Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Connecting a security profile to a resource

Written by
Updated at April 28, 2026

To protect your resource using Smart Web Security, connect a Yandex Smart Web Security profile to a virtual host, domain, or API gateway.

Connecting to a virtual host

The connection method depends on the Yandex Application Load Balancer management method.

  • If the load balancer is managed by you, use the Yandex Cloud interfaces.

  • If the load balancer is managed by a controller, use an annotation.

    Warning

    For an ingress controller, connect the security profile only via an annotation.

    If you connect the profile via the Yandex Cloud interfaces and then update the Ingress resource, the security profile will be disabled due to the lack of annotation.

To work with a security profile that connects to a load balancer, you will need a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, and logging.writer roles. For more information, see Assigning roles to a service account.

To connect a security profile to a virtual host:

  1. In the management console, select the folder containing the security profile.

  2. Go to Smart Web Security.

  3. In the left-hand panel, select Security profiles.

  4. Select the security profile you want to connect to the virtual host Yandex Application Load Balancer.

  5. Click Connect to host.

  6. In the window that opens, click Add resource and select Virtual host.

  7. Set the Load balancer, HTTP router, and Virtual host values one by one. You can associate the security profile with multiple virtual hosts at once.

    To associate the profile with another L7 load balancer, click Add resource and select Virtual host.

  8. Click Connect. If the selected hosts are already connected to another security profile, confirm the connection.

    You will see the connected virtual hosts under Connected resources.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list

    Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
|          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
+----------------------+-------------------+---------------------+----------------+------------+-------------+
| fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
| fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
+----------------------+-------------------+---------------------+----------------+------------+-------------+

  2. To view a list of HTTP routers in the default folder, run this command:

    yc application-load-balancer http-router list

    Result:

    +----------------------+-------------------+-------------+-------------+
|          ID          |       NAME        | VHOST COUNT | ROUTE COUNT |
+----------------------+-------------------+-------------+-------------+
| ds7e9te73uak******** |  my-first-router  |           1 |           1 |
+----------------------+-------------------+-------------+-------------+

  3. To view a list of virtual hosts for the selected HTTP router, run this command:

    yc application-load-balancer http-router get <HTTP_router_name_or_ID>

    Result:

    id: ds7e9te73uak********
name: my-first-router
folder_id: b1gt6g8ht345********
virtual_hosts:
  - name: test-virtual-host
    routes:
      - name: test-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7a4niks9qv********
            timeout: 60s
            auto_host_rewrite: false
    route_options: {}
created_at: "2024-08-05T08:34:03.973000654Z"

    Names of virtual hosts are specified in the virtual_hosts.name parameter. The example above features only one virtual host: test-virtual-host.

  4. To connect a security profile to a virtual host, run this command:

    yc application-load-balancer virtual-host update <virtual_host_name> \
   --http-router-name <HTTP_router_name> \
   --security-profile-id <security_profile_ID>

    Where:

    • <virtual_host_name>: Virtual host name from the previous step.
    • --http-router-name: HTTP router name. This is a required setting. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
    • --security-profile-id: Security profile ID. This is a required setting.

    Result:

    done (1s)
name: test-virtual-host
routes:
  - name: test-route
    http:
      match:
        path:
          prefix_match: /
      route:
        backend_group_id: ds7a4niks9qv********
        timeout: 60s
        auto_host_rewrite: false
route_options:
  security_profile_id: fev3s055oq64********

For more information about the yc application-load-balancer virtual-host update command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

You can connect a Yandex Smart Web Security profile to a Yandex Application Load Balancer in the virtual host settings.

  1. In the Terraform configuration file, for the yandex_alb_virtual_host resource, specify security_profile_id under route_options.

    resource "yandex_alb_virtual_host" "my-virtual-host" {
  name                    = "<virtual_host_name>"
  ...

  route_options {
    security_profile_id   = "<security_profile_ID>"
  }
}

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

You can check the update using the management console or this CLI command:

yc alb http-router get <HTTP_router_ID>

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call in Application Load Balancer.

Tip

We recommend using the new Yandex Cloud Gwin controller instead of an ALB Ingress controller and Gateway API.

Use the following annotations:

Tip

To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.

The security profile is assigned to a particular virtual host of the L7 load balancer, with all incoming host traffic analyzed. If analysis of traffic to certain host routes is not required, disable the security profile for those routes. You can do this by using the --disable-security-profile (disableSecurityProfile) parameter when adding or updating a route via the CLI, API, or Terraform.

When adding routes, consider their order: a request will follow the first route with a matching predicate, so place the most specific routes first. Otherwise, the shared route may intercept requests, and the specific rules will not apply.

Connecting to a domain

  1. In the management console, select the folder containing the security profile.

  2. In the left-hand panel, select Security profiles.

  3. Select the security profile you want to connect to a domain.

  4. Click Connect to host.

  5. In the window that opens, click Add resource and select Domain.

  6. Set the Proxy server and Domain values one by one. You can connect the security profile to multiple domains at once.

  7. Click Connect.

    You will see the connected domains under Connected resources.

Connecting to an API gateway

  1. In the management console, select the folder containing the security profile.

  2. In the left-hand panel, select Security profiles.

  3. Select the security profile you want to connect to the API gateway.

  4. Click Connect to host.

  5. In the window that opens, click Add resource and select API gateway.

  6. Set a value in the API gateway field.

  7. Click Connect.

    You will see the connected API gateways under Connected resources.

See also

Previous
Deleting a rule
Next
Disconnecting a profile from a resource