Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Terminating TLS connections using the management console

Written by
Updated at August 14, 2025

To create an infrastructure for terminating TLS connections using the management console:

  1. Get your cloud ready.
  2. Create a cloud network.
  3. Reserve a static public IP address.
  4. Create security groups.
  5. Import the website's TLS certificate into Certificate Manager.
  6. Create an instance group for the website.
  7. Create a backend group.
  8. Create and configure an HTTP router.
  9. Create an L7 load balancer.
  10. Configure the website DNS.
  11. Test the hosting.

We will use the my-site.com domain name as an example.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The cost of supporting the infrastructure for terminating TLS connections includes:

Create a cloud network

All resources created in this tutorial will belong to the same cloud network.

To create a network:

  1. In the management console, select Virtual Private Cloud.
  2. Click Create network.
  3. Specify the network Name: mysite-network.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.

Reserve a static public IP address

For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.

To reserve an IP address:

  1. In the management console, select Virtual Private Cloud.
  2. Open the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the ru-central1-a availability zone. Click ** Reserve**.

Create security groups

Security groups include rules that allow the load balancer to receive inbound traffic and redirect it to the VMs so they can receive it. In this tutorial, we will create two security groups: one for the load balancer and another one for all VMs.

To create security groups:

  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group for the load balancer:

    1. Click Create security group.
    2. Specify the security group Name: mysite-sg-balancer.
    3. Select Network mysite-network.
    4. Under Rules, create the following rules using the instructions below the table:
    Traffic
    direction    		 Description Port range Protocol Source /
    target    		 CIDR blocks
    Outbound any All Any CIDR 0.0.0.0/0
    Inbound ext-http 80 TCP CIDR 0.0.0.0/0
    Inbound ext-https 443 TCP CIDR 0.0.0.0/0
    Inbound healthchecks 30080 TCP Load balancer healthchecks
    1. Select the Egress or Ingress tab.
    2. Click Add.
    3. In the Port range field of the window that opens, specify a single port or a range of ports open for inbound or outbound traffic.
    4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Destination name or Source field, select the rule purpose:
      • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and subnet masks traffic will come to or from. To add multiple CIDRs, click Add.
      • Security group: Rule will apply to the VMs from the current group or the selected security group.
      • Load balancer healthchecks: Rule allowing a load balancer to health-check VMs.
    6. Click Save. Repeat these steps to create all rules from the table.
    7. Click Save.

  4. In the same way, create a security group named mysite-sg-vms for the VMs. Place it in mysite-network and set the following rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    target    		 CIDR blocks
    Inbound balancer 80 TCP Security group mysite-sg-balancer
    Inbound ssh 22 TCP CIDR 0.0.0.0/0

Import the website's TLS certificate into Certificate Manager

For users to access the website using the secure HTTPS protocol (HTTP over TLS), the website must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.

If your website does not have a certificate, you can use Certificate Manager to get one from Let's Encrypt®. This does not require additional steps after creating a certificate. It is imported automatically.

To import an existing certificate for my-site.com:

  1. In the management console, select Certificate Manager.
  2. Click Add certificate and select the User certificate option.
  3. Specify the certificate Name: mysite-cert.
  4. In the Certificate field, click Add certificate. Upload the File with your certificate or enter its Content and click Add.
  5. If your certificate is issued by a third-party certificate authority, click Add chain in the Intermediate certificate chain field. Upload the File with the certificate chain or enter its Content and click Add.
  6. In the Private key field, click Add private key. Upload the File with the key or enter its Content and click Add.
  7. Click Create.

Create an instance group for the website

To create an instance group for my-site.com:

  1. In the management console, select Compute Cloud.

  2. Open the Instance groups tab. Click Create group of virtual machines.

  3. Enter the instance group name: mysite-ig.

  4. Under Allocation, select multiple availability zones to ensure the fault tolerance of your hosting.

  5. Under Instance template, click Define.

  6. Under Boot disk image, open the Marketplace tab and click Show all Marketplace products. Select LEMP and click Use.

  7. Under Computing resources:

    • Choose a VM platform.
    • Specify the required number of vCPUs and the amount of RAM.

    This minimum configuration will do for functional website testing:

    • Platform: Intel Cascade Lake
    • Guaranteed vCPU performance: 5%
    • vCPU: 2
    • RAM: 1 GB

  8. Under Network settings, select the Network named mysite-network that you created earlier and its subnets.

  9. Select the mysite-sg-vms security group you created earlier.

  10. Specify the VM access credentials:

    • In the Login field, enter the username.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection on your own. To learn how, see Connecting to a VM over SSH.

    Alert

    Once created, the VM will get an IP address and a host name (FQDN) for connections. If you selected No address in the Public address field, you will not be able to access the VM from the internet.

  11. Click Save.

  12. Under Scaling, enter the Size for the instance group: 2.

  13. Under Integration with Application Load Balancer, select Create target group and specify mysite-tg as the instance group name. Read more about target groups.

  14. Click Create.

Create a backend group

You must link the target group created along with the instance group to the backend group that defines traffic allocation settings.

For the backends, groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response after a certain delay.

To create a backend group for my-site.com:

  1. In the management console, select Application Load Balancer.
  2. Open the Backend groups tab. Click Create backend group.
  3. Enter the backend group Name: my-site-bg.
  4. Under Backends, click Add.
  5. Enter the backend Name: mysite-backend.
  6. In the Target groups field, select the mysite-tg group.
  7. Specify the Port the backend VMs will use to receive inbound traffic from the load balancer: 80.
  8. Click Add health check.
  9. Specify the Port the backend VMs will use to accept health check connections: 80.
  10. Specify the Path the load balancer will use for health checks: /.
  11. Click Create.

Create and configure an HTTP router

You need to link the backend group to an HTTP router that defines routing rules.

To create an HTTP router:

  1. In the management console, select Application Load Balancer.
  2. Open the HTTP routers tab. Click Create HTTP router.
  3. Specify the HTTP router Name: mysite-router.
  4. Click Add virtual host.
  5. Specify the virtual host Name: mysite-host.
  6. In the Authority field, specify the website domain name: my-site.com.
  7. Click Add route.
  8. Specify the route Name: mysite-route.
  9. In the Backend group field, select the my-site-bg group.
  10. Click Create.

Create an L7 load balancer

  1. In the management console, select Application Load Balancer.
  2. Click Create L7 load balancer.
  3. Enter the load balancer Name: mysite-alb.
  4. Under Network settings, select the mysite-sg-balancer security group you created earlier.
  5. Create a listener to redirect HTTP requests to HTTPS:
    1. Under Listeners, click Add listener.
    2. Enter the listener Name: listener-http.
    3. Under Public IP address, select the List type and the IP address you reserved earlier.
    4. In the Protocol field, select Redirect to HTTPS.
  6. Create an HTTPS request listener:
    1. Click Add listener again.
    2. Enter the listener Name: listener-https.
    3. Under Public IP address, select the List type and the IP address you reserved earlier.
    4. In the Protocol field, select HTTPS.
    5. Under Main listener, select mysite-cert as the certificate and mysite-router as the HTTP router.
    6. Add an SNI match for my-site.com:
    7. Click Add SNI match.
    8. Specify the Name for the SNI match: mysite-sni.
    9. In the Server names field, specify my-site.com.
    10. Select mysite-cert as the certificate and mysite-router as the HTTP router.
  7. Click Create.

Configure the website DNS

The my-site.com domain name must be mapped to the L7 load balancer’s IP address using DNS records. To do this:

  1. In the management console, select Application Load Balancer.

  2. Copy the IP address of the load balancer that you created.

  3. On the website of your DNS hosting provider, navigate to the DNS settings.

  4. Create or edit the A record for my-site.com so that it points to the IP address you copied:

    my-site.com. A <L7_load_balancer_IP_address>

    If you use Yandex Cloud DNS, follow this tutorial to configure the record:

    Configuring DNS records for Cloud DNS

    To get access to public zone domain names, you need to delegate the domain. Specify the addresses of the ns1.yandexcloud.net and ns2.yandexcloud.net servers in your account on your registrar's website.

    1. In the management console, select Cloud DNS.
    2. If you do not have a public DNS zone, create one:
      1. Click Create zone.
      2. Specify the zone Name: tls-termination-dns.
      3. In the Zone field, enter the website domain name with a trailing dot: my-site.com..
      4. Select the zone Type: Public.
      5. Click Create.
    3. Create a record in the zone:
      1. In the list of zones, click tls-termination-dns.
      2. Click Create record.
      3. Leave the Name field empty for the record to match the my-site.com domain name (rather than a name with a subdomain, e.g., www.my-site.com).
      4. Select the record Type: A.
      5. In the Data field, paste the the load balancer’s IP address you copied.
      6. Click Create.

After configuring DNS, test the hosting.

Test the hosting

To test the hosting:

  1. Create the website home page, i.e., the index.html file.

    Example of the index.html file
    <!DOCTYPE html>
<html>
  <head>
    <title>My site</title>
  </head>
  <body>
    <h1>This is my site</h1>
  </body>
</html>

  2. Upload the index.html file to each VM:

    1. Go to the VM page in the management console. In the Network section, find the VM's public IP address.

    2. Connect to the VM over SSH.

    3. Grant your user write permissions for the /var/www/html directory:

      sudo chown -R "$USER":www-data /var/www/html

      sudo chown -R "$USER":apache /var/www/html

    4. Upload the website files to the VM via SCP.

      Use the scp command line utility:

      scp -r <path_to_directory_with_files> <VM_user_name>@<VM_IP_address>:/var/www/html

      Use WinSCP to copy the local file directory to /var/www/html on the VM.

  3. Open the website at http://my-site.com in your browser. A redirect to https://my-site.com should occur with the TLS certificate from Certificate Manager already enabled.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the mysite-alb L7 load balancer.
  2. Delete the mysite-router HTTP router.
  3. Delete the my-site-bg backend group.
  4. Delete the mysite-ig instance group.
  5. Delete the static public IP address you reserved.
  6. If you used Cloud DNS, delete the DNS records and delete the DNS zone.

See also

Previous
Overview
Next
Terraform