Creating an L7 load balancer with DDoS protection using Terraform

To create an L7 load balancer with DDoS protection using Terraform:

1. Get your cloud ready.
2. Create your infrastructure.
3. Test the load balancer.

If you no longer need the resources you created, delete them.

Get your cloud readyGet your cloud ready

Sign up for Yandex Cloud and create a billing account:

1. Navigate to the management console and log in to Yandex Cloud or create a new account.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resourcesRequired paid resources

The infrastructure support cost for a DDoS-protected load balancer includes:

• Fee for continuously running VMs (see Yandex Compute Cloud pricing).
• Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
• Fee for filtering incoming traffic to a public IP address with DDoS protection (see Yandex Virtual Private Cloud pricing).
• Fee for using computing resources of the L7 load balancer (see Application Load Balancer pricing).

Create your infrastructureCreate your infrastructure

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

To create an infrastructure with Terraform:

1. Install Terraform, get the authentication credentials, and specify the Yandex Cloud provider source (see Configure your provider, Step 1).

2. Prepare the infrastructure description file:

   Ready-made configuration

   Manually

   1. Clone the repository with configuration files:

      git clone https://github.com/yandex-cloud-examples/yc-alb-ddos-protection.git
      

   2. Navigate to the repository directory. Make sure it contains the following files:

      • alb-with-ddos-protection.tf: New infrastructure configuration.
      • alb-with-ddos-protection.auto.tfvars: User data.

   1. Create a folder for the infrastructure description file.

   2. In the folder, create a configuration file named alb-with-ddos-protection.tf:

      alb-with-ddos-protection.tf

      variable "folder_id" {
        type = string
      }
      
      variable "vm_user" {
        type = string
      }
      
      variable "ssh_key_path" {
        type = string
      }
      
      locals {
        network_name     = "ddos-network"
        subnet_name1     = "subnet-1"
        subnet_name2     = "subnet-2"
        sa_name          = "ig-sa"
        sg_balancer_name = "ddos-sg-balancer"
        sg_vm_name       = "ddos-sg-vms"
        vm_name          = "ddos-group"
        tg_name          = "tg-ddos"
        address_name     = "ddos-addr"
        abg_name         = "ddos-backend-group"
        backend_name     = "backend-1"
        router_name      = "ddos-router"
        vh_name          = "ddos-host"
        authority_domain = ["alb-with-ddos.com"]
        route_name       = "route-1"
        alb_name         = "ddos-protect-alb"
        listener_name    = "ddos-listener"
      }
      
      terraform {
        required_providers {
          yandex = {
            source  = "yandex-cloud/yandex"
            version = ">= 0.47.0"
          }
        }
      }
      
      provider "yandex" {
        folder_id = var.folder_id
      }
      
      resource "yandex_iam_service_account" "ig-sa" {
        name = local.sa_name
      }
      
      resource "yandex_resourcemanager_folder_iam_member" "editor" {
        folder_id = var.folder_id
        role      = "editor"
        member    = "serviceAccount:${yandex_iam_service_account.ig-sa.id}"
      }
      
      resource "yandex_vpc_network" "ddos-network" {
        name = local.network_name
      }
      
      resource "yandex_vpc_subnet" "subnet-1" {
        name           = local.subnet_name1
        zone           = "ru-central1-a"
        network_id     = yandex_vpc_network.ddos-network.id
        v4_cidr_blocks = ["192.168.1.0/24"]
      }
      
      resource "yandex_vpc_subnet" "subnet-2" {
        name           = local.subnet_name2
        zone           = "ru-central1-b"
        network_id     = yandex_vpc_network.ddos-network.id
        v4_cidr_blocks = ["192.168.2.0/24"]
      }
      
      resource "yandex_vpc_security_group" "ddos-sg-balancer" {
        name       = local.sg_balancer_name
        network_id = yandex_vpc_network.ddos-network.id
      
        egress {
          protocol       = "ANY"
          description    = "any"
          v4_cidr_blocks = ["0.0.0.0/0"]
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ext-http"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 80
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ext-https"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 443
        }
      
        ingress {
          protocol          = "TCP"
          description       = "healthchecks"
          predefined_target = "loadbalancer_healthchecks"
          port              = 30080
        }
      }
      
      resource "yandex_vpc_security_group" "ddos-sg-vms" {
        name       = local.sg_vm_name
        network_id = yandex_vpc_network.ddos-network.id
      
        ingress {
          protocol          = "TCP"
          description       = "balancer"
          security_group_id = yandex_vpc_security_group.ddos-sg-balancer.id
          port              = 80
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ssh"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 22
        }
      }
      
      resource "yandex_compute_image" "lemp" {
        source_family = "lemp"
      }
      
      resource "yandex_compute_instance_group" "ddos-group" {
        name               = local.vm_name
        folder_id          = var.folder_id
        service_account_id = yandex_iam_service_account.ig-sa.id
        instance_template {
          platform_id        = "standard-v2"
          service_account_id = yandex_iam_service_account.ig-sa.id
          resources {
            core_fraction = 5
            memory        = 1
            cores         = 2
          }
      
          boot_disk {
            mode = "READ_WRITE"
            initialize_params {
              image_id = yandex_compute_image.lemp.id
              type     = "network-hdd"
              size     = 3
            }
          }
      
          network_interface {
            network_id         = yandex_vpc_network.ddos-network.id
            subnet_ids         = [yandex_vpc_subnet.subnet-1.id,yandex_vpc_subnet.subnet-2.id]
            nat                = true
            security_group_ids = [yandex_vpc_security_group.ddos-sg-vms.id]
          }
      
          metadata = {
            user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - ${file("${var.ssh_key_path}")}"
          }
        }
      
        scale_policy {
          fixed_scale {
            size = 2
          }
        }
      
        allocation_policy {
          zones = ["ru-central1-a", "ru-central1-b"]
        }
      
        deploy_policy {
          max_unavailable = 1
          max_expansion   = 0
        }
      
        application_load_balancer {
          target_group_name = local.tg_name
        }
      }
      
      resource "yandex_vpc_address" "ddos-addr" {
        name = local.address_name
      
        external_ipv4_address {
          zone_id                  = "ru-central1-a"
          ddos_protection_provider = "qrator"
        }
      }
      
      resource "yandex_alb_backend_group" "ddos-backend-group" {
        name = local.abg_name
      
        http_backend {
          name             = local.backend_name
          port             = 80
          target_group_ids = [yandex_compute_instance_group.ddos-group.application_load_balancer.0.target_group_id]
          healthcheck {
            timeout          = "10s"
            interval         = "2s"
            healthcheck_port = 80
            http_healthcheck {
              path = "/"
            }
          }
        }
      }
      
      resource "yandex_alb_http_router" "ddos-router" {
        name   = local.router_name
      }
      
      resource "yandex_alb_virtual_host" "ddos-host" {
        name           = local.vh_name
        http_router_id = yandex_alb_http_router.ddos-router.id
        authority      = local.authority_domain
        route {
          name = local.route_name
          http_route {
            http_route_action {
              backend_group_id = yandex_alb_backend_group.ddos-backend-group.id
            }
          }
        }
      }
      
      resource "yandex_alb_load_balancer" "ddos-protect-alb" {
        name               = local.alb_name
        network_id         = yandex_vpc_network.ddos-network.id
        security_group_ids = [yandex_vpc_security_group.ddos-sg-balancer.id]
      
        allocation_policy {
          location {
            zone_id   = "ru-central1-a"
            subnet_id = yandex_vpc_subnet.subnet-1.id
          }
      
          location {
            zone_id   = "ru-central1-b"
            subnet_id = yandex_vpc_subnet.subnet-2.id
          }
        }
      
        listener {
          name = local.listener_name
          endpoint {
            address {
              external_ipv4_address {
                address = yandex_vpc_address.ddos-addr.external_ipv4_address[0].address
              }
            }
            ports = [ 80 ]
          }
          http {
            handler {
              http_router_id = yandex_alb_http_router.ddos-router.id
            }
          }
        }
      }
      

   3. In the folder, create a user data file named alb-with-ddos-protection.auto.tfvars:

      alb-with-ddos-protection.auto.tfvars

      folder_id    = "<folder_ID>"
      vm_user      = "<VM_username>"
      ssh_key_path = "<path_to_public_SSH_key>"
      

   Learn more about the properties of Terraform resources in the relevant Terraform guides:

   • Service account: yandex_iam_service_account.
   • Role: yandex_resourcemanager_folder_iam_member.
   • Network: yandex_vpc_network.
   • Subnets: yandex_vpc_subnet.
   • Security groups: yandex_vpc_security_group.
   • Image: yandex_compute_image.
   • Instance group: yandex_compute_instance_group.
   • Static public IP address: yandex_vpc_address.
   • Backend group: yandex_alb_backend_group.
   • HTTP router: yandex_alb_http_router.
   • Virtual host: yandex_alb_virtual_host.
   • L7 load balancer: yandex_alb_load_balancer.

3. In the alb-with-ddos-protection.auto.tfvars file, set the following user-defined properties:

   • folder_id: Folder ID.
   • vm_user: VM user name.
   • ssh_key_path: Path to the public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair.

4. Create the resources:

   1. In the terminal, go to the directory where you edited the configuration file.

   2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      

   3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

   4. Apply the changes:

      terraform apply
      

   5. Type yes and press Enter to confirm the changes.

After creating the infrastructure, test it.

Test the load balancerTest the load balancer

Check that the service is available on the alb-with-ddos.com host. To do this, run the following command:

curl \
  --header "Host: alb-with-ddos.com" \
  http://<L7_load_balancer_IP_address>

Result:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
  body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
  }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

How to delete the resources you createdHow to delete the resources you created

To stop paying for the resources you created:

1. Open the alb-with-ddos-protection.tf file and delete your infrastructure description from it.

2. Apply the changes:

   1. In the terminal, go to the directory where you edited the configuration file.

   2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      

   3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

   4. Apply the changes:

      terraform apply
      

   5. Type yes and press Enter to confirm the changes.

See alsoSee also

• Creating an L7 load balancer with DDoS protection using the management console or CLI