Creating an L7 load balancer with DDoS protection using the management console or CLI
To create an L7 load balancer with DDoS protection using the Yandex Cloud management console or CLI:
- Prepare your cloud.
- Create a cloud network.
- Create security groups.
- Create an instance group.
- Reserve a static public IP address.
- Create a backend group.
- Create an HTTP router.
- Create an L7 load balancer.
- Test the load balancer.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost for a DDoS-protected load balancer includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
- Fee for filtering incoming traffic to a public IP address with DDoS protection (see Yandex Virtual Private Cloud pricing).
- Fee for using computing resources of the L7 load balancer (see Application Load Balancer pricing).
Create a cloud network
All resources you create in the tutorial will belong to the same cloud network.
To create a network:
- In the management console
, select Virtual Private Cloud. - Click Create network.
- Name the network:
ddos-network
. - In the Advanced field, select Create subnets.
- Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a cloud network in the default folder:
yc vpc network create \ --name ddos-network
For more information about the
yc vpc network create
command, see the CLI reference. -
Create subnets in each availability zone by specifying the cloud network ID using the
--network-name
flag:yc vpc subnet create \ --name ddos-network-ru-a \ --network-name ddos-network \ --zone ru-central1-a \ --range 192.168.0.0/24
yc vpc subnet create \ --name ddos-network-ru-b \ --network-name ddos-network \ --zone ru-central1-b \ --range 192.168.1.0/24
yc vpc subnet create \ --name ddos-network-ru-d \ --network-name ddos-network \ --zone ru-central1-d \ --range 192.168.2.0/24
For more information about the
yc vpc subnet create
command, see the CLI reference.
Create security groups
Security groups include rules that allow the load balancer to receive incoming traffic and redirect it to the VMs so they can receive the traffic. In this use case, we will create two security groups: one for the load balancer and another one for all VMs.
To create security groups:
-
In the management console
, select Virtual Private Cloud. -
In the left-hand panel, select
Security groups. -
Create a security group for the load balancer:
-
Click Create security group.
-
Specify Name for the security group:
ddos-sg-balancer
. -
Select Network
ddos-network
. -
Under Rules, create the following rules using the instructions below the table:
Traffic
directionDescription Port range Protocol Source /
targetAdd CIDR Outgoing
any
All
Any
CIDR
0.0.0.0/0
Incoming
ext-http
80
TCP
CIDR
0.0.0.0/0
Incoming
ext-https
443
TCP
CIDR
0.0.0.0/0
Incoming
healthchecks
30080
TCP
Load balancer healthchecks
— -
Select the Egress or Ingress tab.
-
Click Add rule.
-
In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
-
In the Protocol field, specify the appropriate protocol or leave
Any
to allow traffic transmission over any protocol. -
In the Destination name or Source field, select the purpose of the rule:
CIDR
: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.Security group
: Rule will apply to the VMs from the current group or the selected security group.Load balancer healthchecks
: Rule allowing a load balancer to health check VMs.
-
Click Save. Repeat the steps to create all the rules from the table.
-
-
Click Save.
-
-
Similarly, create a security group for the VM named
ddos-sg-vms
with the sameddos-network
and the following rules:Traffic
directionDescription Port range Protocol Source CIDR blocks Incoming
balancer
80
TCP
Security group
ddos-sg-balancer
Incoming
ssh
22
TCP
CIDR
0.0.0.0/0
To create a security group for your load balancer, run the command:
yc vpc security-group create \
--name ddos-sg-balancer \
--rule "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0]" \
--rule "direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
--rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
--rule "direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks" \
--network-name ddos-network
To create a security group for your VM, run the command:
yc vpc security-group create \
--name ddos-sg-vms \
--rule "direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
--rule "direction=ingress,port=80,protocol=tcp,security-group-id=<security_group_ID>" \
--network-name ddos-network
Where security-group-id
is the ddos-sg-balancer
security group ID.
For more information about the yc vpc security-group create
command, see the CLI reference.
Create an instance group
Your application backends will be deployed on the VM instance of the target group. The VM's target group will be connected to the load balancer so that requests can be sent to the backend endpoints of your application. In this scenario, creating an instance group with the minimum configuration is enough.
To create an instance group:
-
In the management console
, select Compute Cloud. -
In the left-hand panel, select
Instance groups. Click Create group of virtual machines. -
Under Basic parameters:
- Enter the instance group Name:
ddos-group
. - Select a service account from the list or create a new one. To be able to create, update, and delete VM instances in the instance group, assign the
editor
role to the service account. By default, all operations in Instance Groups are performed on behalf of a service account.
- Enter the instance group Name:
-
Under Allocation, select multiple availability zones to ensure fault tolerance of your hosting.
-
Under Instance template, click Define to configure a basic instance:
-
Under General information, enter a Description for the template.
-
Under Boot disk image, open the Marketplace tab and click Show all Marketplace products. Select LEMP and click Use.
-
Under Disks, specify:
- Type:
HDD
. - Disk Size:
3 GB
.
- Type:
-
Under Computing resources, specify:
- Platform:
Intel Cascade Lake
. - vCPU:
2
. - Guaranteed vCPU performance:
5%
. - RAM:
1 GB
.
- Platform:
-
Under Network settings:
- Select the
ddos-network
cloud network and its subnets. - In the Public address field, select
Auto
. - Select the
ddos-sg-vms
security group.
- Select the
-
Under Access, specify the data for access to the VM:
- Enter the username into the Login field.
- In the SSH key field, paste the contents of the public key file.
To establish an SSH connection, you need to create a key pair. For more information, see Creating an SSH key pair.
-
Click Save.
-
-
Under Scaling, specify the instance group Size:
2
. -
Under Integration with Application Load Balancer, select Create target group and enter
tg-ddos
as the group name. You can read more about target groups here. -
Click Create.
-
Get the resource IDs required to create an instance group using the following commands:
- yc iam service-account get <service_account_name>: For a service account.
- yc vpc network get ddos-network: For
ddos-network
. - yc vpc subnet get <subnet_name>: For the
ddos-network-ru-a
,ddos-network-ru-b
, andddos-network-ru-d
subnets. - yc compute image get-latest-by-family lemp --folder-id standard-images: For the boot disk image.
- yc vpc security-group get ddos-sg-vms: For the
ddos-sg-vms
security group.
-
Create a YAML file named
specification.yaml
. -
Add to it the description of the base instance configuration:
name: ddos-group service_account_id: <service_account_ID> description: "DDoS alb scenario" instance_template: platform_id: standard-v3 resources_spec: memory: 1g cores: 2 core_fraction: 5 boot_disk_spec: mode: READ_WRITE disk_spec: image_id: <image_ID> type_id: network-hdd size: 3g network_interface_specs: - network_id: <cloud_network_ID> subnet_ids: - <ru-central1-a_zone_subnet_ID> - <ru-central1-b_zone_subnet_ID> - <ru-central1-d_zone_subnet_ID> primary_v4_address_spec: {} security_group_ids: - <security_group_ID> deploy_policy: max_unavailable: 1 max_expansion: 0 scale_policy: fixed_scale: size: 2 allocation_policy: zones: - zone_id: ru-central1-a - zone_id: ru-central1-b - zone_id: ru-central1-d application_load_balancer_spec: target_group_spec: name: tg-ddos
Where
security_group_ids
is theddos-sg-vms
security group ID. -
Create an instance group in the default folder:
yc compute instance-group create \ --file specification.yaml
Result:
done (25s) id: cl1qjhlcdofg******** folder_id: b1g86q4m5vej******** created_at: "2021-08-30T19:25:02.031Z" name: ddos-group description: DDoS scenario instance_template: platform_id: standard-v2 resources_spec: memory: "1073741824" cores: "2" core_fraction: "5" boot_disk_spec: mode: READ_WRITE disk_spec: type_id: network-hdd size: "3221225472" image_id: fd8r6kq84o7b******** network_interface_specs: - network_id: enp3srbi9u49******** subnet_ids: - e9b17pi15695******** - e2lt87g1rlig******** - b0c7kl8riq24******** primary_v4_address_spec: {} security_group_ids: - enpi08rif04d******** scheduling_policy: {} scale_policy: fixed_scale: size: "2" deploy_policy: max_unavailable: "1" startup_duration: 0s strategy: PROACTIVE allocation_policy: zones: - zone_id: ru-central1-a - zone_id: ru-central1-b - zone_id: ru-central1-d load_balancer_state: {} managed_instances_state: target_size: "2" service_account_id: aje2stn6id9k******** status: ACTIVE application_load_balancer_spec: target_group_spec: name: first-target-group application_load_balancer_state: target_group_id: ds78imh0ds2e********
For more information about the
yc compute instance-group create
command, see the CLI reference.
Reserve a static public IP address
Note
You cannot do this using the CLI.
To protect a load balancer against DDoS attacks, reserve a static public IP address with the DDoS protection option:
- In the management console
, select Virtual Private Cloud. - In the left-hand panel, select
IP addresses and click Reserve address. - Select the availability zone where you want to reserve the IP address.
- Enable DDoS protection.
- Click ** Reserve**.
Create a backend group
You must link the target group created with the VM group to the backend group that defines traffic allocation settings.
For the backends, groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response after a certain delay.
To create a backend group:
- In the management console
, select Application Load Balancer. - In the left-hand panel, select
Backend groups. Click Create backend group. - Enter Name of the backend group:
ddos-backend-group
. - Under Backends, click Add.
- Enter the backend Name:
backend-1
. - In the Target groups field, select the
tg-ddos
group. - Specify Port the backend VMs will use to receive incoming traffic from the load balancer:
80
. - Click Add health check.
- Specify Port the backend VMs will use to accept health check connections:
80
. - Specify Path the load balancer will access for health checks:
/
. - Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a backend group:
yc alb backend-group create ddos-backend-group
Result:
id: a5dg2cv4ngne******** name: ddos-backend-group folder_id: aoerb349v3h4******** created_at: "2021-08-08T20:46:21.688940670Z"
For more information about the
yc alb backend-group create
command, see the CLI reference. -
Add a backend and health check to the group:
yc alb backend-group add-http-backend \ --backend-group-name ddos-backend-group \ --name backend-1 \ --weight 1 \ --port 80 \ --target-group-id=<target_group_ID> \ --http-healthcheck timeout=1s,interval=1s,port=80,path=/
Where:
--backend-group-name
: Backend group name.--name
: Backend name.--weight
: Backend weight.--port
: Port.--target-group-id
: Target group ID.--http-healthcheck
: Resource health check parameters.port
: Port.timeout
: Timeout.interval
: Intervalhost
: Host addresspath
: Path.
Result:
done (21s) id: ds7fea2pggr2******** name: ddos-backend-group folder_id: b1g86q4m5vej******** http: backends: - name: backend-1 backend_weight: "1" port: "80" target_groups: target_group_ids: - ds78ate00f8e******** healthchecks: - timeout: 1s interval: 1s healthcheck_port: "80" http: path: / created_at: "2021-08-08T07:59:22.922603189Z"
For more information about the
yc alb backend-group add-http-backend
command, see the CLI reference.
Create an HTTP router
The backend group should be linked to an HTTP router that defines HTTP routing rules.
To create an HTTP router and add a route to it:
- In the management console
, select Application Load Balancer. - In the left-hand panel, select
HTTP routers. Click Create HTTP router. - Specify the HTTP router Name:
ddos-router
. - Click Add virtual host.
- Specify the virtual host Name:
ddos-host
. - Specify the Authority value:
alb-with-ddos.com
. - Click Add route.
- Set Name to
route-1
. - In the Path field, select
Starts with
and specify the/
path. - In the Action field, keep
Routing
. - In the Backend group list, select the group you created earlier.
- Leave all other settings unchanged and click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Run this command:
yc alb http-router create ddos-router
Result:
id: a5dcsselagj4******** name: ddos-router folder_id: aoerb349v3h4******** created_at: "2021-08-08T21:04:59.438292069Z"
For more information about the
yc alb http-router create
command, see the CLI reference. -
Create a virtual host by specifying the name of the HTTP router:
yc alb virtual-host create ddos-host \ --http-router-name ddos-router --authority alb-with-ddos.com
For more information about the
yc alb virtual-host create
command, see the CLI reference. -
Add a route by specifying the router name and the routing parameters:
yc alb virtual-host append-http-route route-1 \ --virtual-host-name ddos-host \ --http-router-name ddos-router \ --prefix-path-match / \ --backend-group-name ddos-backend-group \ --request-timeout 60s
Result:
done (1s) name: ddos-host routes: - name: route-1 http: match: path: prefix_match: / route: backend_group_id: ds7fea2pggr2******** timeout: 60s
For more information about the
yc alb virtual-host append-http-route
command, see the CLI reference.
Create a load balancer
To create a load balancer:
-
In the management console
, select Application Load Balancer. -
In the left-hand menu, select Load balancers.
-
Click Create L7 load balancer.
-
Enter the load balancer name:
ddos-protect-alb
. -
Under Network settings, select
ddos-network
and theddos-sg-balancer
security group. -
Under Allocation, select the subnets for the load balancer nodes in each availability zone and enable traffic.
-
Under Listeners, click Add listener. Set the listener settings:
- Enter the listener name:
ddos-listener
. - Under Public IP address, enable traffic.
- Set the port to
80
. - Select the List type and specify the previously reserved IP address with DDoS protection.
- Enter the listener name:
-
In the HTTP router field, select
ddos-router
. -
Click Create.
-
Create a load balancer with nodes in the cloud network subnets:
yc alb load-balancer create ddos-protect-alb \ --network-name ddos-network \ --location subnet-name=ddos-network-ru-a,zone=ru-central1-a \ --location subnet-name=ddos-network-ru-b,zone=ru-central1-b \ --location subnet-name=ddos-network-ru-d,zone=ru-central1-d
For more information about the
yc alb load-balancer create
command, see the CLI reference. -
Add a listener:
yc alb load-balancer add-listener ddos-protect-alb \ --listener-name ddos-listener \ --http-router-id <HTTP_router_ID> \ --external-ipv4-endpoint port=80, address=<IP_address_with_DDoS_protection>
For more information about the
yc alb load-balancer add-listener
command, see the CLI reference.
After creating the load balancer, test it.
Test the load balancer
Check that the service is available on the alb-with-ddos.com
host. To do this, run the following command:
curl \
--header "Host: alb-with-ddos.com" \
http://<L7_load_balancer_IP_address>
Result:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
How to delete the resources you created
To shut down the hosting and stop paying for the created resources:
-
Delete the non-billable resources that block the deletion of billable resources:
-
Delete the
ddos-group
instance group. -
Delete the static public IP address you reserved.