API Gateway protection with Smart Web Security
Yandex API Gateway supports integration with Yandex Smart Web Security. This allows you to set up DDoS and bot protection for an API gateway at OSI application level (L7).
With Smart Web Security security profiles, you can configure protection using various conditions. For example, you can set a request limit with request grouping based on various parameters or block requests based on user IP address. To do this:
- Get your cloud ready.
- Create an ARL profile and Smart Web Security security profile.
- Create an API gateway.
- Test the new resources.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Create an ARL profile and Smart Web Security security profile
-
Create an ARL profile named
arl-profile. -
Add to it a rule with a request limit and request grouping based on the
tokenparameter. Specify the following parameters:- Name:
query-limit-rule - Priority:
999900 - Request grouping: By property
- Property:
Query params - Group by:
token - Request limit per group:
1per1 minute
- Name:
-
Create a security profile named
sws-profileusing a preset template. When creating it, select the previously createdarl-profilein the ARL profile field. -
To set up blocking based on user IP address, add a rule with the following parameters to the Smart Web Security security profile:
-
Name:
ip-block-rule -
Priority:
999700 -
Rule type: Basic
-
Action: Allow
-
Conditions for traffic:
- Traffic: On condition.
- Conditions:
IP. - Conditions for IP:
Matches or falls within the range. - IP matches or falls within the range: Specify your IP address.
-
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.
-
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download the api-gw-sws-integration.tf configuration file to the same working directory.
This file describes:
- ARL profile that sets a request limit and request grouping by the
tokenparameter. - Smart Web Security security profile that uses the ARL profile and, in addition, sets blocking based on IP address.
- API gateway configured to work with the Smart Web Security security profile.
- ARL profile that sets a request limit and request grouping by the
-
Specify the following parameters in the local variables section of the
api-gw-sws-integration.tffile:arl_name: ARL profile name.folder_id: ID of the folder the ARL profile will be created in.sws_name: Smart Web Security profile name.allowed_ips: List of IP addresses allowed to access the API gateway.api-gw-name: API gateway name.
-
Check that the Terraform configuration files are correct using this command:
terraform validateIf there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run this command to view the planned changes:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
-
If everything looks correct, apply the changes:
-
Run this command:
terraform apply -
Confirm updating the resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
-
Create an API gateway
Create an API gateway named my-gateway. When creating it, add the following specification to the Specification field:
openapi: "3.0.0"
x-yc-apigateway:
smartWebSecurity:
securityProfileId: <SWS_security_profile_ID>
info:
version: 1.0.0
title: Protected application
license:
name: MIT
paths:
/:
get:
x-yc-apigateway-integration:
type: dummy
content:
'*': "This application is protected by SWS!"
httpCode: 200
Leave the other parameters unchanged.
-
In the
api-gw-sws-integration.tffile:-
In the
securityProfileIdparameter of the API gateway specification, specify the ID of the Smart Web Security security profile you created earlier. -
In the local variable section, specify
create-api-gw = 1.
-
-
Check that the Terraform configuration files are correct using this command:
terraform validateIf there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run this command to view the planned changes:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
-
If everything looks correct, apply the changes:
-
Run this command:
terraform apply -
Confirm updating the resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
-
Test the new resources
Test the Smart Web Security settings:
Testing the request limit
-
Send a GET request to the API gateway:
curl <API_gateway_service_domain>The result will be as follows:
This application is protected by SWS! -
Repeat the request straight away. In response, you will get a web page with error code 429. This means the request limit kicked in and blocked your request.
-
Wait for a minute and repeat the request. The response must be the same as the first time:
This application is protected by SWS!
Testing the request grouping
-
Send a GET request to the API gateway with the
token=tokenparameter:curl <API_gateway_service_domain>?token=tokenThe result will be as follows:
This application is protected by SWS! -
Repeat the request straight away. In response, you will get a web page with error code 429. This means the request limit kicked in and blocked your request.
-
Repeat the request within the same minute but change the
tokenparameter value:curl <API_gateway_service_domain>?token=token2The result will be as follows:
This application is protected by SWS!This means your request got into a new group for which no request limit has been triggered yet. Which is why the request was successfully completed.
Testing the blocking by IP address
-
Send a GET request to the API gateway from an IP address you specified in the Smart Web Security security profile:
curl <API_gateway_service_domain>The result will be as follows:
This application is protected by SWS! -
Send a request from another IP address, e.g., from a cloud VM:
curl --verbose <API_gateway_service_domain>In response, you will get a web page with CAPTCHA. This means Smart Web Security has blocked the request from an IP address not listed as an allowed one.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need, depending on how they were created:
-
In the terminal window, go to the directory containing the infrastructure plan.
Warning
Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
-
Delete resources:
-
Run this command:
terraform destroy -
Confirm deleting the resources and wait for the operation to complete.
All the resources described in the Terraform manifests will be deleted.
-