Architecture and protection of a basic internet service
Follow this guide to deploy and configure the infrastructure of a basic internet service with multiple VMs. You will connect to the infrastructure from a remote site. To restrict access to the VMs, you will configure security groups. A network load balancer will distribute the load across web app servers.
This diagram illustrates networking between the remote site and the basic internet service:

Remote site:
- `remote-net` network with `subnet-1` (`10.129.0.0/24`).
- Test VM running Linux Ubuntu named `vm-1` residing in `subnet-1`. This VM is used to health-check the cloud site infrastructure.

Note
You can also use your PC as the remote site. To do this, you need to know the local machine's subnet CIDR and the external IP address it uses to access the internet.

Cloud site:
- Network named `network` with the following subnets: `subnet-a` (`192.168.5.0/24`), `subnet-b` (`192.168.15.0/24`), and `subnet-d` (`192.168.25.0/24`).
- IPsec instance (gateway) named `vpn` residing in `subnet-a`. The IPsec gateway provides an IPsec connection to the remote site and allows networking between cloud VMs.
- Route table with `vpn-route` (static route) directing traffic from the remote site's `subnet-1` towards the cloud site VMs via the main IPsec gateway.
- Drupal VMs of the basic internet service: `web-node-a`, `web-node-b`, and `web-node-d` residing in `subnet-a`, `subnet-b`, and `subnet-d`, respectively.
- `vpn-sg` security group used by the `vpn` VM to manage traffic in the IPSec tunnel.
- `web-service-sg` security group allowing traffic between the `web-node-a`, `web-node-b`, and `web-node-d` VMs.
- `web-service-lb` load balancer distributing incoming traffic across `web-node-a`, `web-node-b`, and `web-node-d`.
To create the infrastructure of an internet service:
1. Prepare your cloud.
2. Set up a remote site.
3. Set up a cloud site.
4. Create and configure security groups.
5. Create and configure VMs on the cloud site.
6. Configure VPN routing.
7. Create a network load balancer.
8. Test the infrastructure.

If you no longer need the infrastructure, delete the created resources.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of support for the new infrastructure includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for using public static IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Set up a remote site
At this stage, you will create and set up an infrastructure for your remote site. This comprises a network, a subnet, and a VM to access the infrastructure of the basic internet service.
Note
You can use your PC as the remote site. To do this, find out your PC's subnet CIDR and the external IP address it uses to access the internet.
If you are going to use your PC as the remote site, skip this section and go to Set up a cloud site.
Create a network and subnet
1. Create a network named `remote-net`. When creating your network, disable the Create subnets option.
2. Create a subnet for your remote site test VM with the following parameters:
   - Name: `subnet-1`.
   - Zone: `ru-central1-b`.
   - Network: `remote-net`.
   - CIDR: `10.129.0.0/24`.
Create a test VM
Create a VM you will use to connect to the basic internet service infrastructure from the outside.
1. In the management console, select the folder to create your VM in.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, select the Ubuntu 22.04 LTS OS Login image.
6. Under Location, select the `ru-central1-b` availability zone.
7. Under Network settings:
   - In the Subnet field, select `subnet-1`.
   - In the Public IP field, select `Auto`.
8. Under Access, select Access by OS Login to connect and manage access to the new VM using OS Login in Yandex Cloud Organization.
   With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the YC CLI. OS Login allows you to rotate the SSH keys used to access the VM, providing the most secure access option.
9. Under General information, specify the VM name: `vm-1`.
10. Click Create VM.
11. Get the public IP address of the new VM:
    1. Wait until the status of `vm-1` changes to `Running` and click the row with this VM.
    2. In the VM overview page that opens, copy the value in the Public IPv4 address field under Network interface.

    You will need the remote VM's public IP address later when creating a security group.
Set up a cloud site
Create and set up a cloud network
1. In the management console, go to the folder where you want to deploy the infrastructure.
2. In the list of services, select Virtual Private Cloud.
3. Create a cloud network named `network`. When creating your network, disable the Create subnets option.
4. In `network`, create subnets with the following parameters:
   - To connect the `web-node-a` VM and the `vpn` IPSec instance:
     - Name: `subnet-a`.
     - Zone: `ru-central1-a`.
     - Network: `network`.
     - CIDR: `192.168.5.0/24`.
   - To connect the `web-node-b` VM:
     - Name: `subnet-b`.
     - Zone: `ru-central1-b`.
     - Network: `network`.
     - CIDR: `192.168.15.0/24`.
   - To connect the `web-node-d` VM:
     - Name: `subnet-d`.
     - Zone: `ru-central1-d`.
     - Network: `network`.
     - CIDR: `192.168.25.0/24`.
Reserve two static public IP addresses
For your internet service to run, you need two static public IP addresses: one to be assigned to the VPN gateway and the other to the network load balancer.
1. In the management console, go to the folder with the IP addresses to reserve.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select IP addresses.
4. Click Reserve address.
5. In the window that opens, select the `ru-central1-a` availability zone and click Reserve.
6. Repeat steps 4 to 5 and reserve a static public IP address in the `ru-central1-b` availability zone.
Create and configure security groups
To distribute traffic between network segments, create security groups and set up rules for receiving and sending traffic.
Create a security group for the VPN gateway
For your VPN to work properly, allow inbound and outbound traffic on UDP ports `500` and `4500` from an external network. This is required for using the IPsec tunnel. You also need to allow traffic between the subnets of your virtual network and the network at the remote site.
1. In the management console, go to the folder where you want to create the security group.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Security groups.
4. Click Create security group.
5. Enter a name for the security group: `vpn-sg`.
6. In the Network field, select `network`, which you created earlier.
7. Under Rules, create rules based on the table below:

   | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
   |---|---|---|---|---|---|
   | Incoming | udp500 | 500 | UDP | CIDR | `<remote_VM_public_IP_address>/32` |
   | Incoming | udp4500 | 4500 | UDP | CIDR | `<remote_VM_public_IP_address>/32` |
   | Incoming | internal | 0-65535 | Any | CIDR | `192.168.5.0/24`, `192.168.15.0/24`, `192.168.25.0/24`, `10.129.0.0/24` ¹ |
   | Outgoing | udp500 | 500 | UDP | CIDR | `<remote_VM_public_IP_address>/32` |
   | Outgoing | udp4500 | 4500 | UDP | CIDR | `<remote_VM_public_IP_address>/32` |
   | Outgoing | intersubnet | 0-65535 | Any | CIDR | `192.168.5.0/24`, `192.168.15.0/24`, `192.168.25.0/24`, `10.129.0.0/24` ¹ |

   ¹ To use a local PC as your test VM, specify here the CIDR for the subnet this PC resides in.

8. Click Create.
Create a security group for the internet service's VMs
1. In the management console, go to the folder where you want to create the security group.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Security groups.
4. Click Create security group.
5. Enter a name for the security group: `web-service-sg`.
6. In the Network field, select `network`, which you created earlier.
7. Under Rules, create rules based on the table below:

   | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks / Security group |
   |---|---|---|---|---|---|
   | Incoming | ssh | 22 | TCP | CIDR | `0.0.0.0/0` |
   | Incoming | anyself | 0-65535 | Any | Security group | Current |
   | Incoming | healthchecks | 80 | TCP | Load balancer healthchecks | — |
   | Outgoing | self | 0-65535 | Any | Security group | Current |

8. Click Create.
Create and configure VMs on the cloud site
Create VMs for the service in all availability zones
1. In the management console, select the folder where you want to create your VMs.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, go to the Marketplace tab and select the Drupal 10 image.
6. Under Location, select the `ru-central1-a` availability zone.
7. Under Network settings:
   - Select the `subnet-a` subnet.
   - In the Public IP field, select `No address`.
   - Select the `web-service-sg` security group.
8. Under Access:
   - Select the SSH key connection option.
   - In the Login field, enter a name for the user.

     Alert
     Do not use `root` or other usernames reserved by the OS. To perform operations requiring superuser permissions, use the `sudo` command.
   - In the SSH key field, select the SSH key saved in your organization user profile.
     If there are no saved SSH keys in your profile, or you want to add a new key:
     - Click Add key.
     - Enter a name for the SSH key.
     - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
     - Select an expiration date for the key.
     - Click Add.

     The SSH key will be added to your organization user profile.
     If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
9. Under General information, specify the VM name: `web-node-a`.
10. Click Create VM.
11. Repeat steps 4 to 10 to create the `web-node-b` and `web-node-d` VMs. Create the VMs in the `ru-central1-b` and `ru-central1-d` availability zones and connect them to `subnet-b` and `subnet-d`, respectively.
Create an IPSec instance for remote access
To provide secure access to your resources, create an IPSec instance.
1. In the management console, go to the folder where you want to create your VM.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, go to the Marketplace tab and select the IPSec instance image.
6. Under Location, select the `ru-central1-a` availability zone.
7. Under Network settings:
   - Select the `subnet-a` subnet.
   - In the Public IP field, select `List`. In the list that opens, select the IP address that you reserved.
   - Select the `vpn-sg` security group.
8. Under Access, select SSH key and specify the VM access data:
   - Under Login, enter the username. Do not use `root` or other names reserved by the OS. To perform operations requiring superuser permissions, use the `sudo` command.
   - In the SSH key field, select the SSH key saved in your organization user profile.
     If there are no saved SSH keys in your profile, or you want to add a new key:
     - Click Add key.
     - Enter a name for the SSH key.
     - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
     - Click Add.

     The SSH key will be added to your organization user profile.
     If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
9. Under General information, specify the VM name: `vpn`.
10. Click Create VM.
11. Wait until the status of the new `vpn` VM changes to `Running` and copy the value from the Internal IPv4 field in the row with this VM. You will need the gateway's internal address when configuring the static route.
Configure VPN routing
Configure routing between the remote site's subnet and IPSec instance.
Create a route table
Create a route table and add static routes:
1. In the management console, go to the folder where you want to configure routing.
2. In the list of services, select Virtual Private Cloud.
3. Select the `network` you created earlier.
4. In the left-hand panel, select Routing tables.
5. Click Create routing table.
6. Specify the route table name: `vpn-route`.
7. Under Static routes, click Add a route.
8. In the window that opens:
   - In the Destination prefix field, enter `10.129.0.0/24`. If you want to use a local PC as your test VM, specify its subnet CIDR.
   - In the Next hop field, enter the internal IP address of the IPSec gateway.
   - Click Add.
9. Click Create a routing table.
Link the route table to all subnets
To use static routes, link the route table to all the subnets in the cloud site's `network`.
1. In the management console, go to the folder where you need to configure routing.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Subnets.
4. In the `subnet-a` row, open the row menu and select Link routing table.
5. In the window that opens, select the created `vpn-route` table in the Route table field.
6. Click Link.
7. Repeat steps 4 to 6 to link the `vpn-route` route table to `subnet-b` and `subnet-d`.
Create a network load balancer
The network load balancer will distribute the internet service's incoming traffic across the VMs in the target group.
To create a network load balancer:
1. In the management console, go to the folder where you need to create the load balancer.
2. In the list of services, select Network Load Balancer.
3. Click Create a network load balancer.
4. Enter the load balancer name: `web-service-lb`.
5. In the Public address field, select `List` and specify a static public address.
6. Under Listeners, click Add listener. In the window that opens:
   - Enter the listener name: `web-service-lb-listener`.
   - In the Port field, specify `80`.
   - In the Target port field, specify `80`.
   - Click Add.
7. Under Target groups, click Add target group.
8. In the Target group field, select Create target group. In the window that opens:
   - Enter the target group name: `web-tg`.
   - Select the `web-node-a`, `web-node-b`, and `web-node-d` VMs.
   - Click Create.
9. Select the new `web-tg` target group.
10. In this target group section:
    - Click Configure.
    - In the Type field of the window that opens, select `TCP` and click Apply.
11. Click Create.
Test the infrastructure
Test the infrastructure and make sure that the internet service VMs do not receive any external traffic:
1. Run the following command on the remote computer:

   ```bash
   curl <public_IP_address_of_network_load_balancer>
   ```

   Make sure you get no response from the server. This means network traffic to your Drupal servers is denied.
2. Add two new incoming traffic rules to the `web-service-sg` security group:

   | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
   |---|---|---|---|---|
   | http-external-vm | 80 | TCP | CIDR | `<remote_VM_public_IP_address>/32` |
   | https-external-vm | 443 | TCP | CIDR | `<remote_VM_public_IP_address>/32` |

   These rules allow access to the VMs in the network load balancer's target group from the remote site's VM public address.
3. Once again, run this command on the remote computer:

   ```bash
   curl <public_IP_address_of_network_load_balancer>
   ```

   Make sure the Drupal homepage HTML code is returned in response. This means the rules you added to the security group allowed network access to the Drupal VMs from the remote computer's IP address.
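The before/after result of the `curl` test follows from security groups being default-deny: a packet passes only if some rule in its direction matches. The following added example (not part of the original guide) models the `web-service-sg` rules from the tables above and evaluates whether a given packet is permitted; `REMOTE_VM_IP` is a placeholder for `<remote_VM_public_IP_address>`, and the `Rule`/`is_allowed` names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "any"
    ports: tuple     # (low, high), inclusive
    source: str      # CIDR, "self" (same security group) or "lb-healthchecks"

# web-service-sg as created in this guide (constructed model of the rule table)
WEB_SERVICE_SG = [
    Rule("ingress", "tcp", (22, 22), "0.0.0.0/0"),        # ssh
    Rule("ingress", "any", (0, 65535), "self"),           # anyself
    Rule("ingress", "tcp", (80, 80), "lb-healthchecks"),  # healthchecks
    Rule("egress", "any", (0, 65535), "self"),            # self
]

# Placeholder for <remote_VM_public_IP_address> and the two rules the test step adds
REMOTE_VM_IP = "203.0.113.10"
EXTERNAL_RULES = [
    Rule("ingress", "tcp", (80, 80), f"{REMOTE_VM_IP}/32"),    # http-external-vm
    Rule("ingress", "tcp", (443, 443), f"{REMOTE_VM_IP}/32"),  # https-external-vm
]

def _source_matches(rule, src_ip, src_kind):
    """src_kind: "external" (matched by CIDR), "self" (peer in the same group),
    or "lb-healthchecks" (the load balancer's health checker)."""
    if rule.source in ("self", "lb-healthchecks"):
        return src_kind == rule.source
    return src_kind == "external" and ip_address(src_ip) in ip_network(rule.source)

def is_allowed(rules, direction, protocol, port, src_ip=None, src_kind="external"):
    """Default deny: return True only if a rule in this direction matches
    the protocol, the port and the source of the packet."""
    for r in rules:
        if r.direction != direction or r.protocol not in ("any", protocol):
            continue
        if r.ports[0] <= port <= r.ports[1] and _source_matches(r, src_ip, src_kind):
            return True
    return False

if __name__ == "__main__":
    before = is_allowed(WEB_SERVICE_SG, "ingress", "tcp", 80, REMOTE_VM_IP)
    after = is_allowed(WEB_SERVICE_SG + EXTERNAL_RULES, "ingress", "tcp", 80, REMOTE_VM_IP)
    print(f"curl before adding the rules: {'allowed' if before else 'denied'}")
    print(f"curl after adding the rules:  {'allowed' if after else 'denied'}")
```

The check reproduces the test section: HTTP from the remote VM is dropped until the `/32` rule exists, while health checks on port 80 and intra-group traffic are already permitted by the base rules.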
How to delete the resources you created
To stop paying for the deployed resources:
- Delete the VM instances.
- Delete the network load balancer.
- Delete the static public IP addresses you reserved.
- If required, delete the route table, security groups, subnets, and networks.