Setting up a secure network configuration

1. In the management console, open Virtual Private Cloud in the folder where you want to reserve the IP addresses.
2. Open the IP addresses tab. Click Reserve address.
3. In the window that opens, select the ru-central1-b availability zone. Click ** Reserve**.
4. Click Reserve address once again.
5. In the window that opens, select the ru-central1-a availability zone. Click ** Reserve**.

1. In the management console, open your folder and click Create resource. Select Virtual machine instance.

2. Under Boot disk image, go to the Marketplace tab, click Show all Marketplace products, and select the Drupal image.

3. Under Location, select the ru-central1-a availability zone.

4. Under Network settings, specify:

   • Subnet: subnet-a.
   • Public IP address: No address.

5. Under Access, select the SSH key option and specify the access credentials for the VM:

   • Under Login, enter the username.

     Alert

     Do not use root or other usernames reserved by the OS. To perform operations requiring root privileges, use the sudo command.

   • In the SSH key field, select the SSH key saved in your organization user profile.

     If there are no SSH keys in your profile or you want to add a new key:

     1. Click Add key.

     2. Enter a name for the SSH key.

     3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

     4. Click Add.

     The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

6. Under General information, enter the VM name: web-node-a.

7. Click Create VM.

8. Do the same for the web-node-b and web-node-d VMs. Create the VMs in the ru-central1-b and ru-central1-d availability zones and connect them to subnet-b and subnet-d, respectively.

1. In the management console, open your folder and click Create resource. Select Virtual machine instance.

2. Under Boot disk image, go to the Marketplace tab, click Show all Marketplace products, and select the IPSec instance image.

3. Under Location, select the ru-central1-a availability zone.

4. Under Network settings:

   • In the Subnet field, select subnet-a.
   • In the Public IP address field, select List and select the reserved IP address from the list.

5. Under Access, select the SSH key option and specify the information required to access the VM:

   • Under Login, enter the username.

     Alert

     Do not use root or other usernames reserved by the OS. To perform operations requiring root privileges, use the sudo command.

   • In the SSH key field, select the SSH key saved in your organization user profile.

     If there are no SSH keys in your profile or you want to add a new key:

     1. Click Add key.

     2. Enter a name for the SSH key.

     3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

     4. Click Add.

     The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

6. Under General information, enter the VM name: vpc.

7. Click Create VM.

1. In the management console, open the Virtual Private Cloud section in the folder where you want to configure routing.
2. Select the network to create the route table in.
3. In the left-hand panel, select Routing tables.
4. Click Create.
5. Enter the route table name: vpn-route.
6. Click Add.
7. In the window that opens, enter the prefix of the remote site destination subnet. In our example, it is 192.168.0.0/24.
8. In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.
9. Click Create routing table.

1. In the management console, open Virtual Private Cloud in the folder where you want to configure routing.
2. Select the network with the subnets to assign the route table to.
3. In the row with the subnet you need, click .
4. In the menu that opens, select Link routing table.
5. In the window that opens, select the created table from the list.
6. Click Link.
7. Link the route table named vpn-route to all the three subnets.

1. In the management console, open Virtual Private Cloud in the folder where you want to create a security group.
2. In the left-hand panel, select Security groups.
3. Click Create security group.
4. Enter a name for the security group: vpn-sg.
5. In the Network field, select the network that the security group will refer to.
6. Under Rules, create traffic management rules:
   1. Select the Egress tab.
   2. Click Add.
   3. In the window that opens, set the port to 500 in the Port range field.
   4. In the Protocol field, select UDP.
   5. In the Destination name field, specify the public address of a remote VPN hub with the 32 mask.
7. Click Save.
8. Click Add.
   1. In the window that opens, set the port to 4500 in the Port range field.
   2. In the Protocol field, select UDP.
   3. In the Destination name field, specify the public address of a remote VPN hub with the 32 mask.
9. Click Save.
10. Set up rules that allow traffic between the web servers and VMs on the remote site. Click Add.
    1. In the window that opens, click Select entire range in the Port range field.
    2. In the Protocol field, select Any.
    3. In the Destination name field, specify the internal network CIDR: 10.0.0.0/8.
    4. Click Add and specify the remote site CIDR: 192.168.0.0/24.
11. Create the same rules for incoming traffic.

1. In the management console, open Compute Cloud.
2. Select the vpn VM.
3. Under Network, click and select Edit.
4. In the window that opens, select the vpn-sg security group in the Security groups field.
5. Click Save.
6. Repeat the steps and assign the web-service-sg security group to the web-node-a, web-node-b, and web-node-d VMs.

To create a network load balancer:

1. In the management console, open Network Load Balancer in the folder where you want to create a load balancer.
2. Click Create a network load balancer.
3. Enter the load balancer name: web-service-lb.
4. In the Public address field, select List and specify a static public address.
5. Under Listeners, click Add listener.
6. In the window that opens, enter a name for the listener and set the port to 80 in the Port and Target port fields. Click Add.
7. Under Target groups, click Add target group .
8. In the Target group field, click the list and then click Create target group.
9. In the window that opens, enter the target group name: web-tg.
10. Select the web-node-a, web-node-b, and web-node-d VMs.
11. Click Create.
12. Select the created target group from the list.
13. Click Create.