Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Deploying a web application on Yandex BareMetal servers with an L7 load balancer and Yandex Smart Web Security protection

Written by
Updated at August 8, 2025

In this tutorial, you will deploy a web application on Yandex BareMetal servers. To evenly distribute load across the application hosts, you will configure an L7 load balancer in Yandex Application Load Balancer. A Yandex Smart Web Security profile will ensure protection of your web application from bots, DDoS, and web attacks. A Yandex Cloud Interconnect routing instance will provide a private connection between the Yandex Virtual Private Cloud cloud network and the Yandex BareMetal private network.

You can see the solution architecture in the diagram below:

Where:

  • BareMetal infrastructure components:

    • Private subnet in the ru-central1-m4 server pool: subnet-m4.
    • Virtual network segment (VRF), my-vrf.
    • Two BareMetal servers, alb-back-0 and alb-back-1, hosting the deployed application in the ru-central1-m4 server pool.

  • Cloud Interconnect Routing Instance for connectivity between the Virtual Private Cloud and BareMetal networks.

  • Virtual Private Cloud infrastructure components:

    • Cloud network, sample-network.
    • Subnets named vpc-subnet-a and vpc-subnet-b in the ru-central1-a and ru-central1-b availability zones, respectively.
    • L7 load balancer from Application Load Balancer , demo-alb-bms.
    • Smart Web Security profile, sws-demo-profile.
    • vm-validator VM for connectivity checks between the Virtual Private Cloud and BareMetal networks.

To deploy a web application on Yandex BareMetal servers with an L7 load balancer and Yandex Smart Web Security protection:

  1. Get your cloud ready.
  2. Set up your VPC environment.
  3. Create a routing instance.
  4. Set up your BareMetal environment.
  5. Configure an L7 load balancer.
  6. Set up protection against bots, DDoS, and web attacks.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a linked billing account with an ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support cost for deploying a web application on BareMetal servers with an L7 load balancer and Smart Web Security protection includes:

Traffic transmitted via Yandex Cloud Interconnect between private Yandex BareMetal and Yandex Virtual Private Cloud addresses in either direction is not billable.

Set up your VPC environment

Configure the infrastructure on the Virtual Private Cloud side. In this step, you will create a cloud network, subnets, required security groups, and a VM.

Create a cloud network

  1. In the management console, select the folder where you are going to create your infrastructure.
  2. In the list of services, select Virtual Private Cloud.
  3. At the top right, click Create network.
  4. In the Name field, specify sample-network.
  5. In the Advanced field, disable Create subnets.
  6. Click Create network.

Create subnets

  1. In the management console, select the folder where you are deploying your cloud infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Subnets.

  4. At the top right, click Create subnet.

  5. In the Name field, specify vpc-subnet-a.

  6. In the Zone field, select ru-central1-a.

  7. In the Network field, select sample-network.

  8. In the CIDR field, specify 192.168.6.0/24.

    Warning

    To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

  9. Click Create subnet.

  10. Similarly, in sample-network, create a subnet named vpc-subnet-b with CIDR 192.168.11.0/24 in the ru-central1-b availability zone.

Create security groups

  1. In the management console, select the folder where you are deploying your cloud infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups and click Create security group.

  4. In the Name field, specify vpc-ingress-sg.

  5. In the Network field, select sample-network you created earlier.

  6. Under Rules, create the following traffic management rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    Destination name    		 CIDR blocks /
    Security group
    Inbound http 80 TCP CIDR 0.0.0.0/0
    Inbound https 443 TCP CIDR 0.0.0.0/0
    Inbound ssh 22 TCP CIDR 0.0.0.0/0
    Egress any All Any CIDR 0.0.0.0/0

  7. Click Create.

  8. Similarly, in sample-network, create a security group named alb-sg with the following rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    Destination name    		 CIDR blocks /
    Security group
    Inbound http 80 TCP CIDR 0.0.0.0/0
    Inbound healthchecks 30080 TCP Load balancer healthchecks
    Outbound any All Any CIDR 0.0.0.0/0

Create a VM

  1. In the management console, select the folder to create the infrastructure in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines and click Create virtual machine.

  4. Under Boot disk image, select the Ubuntu 24.04 image.

  5. Under Location, select the ru-central1-a availability zone.

  6. Under Network settings:

    • In the Subnet field, select the vpc-subnet-a subnet you created earlier.
    • In the Public IP address field, select Auto.
    • In the Security groups field, select vpc-ingress-sg.

  7. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, enter the username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  8. Under General information, specify the VM name: vm-validator.

  9. Click Create VM.

Create a routing instance

To set up network connectivity between BareMetal subnets and Virtual Private Cloud subnets, you need to create a routing instance resource. To create a Routing Instance, contact support.

If your folder already has Cloud Interconnect network connectivity (VPC-to-On-Prem) configured, you can either use the existing Routing Instance or request a new additional Routing Instance to be created for standalone network connectivity.

Make sure you have a routing instance in your folder

  1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  2. Make sure you have a routing instance in your default folder:

    Run this command:

    yc cloudrouter routing-instance list

    If your folder already contains a routing instance, the command will output something like this:

    +----------------------+-------------------------------------------+--------+-----------------------+
|          ID          |                    NAME                   | STATUS | PRIVATE CONNECTION ID |
+----------------------+-------------------------------------------+--------+-----------------------+
| cf35oot8f0eu******** | ajeol2afu1js********-enpcfncr6uld******** | ACTIVE | cf395uf8dg7h********  |
+----------------------+-------------------------------------------+--------+-----------------------+

  3. If you already have a Routing Instance, you may skip the next step and proceed to setting up your BareMetal environment.

    If you do not have a Routing Instance or you want to build additional dedicated network connectivity, request a new Routing Instance.

Request a new routing instance

Contact support to create a routing instance in your folder.

Fill out your request as follows:

Subject: [CIC for BareMetal] Creating a routing instance.

Request text:
Please create a routing instance in the specified cloud folder with the following parameters:

folder_id: <folder_ID>

vpc:
  vpc_net_id: <network_ID>
    vpc_subnets:
      ru-central1-a: [CIDR_a1, CIDR_a2, ..., CIDR_an]
      ru-central1-b: [CIDR_b1, CIDR_b2, ..., CIDR_bn]
      ru-central1-d: [CIDR_d1, CIDR_d2, ..., CIDR_dn]

Where:

  • folder_id: Folder ID.

  • vpc_net_id: Cloud network ID.

  • vpc_subnets: List of announced address prefixes for each availability zone. For example, for the VPC subnet you created earlier, you will specify ru-central1-b: [192.168.11.0/24].

    You may announce aggregated address prefixes.

Note

It may take up to 24 hours for the support to create a routing instance. With that done, you will be able to get the ID of the new routing instance by running the yc cloudrouter routing-instance list Yandex Cloud CLI command.

Set up your BareMetal environment

Configure the BareMetal infrastructure. In this step, you will create a virtual network segment (VRF) and private subnet, configure a private connection to the cloud network, and lease two BareMetal servers.

Create a VRF segment and a private subnet

Create a VRF segment and a private subnet in the ru-central1-m4 server pool:

  1. In the management console, select the folder where you are deploying your infrastructure.
  2. In the list of services, select BareMetal.
  3. Create a virtual routing and forwarding segment:
    1. In the left-hand panel, select VRF and click Create VRF.
    2. In the Name field, name your VRF segment: my-vrf.
    3. Click Create VRF.
  4. Create a private subnet:
    1. In the left-hand panel, select Private subnets and click Create subnet.
    2. In the Pool field, select the ru-central1-m4 server pool.
    3. In the Name field, enter the subnet name: subnet-m4.
    4. Enable IP addressing and routing.
    5. In the Virtual network segment (VRF) field, select my-vrf.
    6. In the CIDR field, specify 172.28.4.0/24.
    7. In the Default gateway field, keep the default value, 172.28.4.1.
    8. Enable the Assigning IP addresses via DHCP option and in the IP address range field that appears, leave the default values, 172.28.4.1-172.28.4.254.
    9. Click Create subnet.

Configure a private connection to your cloud network

Create a Cloud Interconnect private connection in BareMetal:

  1. In the management console, select the folder where you want to create your private connection.

  2. In the list of services, select BareMetal.

  3. In the left-hand panel, select VRF and then select the virtual network segment you need.

  4. Under Private connection to cloud networks, click Configure connection, and in the window that opens:

    1. In the Setup method field, select Enter ID and paste the Routing Instance private connection ID to the Connection ID field.

      You can also select the Choose from folder option. In this case, select the Routing Instance you need from the list that opens.

      As a result, you will see the CIDR blocks of Virtual Private Cloud subnets that will be advertised over Cloud Interconnect.

      Warning

      To successfully configure network connectivity between BareMetal subnets and on-premise or VPC subnets, their CIDR address ranges must not match or overlap.

    2. To create a private connection for the specified CIDR subnets, click Save.

As a result, the VRF information page will display the newly created connection ID and its status under Private connection to cloud networks.

Note

Setting up a private connection may take up to two business days. During this period, the connection status will display as Creating. Once the connection is created, its status will change to Ready.

Private cloud netweork connections may show one of the following statuses:

  • CREATING: Connection creation in progress.
  • READY: Connection is up and ready to use.
  • ERROR: Connection failure. Contact support.
  • DELETING: Connection deletion in progress.
  • UPDATING: Connection settings update in progress.

Lease BareMetal servers

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select BareMetal and click Lease server.

  3. Under Configuration, click the Pool filter and select the ru-central1-m4 server pool.

  4. Under Configuration, select the appropriate server configuration.

  5. (Optional) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

  6. Under Image, select the Debian 11 image.

  7. In the Lease duration field, select your lease period: 1 day.

    When this period expires, server lease will automatically be renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  8. Under Private network, in the Private subnet field, select the subnet-m4 subnet you created earlier.

  9. Under Public network, select From ephemeral subnet in the Public address field.

  10. Under Access:

    1. In the Password field, select one of the following options to create a root password:

      • To generate a new root password, select New password and click Generate.

        Warning

        This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.

      • To use the root password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret containing your password, its version, and its key, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        Choose the Custom secret type to specify a custom password or Generated to generate password automatically.

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  11. Under Server information, in the Name field, enter the server name: alb-back-0.

  12. Click Lease server.

  13. Similarly, lease one more server, alb-back-1, in the ru-central1-m4 server pool.

Note

Server setup and OS installation may take up to 45 minutes. The server will have the Provisioning status during this time. After OS installation is complete, the server status will change to Ready.

Deploy your web application

In this step, you will deploy your web application on BareMetal servers. The web application will use the following server resources:

  • /opt/mygoapp: Web server's working directory.
  • /opt/mygoapp/server: Web server's executable.
  • /etc/systemd/system/mygoapp.service: Configuration file to manage the web server via systemd.

To deploy your web application on the server:

  1. Connect to the alb-back-0 BareMetal server over SSH:

    ssh root@<server_public_IP_address>

    You can look up the server's public IP address in the management console: see the BareMetal server info on the Overview page. You can find the address in the Public address field under Public network.

    You will perform all further actions under this step in the server terminal.

  2. Prepare your working directory:

    mkdir -p /opt/mygoapp && cd /opt/mygoapp

  3. Download the web server's executable:

    wget https://storage.yandexcloud.net/yc-public-share/server

  4. Set the execute permission for the file you downloaded:

    chmod +x server

  5. Create a new service in systemd:

    1. Open the service configuration file:

      nano /etc/systemd/system/mygoapp.service

    2. Paste the following into the file you opened:

      [Unit]
Description=Simple Web Server on Go
After=network.target
[Service]
Type=simple
WorkingDirectory=/opt/mygoapp
ExecStart=/opt/mygoapp/server
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target

    3. Save the changes and close the file.

  6. Initialize the service you created:

    systemctl daemon-reload

  7. Run the service:

    systemctl start mygoapp.service

  8. Test your web application. To do this, on your local computer, paste the alb-back-0 server's public IP address into the browser's address bar.

    Your browser will open a page with the host name and information about the web server’s running time since startup.

    Web application source code
    package main

import (
  "context"
  "fmt"
  "net/http"
  "os"
  "os/signal"
  "syscall"
  "time"
  "github.com/gorilla/handlers"
)

var (
  hostname    string
  htmlContent []byte
)

const (
  serverTimeout  = 5 * time.Second
  cacheDuration  = 86400 * 30 // 30 days in seconds
  htmlTemplate = `
<!DOCTYPE html>
<html lang="en">
<head>
    <!-- Minified CSS -->
    <style>*{margin:0;padding:0;box-sizing:border-box;font-family:'Segoe UI',system-ui,sans-serif}body{min-height:100vh;display:flex;justify-content:center;align-items:center;background:linear-gradient(135deg,#1a1a1a,#2d2d2d);color:#fff;padding:20px}.container{background:rgba(255,255,255,0.1);backdrop-filter:blur(10px);border-radius:20px;padding:40px;box-shadow:0 8px 32px rgba(0,0,0,0.3);text-align:center;max-width:600px;width:100%%;transition:transform .3s ease}.server-name{font-size:1.8rem;margin-bottom:30px;color:#0f0;font-weight:600;text-shadow:0 0 10px rgba(0,255,136,0.3)}.datetime{font-size:2.5rem;letter-spacing:2px;margin-bottom:20px}.date{font-size:1.5rem;opacity:.8}@media (max-width:768px){.container{padding:25px;border-radius:15px}.server-name{font-size:1.4rem}.datetime{font-size:2rem}.date{font-size:1.2rem}}@media (max-width:480px){.datetime{font-size:1.6rem}}</style>
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>Server Info & Time</title>
</head>
<body>
    <div class="container">
        <div class="server-name">Server Hostname: %s</div>
        <div class="datetime" id="datetime"></div>
        <div class="date" id="date"></div>
    </div>
    <script>
        // Minified JavaScript
        const e=()=>{const e=new Date;document.getElementById("datetime").textContent=e.toLocaleTimeString("en-US",{timeZone:"Europe/Moscow",hour12:!1,hour:"2-digit",minute:"2-digit",second:"2-digit"}),document.getElementById("date").textContent=e.toLocaleDateString("en-US",{timeZone:"Europe/Moscow",weekday:"long",year:"numeric",month:"long",day:"numeric"})};e(),setInterval(e,1e3);
    </script>
</body>
</html>`
)

func init() {
  // Initializing the host at startup
  var err error
  if hostname, err = os.Hostname(); err != nil {
    hostname = "Unavailable"
  }
  
  // Pre-generating HTML
  htmlContent = []byte(fmt.Sprintf(htmlTemplate, hostname))
}

func main() {
  // Configuring handlers
  mux := http.NewServeMux()
  mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "text/html; charset=utf-8")
    w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", cacheDuration))
    w.Write(htmlContent)
  })

  // Middleware
  chain := handlers.CompressHandler(
    handlers.CombinedLoggingHandler(os.Stdout, mux),
  )

  // Server configuration
  server := &http.Server{
    Addr:         ":80",
    Handler:      chain,
    ReadTimeout:  serverTimeout,
    WriteTimeout: serverTimeout,
    IdleTimeout:  serverTimeout * 2,
  }

  // Graceful shutdown
  ctx, stop := signal.NotifyContext(context.Background(), 
    os.Interrupt, syscall.SIGTERM)
  defer stop()

  go func() {
    <-ctx.Done()
    shutdownCtx, cancel := context.WithTimeout(
      context.Background(), 5*time.Second)
    defer cancel()
    server.Shutdown(shutdownCtx)
  }()

  fmt.Println("Server started")
  if err := server.ListenAndServe(); err != http.ErrServerClosed {
    fmt.Printf("Server error: %v\n", err)
  }
}

  9. Similarly, deploy your web application on the alb-back-1 server.

Test network connectivity

Make sure the previously created private connection to the cloud network is Ready and test network connectivity between the vm-validator VM in the Virtual Private Cloud network and servers in the BareMetal private subnet:

  1. Connect to the vm-validator VM over SSH:

    ssh yc-user@<VM_public_IP_address>

    You can look up the VM's public IP address in the management console: see the Public IPv4 address section's Network field on the VM information page.

    You will perform all further actions under this step in the VM terminal.

  2. Ping the alb-back-0 server by its private IP address:

    ping <server_private_IP_address> -s 1024 -c 3

    You can look up the server's private IP address in the management console: see the BareMetal server info on the Overview page. You can find the address in the Private network field under Private IP address.

    Result:

    PING 172.28.4.11 (172.28.4.11) 1024(1052) bytes of data.
1032 bytes from 172.28.4.11: icmp_seq=1 ttl=58 time=3.77 ms
1032 bytes from 172.28.4.11: icmp_seq=2 ttl=58 time=3.83 ms
1032 bytes from 172.28.4.11: icmp_seq=3 ttl=58 time=3.80 ms

--- 172.28.4.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 3.767/3.800/3.830/0.025 ms

  3. Similarly, ping the alb-back-1 server by its private IP address.

Save the private IP addresses of the BareMetal servers as you will need them to configure an L7 load balancer.

Configure an L7 load balancer

After you create the Virtual Private Cloud and BareMetal infrastructure components and test network connectivity between them, configure an L7 load balancer to manage user traffic to your web application.

Create a target group for the L7 load balancer

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, select Target groups and click Create target group.

  4. In the Name field, enter a name for the target group: bms-target-group.

  5. Under Targets:

    1. In the IP address field, enter the alb-back-0 server's private IP address you saved earlier.
    2. In the IP address row, enable the Outside VPC option and click Add target resource.
    3. Repeat the previous two steps to add the alb-back-1 server's private IP address to your target group.

  6. Click Create.

Create a backend group

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, select Backend groups and click Create backend group.

  4. In the Name field, enter a name for the backend group: bms-backend-group.

  5. In the Type field, select HTTP.

  6. Under Backends, click Add and do the following in the New backend form that opens:

    1. In the Name field, specify the backend name: bms-backend.

    2. In the Target groups field, select the bms-target-group target group you created earlier.

    3. In the HTTP health check section, do the following:

      1. Set the Timeout, s to 3.
      2. Set the Interval to 10.
      3. Under Path, specify the root path, /.
      4. In the HTTP codes field, select the 200 response code.

    Leave the other parameters unchanged.

  7. Click Create.

Create an HTTP router

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, select HTTP routers and click Create HTTP router.

  4. In the Name field, enter a name for the HTTP router: http-80.

  5. Under Virtual hosts, click Add virtual host and do the following in the New virtual host form that opens:

    1. In the Name field, enter http-vh for the virtual host's name and click Add route.
    2. In the New route form that opens, enter main-route-80 as the route's name in the Name field.
    3. In the HTTP methods field, select GET.
    4. In the Backend group field, select the bms-backend-group backend group created in the previous step.
    5. Leave all other parameters unchanged and click Create at the bottom of the page.

Create an L7 load balancer

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Application Load Balancer.

  3. Click Create L7 load balancer and select Manual.

  4. In the Name field, enter a name for the load balancer: demo-alb-bms.

  5. In the Network field, select sample-network.

  6. In the Security groups field, select From list and then the alb-sg security group from the list that opens.

  7. Under Allocation, leave only the ru-central1-a and ru-central1-b availability zones with the vpc-subnet-a and vpc-subnet-b subnets, respectively.

  8. If you do not want load balancer logs saved to a log group, disable Write logs.

  9. In the Listeners section, click Add listener and in the form that opens:

    1. In the Name field, enter a name for the listener: alb-bms-listener.
    2. In the HTTP router field, select the http-80 HTTP router you created earlier.

  10. Leave all other parameters unchanged and click Create at the bottom of the page.

  11. Wait for the load balancer status to change to Active and copy its public IP address from the IP addresses field.

  12. On your local computer, paste the load balancer's IP address into your browser's address bar. If everything is configured correctly, the browser will open your web application deployed on the BareMetal servers.

Set up protection against bots, DDoS, and web attacks

Once you make sure your L7 load balancer works correctly, set up a Smart Web Security profile to protect your web application against bots, DDoS, and web attacks.

Create an ARL profile

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select ARL profiles and click Create ARL profile.

  4. In the Name field, specify the ARL profile name: arl-profile-demo.

  5. Click Add rule and in the window that opens:

    1. In the Name field, specify the rule name: permit-50-rps-in.
    2. Set the Priority to 10.
    3. Set the Request limit to 50 requests in 1 second.
    4. Leave all the other parameters unchanged and click Save rule.

  6. Click Create.

Create a WAF profile

  1. In the management console, select the folder where you are deploying your infrastructure.
  2. In the list of services, select Smart Web Security.
  3. In the left-hand panel, select WAF profiles and click Create WAF profile.
  4. In the Name field, specify the WAF profile name: waf-profile-demo.
  5. By default, the WAF profile uses the OWASP Core Rule Set. Click the row with the rule set to view the rules it includes.
  6. Click Create.

Create a security profile

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select Security profiles.

  4. Click Create profile and select From scratch.

  5. In the Name field, specify the security profile name: sws-demo-profile.

  6. In the ARL profile field, select the previously created profile, arl-profile-demo.

  7. Create a new Web Application Firewall rule:

    1. Click Add rule.

    2. In the Name field, specify the rule name: waf-rule.

    3. Set the Priority to 200.

    4. Under Rule type, select Web Application Firewall. In the list that opens, select the waf-profile-demo rule you created earlier.

      This will apply rules from the WAF profile to the new rule. The system will redirect suspicious requests to Yandex SmartCaptcha.

    5. Click Add.

    The rule will appear in the list of rules under Security rules.

  8. Create a new Smart Protection rule:

    1. Click Add rule once again.

    2. In the Name field, specify the rule name: smart-rule.

    3. Set the Priority to 300.

    4. Under Rule type, select Smart Protection.

      The new rule will send traffic for automatic processing by machine learning and behavioral analysis algorithms. The system will redirect suspicious requests to Yandex SmartCaptcha for additional verification.

    5. Click Add.

    The rule will appear in the list of rules under Security rules.

  9. Click Create profile.

Apply protection to your hosts

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select Security profiles and select sws-demo-profile you created earlier.

  4. In the top panel, click Connect to host and in the window that opens:

    1. Select demo-alb-bms.
    2. Select http-80 as the HTTP router.
    3. Select the http-vh virtual host.
    4. Click Connect.

    Information about the connected virtual host will appear on the Connected hosts tab of the Smart Web Security profile overview page.

You have deployed a web application on two BareMetal servers, configured distribution of user traffic with an L7 load balancer in Application Load Balancer, and implemented protection of your application by means of a Smart Web Security profile.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.

  2. Delete the L7 load balancer; then delete the HTTP router, backend group, and the load balancer's target group one by one.

  3. Delete the Smart Web Security profile; then delete the WAF profile and ARL profile.

  4. You cannot delete BareMetal servers. Instead, cancel the renewal of their lease.

  5. If you had left the L7 load balancer logging feature on, delete the log group.

  6. Optionally, delete the security groups, subnets, and cloud network one by one.

  7. Delete the private connection if you no longer need it:

    1. In the management console, select the folder where you created the infrastructure.
    2. In the list of services, select BareMetal.
    3. In the left-hand panel, click VRF and select my-vrf.
    4. Under Private connection to cloud networks, click and select Disable connection.
    5. In the window that opens, confirm the deletion.

    The connection status will change to Deleting. Once all links are deleted, the connection will disappear from the list.

Previous
Yandex Object Storage integration with Nextcloud
Next
Overview