© 2025 Direct Cursus Technology L.L.C.
Architecture and protection of a basic internet service

Written by Yandex Cloud. Updated at May 13, 2025.
  • Get your cloud ready
    • Required paid resources
  • Set up your remote site
    • Create a network with a subnet
    • Create a test VM
  • Set up your cloud site
    • Set up a cloud network
    • Reserve two static public IP addresses
    • Create and configure security groups
    • Create and configure your cloud VMs
    • Configure VPN routing
    • Create a network load balancer
  • Test the solution
  • How to delete the resources you created

In this tutorial, you will set up a basic web service infrastructure consisting of multiple VMs and accessible from the internet. You will use security groups to restrict access to the VMs and a network load balancer to distribute traffic across web servers.

The diagram below shows how a remote site communicates with your web service:

Remote site:

  • remote-net network with subnet-1 (10.129.0.0/24).
  • vm-1 Ubuntu VM residing in subnet-1 and used to test your cloud infrastructure.

Note

You can also use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

Cloud site:

  • network with the following subnets: subnet-a (192.168.5.0/24), subnet-b (192.168.15.0/24), and subnet-d (192.168.25.0/24).
  • vpn IPsec gateway residing in subnet-a to provide an IPsec connection to a remote site and network connectivity between cloud VMs.
  • Route table containing static vpn-route directing subnet-1 traffic through the IPsec gateway to the cloud VMs.
  • web-node-a, web-node-b, and web-node-d Drupal internet service VMs residing in subnet-a, subnet-b, and subnet-d, respectively.
  • vpn-sg security group managing traffic between vpn and the remote site and web-service-sg security group managing traffic between web-node-a, web-node-b, and web-node-d.
  • web-service-lb load balancer distributing incoming traffic across web-node-a, web-node-b, and web-node-d.

To create a web service infrastructure:

  1. Get your cloud ready.
  2. Set up your remote site.
  3. Set up your cloud site.
  4. Test the solution.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of the web service infrastructure support includes:

  • Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • Fee for public static IP addresses (see Yandex Virtual Private Cloud pricing).
  • Fee for using a network load balancer (see Yandex Network Load Balancer pricing).

Set up your remote site

In this step, you will set up your remote site infrastructure, including a network, a subnet, and a VM you will use to access the web service.

Note

You can use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

If you are going to use your PC as the remote site, you can skip this section and go to Set up your cloud site.

Create a network with a subnet

  1. Create the remote-net network with the Create subnets option disabled.

  2. Create a subnet for your remote site test VM, configuring it as follows:

    • Name: subnet-1.
    • Zone: ru-central1-b.
    • Network: remote-net.
    • CIDR: 10.129.0.0/24.

Create a test VM

Create a VM you will use to test whether your web service is accessible from the internet.

Management console
  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select Ubuntu 22.04 LTS OS Login.

  6. Under Location, select the ru-central1-b availability zone.

  7. Under Network settings:

    • In the Subnet field, select subnet-1.
    • In the Public IP address field, select Auto.
  8. Under Access, select Access by OS Login to connect to your VM and manage its access using OS Login in Yandex Cloud Organization.

    With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the CLI. OS Login enables rotating the SSH keys used to access VMs, providing the most secure access option.

  9. Under General information, specify the VM name: vm-1.

  10. Click Create VM.

  11. Get the new VM public IP address:

    1. Once the vm-1 status changes to Running, click its name.

    2. In the VM overview page that opens, copy Public IPv4 address under Network interface.

      Save the copied IP address as you will need it later when creating a security group.

Set up your cloud site

Set up a cloud network

Management console
  1. In the management console, navigate to the folder where you want to deploy your infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. Create a cloud network named network with the Create subnets option disabled.

  4. In network, create subnets with the following settings:

    1. Subnet hosting the web-node-a VM and the vpn IPSec gateway:

      • Name: subnet-a.
      • Zone: ru-central1-a.
      • Network: network.
      • CIDR: 192.168.5.0/24.
    2. Subnet hosting the web-node-b VM:

      • Name: subnet-b.
      • Zone: ru-central1-b.
      • Network: network.
      • CIDR: 192.168.15.0/24.
    3. Subnet hosting the web-node-d VM:

      • Name: subnet-d.
      • Zone: ru-central1-d.
      • Network: network.
      • CIDR: 192.168.25.0/24.

Reserve two static public IP addresses

You will need two static public IP addresses: one for your VPN gateway and another for the network load balancer.

Management console
  1. In the management console, navigate to the folder where you will reserve your IP addresses.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-a availability zone and click Reserve.
  6. Repeat steps 4 and 5 and reserve the second IP address in the ru-central1-b availability zone.

Create and configure security groups

To isolate traffic between network segments, create security groups with rules for inbound and outbound traffic. A security group only permits the traffic its rules describe; any packet that matches no rule is dropped, so every allowed flow has to be listed explicitly.

Create a VPN gateway security group

You need to allow inbound and outbound internet traffic on UDP ports 500 and 4500 used by the IPsec VPN. You also need to allow traffic between the subnets of your virtual network and the remote site network.

Management console
  1. In the management console, navigate to the folder where you want to create a security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: vpn-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
    |---|---|---|---|---|---|
    | Inbound | udp500 | 500 | UDP | CIDR | <remote_VM_public_IP_address>/32 |
    | Inbound | udp4500 | 4500 | UDP | CIDR | <remote_VM_public_IP_address>/32 |
    | Inbound | internal | 0-65535 | Any | CIDR | 192.168.5.0/24, 192.168.15.0/24, 192.168.25.0/24, 10.129.0.0/24 ¹ |
    | Outbound | udp500 | 500 | UDP | CIDR | <remote_VM_public_IP_address>/32 |
    | Outbound | udp4500 | 4500 | UDP | CIDR | <remote_VM_public_IP_address>/32 |
    | Outbound | intersubnet | 0-65535 | Any | CIDR | 192.168.5.0/24, 192.168.15.0/24, 192.168.25.0/24, 10.129.0.0/24 ¹ |

    ¹ If you are using your local PC as the test VM, specify your home subnet CIDR here.

  8. Click Create.

Create a security group for your web service VMs

Management console
  1. In the management console, navigate to the folder where you want to create a security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: web-service-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks / Security group |
    |---|---|---|---|---|---|
    | Inbound | ssh | 22 | TCP | CIDR | 0.0.0.0/0 |
    | Inbound | anyself | 0-65535 | Any | Security group | Current |
    | Inbound | healthchecks | 80 | TCP | Load balancer healthchecks | — |
    | Outbound | self | 0-65535 | Any | Security group | Current |
  8. Click Create.

Create and configure your cloud VMs

Create web service VMs in all availability zones

Management console
  1. In the management console, select the folder where you want to create your VMs.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, navigate to the Marketplace tab and select Drupal 10.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select No address.
    • Select the web-service-sg security group.
  8. Under Access:

    • Select the SSH key connection option.

    • In the Login field, set a user name.

      Alert

      Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM on your own.
      • Select an expiration date for the key.
      • Click Add.

      The system will add the SSH key to your organization user profile.

      If, due to organization restrictions, you cannot add SSH keys to your organization user profile, the system will only save it to the new VM user profile.

  9. Under General information, specify the VM name: web-node-a.

  10. Click Create VM.

  11. Repeat steps 4 through 10 to create the web-node-b and web-node-d VMs in the ru-central1-b and ru-central1-d availability zones and subnet-b and subnet-d subnets, respectively.

Create an IPSec remote access gateway

Create an IPSec gateway to provide secure access to your cloud resources.

Management console
  1. In the management console, navigate to the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, navigate to the Marketplace tab and select the IPSec instance.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select List and then select the previously reserved IP address from the list that opens.
    • Select the vpn-sg security group.
  8. Under Access, select SSH key and specify the VM access credentials:

    • Under Login, enter the username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: vpn.

  10. Click Create VM.

  11. Once the vpn VM status changes to Running, click its name. In the VM overview page that opens, copy Internal IPv4 of your VM.

    Save the copied internal gateway address as you will need it when configuring a static route.

Configure VPN routing

Configure routing between your remote site subnet and IPSec gateway.

Create a route table

Create a route table and add static routes:

Management console
  1. In the management console, navigate to your cloud network folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Select network.
  4. In the left-hand panel, select Routing tables.
  5. Click Create routing table.
  6. Specify the route table name: vpn-route.
  7. Under Static routes, click Add.
  8. In the window that opens:
    • In the Destination prefix field, enter 10.129.0.0/24.

      If you are using your local PC as the test VM, specify your home subnet CIDR.

    • In the Next hop field, specify the IPSec gateway internal IP address you saved previously.

    • Click Add.

  9. Click Create routing table.

Link the route table to all subnets

To make static routes available in your cloud network, link the route table to all its subnets.

Management console
  1. In the management console, navigate to your cloud network folder.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select Subnets.
  4. Click next to subnet-a and select Link routing table.
  5. In the window that opens, select the vpn-route table in the Route table field.
  6. Click Link.
  7. Repeat steps 4 through 6 to link the vpn-route route table to subnet-b and subnet-d.

Create a network load balancer

The network load balancer will distribute incoming traffic across your web service VMs in the target group.

To create a network load balancer:

Management console
  1. In the management console, navigate to the folder where you want to create a load balancer.

  2. In the list of services, select Network Load Balancer.

  3. Click Create a network load balancer.

  4. Specify the load balancer name: web-service-lb.

  5. In the Public address field, select List and then select the previously reserved public IP address from the list that opens.

  6. Under Listeners, click Add listener. In the window that opens:

    1. Specify the listener name: web-service-lb-listener.
    2. In the Port field, specify 80.
    3. In the Target port field, specify 80.
    4. Click Add.
  7. Under Target groups, click Add target group.

    1. In the Target group field, select Create target group. In the window that opens:

      1. Specify the target group name: web-tg.
      2. Select the web-node-a, web-node-b, and web-node-d VMs.
      3. Click Create.
    2. Select the web-tg target group.

  8. In the selected target group section:

    1. Click Configure.
    2. In the window that opens, select TCP in the Type field and click Apply.
  9. Click Create.

Test the solution

Check that your infrastructure works properly and your internet service VMs do not receive any external traffic:

  1. Run the following command on your remote site VM:

    curl <public_IP_address_of_network_load_balancer>

    You should get no response, because web-service-sg has no rule yet that allows traffic from your remote VM to your Drupal servers.

  2. Add two new inbound traffic rules to the web-service-sg security group:

    | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
    |---|---|---|---|---|
    | http-external-vm | 80 | TCP | CIDR | <remote_VM_public_IP_address>/32 |
    | https-external-vm | 443 | TCP | CIDR | <remote_VM_public_IP_address>/32 |

    These rules allow access to the network load balancer’s target group instances from your remote VM public IP address.

  3. Run this command on your remote VM again:

    curl <public_IP_address_of_network_load_balancer>

    You should see the Drupal home page HTML code, which means the system successfully applied the rules allowing network access to the Drupal VMs from your remote VM.
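As an added example (not part of the Yandex Cloud tutorial), the Python script below models the vpn-sg and web-service-sg rule tables and this test step: security groups are default-deny, so the curl request from the remote VM is dropped until the http-external-vm rule exists, while load balancer health checks, SSH, and traffic between the web nodes pass. The address 203.0.113.10 is a constructed stand-in for <remote_VM_public_IP_address>, and the script assumes, as the tutorial's rules imply, that a web node sees the remote VM's public address as the source of the forwarded connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str                  # "inbound" or "outbound"
    protocol: str                   # "TCP", "UDP" or "Any"
    ports: tuple                    # (from_port, to_port), inclusive
    cidrs: tuple = ()               # CIDR blocks column (source for inbound, destination for outbound)
    self_group: bool = False        # "Security group: Current" (peer is a member of this group)
    lb_healthchecks: bool = False   # "Load balancer healthchecks" predefined source


def allowed(rules, direction, protocol, port, peer_ip=None,
            peer_in_group=False, from_lb_healthcheck=False):
    """Security groups are default-deny: a packet passes only if at least one rule matches it."""
    for r in rules:
        if r.direction != direction or r.protocol not in ("Any", protocol):
            continue
        if not r.ports[0] <= port <= r.ports[1]:
            continue
        if (r.self_group and peer_in_group) or (r.lb_healthchecks and from_lb_healthcheck):
            return True
        if peer_ip is not None and any(
                ipaddress.ip_address(peer_ip) in ipaddress.ip_network(c) for c in r.cidrs):
            return True
    return False


# Constructed stand-in for <remote_VM_public_IP_address>; the subnets are the tutorial's own.
REMOTE_VM_IP = "203.0.113.10"
REMOTE_VM = (REMOTE_VM_IP + "/32",)
CLOUD_AND_REMOTE_SUBNETS = ("192.168.5.0/24", "192.168.15.0/24", "192.168.25.0/24", "10.129.0.0/24")

VPN_SG = [  # rules from the vpn-sg table
    Rule("inbound", "UDP", (500, 500), REMOTE_VM),
    Rule("inbound", "UDP", (4500, 4500), REMOTE_VM),
    Rule("inbound", "Any", (0, 65535), CLOUD_AND_REMOTE_SUBNETS),
    Rule("outbound", "UDP", (500, 500), REMOTE_VM),
    Rule("outbound", "UDP", (4500, 4500), REMOTE_VM),
    Rule("outbound", "Any", (0, 65535), CLOUD_AND_REMOTE_SUBNETS),
]

WEB_SERVICE_SG = [  # rules from the web-service-sg table
    Rule("inbound", "TCP", (22, 22), ("0.0.0.0/0",)),
    Rule("inbound", "Any", (0, 65535), self_group=True),
    Rule("inbound", "TCP", (80, 80), lb_healthchecks=True),
    Rule("outbound", "Any", (0, 65535), self_group=True),
]

TEST_STEP_RULES = [  # http-external-vm and https-external-vm, added in step 2 of the test
    Rule("inbound", "TCP", (80, 80), REMOTE_VM),
    Rule("inbound", "TCP", (443, 443), REMOTE_VM),
]


def curl_from_remote_reaches_drupal(rules):
    """curl <LB address> from the remote VM: the balancer hands the TCP 80 connection to a
    web node, which sees the remote VM's public address as the source (assumption, see lead-in)."""
    return allowed(rules, "inbound", "TCP", 80, peer_ip=REMOTE_VM_IP)
```

Running the two scenarios shows the tutorial's expected outcome: curl_from_remote_reaches_drupal(WEB_SERVICE_SG) is False and curl_from_remote_reaches_drupal(WEB_SERVICE_SG + TEST_STEP_RULES) is True.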

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VMs.
  2. Delete the network load balancer.
  3. Delete the static public IP addresses you reserved.
  4. You can also delete the route table, security groups, subnets, and networks.
