Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating an L7 load balancer in Application Load Balancer with a Yandex Smart Web Security profile from the management console

Written by
Updated at September 3, 2025

To create an L7 load balancer with a Smart Web Security profile from the Yandex Cloud management console:

  1. Get your cloud ready.
  2. Set up your infrastructure.
  3. Create a security profile.
  4. Associate the security profile with a virtual host.
  5. Configure DNS.
  6. Test the security profile.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The infrastructure support costs for an L7 load balancer with a Smart Web Security profile include:

Set up your infrastructure

Deploy an Application Load Balancer infrastructure and a VM with a test web server.

Create the following resources:

Save the public IP address of the L7 load balancer: you will need it to test your security profile.

Tip

To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.

Create a security profile

The security profile is the central Smart Web Security component that includes a set of rules, each containing conditions for filtering user requests arriving to the resource being protected.

To create a security profile:

  1. In the management console, select the folder where you want to create a profile.

  2. In the list of services, select Smart Web Security.

  3. Click Create profile and select From a preset template.

    A preset profile includes:

    Tip

    Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for your resource.

  4. Enter a name for the profile, e.g., test-sp1.

  5. In the Action for the default base rule field, select Deny. Therefore, if no other rules are set, all traffic to the protected resource will be denied.

  6. Click Add rule.

  7. In the rule creation window:

    1. Enter a name for the rule, e.g., test-rule1.

    2. Set the rule priority, e.g., 999800. The rule will have higher priority than the preset ones.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    3. Select the Base rule type.

    4. Select the Allow action.

      The rule will describe conditions under which requests will be routed to the test application backend.

    5. In the Conditions field, select IP.

    6. In the IP conditions field that appears, select Matches or belongs to range and set the public IP address of the device from which you are going to send requests to the L7 load balancer, e.g., 158.160.100.200.

    7. Click Add.

      The rule you created will appear under Security rules in the table.

  8. Click Create.

Associate the security profile with the virtual host

  1. In the management console, select the folder where you want to associate a security profile with an Application Load Balancer virtual host.

  2. In the list of services, select Smart Web Security.

  3. Select the test-sp1 profile.

  4. Click Connect to host.

  5. In the window that opens, select:

    • Load balancer test-load-balancer.
    • HTTP router test-http-router.
    • Virtual host test-virtual-host.

  6. Click Connect.

    You will see the associated virtual host under Connected hosts.

Configure DNS

  1. Add a resource A record to your domain's public DNS zone, with values specified as follows:

    This record will redirect the requests you get at your domain to the L7 load balancer's IP address.

    Note

    If your domain is delegated to Yandex Cloud DNS, create a resource record according to this guide. Otherwise, use your domain name registrar's personal account. If you have any questions, refer to the relevant documentation or contact the registrar's support service.

  2. In your server settings, block all connections except those for Yandex Cloud IP addresses.

Test the security profile

  1. Open the terminal on the device whose IP address you specified in the allow rule.

  2. Send a request to the test application backend:

    curl --verbose <public_IP_address_of_L7_load_balancer>

    This command should list the contents of the directory with your test web server.

  3. Repeat the request from a different IP address. As a result, you should see a message about a failure to establish a connection to the server.

Note

Smart protection rules are usually not tested. Such tests would add the properties of suspicious requests, e.g., IP addresses, to a blacklist.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the security profile.
  2. Delete the L7 load balancer.
  3. Delete the HTTP router.
  4. Delete the backend group.
  5. Delete the target group.
  6. Delete the VM.
  7. Delete the DNS zone if created in Yandex Cloud DNS.

See also

Previous
Overview
Next
Terraform