Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Terminating TLS connections using the management console

Written by
Updated at September 4, 2024

To create an infrastructure for terminating TLS connections using the management console:

  1. Prepare your cloud.
  2. Create a cloud network.
  3. Reserve a static public IP address.
  4. Create security groups.
  5. Import the site's TLS certificate into Certificate Manager.
  6. Create an instance group for the site.
  7. Create a backend group.
  8. Create and configure an HTTP router.
  9. Create an L7 load balancer.
  10. Configure the site's DNS.
  11. Test the hosting.

We will use the my-site.com domain name as an example.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of supporting the infrastructure for terminating TLS connections includes:

Create a cloud network

All the resources created in the use case will belong to the same cloud network.

To create a network:

  1. In the management console, select Virtual Private Cloud.
  2. Click Create network.
  3. Enter a Name for the network: mysite-network.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.

Reserve a static public IP address

For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.

To reserve an IP address:

  1. In the management console, select Virtual Private Cloud.
  2. Open the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the ru-central1-a availability zone. Click ** Reserve**.

Create security groups

Security groups include rules that allow the load balancer to receive incoming traffic and redirect it to the VMs so they can receive the traffic. In this use case, we will create two security groups: one for the load balancer and another one for all VMs.

To create security groups:

  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group for the load balancer:

    1. Click Create security group.
    2. Enter a Name for the security group: mysite-sg-balancer.
    3. Select the Network: mysite-network.
    4. Under Rules, create the following rules using the instructions below the table:
    Traffic
    direction    		 Description Port range Protocol Source /
    destination    		 CIDR blocks
    Outgoing any All Any CIDR 0.0.0.0/0
    Incoming ext-http 80 TCP CIDR 0.0.0.0/0
    Incoming ext-https 443 TCP CIDR 0.0.0.0/0
    Incoming healthchecks 30080 TCP Load balancer healthchecks
    1. Select the Egress or Ingress tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
    4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Destination name or Source field, select the purpose of the rule:
      • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      • Security group: Rule will apply to the VMs from the current group or the selected security group.
      • Load balancer healthchecks: Rule allowing a load balancer to health check VMs.
    6. Click Save. Repeat the steps to create all the rules from the table.
    7. Click Save.

  4. In the same way, create a security group named mysite-sg-vms for the VM and a network named mysite-network with the following rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    destination    		 CIDR blocks
    Incoming balancer 80 TCP Security group mysite-sg-balancer
    Incoming ssh 22 TCP CIDR 0.0.0.0/0

Import the site's TLS certificate into Certificate Manager

For users to access the site using the secure HTTPS protocol (HTTP over TLS), the site must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.

If your website does not have a certificate, you can use Certificate Manager to get one from Let's Encrypt®. This does not require additional steps after creating a certificate. It is imported automatically.

To import an existing certificate for my-site.com:

  1. In the management console, select Certificate Manager.
  2. Click Add certificate and select the User certificate option.
  3. Enter a Name for the certificate: mysite-cert.
  4. In the Certificate field, click Add certificate. Upload the File with your certificate or enter its Content and click Add.
  5. If your certificate is issued by a third-party certificate authority, click Add chain in the Intermediate certificate chain field. Upload the File with the certificate chain or enter its Content and click Add.
  6. In the Private key field, click Add private key. Upload the File with the key or enter its Content and click Add.
  7. Click Create.

Create an instance group for the site

To create an instance group for my-site.com:

  1. In the management console, select Compute Cloud.

  2. Open the Instance groups tab. Click Create group of virtual machines.

  3. Specify a VM group name: mysite-ig.

  4. Under Allocation, select multiple availability zones to ensure fault tolerance of your hosting.

  5. Under Instance template, click Define.

  6. Under Boot disk image, open the Marketplace tab and click Show all Marketplace products. Select LEMP and click Use.

  7. Under Computing resources:

    • Choose a VM platform.
    • Specify the required number of vCPUs and the amount of RAM.

    This minimum configuration is enough for functional website testing:

    • Platform: Intel Cascade Lake
    • Guaranteed vCPU performance: 5%
    • vCPU: 2
    • RAM: 1 GB

  8. Under Network settings, select the Network named mysite-network that you created earlier and its subnets.

  9. Select the previously created mysite-sg-vms security group.

  10. Specify the VM access data:

    • Enter the username in the Login field.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.

    Alert

    Once created, the VM gets an IP address and a host name (FQDN) for connections. If you selected No address in the Public address field, you will not be able to access the VM from the internet.

  11. Click Save.

  12. Under Scaling, enter the Size of the instance group: 2.

  13. Under Integration with Application Load Balancer, select Create target group and specify mysite-tg as the instance group name. You can read more about target groups here.

  14. Click Create.

Create a backend group

You must link the target group created with the VM group to the backend group that defines traffic allocation settings.

For the backends, groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response after a certain delay.

To create a backend group for my-site.com:

  1. In the management console, select Application Load Balancer.
  2. Open the Backend groups tab. Click Create backend group.
  3. Enter a Name for the backend group: my-site-bg.
  4. Under Backends, click Add.
  5. Enter a Name for the backend: mysite-backend.
  6. In the Target groups field, select the mysite-tg group.
  7. Specify the Port that the backend VMs will use to receive incoming traffic from the load balancer: 80.
  8. Click Add health check.
  9. Specify the Port that the backend VMs will use to accept health check connections: 80.
  10. Enter the Path to be accessed by the load balancer for health checks: /.
  11. Click Create.

Create and configure an HTTP router

The backend group should be linked to an HTTP router that defines routing rules.

To create an HTTP router:

  1. In the management console, select Application Load Balancer.
  2. Open the HTTP routers tab. Click Create HTTP router.
  3. Enter a Name for the HTTP router: mysite-router.
  4. Click Add virtual host.
  5. Enter a Name for the virtual host: mysite-host.
  6. In the Authority field, specify the site domain name: my-site.com.
  7. Click Add route.
  8. Enter a Name for the route: mysite-route.
  9. In the Backend group field, select the my-site-bg group.
  10. Click Create.

Create an L7 load Balancer

  1. In the management console, select Application Load Balancer.
  2. Click Create L7 load balancer.
  3. Enter a Name for the load balancer: mysite-alb.
  4. Under Network settings, select the mysite-sg-balancer security group that you previously created.
  5. Create a listener to redirect HTTP requests to HTTPS:
    1. Under Listeners, click Add listener.
    2. Enter a Name for the listener: listener-http.
    3. Under Public IP address, select the List type and the IP address you reserved earlier.
    4. In the Protocol field, select Redirect to HTTPS.
  6. Create an HTTPS request listener:
    1. Click Add listener again.
    2. Enter a Name for the listener: listener-https.
    3. Under Public IP address, select the List type and the IP address you reserved earlier.
    4. In the Protocol field, select HTTPS.
    5. Under Main listener, select the mysite-cert certificate and the mysite-router HTTP router.
    6. Add an SNI match for my-site.com:
    7. Click Add SNI match.
    8. Specify the Name for the SNI match: mysite-sni.
    9. In the Server names field, enter my-site.com.
    10. Select the mysite-cert certificate and the mysite-router HTTP router.
  7. Click Create.

Configure the site's DNS

The my-site.com domain name must be mapped to the L7 load balancer IP address using DNS records. To do this:

  1. In the management console, select Application Load Balancer.

  2. Copy the IP address of the load balancer that you created.

  3. On the site of your DNS hosting provider, go to the DNS settings.

  4. Create or edit the A record for my-site.com so that it points to the copied IP address:

    my-site.com. A <L7_load_balancer_IP_address>

    If you use Yandex Cloud DNS, follow this guide to configure the record:

    Configuring DNS records for Cloud DNS

    To get access to public zone domain names, you need to delegate the domain. Specify the addresses of the ns1.yandexcloud.net and ns2.yandexcloud.net servers in your personal dashboard at your registrar.

    1. In the management console, select Cloud DNS.
    2. If you do not have a public DNS zone, create one:
      1. Click Create zone.
      2. Enter a Name for the zone: tls-termination-dns.
      3. In the Zone field, enter the site's domain name with a trailing dot: my-site.com..
      4. Select a Type of the zone: Public.
      5. Click Create.
    3. Create a record in the zone:
      1. In the list of zones, click tls-termination-dns.
      2. Click Create record.
      3. Leave the Name field empty so that the record matches the my-site.com domain name (rather than a name with a subdomain, such as www.my-site.com).
      4. Select the record Type: A.
      5. In the Data field, paste the copied IP address of the load balancer.
      6. Click Create.

After configuring DNS, test the hosting.

Test the hosting

To test the hosting:

  1. Create the website home page, i.e., the index.html file.

    Example of the index.html file
    <!DOCTYPE html>
<html>
  <head>
    <title>My site</title>
  </head>
  <body>
    <h1>This is my site</h1>
  </body>
</html>

  2. Upload the index.html file to each VM:

    1. Go to the VM page of the management console. In the Network section, find the VM's public IP address.

    2. Connect to the VM over SSH.

    3. Grant your user write access to the /var/www/html directory:

      sudo chown -R "$USER":www-data /var/www/html

      sudo chown -R "$USER":apache /var/www/html

    4. Upload the website files to the VM via SCP.

      Use the scp command-line utility:

      scp -r <path_to_file_directory> <VM_username>@<VM_IP_address>:/var/www/html

      Use WinSCP to copy the local file directory to /var/www/html on the VM.

  3. Open the website at http://my-site.com in your browser. A redirect to https://my-site.com should occur with the TLS certificate from Certificate Manager already enabled.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the mysite-alb L7 load balancer.
  2. Delete the mysite-router HTTP router.
  3. Delete the my-site-bg backend group.
  4. Delete the mysite-ig instance group.
  5. Delete the static public IP address you reserved.
  6. If you used Cloud DNS, delete the DNS records and delete the DNS zone.

See also

Previous
Overview
Next
Terraform