate to the Access bindings tab.
    3. Find the sa-terraform account in the list and click .
    4. Click Edit roles.
    5. In the dialog that opens, click Add role and select the admin role.

    Run this command:

    yc resource-manager folder add-access-binding <folder_ID> \
   --role admin \
   --subject serviceAccount:<service_account_ID>

    To assign a service account a role for a folder, use the setAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

  4. Set up a CLI profile to run operations on behalf of the service account:

    1. Create a service account authorized key and save it to the file:

      yc iam key create \
--service-account-id <service_account_ID> \
--folder-id <service_account_folder_ID> \
--output key.json

      Where:

      • service-account-id: Service account ID.
      • folder-id: ID of the service account folder.
      • output: Name of the authorized key file.

      Result:

      id: aje8nn871qo4********
service_account_id: ajehr0to1g8b********
created_at: "2023-06-20T09:16:43.479156798Z"
key_algorithm: RSA_2048

    2. Create a CLI profile to perform operations under the service account:

      yc config profile create sa-terraform

      Result:

      Profile 'sa-terraform' created and activated

    3. Set the profile configuration:

      yc config set service-account-key key.json

      Where:

      service-account-key: Authorized key file name.

    4. Add your credentials to the environment variables:

      export YC_TOKEN=$(yc iam create-token)

Set up the environment for deploying the resources

  1. Install Terraform.

  2. Install Git with this command:

    sudo apt install git

  3. Clone the yandex-cloud-examples/yc-route-switcher GitHub repository and navigate to the directory containing resources for our example:

    git clone https://github.com/yandex-cloud-examples/yc-route-switcher.git
cd yc-route-switcher/examples

  4. Open the terraform.tfvars file, e.g., using the nano editor:

    nano terraform.tfvars

  5. Edit the following:

    1. Line with the folder ID:

      folder_id = "<folder_ID>"

    2. String with a list of allowed public IP addresses for test-vm access:

      trusted_ip_for_mgmt = ["<workstation_external_IP_address>/32"]

      Where:
      <workstation_external_IP_address> is your computer public IP address.

      To find out the external IP address of your workstation, run:

      curl 2ip.ru

      Result:

      192.240.24.87

Deploy your resources

  1. Initialize Terraform:

    terraform init

  2. Check whether the Terraform configuration files are correct:

    terraform validate

  3. Preview your new cloud resources:

    terraform plan

  4. Create the resources:

    terraform apply

  5. Wait until the command completes and save its output:

    Outputs:
nat-a_public_ip_address = "***.***.129.139"
nat-b_public_ip_address = "***.***.105.234"
path_for_private_ssh_key = "./pt_key.pem"
test_vm_password = <sensitive>
vm_username = "admin"

Enable the route-switcher module

  1. Make sure the NAT gateways are running and available from the internal network:

    1. In the management console, select your infrastructure folder.
    2. Select Network Load Balancer and navigate to the route-switcher-lb-... page.
    3. Open the target group and make sure its resources are Healthy.

  2. Open the route-switcher.tf file, e.g., using the nano editor:

    nano route-switcher.tf

  3. Change the start_module value in the route-switcher module to true.

  4. Start the module with this command:

    terraform apply

    Within five minutes, route-switcher will start its work, providing fault tolerance for outbound NAT traffic.

Test the solution for performance and fault tolerance

Testing the system performance

  1. Connect to the test-vm serial console:

    1. In the management console, select your infrastructure folder.
    2. Select Compute Cloud.
    3. In the VM list, select test-vm.
    4. Navigate to the Serial console tab.
    5. Wait for the operating system to start up completely.

  2. Enter the admin username and password.
    To get the password, run this command in your computer terraform scenario directory:

    terraform output test_vm_password

  3. Make sure test-vm is connected to the internet via the public IP address of nat-a. Run the following command in the serial console:

    curl ifconfig.co

    Compare the IP address you get with nat-a_public_ip_address you saved earlier.

  4. Emulate test VM outbound traffic by running ping:

    ping ya.ru

    Make sure you get ICMP response:

    PING ya.ru (77.88.55.242) 56(84) bytes of data.
64 bytes from ya.ru (77.88.55.242): icmp_seq=1 ttl=56 time=4.67 ms
64 bytes from ya.ru (77.88.55.242): icmp_seq=2 ttl=56 time=3.83 ms
64 bytes from ya.ru (77.88.55.242): icmp_seq=3 ttl=56 time=3.80 ms
64 bytes from ya.ru (77.88.55.242): icmp_seq=4 ttl=56 time=3.78 ms

  5. Make sure the Next hop value in the route table for the demo network matches the internal IP address of nat-a.

Testing the system fault tolerance

  1. Emulate a system failure by stopping the main NAT gateway:

    1. In the management console, select your infrastructure folder.
    2. Select Compute Cloud.
    3. Select the nat-a VM from the list, click , and select Stop.
    4. In the window that opens, click Stop.

    1. See the description of the CLI command for stopping a VM:

      yc compute instance stop --help

    2. Stop the VM:

      yc compute instance stop nat-a

    Use the stop REST API method for the Instance resource or the InstanceService/Stop gRPC API call.

  2. Monitor the loss of packets sent by ping.
    After the main NAT instance is disabled, there may be a traffic loss for around one minute, and then the traffic should recover.

  3. Make sure internet access is now provided via the public IP address of nat-b. To do this, in the serial console, stop the ping command and run the following one:

    curl ifconfig.co

    Compare the IP address with the nat-b_public_ip_address value from the resulting output.

  4. Check that the route-switcher has changed the Next hop value in the route table for the demo network and it now matches the internal IP address of nat-b.

  5. Enable outgoing traffic from the test VM using the ping command.

  6. Run the main NAT instance by emulating system recovery:

    1. In the management console, select your infrastructure folder.
    2. Select Compute Cloud.
    3. Select the nat-a VM from the list, click , and select Stop.
    4. In the window that opens, click Start.

    1. See the description of the instance stop CLI command:

      yc compute instance start --help

    2. Stop the VM:

      yc compute instance start nat-a

    Use the start REST API method for the Instance resource or the InstanceService/Start gRPC API call.

  7. Monitor the ping utility output. While the NAT-A instance is being recovered, there may be no loss of sent packets.

  8. Make sure internet access is provided via the public IP address of nat-a again. To do this, in the serial console, stop the ping command and run the following one:

    curl ifconfig.co

    Compare the IP address with the nat-a_public_ip_address value from the resulting output.

  9. Check that the route-switcher has changed the Next hop value in the route table for the demo network and it matches the internal IP address of nat-a again.

How to delete the resources you created

To stop paying for the resources you created, run this command:

terraform destroy

Warning

Terraform will permanently delete all the resources you created, e.g., networks, subnets, VMs, load balancer, etc.

Previous
Setting up a UserGate firewall
Next
Implementing a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point NGFW