Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating an L7 load balancer with DDoS protection using the management console or CLI

Written by
Updated at August 14, 2025

To create an L7 load balancer with DDoS protection using the Yandex Cloud management console or CLI:

  1. Get your cloud ready.
  2. Create a cloud network.
  3. Create security groups.
  4. Create an instance group.
  5. Reserve a static public IP address.
  6. Create a backend group.
  7. Create an HTTP router.
  8. Create an L7 load balancer.
  9. Test the load balancer.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The infrastructure support cost for a DDoS-protected load balancer includes:

Prepare a service account

Alert

When creating instance groups, keep the limits in mind. To ensure Instance Groups runs properly, don't manually modify or delete any of the resources it created: target group Application Load Balancer, VMs, or disks. Instead of this, change or delete the entire group.

By default, all operations in Instance Groups are performed on behalf of a service account. If you don't have a service account, create one.

To be able to create, update, and delete VMs in the group, as well as integrate the group with an Application Load Balancer L7 load balancer, assign the editor role to the service account.

Create a cloud network

All resources you create in the tutorial will belong to the same cloud network.

To create a network:

  1. In the management console, select Virtual Private Cloud.
  2. Click Create network.
  3. Enter ddos-network as the network name.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a cloud network in the default folder:

    yc vpc network create \
  --name ddos-network

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create subnets in each availability zone by specifying the cloud network ID using the --network-name flag:

    yc vpc subnet create \
  --name ddos-network-ru-a \
  --network-name ddos-network \
  --zone ru-central1-a \
  --range 192.168.0.0/24

    yc vpc subnet create \
  --name ddos-network-ru-b \
  --network-name ddos-network \
  --zone ru-central1-b \
  --range 192.168.1.0/24

    yc vpc subnet create \
  --name ddos-network-ru-d \
  --network-name ddos-network \
  --zone ru-central1-d \
  --range 192.168.2.0/24

    For more information about the yc vpc subnet create command, see the CLI reference.

Create security groups

Security groups include rules that allow the load balancer to receive inbound traffic and redirect it to the VMs so they can receive it. In this tutorial, we will create two security groups: one for the load balancer and another one for all VMs.

To create security groups:

  1. In the management console, select Virtual Private Cloud.

  2. In the left-hand panel, select Security groups.

  3. Create a security group for the load balancer:

    1. Click Create security group.

    2. Specify the security group Name: ddos-sg-balancer.

    3. Select Network ddos-network.

    4. Under Rules, create the following rules using the instructions below the table:

      Traffic
      direction      		 Description Port range Protocol Source /
      destination      		 Add
      Outbound any All Any CIDR 0.0.0.0/0
      Inbound ext-http 80 TCP CIDR 0.0.0.0/0
      Inbound ext-https 443 TCP CIDR 0.0.0.0/0
      Inbound healthchecks 30080 TCP Load balancer healthchecks

      1. Select the Egress or Ingress tab.

      2. Click Add.

      3. In the Port range field of the window that opens, specify a single port or a range of ports open for inbound or outbound traffic.

      4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.

      5. In the Destination name or Source field, select the rule purpose:

        • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and subnet masks traffic will come to or from. To add multiple CIDRs, click Add.
        • Security group: Rule will apply to the VMs from the current group or the selected security group.
        • Load balancer healthchecks: Rule allowing a load balancer to health-check VMs.

      6. Click Save. Repeat these steps to create all rules from the table.

    5. Click Save.

  4. Similarly, create a security group for the VM named ddos-sg-vms with the same ddos-network and the following rules:

    Traffic
    direction    		 Description Port range Protocol Source CIDR blocks
    Inbound balancer 80 TCP Security group ddos-sg-balancer
    Inbound ssh 22 TCP CIDR 0.0.0.0/0

To create a security group for your load balancer, run this command:

yc vpc security-group create \
  --name ddos-sg-balancer \
  --rule "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks" \
  --network-name ddos-network

To create a security group for your VM, run this command:

yc vpc security-group create \
  --name ddos-sg-vms \
  --rule "direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=80,protocol=tcp,security-group-id=<security_group_ID>" \
  --network-name ddos-network

Where security-group-id is the ddos-sg-balancer security group ID.

For more information about the yc vpc security-group create command, see the CLI reference.

Create an instance group

Your application backends will be deployed on the VM instance from the target group. The VM target group will be connected to the load balancer, thus enabling requests to the backend endpoints of your application. A minimum configuration instance group is sufficient for this tutorial.

To create an instance group:

  1. In the management console, select Compute Cloud.

  2. In the left-hand panel, select Instance groups. Click Create group of virtual machines.

  3. Under Basic parameters:

    • Enter the instance group Name: ddos-group.
    • Select the service account from the list or create a new one. To be able to create, update, and delete VMs in the group, as well as integrate the group with an Application Load Balancer L7 load balancer, assign the editor role to the service account.

  4. Under Allocation, select multiple availability zones to ensure the fault tolerance of your hosting.

  5. Under Instance template, click Define to configure the base VM instance:

    • Under General information, enter a Description for the template.

    • Under Boot disk image, open the Marketplace tab and click Show all Marketplace products. Select LEMP and click Use.

    • Under Disks and file storages, specify:

      • Type: HDD
      • Disk Size: 3 GB

    • Under Computing resources, specify:

      • Platform: Intel Cascade Lake
      • vCPU: 2
      • Guaranteed vCPU performance: 5%
      • RAM: 1 GB

    • Under Network settings:

      • Select the cloud network named ddos-network and its subnets.
      • In the Public address field, select Auto.
      • Select the ddos-sg-vms security group.

    • Under Access, specify the VM access credentials:

      • Under Login, enter the username.
      • In the SSH key field, paste the contents of the public key file.

      To establish an SSH connection, you need to create a key pair. For more information, see Creating an SSH key pair.

    • Click Save.

  6. Under Scaling, specify the instance group Size: 2.

  7. Under Integration with Application Load Balancer, select Create target group and enter tg-ddos as the group name. Read more about target groups.

  8. Click Create.

  1. Get the resource IDs required to create an instance group using the following commands:

  2. Create a YAML file named specification.yaml.

  3. Add to it the description of the base instance configuration:

    name: ddos-group
service_account_id: <service_account_ID> // The service account must have the editor role.
description: "DDoS alb scenario"
instance_template:
    platform_id: standard-v3
    resources_spec:
        memory: 1g
        cores: 2
        core_fraction: 5
    boot_disk_spec:
        mode: READ_WRITE
        disk_spec:
            image_id: <image_ID>
            type_id: network-hdd
            size: 3g
    network_interface_specs:
        - network_id: <cloud_network_ID>
          subnet_ids:
            - <subnet_ID_in_ru-central1-a>
            - <subnet_ID_in_ru-central1-b>
            - <subnet_ID_in_ru-central1-d>
          primary_v4_address_spec: {}
          security_group_ids:
            - <security_group_ID>
deploy_policy:
    max_unavailable: 1
    max_expansion: 0
scale_policy:
    fixed_scale:
        size: 2
allocation_policy:
    zones:
        - zone_id: ru-central1-a
        - zone_id: ru-central1-b
        - zone_id: ru-central1-d
application_load_balancer_spec:
    target_group_spec:
        name: tg-ddos

    Where security_group_ids is the ddos-sg-vms security group ID.

  4. Create an instance group in the default folder:

    yc compute instance-group create \
  --file specification.yaml

    Result:

    done (25s)
id: cl1qjhlcdofg********
folder_id: b1g86q4m5vej********
created_at: "2021-08-30T19:25:02.031Z"
name: ddos-group
description: DDoS scenario
instance_template:
  platform_id: standard-v2
  resources_spec:
    memory: "1073741824"
    cores: "2"
    core_fraction: "5"
  boot_disk_spec:
    mode: READ_WRITE
    disk_spec:
      type_id: network-hdd
      size: "3221225472"
      image_id: fd8r6kq84o7b********
  network_interface_specs:
  - network_id: enp3srbi9u49********
    subnet_ids:
    - e9b17pi15695********
    - e2lt87g1rlig********
    - b0c7kl8riq24********
    primary_v4_address_spec: {}
    security_group_ids:
    - enpi08rif04d********
  scheduling_policy: {}
scale_policy:
  fixed_scale:
    size: "2"
deploy_policy:
  max_unavailable: "1"
  startup_duration: 0s
  strategy: PROACTIVE
allocation_policy:
  zones:
  - zone_id: ru-central1-a
  - zone_id: ru-central1-b
  - zone_id: ru-central1-d
load_balancer_state: {}
managed_instances_state:
  target_size: "2"
service_account_id: aje2stn6id9k********
status: ACTIVE
application_load_balancer_spec:
  target_group_spec:
    name: first-target-group
application_load_balancer_state:
  target_group_id: ds78imh0ds2e********

    For more information about the yc compute instance-group create command, see the CLI reference.

Reserve a static public IP address

Note

You cannot do this using the CLI.

To protect a load balancer against DDoS attacks, reserve a static public IP address with the DDoS protection option enabled:

  1. In the management console, select Virtual Private Cloud.
  2. In the left-hand panel, select IP addresses and click Reserve address.
  3. Select the availability zone where you want to reserve the IP address.
  4. Enable DDoS protection.
  5. Click ** Reserve**.

Create a backend group

You must link the target group created along with the instance group to the backend group that defines traffic allocation settings.

For the backends, the groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response over a certain period.

To create a backend group:

  1. In the management console, select Application Load Balancer.
  2. In the left-hand panel, select Backend groups. Click Create backend group.
  3. Enter the backend group Name: ddos-backend-group.
  4. Under Backends, click Add.
  5. Enter the backend Name: backend-1.
  6. In the Target groups field, select the tg-ddos group.
  7. Specify the Port the backend VMs will use to receive inbound traffic from the load balancer: 80.
  8. Click Add health check.
  9. Specify the Port the backend VMs will use to accept health check connections: 80.
  10. Specify the Path the load balancer will use for health checks: /.
  11. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a backend group:

    yc alb backend-group create ddos-backend-group

    Result:

    id: a5dg2cv4ngne********
name: ddos-backend-group
folder_id: aoerb349v3h4********
created_at: "2021-08-08T20:46:21.688940670Z"

    For more information about the yc alb backend-group create command, see the CLI reference.

  2. Add a backend and a health check to the group:

    yc alb backend-group add-http-backend \
  --backend-group-name ddos-backend-group \
  --name backend-1 \
  --weight 1 \
  --port 80 \
  --target-group-id=<target_group_ID> \
  --http-healthcheck timeout=1s,interval=1s,port=80,path=/

    Where:

    • --backend-group-name: Backend group name.
    • --name: Backend name.
    • --weight: Backend weight.
    • --port: Port.
    • --target-group-id: Target group ID.
    • --http-healthcheck: Resource health check properties.
      • port: Port.
      • timeout: Timeout.
      • interval: Interval.
      • host: Host address.
      • path: Path.

    Result:

    done (21s)
id: ds7fea2pggr2********
name: ddos-backend-group
folder_id: b1g86q4m5vej********
http:
backends:
- name: backend-1
  backend_weight: "1"
  port: "80"
  target_groups:
    target_group_ids:
    - ds78ate00f8e********
  healthchecks:
  - timeout: 1s
    interval: 1s
    healthcheck_port: "80"
    http:
      path: /
created_at: "2021-08-08T07:59:22.922603189Z"

    For more information about the yc alb backend-group add-http-backend command, see the CLI reference.

Create an HTTP router

The backend group should be linked to an HTTP router that defines the HTTP routing rules.

To create an HTTP router and add a route to it:

  1. In the management console, select Application Load Balancer.
  2. In the left-hand panel, select HTTP routers. Click Create HTTP router.
  3. Specify the HTTP router Name: ddos-router.
  4. Click Add virtual host.
  5. Specify the virtual host Name: ddos-host.
  6. Specify the Authority value: alb-with-ddos.com.
  7. Click Add route.
  8. Enter route-1 as the Name.
  9. In the Path field, select Starts with and specify the / path.
  10. In the Action field, keep Routing.
  11. From the Backend group list, select the group you created earlier.
  12. Do not change the other settings. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Run this command:

    yc alb http-router create ddos-router

    Result:

    id: a5dcsselagj4********
name: ddos-router
folder_id: aoerb349v3h4********
created_at: "2021-08-08T21:04:59.438292069Z"

    For more information about the yc alb http-router create command, see the CLI reference.

  2. Create a virtual host by specifying the HTTP router name:

    yc alb virtual-host create ddos-host \
  --http-router-name ddos-router
  --authority alb-with-ddos.com

    For more information about the yc alb virtual-host create command, see the CLI reference.

  3. Add a route by specifying the router name and the routing settings:

    yc alb virtual-host append-http-route route-1 \
  --virtual-host-name ddos-host \
  --http-router-name ddos-router \
  --prefix-path-match / \
  --backend-group-name ddos-backend-group \
  --request-timeout 60s

    Result:

    done (1s)
 name: ddos-host
 routes:
 - name: route-1
   http:
     match:
       path:
         prefix_match: /
     route:
       backend_group_id: ds7fea2pggr2********
       timeout: 60s

    For more information about the yc alb virtual-host append-http-route command, see the CLI reference.

Create a load balancer

To create a load balancer:

  1. In the management console, select Application Load Balancer.

  2. In the left-hand menu, select Load balancers.

  3. Click Create L7 load balancer.

  4. Enter the load balancer name: ddos-protect-alb.

  5. Under Network settings, select ddos-network and the ddos-sg-balancer security group.

  6. Under Allocation, select the subnets for the load balancer nodes in each availability zone and enable traffic.

  7. Under Listeners, click Add listener. Configure the listener settings:

    1. Specify the listener name: ddos-listener.
    2. Under Public IP address, enable traffic.
    3. Set the port to 80.
    4. Select the List type and specify the previously reserved IP address with DDoS protection.

  8. In the HTTP router field, select ddos-router.

  9. Click Create.

  1. Create a load balancer with nodes in the cloud network subnets:

    yc alb load-balancer create ddos-protect-alb \
  --network-name ddos-network \
  --location subnet-name=ddos-network-ru-a,zone=ru-central1-a \
  --location subnet-name=ddos-network-ru-b,zone=ru-central1-b \
  --location subnet-name=ddos-network-ru-d,zone=ru-central1-d

    For more information about the yc alb load-balancer create command, see the CLI reference.

  2. Add a listener:

    yc alb load-balancer add-listener ddos-protect-alb \
  --listener-name ddos-listener \
  --http-router-id <HTTP_router_ID> \
  --external-ipv4-endpoint port=80, address=<IP_address_with_DDoS_protection>

    For more information about the yc alb load-balancer add-listener command, see the CLI reference.

After creating the load balancer, test it.

Test the load balancer

Check that the service is available on the alb-with-ddos.com host. To do this, run the following command:

curl \
  --header "Host: alb-with-ddos.com" \
  http://<L7_load_balancer_IP_address>

Result:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
  body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
  }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

How to delete the resources you created

To shut down the hosting and stop paying for the resources you created:

  1. Delete the non-billable resources that prevent the deletion of billable resources:

    1. Delete the ddos-protect-alb L7 load balancer.
    2. Delete the HTTP router named ddos-router.
    3. Delete ddos-backend-group.

  2. Delete the instance group named ddos-group.

  3. Delete the static public IP address you reserved.

See also

Previous
Overview
Next
Terraform