Network security
This section provides customers with recommendations on security settings in Yandex Virtual Private Cloud.
For more information about how to configure your network infrastructure, watch our webinar How a network works in Yandex Cloud.
Creating a protected segmented environment
To control network access to your resources, use one of the following:
- With built-in security groups, you can manage VM access to resources and security groups in Yandex Cloud or resources on the internet. A security group is a set of rules for incoming and outgoing traffic that can be assigned to a VM's network interface. Security groups work like a stateful firewall: they monitor the status of sessions and, if a rule allows a session to be created, they automatically allow response traffic. See the guide on how to set up security groups in Create a security group. You can specify a security group in the VM settings.
- Separate VM as a firewall based on an NGFW image from Cloud Marketplace. Solution: Installing an NGFW on a Yandex Cloud VM: Check Point.
- Router-on-a-Stick method based on Cloud Interconnect: you can connect your firewall to the Yandex Cloud infrastructure via a dedicated channel and route traffic to cloud networks through this firewall.
To deliver traffic to an application within your cloud infrastructure, we recommend using a network load balancer, such as Yandex Application Load Balancer, to route your traffic through the selected ports only. Use the network load balancer together with security groups to limit the list of IP addresses that have access to the application.
To isolate applications from each other, put resources in different security groups and, if strict isolation is required, in different VPCs. Traffic within a VPC is allowed by default; traffic between VPCs is not allowed unless the networks are connected by a VM with two network interfaces in different networks, a VPN, or Cloud Interconnect.
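As an added example (not from the Yandex Cloud documentation), this Terraform configuration for the Yandex Cloud provider expresses the layout recommended above: a load balancer group that is open to the internet on port 443 only, and an application group that admits the backend port only from the load balancer group and SSH only from a bastion subnet. The `yandex_vpc_security_group` resource and its `ingress`/`egress`, `security_group_id` and `predefined_target` attributes are taken from the provider as I know it; the network id, CIDR ranges and ports are placeholders.

```hcl
# Added example (not from the Yandex Cloud docs). Placeholders: network id,
# CIDRs, ports. The app group admits traffic by source security group id, not
# by IP; because groups are stateful, return traffic needs no extra rule.
variable "network_id" { type = string }

# Load balancer tier: HTTPS in from the internet, health checks, app port out.
resource "yandex_vpc_security_group" "lb" {
  name       = "lb-sg"
  network_id = var.network_id
  ingress {
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    protocol          = "TCP"
    port              = 30080   # health check port (placeholder)
    predefined_target = "loadbalancer_healthchecks"
  }
  egress {
    protocol       = "TCP"
    port           = 8080
    v4_cidr_blocks = ["10.10.0.0/24"]   # application subnet (placeholder)
  }
}

# Application tier: reachable only from the LB group and the bastion subnet.
resource "yandex_vpc_security_group" "app" {
  name       = "app-sg"
  network_id = var.network_id
  ingress {
    protocol          = "TCP"
    port              = 8080
    security_group_id = yandex_vpc_security_group.lb.id
  }
  ingress {
    protocol       = "TCP"
    port           = 22
    v4_cidr_blocks = ["10.10.1.0/24"]   # bastion subnet (placeholder)
  }
  egress {
    protocol       = "TCP"
    port           = 443                # package updates only
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Without the health check rule the balancer marks every backend unhealthy, which is the most common symptom of an over-tight group on the load balancer tier.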
DDoS protection
When assigning public IP addresses to your cloud resources, enable the built-in DDoS protection at L4. If you need L7 DDoS protection, contact your account manager.
Setting up remote access and communication channels
To enable administrators to establish remote connections to your cloud resources, use one of the following:
- Site-to-site VPN between a remote site, e.g., your office, and a cloud. As a remote access gateway, use a VM featuring a site-to-site VPN based on an image from Cloud Marketplace.
  Setup options:
- Client VPN between remote devices and Yandex Cloud. As a remote access gateway, use a VM featuring a client VPN based on an image from Cloud Marketplace. For more information, see the guide in the Creating a VPN connection using OpenVPN section.
- Dedicated private connection between a remote site and Yandex Cloud using Cloud Interconnect.
- VPN on certified data cryptographic security tools:
  - GOST VPN. If you need to provide a secure channel on certified hardware data cryptographic security tools, contact your manager. The GOST VPN service includes the installation of a hardware cryptographic gateway on the Yandex Cloud side and, if necessary, on the client side, as well as the configuration and further support of a secure channel. Crypto gateways are available for rent. The service is provided jointly with a Yandex Cloud partner.
  - Virtual crypto gateway. You can use certified virtual crypto gateways from Russian companies, such as InfoTeCS, S-Terra CSP, and CRYPTO-PRO. A crypto gateway works like a regular VM. You are responsible for purchasing any licenses and maintaining crypto gateways.
To access the infrastructure using control protocols (for example, SSH or RDP), create a bastion VM. You can do this using a free Teleport
For better control of administrative actions, we recommend that you use PAM (Privileged Access Management) solutions that support administrator session logging (for example, Teleport). For SSH and VPN access, we recommend that you avoid passwords and use public keys, X.509 certificates, or SSH certificates instead. When setting up SSH for your virtual machines, we recommend that you use SSH certificates (for the SSH host as well).
To access web services deployed in the cloud, use TLS version 1.2 or higher.
Outbound internet access
Possible options for setting up outbound internet access:
- Public IP address. Assigned to a VM according to the one-to-one NAT rule.
- NAT gateway. Enables internet access for a subnet through a shared pool of Yandex Cloud public IP addresses. We don't recommend using a NAT gateway for critical interactions, since the NAT gateway's IP address might be used by multiple clients at the same time. Take this into account when modeling threats to your infrastructure.
- NAT instance. The NAT function is performed by a separate VM. You can create this VM using a NAT instance image from Cloud Marketplace.
Comparison of internet access methods:
| | Public IP address | NAT gateway | NAT instance |
|---|---|---|---|
| Advantages | No setup required; a dedicated IP address for each VM | Runs only on egress connections | Traffic filtering on the NAT instance; using your own firewall; effective use of IP addresses |
| Disadvantages | It might be unsafe to expose a VM directly to the internet; the cost of reserving each IP address | Shared pool of IP addresses | Setup required; the cost of using a VM (vCPU, RAM, and disk space) |
Regardless of which option you select for setting up outgoing internet access, be sure to limit traffic using one of the mechanisms described above in Creating a protected segmented environment. To build a secure system, use static IP addresses, since they can be added to the receiving party's firewall allowlist.
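As an added example (not from the Yandex Cloud documentation), the following Terraform configuration wires up the NAT gateway option from the table above: a shared egress gateway, a route table sending the default route to it, and a private subnet bound to that route table. The `yandex_vpc_gateway`, `yandex_vpc_route_table` and `yandex_vpc_subnet` resources are used as I know them from the Yandex provider; the network id, zone and CIDR are placeholders.

```hcl
# Added example (not from the Yandex Cloud docs). Placeholders: network id,
# zone, CIDR. VMs in the private subnet get no public IP of their own; all
# their outbound traffic leaves through the shared NAT pool, so pair this
# with an egress-restricting security group on the VMs themselves.
variable "network_id" { type = string }

# Shared egress gateway: the public address comes from a shared pool, which
# is why the page advises against it for critical interactions.
resource "yandex_vpc_gateway" "egress" {
  name = "egress-nat"
  shared_egress_gateway {}
}

# Default route for the private subnet points at the gateway.
resource "yandex_vpc_route_table" "private" {
  name       = "private-rt"
  network_id = var.network_id
  static_route {
    destination_prefix = "0.0.0.0/0"
    gateway_id         = yandex_vpc_gateway.egress.id
  }
}

# The subnet only gets NAT because it is bound to this route table.
resource "yandex_vpc_subnet" "private" {
  name           = "private-a"
  zone           = "ru-central1-a"          # placeholder zone
  network_id     = var.network_id
  v4_cidr_blocks = ["10.10.0.0/24"]         # placeholder CIDR
  route_table_id = yandex_vpc_route_table.private.id
}
```

A subnet without the `route_table_id` binding keeps the default routing and its VMs stay without internet access, which is the expected state for hosts that should never initiate outbound connections.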
DNS security
To increase fault tolerance, some traffic may be routed to third-party recursive resolvers. To avoid this, contact support.