Integrating an L7 load balancer with Cloud CDN and Object Storage using the management console

Written by
Yandex Cloud
Updated at March 6, 2026
  • Supported tools
  • Get your cloud ready
    • Required paid resources
  • Create and configure a public DNS zone
  • Add a certificate to Certificate Manager
  • Create a cloud network and subnets
  • Create a security group
  • Create an Object Storage bucket
  • Upload the file of your service to the bucket
  • Create an Application Load Balancer backend group
  • Create an HTTP router and a virtual host
  • Create an L7 load balancer
  • Create a CDN resource
  • Create a CNAME resource record for the CDN resource
  • Test the service
  • How to delete the resources you created

Note

To implement this solution, you will need a domain. We will use the example.com domain name as an example.

To set up integration of an L7 load balancer with Yandex Cloud CDN and Yandex Object Storage using the management console, Yandex Cloud CLI, or API:

  1. Get your cloud ready.
  2. Create and configure a public DNS zone.
  3. Add a certificate to Certificate Manager.
  4. Create a cloud network and subnets.
  5. Create a security group.
  6. Create a bucket in Object Storage.
  7. Upload the file of your service to the bucket.
  8. Create an Application Load Balancer backend group.
  9. Create an HTTP router and a virtual host.
  10. Create an L7 load balancer.
  11. Create a CDN resource.
  12. Create a CNAME resource record for the CDN resource.
  13. Test the service.

If you no longer need the resources you created, delete them.

Supported tools

You can complete most of the steps in this tutorial with any of the standard tools: the management console, Yandex Cloud CLI, or Yandex Cloud API. Each step lists the tools it supports.

Some steps do not support certain tools: currently, you cannot create an Application Load Balancer backend group with buckets as backends via the Yandex Cloud CLI.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

We will use a folder named example-folder in our example.

Required paid resources

The infrastructure support costs include:

  • Fee for data storage in Object Storage, data operations, and outbound traffic (see Object Storage pricing).
  • Fee for using the L7 load balancer’s computing resources (see Application Load Balancer pricing).
  • Fee for outgoing traffic from CDN servers (see Cloud CDN pricing).
  • Fee for public DNS requests and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).

Create and configure a public DNS zone

Note

This guide describes a scenario where Yandex Cloud DNS handles domain management.

If you do not want to delegate management of your domain to Yandex Cloud, you can complete the required DNS setup using tools provided by your domain administrator. To create resource records, use your domain administrator’s tutorials or contact their support.

To configure a public DNS zone in the Yandex Cloud infrastructure:

  1. Delegate your domain to Cloud DNS. To do this, in your domain registrar's account, specify the addresses of these DNS servers in your domain settings: ns1.yandexcloud.net and ns2.yandexcloud.net.

  2. Create a public DNS zone in Yandex Cloud DNS.

    Management console, Yandex Cloud CLI, and API instructions follow, in that order:
    1. In the management console, select example-folder.

    2. Go to Cloud DNS.

    3. Click Create zone.

    4. Specify the zone settings consistent with your domain:

      1. Zone: Domain zone. Its name must end with a trailing dot. For example, example.com. matches the example.com domain. To create a domain name with non-Latin characters, use the Punycode encoding.
      2. Type: Public.
      3. Name: my-domain-zone.
    5. Click Create.

    If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

    Run this command:

    yc dns zone create \
      --name my-domain-zone \
      --zone <domain_name> \
      --public-visibility
    

    Where --zone is your domain name. The --zone parameter value must end with a trailing dot: for example, the value example.com. (with the dot) matches the example.com domain.

    Result:

    id: dns6b0mdas5r********
    folder_id: b1gt6g8ht345********
    created_at: "2026-02-05T10:42:16.017Z"
    name: my-domain-zone
    zone: example.com.
    public_visibility: {}
    

    For more information about the yc dns zone create command, see the CLI reference.

    To create a public DNS zone, use the create REST API method for the DnsZone resource or the DnsZoneService/Create gRPC API call.

Add a certificate to Certificate Manager

Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.

The certificate must be located in the same folder as your CDN resource.

This guide describes a scenario where the CDN resource is issued a new Let's Encrypt® certificate.

  1. Add a Let's Encrypt® certificate for your domain to Certificate Manager:

    Management console, Yandex Cloud CLI, and API instructions follow, in that order:
    1. In the management console, select example-folder.
    2. Go to Certificate Manager.
    3. Click Add certificate and select Let's Encrypt certificate.
    4. In the window that opens, specify mymanagedcert in the Name field.
    5. In the Domains field, enter a name for your domain, e.g., example.com.
    6. Select DNS as the domain rights check type.
    7. Click Create.

    Run this command:

    yc certificate-manager certificate request \
      --name mymanagedcert \
      --challenge dns \
      --domains <domain_name>
    

    Where <domain_name> is your domain name, e.g., example.com.

    Result:

    id: fpq7t9dpi4o0********
    folder_id: b1gt6g8ht345********
    created_at: "2026-02-05T11:00:15.952968372Z"
    name: mymanagedcert
    type: MANAGED
    domains:
      - example.com
    status: VALIDATING
    updated_at: "2026-02-05T11:00:15.952968372Z"
    

    For more information about the yc certificate-manager certificate request command, see the CLI reference.

    Save the ID (id) of the certificate you created, as you will need it when creating a CDN resource.

    To add a certificate, use the requestNew REST API method for the Certificate resource or the CertificateService/RequestNew gRPC API call.

    A new certificate with the Validating status will appear in the certificate list. This status means that a Let's Encrypt® certificate was requested and you need to pass a domain rights check for it to be successfully processed.

  2. To successfully issue the certificate, pass a domain rights check:

    Management console, Yandex Cloud CLI, and API instructions follow, in that order:
    1. In the management console, select example-folder.
    2. Go to Certificate Manager.
    3. From the list of certificates, select mymanagedcert.
    4. In the window that opens, under Check rights for domains, select CNAME record and click Create record in the section with your domain below.
    5. In the window that opens, confirm creating the resource record.

    Checking rights for a domain may take from a few minutes to a few days. Wait until the check is complete. As a result, the certificate will be issued and get the Issued status.

    1. Get the values of the resource record required for validation:

      yc certificate-manager certificate get \
        --name mymanagedcert \
        --full
      

      Result:

      id: fpq7t9dpi4o0********
      folder_id: b1gt6g8ht345********
      created_at: "2026-02-05T11:00:15.952Z"
      name: mymanagedcert
      type: MANAGED
      domains:
        - example.com
      status: VALIDATING
      updated_at: "2026-02-05T11:00:15.952Z"
      challenges:
        - domain: example.com
          type: DNS
          created_at: "2026-02-05T11:00:15.952968372Z"
          updated_at: "2026-02-05T11:00:19.659820021Z"
          status: PENDING
          message: Create a record in your DNS provider.
          dns_challenge:
            name: _acme-challenge.example.com.
            type: CNAME
            value: fpq7t9dpi4o0********.cm.yandexcloud.net.
        - domain: example.com
          type: DNS
          created_at: "2026-02-05T11:00:15.952968372Z"
          updated_at: "2026-02-05T11:00:19.659820021Z"
          status: PENDING
          message: Create a record in your DNS provider.
          dns_challenge:
            name: _acme-challenge.example.com.
            type: TXT
            value: 77LcWo8-Qx4sHJuFDoNCpptLZkyWVW5A2dY********
      

      For more information about the yc certificate-manager certificate get command, see the CLI reference.

      Save the value of the value field from the CNAME type section under challenges.dns_challenge. You will need this value in the next step.

    2. Create a CNAME resource record to pass a domain rights check:

      yc dns zone add-records \
        --name my-domain-zone \
        --record "_acme-challenge 600 CNAME <dns_challenge_value>"
      

      Where <dns_challenge_value> is the value you saved in the previous step, required for the domain rights check using a CNAME record.

      Result:

      +--------+------------------------------+-------+------------------------------------------+-----+
      | ACTION |             NAME             | TYPE  |                   DATA                   | TTL |
      +--------+------------------------------+-------+------------------------------------------+-----+
      | +      | _acme-challenge.example.com. | CNAME | fpq7t9dpi4o0********.cm.yandexcloud.net. | 600 |
      +--------+------------------------------+-------+------------------------------------------+-----+
      

      For more information about the yc dns zone add-records command, see the CLI reference.

      Checking rights for a domain may take from a few minutes to a few days. Wait until the check is complete. As a result, the certificate will be issued and get the Issued status.

    3. Make sure that the certificate status has switched to Issued:

      yc certificate-manager certificate get \
        --name mymanagedcert
      

      Result:

      id: fpq7t9dpi4o0********
      folder_id: b1gt6g8ht345********
      created_at: "2026-02-05T11:00:15.952Z"
      name: mymanagedcert
      type: MANAGED
      domains:
        - example.com
      status: ISSUED
      issuer: CN=R12,O=Let's Encrypt,C=US
      subject: CN=example.com
      serial: 57bc7967996d73d63d9d52e337c********
      updated_at: "2026-02-05T13:29:23.658Z"
      issued_at: "2026-02-05T13:29:23.658Z"
      not_after: "2026-05-06T12:30:49Z"
      not_before: "2026-02-05T12:30:50Z"
      

      Save the certificate ID you got as you will need it later to create the CDN resource.

    To get the information required to pass the domain rights check, use the get REST API method for the Certificate resource or the CertificateService/Get gRPC API call with the view=FULL parameter.

    To create a CNAME resource record in a DNS zone, use the updateRecordSets REST API method for the DnsZone resource or the DnsZoneService/UpdateRecordSets gRPC API call.

    Note

    For a successful DNS domain rights check based on a CNAME record, make sure the _acme-challenge subdomain of the domain name you are checking has no other resource records except CNAME. For example, for the _acme-challenge.example.com. domain name, there should only be a CNAME record and no TXT record.

    If your domain is managed from outside Yandex Cloud, to create the resource record for the domain rights check, use tools provided by your domain administrator. For more information, see Domain rights check.
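
The condition in the note above can be checked before you wait on validation. The following is an added example, not code from the Yandex Cloud documentation: it compares the certificate's CNAME challenge with the record sets at the same name. The function names, the record-set dictionary shape (name, type, data), and all sample values are assumptions constructed for illustration.

```python
# Added example (not from the Yandex Cloud docs): pre-check a DNS zone before
# the CNAME-based domain rights check. All sample values below are constructed.


def fqdn(name):
    """Normalize a DNS name: lower case, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def check_acme_cname(challenges, record_sets):
    """Compare the certificate's CNAME challenge with the zone's record sets.

    challenges  -- the `challenges` list of the certificate (name/type/value
                   under `dns_challenge`, as in the output shown above)
    record_sets -- the zone's record sets as dicts with name, type and data
                   (assumed shape, modeled on the add-records table above)
    Returns a list of problems; an empty list means the zone is ready.
    """
    wanted = [
        c["dns_challenge"]
        for c in challenges
        if c.get("type") == "DNS"
        and c.get("dns_challenge", {}).get("type") == "CNAME"
    ]
    if not wanted:
        return ["certificate has no CNAME-type DNS challenge"]

    problems = []
    for challenge in wanted:
        owner = fqdn(challenge["name"])
        expected = fqdn(challenge["value"])
        at_owner = [r for r in record_sets if fqdn(r["name"]) == owner]
        cnames = [r for r in at_owner if r["type"].upper() == "CNAME"]

        # Any other record type at the same name (the page's example: TXT)
        # must not coexist with the CNAME.
        for r in at_owner:
            if r["type"].upper() != "CNAME":
                problems.append(f"{owner} has an extra {r['type']} record; remove it")

        if not cnames:
            problems.append(f"{owner} has no CNAME record")
        for r in cnames:
            targets = sorted(fqdn(d) for d in r["data"])
            # The CNAME delegates ACME validation for this domain to its
            # target, so it must be exactly the value Certificate Manager gave.
            if targets != [expected]:
                problems.append(
                    f"{owner} CNAME points to {', '.join(targets)}; expected {expected}"
                )
    return problems


# Constructed sample data; the certificate ID part is a placeholder.
CHALLENGES = [
    {"domain": "example.com", "type": "DNS", "status": "PENDING",
     "dns_challenge": {"name": "_acme-challenge.example.com.", "type": "CNAME",
                       "value": "cert-id-placeholder.cm.yandexcloud.net."}},
    {"domain": "example.com", "type": "DNS", "status": "PENDING",
     "dns_challenge": {"name": "_acme-challenge.example.com.", "type": "TXT",
                       "value": "constructed-txt-token"}},
]
ZONE_OK = [
    {"name": "_acme-challenge.example.com.", "type": "CNAME", "ttl": "600",
     "data": ["cert-id-placeholder.cm.yandexcloud.net."]},
]
ZONE_WITH_TXT = ZONE_OK + [
    {"name": "_acme-challenge.example.com.", "type": "TXT", "ttl": "600",
     "data": ["constructed-txt-token"]},
]
ZONE_WRONG_TARGET = [
    {"name": "_ACME-challenge.example.com", "type": "CNAME", "ttl": "600",
     "data": ["other-target.example.net."]},
]

if __name__ == "__main__":
    for label, zone in [("ok", ZONE_OK), ("with TXT", ZONE_WITH_TXT),
                        ("wrong target", ZONE_WRONG_TARGET), ("empty", [])]:
        print(label, check_acme_cname(CHALLENGES, zone) or "ready")
```
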

Create a cloud network and subnets

All resources will belong to the same cloud network.

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.
  2. Go to Virtual Private Cloud.
  3. At the top right, click Create network.
  4. In the Name field, specify example-network.
  5. In the Advanced field, select Create subnets.
  6. Click Create network.
  1. Create a network named example-network:

    yc vpc network create example-network
    

    Result:

    id: enpqm699f18v********
    folder_id: b1gt6g8ht345********
    created_at: "2026-02-05T11:57:02Z"
    name: example-network
    default_security_group_id: enp4qvbg2ri1********
    

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create subnets in all availability zones:

    • ru-central1-a:

      yc vpc subnet create example-subnet-ru-central1-a \
        --zone ru-central1-a \
        --network-name example-network \
        --range 192.168.1.0/24
      

      Result:

      id: e9b0fo0hvhpd********
      folder_id: b1gt6g8ht345********
      created_at: "2026-02-05T12:00:21Z"
      name: example-subnet-ru-central1-a
      network_id: enpqm699f18v********
      zone_id: ru-central1-a
      v4_cidr_blocks:
        - 192.168.1.0/24
      

      Save the subnet ID you got as you will need it later to create an L7 load balancer.

    • ru-central1-b:

      yc vpc subnet create example-subnet-ru-central1-b \
        --zone ru-central1-b \
        --network-name example-network \
        --range 192.168.2.0/24
      

      Result:

      id: e2lo05oe9slo********
      folder_id: b1gt6g8ht345********
      created_at: "2026-02-05T12:02:02Z"
      name: example-subnet-ru-central1-b
      network_id: enpqm699f18v********
      zone_id: ru-central1-b
      v4_cidr_blocks:
        - 192.168.2.0/24
      

      Save the subnet ID you got as you will need it later to create an L7 load balancer.

    • ru-central1-d:

      yc vpc subnet create example-subnet-ru-central1-d \
        --zone ru-central1-d \
        --network-name example-network \
        --range 192.168.3.0/24
      

      Result:

      id: fl8bpb6lnu80********
      folder_id: b1gt6g8ht345********
      created_at: "2026-02-05T12:03:23Z"
      name: example-subnet-ru-central1-d
      network_id: enpqm699f18v********
      zone_id: ru-central1-d
      v4_cidr_blocks:
        - 192.168.3.0/24
      

      Save the subnet ID you got as you will need it later to create an L7 load balancer.

    For more information about the yc vpc subnet create command, see the CLI reference.

  1. To create example-network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
  2. To create example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d in three availability zones, use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a security group

Security groups contain rules that allow the L7 load balancer to receive incoming traffic and send it to backend buckets.

To create a security group:

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.

  2. Go to Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. At the top right, click Create security group.

  5. In the Name field, specify example-sg.

  6. In the Network field, select example-network.

  7. Under Rules, create the following rules using the instructions below:

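    +-------------------+--------------+------------+----------+----------------------------+-------------+
    | Traffic direction | Description  | Port range | Protocol | Source / destination       | CIDR blocks |
    +-------------------+--------------+------------+----------+----------------------------+-------------+
    | Egress            | any          | All        | Any      | CIDR                       | 0.0.0.0/0   |
    | Ingress           | ext-http     | 80         | TCP      | CIDR                       | 0.0.0.0/0   |
    | Inbound           | ext-https    | 443        | TCP      | CIDR                       | 0.0.0.0/0   |
    | Inbound           | healthchecks | 30080      | TCP      | Load balancer healthchecks | —           |
    +-------------------+--------------+------------+----------+----------------------------+-------------+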
  8. Click Create.

Run this command:

yc vpc security-group create example-sg \
  --network-name example-network \
  --rule "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
  --rule "direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks"

Result:

id: enp9dpfa774h********
folder_id: b1gt6g8ht345********
created_at: "2026-02-05T12:29:47Z"
name: example-sg
network_id: enpqm699f18v********
status: ACTIVE
rules:
  - id: enpa11mk1r50********
    direction: EGRESS
    protocol_name: ANY
    protocol_number: "-1"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0
  - id: enp4aob2uiam********
    direction: INGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0
  - id: enpn8onb4lda********
    direction: INGRESS
    ports:
      from_port: "443"
      to_port: "443"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0
  - id: enp6j82kiu2p********
    direction: INGRESS
    ports:
      from_port: "30080"
      to_port: "30080"
    protocol_name: TCP
    protocol_number: "6"
    predefined_target: loadbalancer_healthchecks

Save the security group ID as you will need it later to create an L7 load balancer.

For more information about the yc vpc security-group create command, see the CLI reference.

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

To add a rule for load balancer health checks, set loadbalancer_healthchecks in predefinedTarget for the REST API or in SecurityGroupRuleSpec.target.predefined_target for the gRPC API.
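
The rule set above opens only TCP 80 and 443 to 0.0.0.0/0 and admits health checks through the predefined target rather than a CIDR. The following is an added example, not code from the Yandex Cloud documentation: it audits a security group's ingress rules against that baseline. It assumes the group is available as a dictionary with the field names of the Result output above (for instance, loaded from JSON); the function names and sample rule IDs are constructed.

```python
# Added example (not from the Yandex Cloud docs): audit a security group
# against the four rules this tutorial creates. Sample data is constructed.

ANYWHERE = "0.0.0.0/0"
PUBLIC_TCP_PORTS = {80, 443}          # ext-http and ext-https
HEALTHCHECK_PORT = 30080
HEALTHCHECK_TARGET = "loadbalancer_healthchecks"


def port_range(rule):
    """Return (from, to); a rule without `ports` covers every port."""
    ports = rule.get("ports")
    if not ports:
        return 0, 65535
    return int(ports["from_port"]), int(ports["to_port"])


def audit_ingress(group):
    """Return findings for ingress rules that differ from the tutorial's set."""
    findings = []
    public_seen = set()
    healthcheck_seen = False

    for rule in group.get("rules", []):
        if rule.get("direction") != "INGRESS":
            continue
        low, high = port_range(rule)
        proto = rule.get("protocol_name", "ANY")
        cidrs = rule.get("cidr_blocks", {}).get("v4_cidr_blocks", [])
        rule_id = rule.get("id", "<no id>")

        # Health checks are admitted by predefined target, not by CIDR.
        if (rule.get("predefined_target") == HEALTHCHECK_TARGET
                and (low, high) == (HEALTHCHECK_PORT, HEALTHCHECK_PORT)):
            healthcheck_seen = True
            continue

        if ANYWHERE in cidrs:
            if proto == "TCP" and low == high and low in PUBLIC_TCP_PORTS:
                public_seen.add(low)
            else:
                findings.append(
                    f"{rule_id}: {proto} {low}-{high} is open to {ANYWHERE} "
                    "but is not one of the tutorial's public ports"
                )

    for port in sorted(PUBLIC_TCP_PORTS - public_seen):
        findings.append(f"no public ingress rule for TCP {port}")
    if not healthcheck_seen:
        findings.append(
            f"no rule admitting {HEALTHCHECK_TARGET} on TCP {HEALTHCHECK_PORT}"
        )
    return findings


def ingress(rule_id, port, cidr=None, target=None, proto="TCP"):
    """Build one constructed rule in the shape of the Result output above."""
    rule = {"id": rule_id, "direction": "INGRESS", "protocol_name": proto,
            "ports": {"from_port": str(port), "to_port": str(port)}}
    if cidr:
        rule["cidr_blocks"] = {"v4_cidr_blocks": [cidr]}
    if target:
        rule["predefined_target"] = target
    return rule


EGRESS_ANY = {"id": "rule-egress", "direction": "EGRESS", "protocol_name": "ANY",
              "cidr_blocks": {"v4_cidr_blocks": [ANYWHERE]}}
BASELINE = {"name": "example-sg", "rules": [
    EGRESS_ANY,
    ingress("rule-http", 80, cidr=ANYWHERE),
    ingress("rule-https", 443, cidr=ANYWHERE),
    ingress("rule-hc", 30080, target=HEALTHCHECK_TARGET),
]}
# Constructed drift: SSH opened to everyone, 443 removed, and the health check
# port opened by CIDR instead of the predefined target.
DRIFTED = {"name": "example-sg", "rules": [
    EGRESS_ANY,
    ingress("rule-http", 80, cidr=ANYWHERE),
    ingress("rule-ssh", 22, cidr=ANYWHERE),
    ingress("rule-hc-open", 30080, cidr=ANYWHERE),
]}

if __name__ == "__main__":
    for label, group in [("baseline", BASELINE), ("drifted", DRIFTED)]:
        print(label, audit_ingress(group) or "matches the tutorial")
```

The check covers IPv4 CIDR rules only and does not flag ingress rules restricted to narrower CIDRs.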

Create an Object Storage bucket

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.
  2. Go to Object Storage.
  3. At the top right, click Create bucket.
  4. In the Name field, enter a unique name for the bucket.
  5. In the Read objects and Read object list fields, select For all.
  6. Click Create bucket.

Run this command, specifying the unique bucket name:

yc storage bucket create \
  --name <bucket_name> \
  --public-read \
  --public-list

Result:

name: my-cdn-bucket
folder_id: b1gt6g8ht345********
anonymous_access_flags:
  read: true
  list: true
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
created_at: "2026-02-05T12:35:03.639102Z"
resource_id: e3e8qar9vrim********

Use the create REST API method for the Bucket resource or the BucketService/Create gRPC API call.

Upload the file of your service to the bucket

  1. Create a file named index.html with the following contents:

    <!DOCTYPE html>
    <html>
      <head>
        <title>My service</title>
      </head>
      <body>
        <p>The service is working</p>
      </body>
    </html>
    
  2. Upload the file to the bucket:

    Management console, Yandex Cloud CLI, and API instructions follow, in that order:
    1. In the management console, select example-folder.
    2. Go to Object Storage.
    3. Select the previously created bucket.
    4. Click Upload and select the index.html file for uploading.
    5. In the window that opens, click Upload.

    Upload the index.html file to the bucket:

    yc storage s3api put-object \
      --bucket <bucket_name> \
      --key index.html \
      --content-type "text/html" \
      --body <local_path_to_file>
    

    Where:

    • --bucket: Name of the bucket you created earlier.
    • --body: Local path to the HTML file created earlier, e.g., ./index.html.

    Result:

    etag: '"2f613d0f35668e1d98fa9c6b********"'
    request_id: a809736f********
    

    For more information about the yc storage s3api put-object command, see the CLI reference.

    Use the upload REST API method.

Create an Application Load Balancer backend group

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.
  2. Go to Application Load Balancer.
  3. In the left-hand panel, select Backend groups.
  4. At the top right, click Create backend group.
  5. In the Name field, specify example-bg.
  6. In the Type field, select HTTP as the backend group type.
  7. Under Backends, click Add and set up the backend:
    1. In the Name field, specify example-backend.
    2. In the Weight field, specify 100.
    3. In the Type field, select Bucket as the backend type.
    4. In the Bucket field, select the bucket you created earlier.
  8. Click Create.

If you are going to complete the next steps in the Yandex Cloud CLI, copy the ID of the example-bg backend group as you will need it later.

Currently, the Yandex Cloud CLI does not support creating a backend group with the bucket backend type. Use the management console or API to create the backend group.

Use the create REST API method for the BackendGroup resource or the BackendGroupService/Create gRPC API call.

Create an HTTP router and a virtual host

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.

  2. Go to Application Load Balancer.

  3. In the left-hand panel, select HTTP routers.

  4. At the top right, click Create HTTP router.

  5. In the Name field, specify example-router.

  6. Create a virtual host named example-vh:

    1. Under Virtual hosts, click Add virtual host.
    2. In the Name field, specify example-vh.
    3. In the Authority field, specify your domain name, e.g., example.com.
    4. Click Add route.
    5. In the Name field, specify example-route.
    6. In the Path field, select Starts with and specify the / path.
    7. From the HTTP methods list, select GET.
    8. In the Action field, keep Routing.
    9. From the Backend group list, select example-bg.
  7. Do not change the other settings. Click Create.

  1. Create an HTTP router example-router:

    yc alb http-router create example-router
    

    Result:

    id: ds78i77j8lg0********
    name: example-router
    folder_id: b1gt6g8ht345********
    created_at: "2026-02-05T13:09:27.917359782Z"
    

    For more information about the yc alb http-router create command, see the CLI reference.

  2. Create a virtual host named example-vh:

    yc alb virtual-host create example-vh \
      --http-router-name example-router \
      --authority <domain_name>
    

    Where <domain_name> is your domain name, e.g., example.com.

    Result:

    done (1s)
    name: example-vh
    authority:
      - example.com
    

    For more information about the yc alb virtual-host create command, see the CLI reference.

  3. Create a route named example-route in the example-vh virtual host:

    yc alb virtual-host append-http-route example-route \
      --http-router-name example-router \
      --virtual-host-name example-vh \
      --prefix-path-match "/" \
      --backend-group-name example-bg
    

    Result:

    done (1s)
    name: example-vh
    authority:
      - example.com
    routes:
      - name: example-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7glpil29lb********
    

    For more information about the yc alb virtual-host append-http-route command, see the CLI reference.

  1. To create the example-router HTTP router, use the create REST API method for the HttpRouter resource or the HttpRouterService/Create gRPC API call.
  2. To create the example-vh virtual host associated with the router, use the create REST API method for the VirtualHost resource or the VirtualHostService/Create gRPC API call.

Create an L7 load balancer

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.

  2. Go to Application Load Balancer.

  3. At the top right, click Create L7 load balancer and select Manual.

  4. In the Name field, specify example-balancer.

  5. Under Network settings:

    1. In the Network field, select example-network.
    2. In the Security groups field, select From list and then, from the list that opens, the example-sg security group you created earlier.
  6. Under Allocation, select the three subnets for the load balancer nodes (example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d) and enable traffic to these subnets.

  7. Under Listeners, click Add listener and set up the listener:

    1. In the Name field, specify example-listener.
    2. Under Public IP address:
      • In the Port field, specify 80.
      • In the Type field, select Automatically.
  8. In the HTTP router field, select example-router.

  9. Click Create.

  1. Create a load balancer named example-balancer:

    yc alb load-balancer create example-balancer \
      --network-name example-network \
      --security-group-id <example-sg_security_group_ID> \
      --location zone=ru-central1-a,subnet-id=<example-subnet-ru-central1-a_ID> \
      --location zone=ru-central1-b,subnet-id=<example-subnet-ru-central1-b_ID> \
      --location zone=ru-central1-d,subnet-id=<example-subnet-ru-central1-d_ID>
    

    Where:

    • --security-group-id: Security group ID you saved when creating the security group.
    • subnet-id: IDs of the subnets in the three availability zones, which you saved when creating the subnets.

    Result:

    done (7m17s)
    id: ds790ardig7r********
    name: example-balancer
    folder_id: b1gt6g8ht345********
    status: ACTIVE
    region_id: ru-central1
    network_id: enpqm699f18v********
    allocation_policy:
      locations:
        - zone_id: ru-central1-a
          subnet_id: e9b0fo0hvhpd********
        - zone_id: ru-central1-b
          subnet_id: e2lo05oe9slo********
        - zone_id: ru-central1-d
          subnet_id: fl8bpb6lnu80********
    security_group_ids:
      - enp9dpfa774h********
    created_at: "2026-02-05T13:30:25.695763710Z"
    

    For more information about the yc alb load-balancer create command, see the CLI reference.

  2. Add a listener to the load balancer:

    yc alb load-balancer add-listener \
      --name example-balancer \
      --listener-name example-listener \
      --external-ipv4-endpoint port=80 \
      --http-router-name example-router
    

    Result:

    done (9m53s)
    id: ds790ardig7r********
    name: example-balancer
    folder_id: b1gt6g8ht345********
    status: ACTIVE
    region_id: ru-central1
    network_id: enpqm699f18v********
    listeners:
      - name: example-listener
        endpoints:
          - addresses:
              - external_ipv4_address:
                  address: 158.160.***.***
            ports:
              - "80"
        http:
          handler:
            http_router_id: ds78i77j8lg0********
    allocation_policy:
      locations:
        - zone_id: ru-central1-a
          subnet_id: e9b0fo0hvhpd********
        - zone_id: ru-central1-b
          subnet_id: e2lo05oe9slo********
        - zone_id: ru-central1-d
          subnet_id: fl8bpb6lnu80********
    security_group_ids:
      - enp9dpfa774h********
    

    Save the listener IP address (the address field value), as you will need it later to create a CDN resource.

    For more information about the yc alb load-balancer add-listener command, see the CLI reference.

To create an L7 load balancer, use the create REST API method for the LoadBalancer resource or the LoadBalancerService/Create gRPC API call.

Create a CDN resource

Management console, Yandex Cloud CLI, and API instructions follow, in that order:
  1. In the management console, select example-folder.

  2. Go to Cloud CDN.

  3. Click Create resource.

  4. Configure the basic CDN resource settings:

    • Under Content:

      • Turn on Enable access to content.

      • In the Content query field, select From one origin.

      • In the Origin type field, select L7 load balancer and then, in the field that appears, example-balancer.

      • In the IP address field, select the IP address assigned to the load balancer (the only one in the list).

      • In the Origin request protocol field, select HTTP.

      • In the Domain name field, specify your domain name, e.g., example.com.

        Alert

        The specified domain name will become the primary one, and you will not be able to edit it after you create a CDN resource.

    • Under Additional settings:

      • In the Redirect clients field, select HTTP to HTTPS.
      • In the Certificate type field, specify Use from Certificate Manager and select the mymanagedcert certificate you previously created for your domain name.
      • In the Host header field, select Match client.
  5. Click Continue.

  6. Keep the default settings for Caching, HTTP headers and methods, and Additional and click Continue.

  1. Create an origin group named example-origin-group, specifying the load balancer IP address you saved earlier:

    yc cdn origin-group create --name "example-origin-group" \
      --origin source=<load_balancer_IP_address>:80,enabled=true
    

    Result:

    id: "12756795849********"
    folder_id: b1gt6g8ht345********
    name: example-origin-group
    use_next: true
    origins:
      - id: "68784"
        origin_group_id: "12756795849********"
        source: 158.160.***.***:80
        enabled: true
        provider_type: ourcdn
    provider_type: ourcdn
    

    Save the origin group ID (the origin_group_id field value), as you will need it later to create a CDN resource.

    For more information about the yc cdn origin-group create command, see the CLI reference.

  2. Create a CDN resource:

    yc cdn resource create \
      --cname <domain_name> \
      --origin-group-id <origin_group_ID> \
      --origin-protocol http \
      --cert-manager-ssl-cert-id <certificate_ID> \
      --forward-host-header
    

    Where:

    • --cname: Your domain's name, e.g., example.com.
    • --origin-group-id: Origin group ID you got in the previous step.
    • --cert-manager-ssl-cert-id: ID of the mymanagedcert certificate you created earlier.

    Result:

    id: bc8rpt67l6dl********
    folder_id: b1gt6g8ht345********
    cname: example.com
    created_at: "2026-02-05T14:05:24.913996Z"
    updated_at: "2026-02-05T14:05:24.913996Z"
    active: true
    options:
      edge_cache_settings:
        enabled: true
        default_value: "86400"
      browser_cache_settings: {}
      query_params_options:
        ignore_query_string:
          enabled: true
          value: true
      slice: {}
      host_options:
        forward_host_header:
          enabled: true
          value: true
      static_headers:
        enabled: true
      stale: {}
      allowed_http_methods:
        enabled: true
        value:
          - GET
          - HEAD
          - OPTIONS
      static_request_headers:
        enabled: true
      custom_server_name: {}
      ignore_cookie:
        enabled: true
        value: true
      secure_key:
        type: DISABLE_IP_SIGNING
    origin_group_id: "12756795849********"
    origin_group_name: example-origin-group
    origin_protocol: HTTP
    ssl_certificate:
      type: CM
      status: READY
      data:
        cm:
          id: fpq7t9dpi4o0********
    provider_type: ourcdn
    provider_cname: d88c6ee6********.topology.gslb.yccdn.ru
    

    Save the new resource id and provider_cname as you will need them later.

    For more information about the yc cdn resource create command, see the CLI reference.

  3. Enable client redirects for the CDN resource, specifying the ID you saved in the previous step:

    yc cdn resource update <CDN_resource_ID> \
      --redirect-http-to-https
    

    For more information about the yc cdn resource update command, see the CLI reference.

To create a CDN resource, use the create REST API method for the Resource resource or the ResourceService/Create gRPC API call.

Create a CNAME resource record for the CDN resource

Management console
Yandex Cloud CLI
API
  1. Get the CDN provider domain name value.

  2. In the management console, select example-folder.

  3. Go to Cloud DNS and select the DNS zone you created earlier.

  4. Click Create record.

  5. Specify the record settings:

    • In the Name field, select Matches zone name (@).
    • In the Type field, select the CNAME record type.
    • In the Data field, specify the domain name value of the CDN provider.
  6. Click Create.

  1. Create a CNAME resource record in Cloud DNS:

    yc dns zone add-records \
      --name my-domain-zone \
      --record "@ 600 CNAME <cname_value>"
    

    Where <cname_value> is the CDN provider CNAME value you got earlier.

    Result:

    +--------+--------------+-------+-----------------------------------------+-----+
    | ACTION |     NAME     | TYPE  |                  DATA                   | TTL |
    +--------+--------------+-------+-----------------------------------------+-----+
    | +      | example.com. | CNAME | d88c6ee6********.topology.gslb.yccdn.ru | 600 |
    +--------+--------------+-------+-----------------------------------------+-----+
    

    For more information about the yc dns zone add-records command, see the CLI reference.
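The result of `yc cdn resource create` contains several `id` fields, so copying values by hand or with a plain `grep` is error-prone. The script below is an added example, not part of the original tutorial: it reads fields by their full path and builds the `--record` argument only when the resource is active and its certificate is `READY`. The helper names `yaml_get` and `cdn_dns_record` are hypothetical, the readiness gate is an added precaution, and the sample input is a trimmed copy of the masked result shown earlier.

```shell
#!/bin/sh
# yaml_get <dotted.path>: print one scalar from the YAML on stdin.
# Tracks nesting by 2-space indentation, so `id` and
# `ssl_certificate.data.cm.id` are different keys; list items are skipped.
yaml_get() {
  awk -v want="$1" '
    /^ *-/ || !/:/ { next }
    {
      depth = (match($0, /[^ ]/) - 1) / 2
      key = $0; sub(/^ */, "", key); sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*: */, "", val); gsub(/^"|"$/, "", val)
      path[depth] = key
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      if (full == want) { print val; found = 1; exit }
    }
    END { exit !found }'
}

# cdn_dns_record <yaml>: print the --record argument for `yc dns zone add-records`,
# or fail if the resource is inactive or its certificate is not READY.
cdn_dns_record() {
  active=$(printf '%s\n' "$1" | yaml_get active)
  cert=$(printf '%s\n' "$1" | yaml_get ssl_certificate.status)
  target=$(printf '%s\n' "$1" | yaml_get provider_cname)
  [ "$active" = true ] || { echo "CDN resource is not active" >&2; return 1; }
  [ "$cert" = READY ] || { echo "certificate status: ${cert:-missing}" >&2; return 1; }
  [ -n "$target" ] || { echo "provider_cname missing" >&2; return 1; }
  printf '@ 600 CNAME %s\n' "$target"
}

# Sample input: trimmed copy of the masked result shown in this tutorial.
SAMPLE_RESULT=$(cat <<'EOF'
id: bc8rpt67l6dl********
folder_id: b1gt6g8ht345********
cname: example.com
active: true
ssl_certificate:
  type: CM
  status: READY
  data:
    cm:
      id: fpq7t9dpi4o0********
provider_cname: d88c6ee6********.topology.gslb.yccdn.ru
EOF
)
cdn_dns_record "$SAMPLE_RESULT"
```
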

To get the CNAME record value for a CDN resource, use the getProviderCName REST API method for the Resource resource or the ResourceService/GetProviderCName gRPC API call.

To create a CNAME resource record in a DNS zone, use the updateRecordSets REST API method for the DnsZone resource or the DnsZoneService/UpdateRecordSets gRPC API call.

It may take a few hours to update DNS records on the DNS servers. After that, you can check the health of the service.

If your domain is managed from outside Yandex Cloud, to create the resource record for the CDN resource, use tools provided by your domain administrator. For more information, see Domain rights check.

Test the service

To test the service, open https://example.com/index.html in your browser (with your domain name in place of example.com). If everything is configured correctly, you should see a page with the following content:

<!DOCTYPE html>
<html>
  <head>
    <title>My service</title>
  </head>
  <body>
    <p>The service is working</p>
  </body>
</html>
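The same test can be run from the command line, together with checks for two settings made earlier: the CNAME record pointing at the CDN and the HTTP to HTTPS redirect. This script is an added example, not part of the original tutorial; the function names are hypothetical and it assumes `dig` and `curl` are installed.

```shell
#!/bin/sh
# cname_ok <dig answer> <provider_cname>: the record points at the CDN
# (dig prints the target with a trailing dot, so both sides are normalised).
cname_ok() {
  [ -n "$1" ] && [ "${1%.}" = "${2%.}" ]
}

# redirects_to_https <status> <redirect URL> <domain>: plain HTTP is answered
# with a redirect to HTTPS on the same host, not served directly.
redirects_to_https() {
  case $1 in 301|302|303|307|308) ;; *) return 1 ;; esac
  case $2 in "https://$3"|"https://$3/"*) return 0 ;; esac
  return 1
}

# page_ok <body>: the origin's test page came back through the CDN.
page_ok() {
  printf '%s\n' "$1" | grep -q '<p>The service is working</p>'
}

# verify_service <domain> <provider_cname>: live checks, need dig and curl.
verify_service() {
  domain=$1
  cname_ok "$(dig +short "$domain" CNAME)" "$2" ||
    { echo "FAIL: CNAME of $domain is not $2" >&2; return 1; }
  plain=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
    "http://$domain/index.html")
  redirects_to_https "${plain%% *}" "${plain#* }" "$domain" ||
    { echo "FAIL: no HTTP to HTTPS redirect ($plain)" >&2; return 1; }
  # No -k: curl must validate the Certificate Manager certificate itself.
  body=$(curl -sS --fail "https://$domain/index.html") ||
    { echo "FAIL: HTTPS request failed" >&2; return 1; }
  page_ok "$body" || { echo "FAIL: unexpected page content" >&2; return 1; }
  echo "OK: $domain is served over HTTPS through the CDN"
}

# Live run only when both arguments are given:
#   sh verify.sh example.com <provider_cname>
[ "$#" -lt 2 ] || verify_service "$1" "$2"
```
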

How to delete the resources you created

To shut down the infrastructure and stop paying for the resources you created:

  1. If you set up CNAME records in Cloud DNS, delete example-dns-zone.
  2. Delete the CDN resource with example.com as its primary domain name.
  3. Delete the example-balancer L7 load balancer.
  4. Delete all objects from the bucket.
  5. Delete the bucket.
  6. Delete the example-subnet-ru-central1-a, example-subnet-ru-central1-b, and example-subnet-ru-central1-d subnets.
  7. Delete the example-sg security group.
  8. Delete example-network.
  9. Delete the mymanagedcert certificate if you no longer need it.

See also

  • Integrating an L7 load balancer with Cloud CDN and Object Storage using Terraform
