Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Architecture and protection of a basic web service

Written by
Updated at November 10, 2025

In this tutorial, you will deploy and set up a basic web service infrastructure consisting of multiple VMs and accessible from a remote site. You will use security groups to restrict access to the VMs and a network load balancer to distribute traffic across web servers.

The diagram below shows how a remote site communicates with your web service:

Remote site:

  • remote-net network with subnet-1 (10.129.0.0/24).
  • vm-1 Ubuntu VM residing in subnet-1 and used to test your cloud site infrastructure.

Note

You can also use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

Cloud site:

  • network with the following subnets: subnet-a (192.168.5.0/24), subnet-b (192.168.15.0/24), and subnet-d (192.168.25.0/24).
  • vpn IPsec gateway residing in subnet-a to provide an IPsec connection to a remote site and network connectivity between cloud VMs.
  • Route table containing static vpn-route directing subnet-1 traffic through the IPsec gateway to the cloud VMs.
  • web-node-a, web-node-b, and web-node-d Drupal internet service VMs residing in subnet-a, subnet-b, and subnet-d, respectively.
  • vpn-sg security group managing IPSec tunnel traffic for vpn and web-service-sg security group managing traffic between web-node-a, web-node-b, and web-node-d.
  • web-service-lb load balancer distributing incoming traffic across web-node-a, web-node-b, and web-node-d.

To create the web service infrastructure:

  1. Get your cloud ready.
  2. Set up your remote site.
  3. Set up your cloud site.
  4. Test the solution.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The cost of support for the new infrastructure includes:

Set up your remote site

In this step, you will set up your remote site infrastructure, including a network, a subnet, and a VM you will use to access the web service.

Note

You can use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

If you are going to use your PC as the remote site, you can skip this section and go to Set up your cloud site.

Create a network and a subnet

  1. Create the remote-net network with the Create subnets option disabled.

  2. Create a subnet for your remote site test VM, configuring it as follows:

    • Name: subnet-1.
    • Availability zone: ru-central1-b.
    • Network: remote-net.
    • CIDR: 10.129.0.0/24.

Create a test VM

Create a VM you to test whether your web service is accessible from the internet.

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Select Advanced setup.

  6. Under Boot disk image, select Ubuntu 22.04 LTS OS Login.

  7. Under Location, select the ru-central1-b availability zone.

  8. Under Network settings:

    • In the Subnet field, select subnet-1.
    • In the Public IP address field, select Auto.

  9. Under Access, select Access by OS Login to connect to your VM and manage its access using OS Login in Yandex Identity Hub.

    With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the CLI. OS Login enables rotating the SSH keys used to access VMs, providing the most secure access option.

  10. Under General information, specify the VM name: vm-1.

  11. Click Create VM.

  12. Get the new VM public IP address:

    1. Once the vm-1 status changes to Running, click its name.

    2. On the VM overview page that opens, copy Public IPv4 address under Network interface.

      Save the copied IP address as you will need it later when creating a security group.

Set up your cloud site

Set up a cloud network

  1. In the management console, navigate to the folder where you want to deploy your infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. Create a cloud network named network with the Create subnets option disabled.

  4. In network, create subnets with the following settings:

    1. Subnet hosting the web-node-a VM and the vpn IPSec instance:

      • Name: subnet-a.
      • Availability zone: ru-central1-a.
      • Network: network.
      • CIDR: 192.168.5.0/24.

    2. Subnet hosting the web-node-b VM:

      • Name: subnet-b.
      • Availability zone: ru-central1-b.
      • Network: network.
      • CIDR: 192.168.15.0/24.

    3. Subnet hosting the web-node-d VM:

      • Name: subnet-d.
      • Availability zone: ru-central1-d.
      • Network: network.
      • CIDR: 192.168.25.0/24.

Reserve two static public IP addresses

You will need two static public IP addresses: one for your VPN gateway and another for the network load balancer.

  1. In the management console, navigate to the folder where you will reserve your IP addresses.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-a availability zone and click ** Reserve**.
  6. Repeat steps 4 and 5 and reserve the second IP address in the ru-central1-b availability zone.

Create and configure security groups

To split traffic between network segments, create security groups with rules for inbound and outbound traffic.

Create a security group for the VPN gateway

You need to allow inbound and outbound internet traffic on UDP ports 500 and 4500 used by the IPsec VPN. You also need to allow traffic between the subnets of your virtual network and the remote site network.

  1. In the management console, navigate to the folder where you want to create a security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: vpn-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    Inbound

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Inbound

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Inbound

    internal

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    Outbound

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outbound

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outbound

    intersubnet

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    1 If you are using your local PC as the test VM, specify your subnet CIDR here.

  8. Click Create.

Create a security group for your web service VMs

  1. In the management console, navigate to the folder where you want to create a security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: web-service-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks /
    Security group

    Ingress

    ssh

    22

    TCP

    CIDR

    0.0.0.0/0

    Inbound

    anyself

    0-65535

    Any

    Security group

    Current

    Inbound

    healthchecks

    80

    TCP

    Load balancer healthchecks

    Outbound

    self

    0-65535

    Any

    Security group

    Current

  8. Click Create.

Create and configure your cloud VMs

Create web service VMs in all availability zones

  1. In the management console, select the folder where you want to create your VMs.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Select Advanced setup.

  6. Under Boot disk image, navigate to the Marketplace tab and select Drupal 10.

  7. Under Location, select the ru-central1-a availability zone.

  8. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select No address.
    • Select the web-service-sg security group.

  9. Under Access:

    • Select the SSH key connection option.

    • In the Login field, set a username.

      Alert

      Do not use root or other reserved usernames. For operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  10. Under General information, specify the VM name: web-node-a.

  11. Click Create VM.

  12. Repeat steps 4 through 10 to create the web-node-b and web-node-d VMs in the ru-central1-b and ru-central1-d availability zones and subnet-b and subnet-d subnets, respectively.

Create an IPSec instance for remote access

To provide secure access to your resources, create an IPSec instance.

  1. In the management console, navigate to the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Select Advanced setup.

  6. Under Boot disk image, navigate to the Marketplace tab and select the IPSec instance image.

  7. Under Location, select the ru-central1-a availability zone.

  8. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select List and then select the previously reserved IP address from the list that opens.
    • Select the vpn-sg security group.

  9. Under Access, select SSH key and specify the VM access credentials:

    • Under Login, enter the username. Do not use root or other names reserved for the OS purposes. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  10. Under General information, specify the VM name: vpn.

  11. Click Create VM.

  12. Once the vpn VM status changes to Running, copy its Internal IPv4.

    You will need the internal gateway address to configure a static route.

Configure VPN routing

Configure routing between your remote site subnet and IPSec instance.

Create a route table

Create a route table and add static routes:

  1. In the management console, navigate to the folder where you want to configure routing.
  2. In the list of services, select Virtual Private Cloud.
  3. Select network.
  4. In the left-hand panel, select Routing tables.
  5. Click Create routing table.
  6. Specify the route table name: vpn-route.
  7. Under Static routes, click Add.
  8. In the window that opens:

    • In the Destination prefix field, enter 10.129.0.0/24.

      If you are using your local PC as the test VM, specify your subnet CIDR.

    • In the Next hop field, specify the IPSec gateway internal IP address.

    • Click Add.

  9. Click Create routing table.

Associate the route table with all subnets

To use static routes, associate the route table with all subnets in your cloud network.

  1. In the management console, navigate to your cloud network folder.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select Subnets.
  4. Click next to subnet-a and select Link routing table.
  5. In the window that opens, select the vpn-route table in the Route table field.
  6. Click Link.
  7. Repeat steps 4 through 6 to associate the vpn-route table with subnet-b and subnet-d.

Create a network load balancer

The network load balancer will distribute incoming traffic across your web service VMs in the target group.

To create a network load balancer:

  1. In the management console, navigate to the folder where you want to create a load balancer.

  2. In the list of services, select Network Load Balancer.

  3. Click Create a network load balancer.

  4. Specify the load balancer name: web-service-lb.

  5. In the Public address field, select List and specify the public static IP address.

  6. Under Listeners, click Add listener. In the window that opens:

    1. Specify the listener name: web-service-lb-listener.
    2. In the Port field, specify 80.
    3. In the Target port field, specify 80.
    4. Click Add.

  7. Under Target groups, click Add target group.

    1. In the Target group field, select Create target group. In the window that opens:

      1. Specify the target group name: web-tg.
      2. Select the web-node-a, web-node-b, and web-node-d VMs.
      3. Click Create.

    2. Select the web-tg target group.

  8. In the selected target group section:

    1. Click Configure.
    2. In the window that opens, select TCP in the Type field and click Apply.

  9. Click Create.

Test the solution

Check that your infrastructure works properly and your web service VMs do not receive any external traffic:

  1. Run the following command on your remote computer:

    curl <public_IP_address_of_network_load_balancer>

    You should get no response because the system will block traffic to your Drupal servers.

  2. Add two new inbound traffic rules to the web-service-sg security group:

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    http-external-vm

    80

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    https-external-vm

    443

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    These rules allow access to the network load balancer’s target group VMs from your remote VM public IP address.

  3. Run this command on your remote computer again:

    curl <public_IP_address_of_network_load_balancer>

    You should get the Drupal home page HTML code, which means the rules you added to the security group allowed network access to the Drupal VMs from your remote computer IP address.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VMs.
  2. Delete the network load balancer.
  3. Delete the static public IP addresses you reserved.
  4. You can also delete the route table, security groups, subnets, and networks.
Previous
All tutorials
Next
Implementing fault-tolerant scenarios for NAT VMs