Terminating TLS connections using the management console
- Prepare your cloud
- Required paid resources
- Create a cloud network
- Reserve a static public IP address
- Create security groups
- Import the site's TLS certificate into Certificate Manager
- Create an instance group for the site
- Create a backend group
- Create and configure an HTTP router
- Create an L7 load Balancer
- Configure the site's DNS
- Test the hosting
- How to delete the resources you created
- See also
To create an infrastructure for terminating TLS connections using the management console:
- Prepare your cloud.
- Create a cloud network.
- Reserve a static public IP address.
- Create security groups.
- Import the site's TLS certificate into Certificate Manager.
- Create an instance group for the site.
- Create a backend group.
- Create and configure an HTTP router.
- Create an L7 load balancer.
- Configure the site's DNS.
- Test the hosting.
We will use the my-site.com
domain name as an example.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of supporting the infrastructure for terminating TLS connections includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
- Fee for using computing resources of the L7 load balancer (see Application Load Balancer pricing).
- Fee for public DNS queries and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).
Create a cloud network
All the resources created in the use case will belong to the same cloud network.
To create a network:
- In the management console
, select Virtual Private Cloud. - Click Create network.
- Enter a Name for the network:
mysite-network
. - In the Advanced field, select Create subnets.
- Click Create network.
Reserve a static public IP address
For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.
To reserve an IP address:
- In the management console
, select Virtual Private Cloud. - Open the IP addresses tab. Click Reserve address.
- In the window that opens, select the
ru-central1-a
availability zone. Click ** Reserve**.
Create security groups
Security groups include rules that allow the load balancer to receive incoming traffic and redirect it to the VMs so they can receive the traffic. In this use case, we will create two security groups: one for the load balancer and another one for all VMs.
To create security groups:
-
In the management console
, select Virtual Private Cloud. -
Open the Security groups tab.
-
Create a security group for the load balancer:
- Click Create security group.
- Enter a Name for the security group:
mysite-sg-balancer
. - Select the Network:
mysite-network
. - Under Rules, create the following rules using the instructions below the table:
Traffic
directionDescription Port range Protocol Source /
destinationCIDR blocks Outgoing
any
All
Any
CIDR
0.0.0.0/0
Incoming
ext-http
80
TCP
CIDR
0.0.0.0/0
Incoming
ext-https
443
TCP
CIDR
0.0.0.0/0
Incoming
healthchecks
30080
TCP
Load balancer healthchecks
— - Select the Egress or Ingress tab.
- Click Add rule.
- In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
- In the Protocol field, specify the appropriate protocol or leave
Any
to allow traffic transmission over any protocol. - In the Destination name or Source field, select the purpose of the rule:
CIDR
: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.Security group
: Rule will apply to the VMs from the current group or the selected security group.Load balancer healthchecks
: Rule allowing a load balancer to health check VMs.
- Click Save. Repeat the steps to create all the rules from the table.
- Click Save.
-
In the same way, create a security group named
mysite-sg-vms
for the VM and a network namedmysite-network
with the following rules:Traffic
directionDescription Port range Protocol Source /
destinationCIDR blocks Incoming
balancer
80
TCP
Security group
mysite-sg-balancer
Incoming
ssh
22
TCP
CIDR
0.0.0.0/0
Import the site's TLS certificate into Certificate Manager
For users to access the site using the secure HTTPS protocol (HTTP over TLS), the site must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.
If your website does not have a certificate, you can use Certificate Manager to get one from Let's Encrypt®. This does not require additional steps after creating a certificate. It is imported automatically.
To import an existing certificate for my-site.com
:
- In the management console
, select Certificate Manager. - Click Add certificate and select the User certificate option.
- Enter a Name for the certificate:
mysite-cert
. - In the Certificate field, click Add certificate. Upload the File with your certificate or enter its Content and click Add.
- If your certificate is issued by a third-party certificate authority, click Add chain in the Intermediate certificate chain field. Upload the File with the certificate chain or enter its Content and click Add.
- In the Private key field, click Add private key. Upload the File with the key or enter its Content and click Add.
- Click Create.
Create an instance group for the site
To create an instance group for my-site.com
:
-
In the management console
, select Compute Cloud. -
Open the Instance groups tab. Click Create group of virtual machines.
-
Specify a VM group name:
mysite-ig
. -
Under Allocation, select multiple availability zones to ensure fault tolerance of your hosting.
-
Under Instance template, click Define.
-
Under Boot disk image, open the Marketplace tab and click Show all Marketplace products. Select LEMP and click Use.
-
Under Computing resources:
- Choose a VM platform.
- Specify the required number of vCPUs and the amount of RAM.
This minimum configuration is enough for functional website testing:
- Platform:
Intel Cascade Lake
- Guaranteed vCPU performance:
5%
- vCPU:
2
- RAM:
1 GB
-
Under Network settings, select the Network named
mysite-network
that you created earlier and its subnets. -
Select the previously created
mysite-sg-vms
security group. -
Specify the VM access data:
-
Enter the username in the Login field.
-
In the SSH key field, paste the contents of the public key file.
You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.
Alert
Once created, the VM gets an IP address and a host name (FQDN) for connections. If you selected No address in the Public address field, you will not be able to access the VM from the internet.
-
-
Click Save.
-
Under Scaling, enter the Size of the instance group: 2.
-
Under Integration with Application Load Balancer, select Create target group and specify
mysite-tg
as the instance group name. You can read more about target groups here. -
Click Create.
Create a backend group
You must link the target group created with the VM group to the backend group that defines traffic allocation settings.
For the backends, groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response after a certain delay.
To create a backend group for my-site.com
:
- In the management console
, select Application Load Balancer. - Open the Backend groups tab. Click Create backend group.
- Enter a Name for the backend group:
my-site-bg
. - Under Backends, click Add.
- Enter a Name for the backend:
mysite-backend
. - In the Target groups field, select the
mysite-tg
group. - Specify the Port that the backend VMs will use to receive incoming traffic from the load balancer:
80
. - Click Add health check.
- Specify the Port that the backend VMs will use to accept health check connections:
80
. - Enter the Path to be accessed by the load balancer for health checks:
/
. - Click Create.
Create and configure an HTTP router
The backend group should be linked to an HTTP router that defines routing rules.
To create an HTTP router:
- In the management console
, select Application Load Balancer. - Open the HTTP routers tab. Click Create HTTP router.
- Enter a Name for the HTTP router:
mysite-router
. - Click Add virtual host.
- Enter a Name for the virtual host:
mysite-host
. - In the Authority field, specify the site domain name:
my-site.com
. - Click Add route.
- Enter a Name for the route:
mysite-route
. - In the Backend group field, select the
my-site-bg
group. - Click Create.
Create an L7 load Balancer
- In the management console
, select Application Load Balancer. - Click Create L7 load balancer.
- Enter a Name for the load balancer:
mysite-alb
. - Under Network settings, select the
mysite-sg-balancer
security group that you previously created. - Create a listener to redirect HTTP requests to HTTPS:
- Under Listeners, click Add listener.
- Enter a Name for the listener:
listener-http
. - Under Public IP address, select the
List
type and the IP address you reserved earlier. - In the Protocol field, select
Redirect to HTTPS
.
- Create an HTTPS request listener:
- Click Add listener again.
- Enter a Name for the listener:
listener-https
. - Under Public IP address, select the
List
type and the IP address you reserved earlier. - In the Protocol field, select
HTTPS
. - Under Main listener, select the
mysite-cert
certificate and themysite-router
HTTP router. - Add an SNI match for
my-site.com
: - Click Add SNI match.
- Specify the Name for the SNI match:
mysite-sni
. - In the Server names field, enter
my-site.com
. - Select the
mysite-cert
certificate and themysite-router
HTTP router.
- Click Create.
Configure the site's DNS
The my-site.com
domain name must be mapped to the L7 load balancer IP address using DNS records. To do this:
-
In the management console
, select Application Load Balancer. -
Copy the IP address of the load balancer that you created.
-
On the site of your DNS hosting provider, go to the DNS settings.
-
Create or edit the A record for
my-site.com
so that it points to the copied IP address:my-site.com. A <L7_load_balancer_IP_address>
If you use Yandex Cloud DNS, follow this guide to configure the record:
Configuring DNS records for Cloud DNS
To get access to public zone domain names, you need to delegate the domain. Specify the addresses of the
ns1.yandexcloud.net
andns2.yandexcloud.net
servers in your personal dashboard at your registrar.- In the management console
, select Cloud DNS. - If you do not have a public DNS zone, create one:
- Click Create zone.
- Enter a Name for the zone:
tls-termination-dns
. - In the Zone field, enter the site's domain name with a trailing dot:
my-site.com.
. - Select a Type of the zone:
Public
. - Click Create.
- Create a record in the zone:
- In the list of zones, click
tls-termination-dns
. - Click Create record.
- Leave the Name field empty so that the record matches the
my-site.com
domain name (rather than a name with a subdomain, such aswww.my-site.com
). - Select the record Type: A.
- In the Data field, paste the copied IP address of the load balancer.
- Click Create.
- In the list of zones, click
- In the management console
After configuring DNS, test the hosting.
Test the hosting
To test the hosting:
-
Create the website home page, i.e., the
index.html
file.Example of the index.html file
<!DOCTYPE html> <html> <head> <title>My site</title> </head> <body> <h1>This is my site</h1> </body> </html>
-
Upload the
index.html
file to each VM:-
Go to the VM page of the management console
. In the Network section, find the VM's public IP address. -
Connect to the VM over SSH.
-
Grant your user write access to the
/var/www/html
directory:UbuntuCentOSsudo chown -R "$USER":www-data /var/www/html
sudo chown -R "$USER":apache /var/www/html
-
Upload the website files to the VM via SCP
.Linux/macOSWindowsUse the
scp
command-line utility:scp -r <path_to_file_directory> <VM_username>@<VM_IP_address>:/var/www/html
Use WinSCP
to copy the local file directory to/var/www/html
on the VM.
-
-
Open the website at
http://my-site.com
in your browser. A redirect tohttps://my-site.com
should occur with the TLS certificate from Certificate Manager already enabled.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the
mysite-alb
L7 load balancer. - Delete the
mysite-router
HTTP router. - Delete the
my-site-bg
backend group. - Delete the
mysite-ig
instance group. - Delete the static public IP address you reserved.
- If you used Cloud DNS, delete the DNS records and delete the DNS zone.