Creating an L7 load balancer with DDoS protection using Terraform
To create an L7 load balancer with DDoS protection using Terraform:
- Prepare your cloud.
- Create an infrastructure.
- Test the load balancer.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost for a DDoS-protected load balancer includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
- Fee for filtering incoming traffic to a public IP address with DDoS protection (see Yandex Virtual Private Cloud pricing).
- Fee for using computing resources of the L7 load balancer (see Application Load Balancer pricing).
Create an infrastructure
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
To create an infrastructure using Terraform:
- Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).
- Prepare a file with the infrastructure description:
  Ready-made configuration
  - Clone the repository with configuration files:
    git clone https://github.com/yandex-cloud-examples/yc-alb-ddos-protection.git
  - Go to the directory with the repository. Make sure it contains the following files:
    alb-with-ddos-protection.tf: New infrastructure configuration.
    alb-with-ddos-protection.auto.tfvars: User data.
  Manually
  - Create a folder for the file with the infrastructure description.
  - In the folder, create a configuration file named alb-with-ddos-protection.tf:
    alb-with-ddos-protection.tf

variable "folder_id" {
  type = string
}

variable "vm_user" {
  type = string
}

variable "ssh_key_path" {
  type = string
}

locals {
  network_name     = "ddos-network"
  subnet_name1     = "subnet-1"
  subnet_name2     = "subnet-2"
  sa_name          = "ig-sa"
  sg_balancer_name = "ddos-sg-balancer"
  sg_vm_name       = "ddos-sg-vms"
  vm_name          = "ddos-group"
  tg_name          = "tg-ddos"
  address_name     = "ddos-addr"
  abg_name         = "ddos-backend-group"
  backend_name     = "backend-1"
  router_name      = "ddos-router"
  vh_name          = "ddos-host"
  authority_domain = ["alb-with-ddos.com"]
  route_name       = "route-1"
  alb_name         = "ddos-protect-alb"
  listener_name    = "ddos-listener"
}

terraform {
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = ">= 0.47.0"
    }
  }
}

provider "yandex" {
  folder_id = var.folder_id
}

# Service account used by the instance group
resource "yandex_iam_service_account" "ig-sa" {
  name = local.sa_name
}

resource "yandex_resourcemanager_folder_iam_member" "editor" {
  folder_id = var.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.ig-sa.id}"
}

# Network with one subnet per availability zone
resource "yandex_vpc_network" "ddos-network" {
  name = local.network_name
}

resource "yandex_vpc_subnet" "subnet-1" {
  name           = local.subnet_name1
  zone           = "ru-central1-a"
  network_id     = yandex_vpc_network.ddos-network.id
  v4_cidr_blocks = ["192.168.1.0/24"]
}

resource "yandex_vpc_subnet" "subnet-2" {
  name           = local.subnet_name2
  zone           = "ru-central1-b"
  network_id     = yandex_vpc_network.ddos-network.id
  v4_cidr_blocks = ["192.168.2.0/24"]
}

# Security group for the load balancer: HTTP/HTTPS from the internet, health checks from the platform
resource "yandex_vpc_security_group" "ddos-sg-balancer" {
  name       = local.sg_balancer_name
  network_id = yandex_vpc_network.ddos-network.id

  egress {
    protocol       = "ANY"
    description    = "any"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-http"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 80
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-https"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 443
  }

  ingress {
    protocol          = "TCP"
    description       = "healthchecks"
    predefined_target = "loadbalancer_healthchecks"
    port              = 30080
  }
}

# Security group for the VMs: port 80 only from the balancer's group, SSH from anywhere
resource "yandex_vpc_security_group" "ddos-sg-vms" {
  name       = local.sg_vm_name
  network_id = yandex_vpc_network.ddos-network.id

  ingress {
    protocol          = "TCP"
    description       = "balancer"
    security_group_id = yandex_vpc_security_group.ddos-sg-balancer.id
    port              = 80
  }

  ingress {
    protocol       = "TCP"
    description    = "ssh"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 22
  }
}

resource "yandex_compute_image" "lemp" {
  source_family = "lemp"
}

resource "yandex_compute_instance_group" "ddos-group" {
  name               = local.vm_name
  folder_id          = var.folder_id
  service_account_id = yandex_iam_service_account.ig-sa.id

  instance_template {
    platform_id        = "standard-v2"
    service_account_id = yandex_iam_service_account.ig-sa.id

    resources {
      core_fraction = 5
      memory        = 1
      cores         = 2
    }

    boot_disk {
      mode = "READ_WRITE"
      initialize_params {
        image_id = yandex_compute_image.lemp.id
        type     = "network-hdd"
        size     = 3
      }
    }

    network_interface {
      network_id         = yandex_vpc_network.ddos-network.id
      subnet_ids         = [yandex_vpc_subnet.subnet-1.id, yandex_vpc_subnet.subnet-2.id]
      nat                = true
      security_group_ids = [yandex_vpc_security_group.ddos-sg-vms.id]
    }

    # cloud-config is YAML: the nested keys must be indented under the list item
    metadata = {
      user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - ${file("${var.ssh_key_path}")}"
    }
  }

  scale_policy {
    fixed_scale {
      size = 2
    }
  }

  allocation_policy {
    zones = ["ru-central1-a", "ru-central1-b"]
  }

  deploy_policy {
    max_unavailable = 1
    max_expansion   = 0
  }

  application_load_balancer {
    target_group_name = local.tg_name
  }
}

# Static public IP address with DDoS protection enabled
resource "yandex_vpc_address" "ddos-addr" {
  name = local.address_name
  external_ipv4_address {
    zone_id                  = "ru-central1-a"
    ddos_protection_provider = "qrator"
  }
}

resource "yandex_alb_backend_group" "ddos-backend-group" {
  name = local.abg_name

  http_backend {
    name             = local.backend_name
    port             = 80
    target_group_ids = [yandex_compute_instance_group.ddos-group.application_load_balancer.0.target_group_id]

    healthcheck {
      timeout          = "10s"
      interval         = "2s"
      healthcheck_port = 80
      http_healthcheck {
        path = "/"
      }
    }
  }
}

resource "yandex_alb_http_router" "ddos-router" {
  name = local.router_name
}

resource "yandex_alb_virtual_host" "ddos-host" {
  name           = local.vh_name
  http_router_id = yandex_alb_http_router.ddos-router.id
  authority      = local.authority_domain

  route {
    name = local.route_name
    http_route {
      http_route_action {
        backend_group_id = yandex_alb_backend_group.ddos-backend-group.id
      }
    }
  }
}

resource "yandex_alb_load_balancer" "ddos-protect-alb" {
  name               = local.alb_name
  network_id         = yandex_vpc_network.ddos-network.id
  security_group_ids = [yandex_vpc_security_group.ddos-sg-balancer.id]

  allocation_policy {
    location {
      zone_id   = "ru-central1-a"
      subnet_id = yandex_vpc_subnet.subnet-1.id
    }
    location {
      zone_id   = "ru-central1-b"
      subnet_id = yandex_vpc_subnet.subnet-2.id
    }
  }

  listener {
    name = local.listener_name
    endpoint {
      address {
        external_ipv4_address {
          address = yandex_vpc_address.ddos-addr.external_ipv4_address[0].address
        }
      }
      ports = [80]
    }
    http {
      handler {
        http_router_id = yandex_alb_http_router.ddos-router.id
      }
    }
  }
}
  - In the folder, create a user data file named alb-with-ddos-protection.auto.tfvars:
    alb-with-ddos-protection.auto.tfvars

folder_id    = "<folder_ID>"
vm_user      = "<VM_username>"
ssh_key_path = "<path_to_public_SSH_key>"
  For more information about the parameters of resources used in Terraform, see the provider documentation:
  - Service account: yandex_iam_service_account.
  - Role: yandex_resourcemanager_folder_iam_member.
  - Network: yandex_vpc_network.
  - Subnets: yandex_vpc_subnet.
  - Security groups: yandex_vpc_security_group.
  - Image: yandex_compute_image.
  - Instance group: yandex_compute_instance_group.
  - Static public IP address: yandex_vpc_address.
  - Backend group: yandex_alb_backend_group.
  - HTTP router: yandex_alb_http_router.
  - Virtual host: yandex_alb_virtual_host.
  - L7 load balancer: yandex_alb_load_balancer.
- In the alb-with-ddos-protection.auto.tfvars file, set the following user-defined parameters:
  - folder_id: Folder ID.
  - vm_user: VM username.
  - ssh_key_path: Path to the file with a public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- After creating the infrastructure, test it.
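The terraform plan step reports what will be created, but it does not judge what the configuration permits; that is a review step. The Python script below is an added example, not part of the original tutorial or of the yandex-cloud-examples repository. It reads the JSON form of a plan (terraform plan -out tfplan, then terraform show -json tfplan > plan.json) and flags security-group ingress rules that open an administrative port to 0.0.0.0/0 or ::/0. The embedded SAMPLE_PLAN is a constructed document modeled on this tutorial's two groups, not real plan output; on it the ssh rule of ddos-sg-vms is reported, because the configuration above opens port 22 to the whole internet. The plan-JSON field names it relies on (planned_values.root_module.resources[].values.ingress[] with port, from_port, to_port, v4_cidr_blocks, v6_cidr_blocks, and -1 for an unset port) are an assumption about the terraform show -json format and the provider's attribute names; confirm them against your provider version before relying on the check.

```python
import json
import sys

# Ports whose world-open ingress is reported. Ports 80/443 on the balancer
# group are the intended public exposure of a web front end and are not listed.
ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def security_groups(plan):
    """Yield (address, values) for each yandex_vpc_security_group in a
    `terraform show -json` plan document. The field names are an assumption
    about the plan JSON format; check them against your provider version."""
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") == "yandex_vpc_security_group":
            yield res.get("address", res.get("name", "?")), res.get("values", {})


def rule_ports(rule):
    """Return the set of ports a rule covers, or None when it covers any port.
    Assumption: the provider writes -1 for an unset port or range bound."""
    port = rule.get("port")
    if port is not None and port >= 0:
        return {port}
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if lo is not None and hi is not None and 0 <= lo <= hi:
        return set(range(lo, hi + 1))
    return None


def find_world_open_admin(plan):
    """Return [(group_address, rule_description, [ports])] for ingress rules
    reachable from the whole internet on an administrative port."""
    findings = []
    for address, values in security_groups(plan):
        for rule in values.get("ingress") or []:
            cidrs = set(rule.get("v4_cidr_blocks") or []) | set(rule.get("v6_cidr_blocks") or [])
            if not cidrs & WORLD_CIDRS:
                continue  # scoped to a CIDR, a security group or a predefined target
            ports = rule_ports(rule)
            exposed = ADMIN_PORTS if ports is None else ADMIN_PORTS & ports
            if exposed:
                findings.append((address, rule.get("description", ""), sorted(exposed)))
    return findings


# Constructed sample modeled on this tutorial's two groups (not real plan output).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "yandex_vpc_security_group.ddos-sg-balancer",
         "type": "yandex_vpc_security_group", "name": "ddos-sg-balancer",
         "values": {"name": "ddos-sg-balancer", "ingress": [
             {"description": "ext-http", "protocol": "TCP", "port": 80,
              "from_port": -1, "to_port": -1, "v4_cidr_blocks": ["0.0.0.0/0"]},
             {"description": "ext-https", "protocol": "TCP", "port": 443,
              "from_port": -1, "to_port": -1, "v4_cidr_blocks": ["0.0.0.0/0"]},
             {"description": "healthchecks", "protocol": "TCP", "port": 30080,
              "from_port": -1, "to_port": -1, "v4_cidr_blocks": [],
              "predefined_target": "loadbalancer_healthchecks"}]}},
        {"address": "yandex_vpc_security_group.ddos-sg-vms",
         "type": "yandex_vpc_security_group", "name": "ddos-sg-vms",
         "values": {"name": "ddos-sg-vms", "ingress": [
             {"description": "balancer", "protocol": "TCP", "port": 80,
              "from_port": -1, "to_port": -1, "v4_cidr_blocks": [],
              "security_group_id": "<balancer_group_id>"},
             {"description": "ssh", "protocol": "TCP", "port": 22,
              "from_port": -1, "to_port": -1, "v4_cidr_blocks": ["0.0.0.0/0"]}]}},
    ]}},
}


def main(argv):
    """Usage: python check_plan.py plan.json (no argument runs on SAMPLE_PLAN).
    Exit status 1 when there is at least one finding, so it can gate a pipeline."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_world_open_admin(plan)
    for address, description, ports in findings:
        print(f"{address}: rule '{description}' opens port(s) {ports} to the whole internet")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A finding is a prompt to narrow v4_cidr_blocks of the ssh rule to the administrators' address range (for example through a variable) before terraform apply. Port 80 from the balancer's security group on the VMs, and 80/443 on the balancer group, are the exposure this tutorial intends and are not reported.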
Test the load balancer
Check that the service is available on the alb-with-ddos.com host. To do this, run the following command:
curl \
--header "Host: alb-with-ddos.com" \
http://<L7_load_balancer_IP_address>
Result:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
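The curl command above works only because of the Host header: the ddos-host virtual host routes on the authority alb-with-ddos.com, so a request for the bare IP address does not select the backend group. The Python check below is an added example, not part of the original tutorial: probe() sends the same request as the curl command and reports the status code and whether the nginx welcome title from the expected output is present, so the test can be repeated after every apply. Because the balancer is not reachable offline, the block also contains a constructed mock (start_mock_balancer) that answers with the welcome page for the expected Host and with 404 for any other; that 404 is the mock's own assumption, the tutorial does not state what the real balancer returns for an unknown authority. The base_url argument is a placeholder for http://<L7_load_balancer_IP_address>.

```python
import http.server
import threading
import urllib.error
import urllib.request

VIRTUAL_HOST = "alb-with-ddos.com"          # authority of the ddos-host virtual host
EXPECTED_TITLE = "<title>Welcome to nginx!</title>"


def probe(base_url, host=VIRTUAL_HOST, timeout=5):
    """GET base_url with an explicit Host header, as the curl command does.
    Connects directly (no proxy) so the header reaches the balancer itself.
    Returns the status code and whether the body carries the nginx welcome title."""
    req = urllib.request.Request(base_url, headers={"Host": host})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return {"status": resp.status, "welcome": EXPECTED_TITLE in body}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "welcome": False}


def is_healthy(base_url, host=VIRTUAL_HOST):
    """True only when the virtual host answers 200 with the expected page."""
    result = probe(base_url, host)
    return result["status"] == 200 and result["welcome"]


# --- constructed stand-in for the balancer so the check can run offline ---
# Assumption: the mock answers 404 for any other authority; what the real
# balancer returns for an unknown Host is not stated in the tutorial.
_WELCOME_PAGE = (
    "<!DOCTYPE html><html><head><title>Welcome to nginx!</title></head>"
    "<body><h1>Welcome to nginx!</h1></body></html>"
)


class _MockBalancer(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Host") != VIRTUAL_HOST:
            self.send_error(404, "unknown virtual host")
            return
        body = _WELCOME_PAGE.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the check's output clean
        pass


def start_mock_balancer():
    """Start the mock on a free loopback port; returns (base_url, server)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _MockBalancer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


if __name__ == "__main__":
    # Against the real balancer: probe("http://<L7_load_balancer_IP_address>/")
    url, srv = start_mock_balancer()
    try:
        print("expected host:", probe(url))
        print("wrong host:   ", probe(url, "other.example"))
    finally:
        srv.shutdown()
```

Run it without arguments to see the two outcomes against the mock; against the deployed balancer, call probe() or is_healthy() with the balancer's address and treat anything other than a 200 with the welcome title as a failed deployment rather than a routing detail to work around.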
How to delete the resources you created
To stop paying for the resources you created:
- Open the alb-with-ddos-protection.tf configuration file and delete the description of the new infrastructure from it.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.