2. Network security
This section provides users with recommendations on security settings in Yandex Virtual Private Cloud.
To isolate applications from each other, put resources in different security groups, and, if strict isolation is required, in different networks. By default, internal network traffic is allowed, while traffic between networks is not. Traffic between networks is only allowed via a VM with two network interfaces in different networks, VPN, or Yandex Cloud Interconnect.
2.1 Cloud objects use a firewall or security groups
With built-in security groups, you can manage VM access to resources and security groups in Yandex Cloud or resources on the internet. A security group is a set of rules for incoming and outgoing traffic that can be assigned to a VM's network interface. Security groups work like a stateful firewall: they monitor the status of sessions and, if a rule allows a session to be created, they automatically allow response traffic. For a guide on how to set up security groups, see Creating a security group. You can specify a security group in the VM settings.
You can use security groups to protect:
- VM
- Managed databases
- Yandex Application Load Balancer load balancers
- Yandex Managed Service for Kubernetes clusters
The list of available services is being extended.
You can manage network access without security groups, e.g., by using a separate VM as a firewall based on an NGFW image from Yandex Cloud Marketplace or a custom image. Using the NGFW can be critical to customers if they need the following features:
- Logging network connections.
- Streaming traffic analysis for malicious content.
- Detecting network attacks by signature.
- Other features of conventional NGFW solutions.
Make sure you use security groups in your clouds on each cloud object, or a separate VM based on the NGFW from Cloud Marketplace, or the Bring Your Own Image (BYOI) approach that allows you to deploy your own equipment or system images.
Check if there are security groups in different objects:
- Open the Yandex Cloud management console in your browser.
- Go to each cloud and folder and open all resources listed in "Objects that security groups can be applied to", one by one.
- In the object settings, find the Security group parameter and make sure that at least one security group is assigned.
- If the parameters of each object with security group support have at least one group set, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
Check whether the NGFW is used instead of security groups:
- Open the Yandex Cloud management console in your browser.
- Go to each cloud and folder and open all VM disks one by one.
- In the disk settings, find the Marketplace product parameter.
- If the disk's Marketplace product parameters have one of the NGFW product names specified: Check Point CloudGuard IaaS — Firewall & Threat Prevention PAYG or UserGate NGFW, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Run the command below to search for cloud objects with no security group:
  export ORG_ID=<Organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      for VM_ID in $(yc compute instance list --folder-id=$FOLDER_ID --format=json | jq -r '.[].id'); do
        # print the VM ID once if any of its network interfaces has no security group attached
        yc compute instance get --id=$VM_ID --format=json \
          | jq -r 'select(any(.network_interfaces[]; (.security_group_ids // []) | length == 0)) | .id'
      done
    done
  done
- If an empty string is output, the recommendation is fulfilled. If you get the cloud resource ID in the output, proceed to Guides and solutions to use.
Check whether the NGFW is used instead of a security group:
- Run the command to search for the NGFW in the cloud. By default, the command searches for Check Point or UserGate. If you use a custom image, specify its product ID instead.
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      for DISK_ID in $(yc compute disk list --folder-id=$FOLDER_ID --format=json | jq -r '.[].id'); do
        # print the disk ID if the disk was created from one of the NGFW Marketplace products
        yc compute disk get --id=$DISK_ID --format=json \
          | jq -r 'select(.product_ids[0]=="f2ecl4ak62mjbl13qj5f" or .product_ids[0]=="f2eqc5sac8o5oic7m99k") | .id'
      done
    done
  done
- If you get the ID of a disk belonging to a VM with the NGFW in the output, the recommendation is fulfilled. If you get an empty string, proceed to Guides and solutions to use.
Guides and solutions to use:
- Apply security groups to any objects that have no group.
- To apply security groups through Terraform, set up security groups (dev/stage/prod) using Terraform.
- To use the NGFW, install the NGFW on your VM: Check Point.
- Refer to this guide on using the UserGate NGFW in the cloud.
- Use NGFW in active-passive mode.
2.2 Virtual Private Cloud has at least one security group
To apply security groups to your cloud objects in Virtual Private Cloud, make sure there is at least one security group. You can also create a default security group that will be assigned to cloud objects when connecting to subnets if they have no security group. Make sure that each network has at least one security group.
- Open the Yandex Cloud console in your browser.
- Go to each cloud and then to each folder and each Virtual Private Cloud.
- Go to Security groups.
- If at least one security group for each Virtual Private Cloud or the default security group is found, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Run the command below to search for folders with no security group:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "SG_ID: "
      # list the IDs of all security groups in the folder (nothing is printed if there are none)
      yc vpc security-group list --folder-id=$FOLDER_ID --format=json | jq -r '.[].id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If every FOLDER_ID in the output is preceded by at least one SG_ID value, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
Guides and solutions to use:
Create a security group in each Virtual Private Cloud with restricted access rules, so that it can be assigned to cloud objects.
2.3 Security groups have no access rule that is too broad
A security group lets you grant network access to absolutely any IP address on the internet as well as across all port ranges. A dangerous rule looks as follows:
- Port range: 0 to 65535 or empty.
- Protocol: Any or TCP/UDP.
- Source: CIDR.
- CIDR blocks: 0.0.0.0/0 (access from any IP address) or ::/0 (ipv6).
Warning: if no port range is set, access is granted across all ports (0-65535).
Make sure to allow access only through the ports your application requires and only from the IP addresses that need to connect to your objects.
- Open the Yandex Cloud console in your browser.
- Go to each cloud and then to each folder and each Virtual Private Cloud.
- Go to Security groups.
- If there is no security group containing network access rules that allow access through any port and from any IP address (for explanation, see above), the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Find security groups with a dangerous access rule:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "SG_ID: "
      # any() evaluates each rule on its own, so fields of different rules are never combined;
      # a rule with no port range means all ports, and ::/0 is checked alongside 0.0.0.0/0
      yc vpc security-group list --folder-id=$FOLDER_ID --format=json \
        | jq -r '.[] | select(any(.rules[];
              .direction == "INGRESS"
              and ((.ports | not) or ((.ports.to_port | tostring) == "65535"))
              and (any((.cidr_blocks.v4_cidr_blocks // [])[]; . == "0.0.0.0/0")
                   or any((.cidr_blocks.v6_cidr_blocks // [])[]; . == "::/0")))) | .id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If SG_ID next to each FOLDER_ID is empty, the recommendation is fulfilled. If you see a non-empty SG_ID, proceed to Guides and solutions to use.
Guides and solutions to use:
Delete the dangerous rule in each security group or edit it by specifying trusted IPs.
2.4 Access through control ports is only allowed for trusted IPs
We recommend that you only allow access to your cloud infrastructure through control ports from trusted IP addresses. Make sure your access rules specified in the security group contain no broad rules that allow access through control ports:
- Port range: 22, 3389, or 21.
- Protocol: TCP.
- Source: CIDR.
- CIDR blocks: 0.0.0.0/0 (access from any IP address) or ::/0 (ipv6).
- Open the Yandex Cloud console in your browser.
- Go to each cloud and then to each folder and each Virtual Private Cloud.
- Go to Security groups.
- If there is no security group containing network access rules that allow access through control ports from any IP address (for explanation, see above), the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Run the command below to search for security groups with dangerous access rules:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "SG_ID: "
      # any() evaluates each rule on its own; to_port is compared as a string because yc prints int64 values as strings
      yc vpc security-group list --folder-id=$FOLDER_ID --format=json \
        | jq -r '.[] | select(any(.rules[];
              .direction == "INGRESS"
              and ((.ports.to_port | tostring) | . == "22" or . == "3389" or . == "21")
              and (any((.cidr_blocks.v4_cidr_blocks // [])[]; . == "0.0.0.0/0")
                   or any((.cidr_blocks.v6_cidr_blocks // [])[]; . == "::/0")))) | .id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If SG_ID next to each FOLDER_ID is empty, the recommendation is fulfilled; if SG_ID is not empty, proceed to Guides and solutions to use.
Guides and solutions to use:
Delete the dangerous rule in each security group or specify trusted IPs.
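As an added example (not part of the Yandex Cloud checklist), the following Python script applies the criteria of sections 2.3 and 2.4 to the JSON that yc vpc security-group list --format=json returns: each rule is judged on its own, a missing port range counts as all ports, and both 0.0.0.0/0 and ::/0 are treated as "anywhere". The keys rules, direction, ports.from_port/to_port and cidr_blocks.v4_cidr_blocks are the ones the checks above use; protocol_name and v6_cidr_blocks are assumed field names, and the sample groups are constructed.

```python
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
CONTROL_PORTS = {21, 22, 3389}          # FTP, SSH, RDP, as listed in section 2.4
ALL_PORTS = (0, 65535)

def port_range(rule):
    """(from, to) of a rule; a missing or empty range means all ports, per the warning in 2.3."""
    ports = rule.get("ports") or {}
    if not ports:
        return ALL_PORTS
    # yc prints int64 fields as JSON strings; int() accepts both strings and numbers
    return int(ports.get("from_port", 0)), int(ports.get("to_port", 65535))

def from_anywhere(rule):
    """True if the source CIDR list contains 0.0.0.0/0 or ::/0 (v6_cidr_blocks is an assumed key)."""
    cidr = rule.get("cidr_blocks") or {}
    blocks = (cidr.get("v4_cidr_blocks") or []) + (cidr.get("v6_cidr_blocks") or [])
    return ANY_V4 in blocks or ANY_V6 in blocks

def classify_rule(rule):
    """Label one rule as a 2.3 or 2.4 finding, or None when it is not overly broad."""
    if rule.get("direction") != "INGRESS" or not from_anywhere(rule):
        return None
    lo, hi = port_range(rule)
    proto = rule.get("protocol_name", "ANY").upper()   # assumed field name
    if (lo, hi) == ALL_PORTS and proto in ("ANY", "TCP", "UDP"):
        return "all-ports-from-anywhere"
    exposed = [p for p in sorted(CONTROL_PORTS) if lo <= p <= hi]
    if exposed and proto in ("ANY", "TCP"):
        return "control-ports-from-anywhere:" + ",".join(map(str, exposed))
    return None

def audit(groups):
    """Map each security group id to its findings; an empty list means the group is compliant."""
    return {sg["id"]: [f for f in map(classify_rule, sg.get("rules", [])) if f] for sg in groups}

# Constructed sample in the shape of `yc vpc security-group list --format=json`
SAMPLE = json.loads("""[
 {"id": "sg-a", "rules": [
  {"direction": "INGRESS", "protocol_name": "TCP", "ports": {"from_port": "22", "to_port": "22"}, "cidr_blocks": {"v4_cidr_blocks": ["10.0.0.0/8"]}},
  {"direction": "EGRESS", "protocol_name": "ANY", "ports": {"from_port": "0", "to_port": "65535"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}]},
 {"id": "sg-b", "rules": [
  {"direction": "INGRESS", "protocol_name": "ANY", "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}]},
 {"id": "sg-c", "rules": [
  {"direction": "INGRESS", "protocol_name": "TCP", "ports": {"from_port": "3389", "to_port": "3389"}, "cidr_blocks": {"v6_cidr_blocks": ["::/0"]}},
  {"direction": "INGRESS", "protocol_name": "TCP", "ports": {"from_port": "20", "to_port": "22"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}]}
]""")

if __name__ == "__main__":
    for sg_id, findings in audit(SAMPLE).items():
        print(sg_id, findings or "ok")
```

sg-a stays compliant even though it combines an ingress rule with an all-ports egress rule from 0.0.0.0/0, the combination that a filter comparing fields across different rules would wrongly flag.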
2.5 DDoS protection is enabled
Yandex Cloud has basic and extended DDoS protection. Make sure to use at least basic protection.
- Yandex DDoS Protection is a Virtual Private Cloud component that safeguards cloud resources from DDoS attacks. DDoS Protection is provided in partnership with Qrator Labs. You can enable it yourself for an external IP address through cloud administration tools. Supported up to OSI L4.
- Advanced DDoS protection operates at Levels 3 and 7 of the OSI model. You can also monitor load and attack parameters and enable Solidwall WAF in your Qrator Labs account. To enable advanced protection, contact your manager or technical support.
- Open the Yandex Cloud console in your browser.
- Open all created networks.
- Go to IP addresses.
- If all the public IP addresses have the DDoS protection column set to Enabled, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
Contact your account manager to find out if you have extended DDoS protection activated.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Run the command below to search for IP addresses with no DDoS protection:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "Address_ID: "
      # print every external address whose DDoS protection provider is not Qrator
      yc vpc address list --folder-id=$FOLDER_ID --format=json \
        | jq -r '.[] | select(.external_ipv4_address.requirements.ddos_protection_provider == "qrator" | not) | .id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If Address_ID next to each FOLDER_ID is empty, the recommendation is fulfilled; otherwise, proceed to Guides and solutions to use.
Guides and solutions to use:
- All materials about DDoS protection in Yandex Cloud.
2.6 Protected remote access is used
To enable administrators to establish remote connections to your cloud resources, use one of the following:
- Site-to-site VPN between a remote site, e.g., your office, and a cloud. As a remote access gateway, use a VM featuring a site-to-site VPN based on an image from Cloud Marketplace. Setup options:
  - Creating an IPsec VPN tunnel using strongSwan.
  - Creating a site-to-site VPN connection to Yandex Cloud using Terraform.
- Client VPN between remote devices and Yandex Cloud. As a remote access gateway, use a VM featuring a client VPN based on an image from Cloud Marketplace. See the guide in Creating a VPN connection using OpenVPN. You can also use certified data cryptographic security tools.
- Dedicated private connection between a remote site and Yandex Cloud using Cloud Interconnect.
To access the infrastructure using control protocols (such as SSH or RDP), create a bastion VM. You can do this using a free Teleport
For better control of administrative actions, we recommend that you use PAM (Privileged Access Management) solutions that support administrator session logging (for example, Teleport). For SSH and VPN access, we recommend that you avoid using passwords and use public keys, X.509 certificates, and SSH certificates instead. When setting up SSH for your VMs, we recommend that you use the SSH certificates (including for the SSH host).
To access web services deployed in the cloud, use TLS version 1.2 or higher.
- Open the Yandex Cloud console in your browser.
- Open all created networks.
- Go to the Route tables section.
- If routes to remote sites' private networks through VMs with a VPN gateway are found, the recommendation is fulfilled.
- Check the VMs in each cloud for VPN gateways. In addition, check if their security groups have open ports for the VPN.
Contact your account manager to find out if you have Cloud Interconnect activated. If yes, check if remote access is used.
2.7 Outbound internet access control is performed
Possible options for setting up outbound internet access:
- Public IP address. Assigned to a VM according to the one-to-one NAT rule.
- Egress NAT (NAT gateway). Enables internet access for a subnet through a shared pool of Yandex Cloud public IP addresses. We do not recommend using Egress NAT for critical interactions, since the NAT gateway's IP address might be used by multiple clients at the same time. This feature must be taken into account when modeling threats for your infrastructure.
- NAT instance. The NAT function is performed by a separate VM. You can create this VM using a NAT instance image from Cloud Marketplace.
Comparison of internet access methods:
(Table columns: Public IP address, Egress NAT, NAT instance; rows: Advantages, Disadvantages. The cell contents are not present in this copy of the page.)
Regardless of which option you select for setting up outbound internet access, be sure to limit traffic using one of the mechanisms described above. To build a secure system, use static IP addresses, since they can be added to the list of exceptions of the receiving party's firewall.
- Open the Yandex Cloud console in your browser.
- Go to the appropriate folder.
- Go to IP addresses.
- If no public IP addresses are listed, or every listed address is confirmed to be required, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.
- See what organizations are available to you and write down the ID you need:
  yc organization-manager organization list
- Run the command below to search for all VMs with public IPs:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "VM_ID: "
      # print each VM once if any of its interfaces has a public (one-to-one NAT) address
      yc compute instance list --folder-id=$FOLDER_ID --format=json \
        | jq -r '.[] | select(any(.network_interfaces[]; .primary_v4_address.one_to_one_nat.address)) | .id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If VM_ID next to each FOLDER_ID is empty, the recommendation is fulfilled; otherwise, proceed to Guides and solutions to use.
- Run the command below to see if there is Egress NAT (NAT gateway):
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      echo "NAT_GW: "
      # list the IDs of all gateways in the folder
      yc vpc gateway list --folder-id=$FOLDER_ID --format=json | jq -r '.[].id'
      echo "FOLDER_ID: " $FOLDER_ID
      echo "-----"
    done
  done
- If NAT_GW next to each FOLDER_ID is empty, the recommendation is fulfilled; otherwise, proceed to Guides and solutions to use.
- Run the command below to see if there is a NAT instance:
  export ORG_ID=<organization ID>
  for CLOUD_ID in $(yc resource-manager cloud list --organization-id=${ORG_ID} --format=json | jq -r '.[].id'); do
    for FOLDER_ID in $(yc resource-manager folder list --cloud-id=$CLOUD_ID --format=json | jq -r '.[].id'); do
      for DISK_ID in $(yc compute disk list --folder-id=$FOLDER_ID --format=json | jq -r '.[].id'); do
        # print the disk ID if the disk was created from the NAT instance Marketplace product
        yc compute disk get --id=$DISK_ID --format=json \
          | jq -r 'select(.product_ids[0]=="fd8v7ru46kt3s4o5f0uo") | .id'
      done
    done
  done
- If an empty string is output, the recommendation is fulfilled. If you see the NAT instance ID, proceed to Guides and solutions to use.
Guides and solutions to use:
- If any VM has public IPs, make sure they are required. Otherwise, delete an external IP address in the VM settings.
- If any NAT-Gateway is found, make sure it is required. Otherwise, delete it.
- If any NAT instance is found, make sure it is required. Otherwise, delete it.
2.8 DNS queries are not provided to third-party recursive resolvers
To increase fault tolerance, some traffic may be routed to third-party recursive resolvers. To avoid this, contact support.