Creating a resource
To create a resource:
-
In the management console
, select the folder where you want to create a resource. -
Select Cloud CDN.
-
Click Create resource.
-
Configure the basic CDN resource settings:
Tip
You can set CDN resource parameters from a configuration of another CDN resource. To do this, in the Copy a configuration field, select an existing CDN resource. Keep in mind the following:
- You can migrate the Domain name parameter from the CDN resource of one CDN provider to another. The name must be unique across the resources of a single provider.
- Copying parameters between resources of different providers creates a copy of the origin group in the provider of the new resource.
- If the original resource has an uploaded TLS certificate, it will be reused in the new resource. You do not need to upload it again.
-
Under Content:
-
Enable or disable Enable access to content.
-
In the Content query field, select
From one origin
orFrom origin group
:- When requesting
From one origin
content, select the Origin type:Server
,Bucket
, orL7 load balancer
, and specify the origin. - When requesting content
From origin group
, select an origin group or create a new one:- Click Create.
- Specify Group name.
- Configure Origin:
- Specify the Origin type:
Server
,Bucket
, orL7 load balancer
. - Specify an origin.
- Select the Priority:
Active
orBackup
.
- Specify the Origin type:
- Add other origins if needed.
- Click Create. In the Origin group field, you will see the name of the created origin group.
Note
If the CDN resource is from one CDN provider and the selected existing origin group is from another, a duplicate origin group will be created for the CDN resource provider.
For more information, see Origins and origin groups.
- When requesting
-
In the Origin request protocol field, select a protocol for the origins.
-
In the Domain name field, specify the primary domain name you will use in your website links to CDN-hosted content, e.g.,
cdn.example.com
.You can add multiple Domain names. Names may include characters other than ASCII
, e.g., Cyrillic or Punycode . The first name is considered the primary domain name.Alert
You cannot change the primary domain name used for content distribution after creating a CDN resource.
-
Optionally, add labels:
- Click Add label.
- Enter a label in
key: value
format. - Press Enter.
-
-
Under Additional settings:
-
In the Redirect clients field, select
Don't use
orHTTPS to HTTP
.To enable redirecting clients from HTTP to HTTPS, create a CDN resource without a redirect and get a TLS certificate for your domain name. Next, in the CDN resource settings, select the
HTTP to HTTPS
client redirect method. -
In the Certificate type field, select one of the options:
Don't use
: Resource will only be available over HTTP.Use from Certificate Manager
: Select a certificate. The resource will be available over HTTP and HTTPS.
Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
The certificate must be located in the same folder as your CDN resource.
Learn more about configuring TLS certificates for HTTPS connections.
-
In the Host header field, select the value (
Primary domain name
orMatch client
) or opt forCustom
and enter the Header value.Learn more about the
Host
header in CDN server requests to origins. -
Optionally, to enable request redirection on a CDN resource, do the following:
-
Enable Redirect requests.
-
In the Rewrite rule field, set a rule, e.g.,
/(.*) /new-folder/$1
.A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
You can use regular expressions in the rule.
For more information, see Rewrite rule.
-
In the Flag field, specify the required flag:
break
: Terminates the processing of the current set of directives.last
: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.redirect
: Returns a temporaryredirect
with the302
status code to the user. This flag is used if the replacement string does not start withhttp://
,https://
, or$scheme
.permanent
: Returns a permanentredirect
with the301
status code to the user.
-
-
Optionally, to restrict access to resource content with secure tokens, enable Access via secure token:
-
Specify a Secret key that is a string of 6 to 32 characters. You will need a secret key to generate pre-signed URLs.
You can view the secret key you saved in the management console or using the
yc cdn resource list
CLI command. -
Use the Limit access by IP address field to restrict access to content by IP address:
Only trusted IP addresses
: Access to files will be allowed only from a specific IP address of the content recipient. The IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL.No restrictions
: Access to files will be allowed from any IP address.
-
-
Optionally, to restrict access to resource content using an IP-based access policy, enable IP-based access:
-
Select the type of access policy:
Block all except
: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified below.Allow all except
: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified below.
-
In the List of IP addresses field, specify the list of IP addresses excluded from the above access policy.
You must specify IP addresses with a subnet prefix in CIDR notation
separated by commas. For example,192.168.3.2/32, 192.168.17.0/24
.
-
-
Optionally, to set a CDN provider, enable Select provider and specify the one you need.
The default provider is
Yandex Cloud CDN
.Warning
When creating each CDN resource and each origin group, they get assigned a specific provider. You cannot change the assigned provider.
-
-
Click Continue.
-
Optionally, under Caching, do the following:
Tip
You can configure these settings later, if required.
-
Under CDN:
- Enable CDN caching.
- Select the setting type:
Same as origin
orCustom settings
. - Select the cache lifetime from the list.
- Optionally, for the
Custom settings
setting type, set the cache lifetime for the required HTTP response codes.
-
Under Browser:
- Enable Browser caching.
- Select the cache lifetime from the list.
-
Under Additional settings:
- Select the option to ignore Cookies.
- Select the option to ignore the Query parameters.
-
For CDN servers to compress content before sending it to clients, select GZip.
The content will be sent in
gzip
format with theContent-Encoding
HTTP header. From origins, only uncompressed content will be requested. -
If you want files larger than 10 MB to be requested and cached in parts, each part no larger than 10 MB, select Segmentation of large files.
For segmentation to work, content origins must support partial GET requests with the
Range
header.
-
-
Click Continue.
-
Under HTTP headers and methods:
Tip
You can configure these settings later, if required.
-
Under Origin request headers:
- In the Header field, click Add.
- Enter names and values of the headers you need.
-
Under Client response headers:
- In the Header field, click Add.
- Enter names and values of the headers you need.
Learn more about configuring HTTP headers for requests and responses.
-
Under CORS when responding to client requests:
- In the Access-Control-Allow-Origin header field, specify whether to add this header to responses.
- When adding a header, select the values of the
Origin
header that allow access to the content. To grant access only to specific origins, selectSame as Origin if on the list
, specify the origin domain names and click Add domain name.
-
Under Client request methods, select Allowed methods from the drop-down list.
-
-
Click Create and continue.
-
Optionally, under Advanced, do the following:
Tip
You can configure these settings later, if required.
-
Under Log export settings, enable log export.
-
Under Origin shielding settings, enable shielding and select the location you need in the Location field.
-
-
Click Continue.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID>
command. You can also set a different folder for any specific command using the --folder-name
or --folder-id
parameter.
-
View the description of the CLI command to create a resource:
yc cdn resource create --help
-
Get a list of origin groups in the folder:
yc cdn origin-group list --format yaml
Result:
- id: "90209" folder_id: s0mefo1der7p******** name: test-group-1 use_next: true origins: - id: "561547" origin_group_id: "90209" source: www.example2.com enabled: true backup: true - id: "561546" origin_group_id: "90209" source: www.example1.com enabled: true - id: "90208" folder_id: b1g86q4m5ve******** name: test-group use_next: true origins: - id: "561545" origin_group_id: "90208" source: www.a2.com enabled: true backup: true - id: "561544" origin_group_id: "90208" source: www.a1.com enabled: true
-
Create a resource:
yc cdn resource create <resource_domain_name> \ --origin-group-id <origin_group_ID> \ --origin-protocol <origin_protocol>
- Instead of
--origin-group-id
, you can specify the origin domain name using the--origin-custom-source
flag. - The possible
--origin-protocol
values areHTTP
,HTTPS
, andMATCH
(same as the client's).
To configure a TLS certificate for a CDN resource, use these parameters:
-
--dont-use-ssl-cert
: Do not use a certificate. The resource will be available only over HTTP. -
--cert-manager-ssl-cert-id
: Certificate ID. The resource will be available over HTTP and HTTPS.Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
The certificate must be located in the same folder as your CDN resource.
To enable request redirects on a CDN resource, use these parameters:
-
--rewrite-body
: Rewrite rule, e.g.,--rewrite-body '/(.*) /new-folder/$1'
.A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
You can use regular expressions in the rule.
For more information, see Rewrite rule.
-
--rewrite-flag
: Flag. The possible values are:break
: Terminates the processing of the current set of directives.last
: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.redirect
: Returns a temporaryredirect
with the302
status code to the user. This flag is used if the replacement string does not start withhttp://
,https://
, or$scheme
.permanent
: Returns a permanentredirect
with the301
status code to the user.
-
To add labels, use the
--add-labels
parameter, e.g.,--add-labels key1=value1
.
If you want to restrict access to resource content with secure tokens, use the following parameters:
--secure-key
: Secret key, a string of 6 to 32 characters.--enable-ip-url-signing
: Optional parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.
See also Setting up access via a secure token.
If you want to restrict access to resource content using an IP address access policy, use the following parameters:
-
--acl-excepted-values
: IP address for which access to the content will be allowed or denied. For the address, specify the subnet prefix in CIDR notation , e.g.,192.168.3.2/32
or2a03:d000:2980:7::8/128
.You can only provide one IP address in the
--acl-excepted-values
parameter. To provide multiple addresses, set the--acl-excepted-values
parameter for each address. -
--policy-type
: Policy type. The possible values are as follows:allow
: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the--acl-excepted-values
parameter.deny
: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the--acl-excepted-values
parameter.
For more information about the
yc cdn resource create
command, see the CLI reference. - Instead of
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the properties of the CDN resource to create:
resource "yandex_cdn_resource" "my_resource" { cname = "<domain_name>" active = true origin_protocol = "https" origin_group_id = <origin_group_ID> secondary_hostnames = ["<additional_domain_name_1>", "additional_domain_name_2"] ssl_certificate { type = "certificate_manager" certificate_manager_id = "<certificate_ID>" } options { redirect_http_to_https = true secure_key = "<secret_key>" enable_ip_url_signing = true ip_address_acl { excepted_values = ["<IP_address_1>", "<IP_address_2>", ..., "<IP_address_n>"] policy_type = "<policy_type>" } } }
Where:
-
cname
: Primary domain name used for content distribution. This is a required parameter. -
active
: Optional flag for content availability to end users, wheretrue
means the CDN content is available to clients, andfalse
means that the content not available. The default value istrue
. -
origin_protocol
: Optional origin protocol. The default value ishttp
. -
origin_group_id
: Origin group ID. This is a required parameter. Use the ID from the description of the origin group in theyandex_cdn_origin_group
resource. -
secondary_hostnames
: Optional additional domain names. -
ssl_certificate
: Optional SSL certificate parameters:-
type
: Certificate type. The possible values are:-
not_used
: Certificate is not used. This is a default value. -
certificate_manager
: Custom certificate. Specify the certificate ID in thecertificate_manager_id
parameter.Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.
The certificate must be located in the same folder as your CDN resource.
-
-
certificate_manager_id
: Custom certificate ID in Certificate Manager.
-
-
options
: Optional additional parameters of the CDN resource:-
redirect_http_to_https
: Parameter to redirect clients from HTTP to HTTPS,true
orfalse
. This parameter is available if an SSL certificate is used. -
secure_key
: Secret key, that is a string of 6 to 32 characters, which is required to restrict access to a resource using secure tokens. -
enable_ip_url_signing
: Optional parameter that enables restricting access to a CDN resource by IP address using secure tokens. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address. -
ip_address_acl
: IP-based access policy parameters:-
ip_address_acl
: List of IP addresses for which access to the resource content will be allowed or denied. Separate IP addresses by commas. For each address, specify the subnet prefix in CIDR notation , e.g.,192.168.3.2/32
or2a03:d000:2980:7::8/128
. -
policy_type
: Policy type. The possible values are as follows:allow
: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in theip_address_acl.excepted_values
parameter.deny
: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in theip_address_acl.excepted_values
parameter.
-
-
For more information about the
yandex_cdn_resource
properties in Terraform, see the provider documentation . -
-
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validate
If the configuration is correct, you will get this message:
Success! The configuration is valid.
-
Run this command:
terraform plan
You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply
-
Type
yes
and press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new CDN resource using the management console
or this CLI command:yc cdn resource list
-
Use the create REST API method for the Resource resource or the ResourceService/Create gRPC API call.
You can restrict access to the resource with secure tokens and an IP-based access policy.
Once the CDN resource is created, get the CDN provider's domain name and create a CNAME resource record for the specified name in your DNS hosting settings, e.g., in Yandex Cloud DNS. For more information, see Domain names for content distribution.
Sample resource record:
cdn.example.com. CNAME 328938ed********.a.yccdn.cloud.yandex.net
The new resource will start running properly after the CNAME record that you created on your DNS hosting (see Host names) is propagated across DNS servers. This may take several hours.
Note
Do not use an ANAME resource record with domain names for content distribution; otherwise, the end user will get a response from a CDN server not linked to the user geolocation. The response will always be the same for all users.
For a CDN resource with the EdgeCDN provider, you can configure advanced settings. For a complete description of its features, see the CDN provider's API documentation
Examples
Create a resource with HTTP:
yc cdn resource create testexample.com \
--origin-group-id 90209 \
--origin-protocol HTTP
Result:
id: s0me1dkfjq********
...
cname: testexample.com
active: true
...
origin_group_id: "90209"
origin_group_name: test-group-1
origin_protocol: HTTP
ssl_certificate:
type: DONT_USE
status: READY