© 2025 Direct Cursus Technology L.L.C.

Connecting a security profile to a virtual host

Written by
Yandex Cloud
Updated at May 5, 2025

The security profile connection method depends on who manages the Yandex Application Load Balancer load balancer:

  • If the load balancer is managed by you, use the Yandex Cloud interfaces.

  • If the load balancer is managed by an Application Load Balancer Ingress controller, use the Ingress resource annotation.

    Warning

    An annotation is the only way for an Ingress controller to connect a security profile.

    If you connect the profile via the Yandex Cloud interfaces and then update the Ingress resource, the Ingress controller will disable support for the security profile because the annotation is missing.

    To learn more about Ingress controller settings, see the Yandex Managed Service for Kubernetes documentation.

    Note

    To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

To connect a security profile to a virtual host:

Management console

  1. In the management console, select the folder containing the security profile.

  2. In the list of services, select Smart Web Security.

  3. Select the security profile to connect to the Yandex Application Load Balancer virtual host.

  4. Click Connect to host and in the window that opens, select:

    • Load balancer.

    • HTTP router.

    • Virtual host. You can connect the security profile to multiple virtual hosts at once.

      To connect the profile to another L7 load balancer, click Add load balancer.

  5. Click Connect. If the selected hosts are already connected to another security profile, confirm the connection.

    In the Connected hosts tab, you will see the connected virtual hosts.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list
    

    Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
    |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
    +----------------------+-------------------+---------------------+----------------+------------+-------------+
    | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
    | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
    +----------------------+-------------------+---------------------+----------------+------------+-------------+
    
  2. To view a list of HTTP routers in the default folder, run this command:

    yc application-load-balancer http-router list
    

    Result:

    +----------------------+-------------------+-------------+-------------+
    |          ID          |       NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+-------------------+-------------+-------------+
    | ds7e9te73uak******** |  my-first-router  |           1 |           1 |
    +----------------------+-------------------+-------------+-------------+
    
  3. To view a list of virtual hosts for the selected HTTP router, run this command:

    yc application-load-balancer http-router get <HTTP_router_name_or_ID>
    

    Result:

    id: ds7e9te73uak********
    name: my-first-router
    folder_id: b1gt6g8ht345********
    virtual_hosts:
      - name: test-virtual-host
        routes:
          - name: test-route
            http:
              match:
                path:
                  prefix_match: /
              route:
                backend_group_id: ds7a4niks9qv********
                timeout: 60s
                auto_host_rewrite: false
        route_options: {}
    created_at: "2024-08-05T08:34:03.973000654Z"
    

    Names of virtual hosts are specified in the virtual_hosts.name parameter. The example above features only one virtual host: test-virtual-host.

  4. To connect a security profile to a virtual host, run this command:

    yc application-load-balancer virtual-host update <virtual_host_name> \
       --http-router-name <HTTP_router_name> \
       --security-profile-id <security_profile_ID>
    

    Where:

    • <virtual_host_name>: Virtual host name from the previous step.
    • --http-router-name: HTTP router name. This is a required parameter. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
    • --security-profile-id: Security profile ID. This is a required parameter.

    Result:

    done (1s)
    name: test-virtual-host
    routes:
      - name: test-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7a4niks9qv********
            timeout: 60s
            auto_host_rewrite: false
    route_options:
      security_profile_id: fev3s055oq64********
    

For more information about the yc application-load-balancer virtual-host update command, see the CLI reference.
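
To confirm coverage after connecting profiles, the check below walks the virtual_hosts list from the http-router get output and reports hosts with no security_profile_id, or with a different one than expected. It is an added example, not part of the Yandex Cloud documentation or tooling; it assumes the router is fetched with the CLI's global --format json flag and that the JSON keys match the YAML shown above, and audit_router and the sample IDs are constructed for illustration.

```python
"""Audit an HTTP router for virtual hosts with no (or the wrong) security profile."""
import json
import sys

# Constructed sample shaped like the `http-router get` result shown above.
# Assumption: `--format json` output uses the same keys as the YAML output.
SAMPLE_ROUTER = json.loads("""
{
  "name": "my-first-router",
  "virtual_hosts": [
    {"name": "test-virtual-host",
     "route_options": {"security_profile_id": "profile-a-placeholder"}},
    {"name": "legacy-host", "route_options": {}},
    {"name": "api-host"},
    {"name": "shop-host",
     "route_options": {"security_profile_id": "profile-b-placeholder"}}
  ]
}
""")


def audit_router(router, expected_profile_id=None):
    """Return (virtual_host_name, finding) pairs; an empty list means full coverage."""
    findings = []
    for vhost in router.get("virtual_hosts") or []:
        # route_options may be absent, null or {} when no profile is connected.
        options = vhost.get("route_options") or {}
        profile_id = options.get("security_profile_id") or ""
        name = vhost.get("name", "<unnamed>")
        if not profile_id:
            findings.append((name, "no security profile connected"))
        elif expected_profile_id and profile_id != expected_profile_id:
            findings.append((name, f"unexpected profile {profile_id}"))
    return findings


if __name__ == "__main__":
    # Usage: yc application-load-balancer http-router get <HTTP_router_name_or_ID> \
    #            --format json | python3 audit_router.py [<security_profile_ID>]
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    router = json.loads(piped) if piped.strip() else SAMPLE_ROUTER
    expected = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_router(router, expected)
    for host, finding in results:
        print(f"{router.get('name', '?')}/{host}: {finding}")
    # Non-zero exit only for real input, so the check can gate a pipeline.
    sys.exit(1 if piped.strip() and results else 0)
```
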

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

You can connect a Yandex Smart Web Security security profile to a Yandex Application Load Balancer load balancer in the virtual host settings.

  1. In the Terraform configuration file for the yandex_alb_virtual_host resource, specify the security_profile_id parameter in the route_options section.

    resource "yandex_alb_virtual_host" "my-virtual-host" {
      name = "<virtual_host_name>"
      # ... other virtual host parameters

      route_options {
        security_profile_id = "<security_profile_ID>"
      }
    }
    
  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      
    3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply
      
    5. Confirm the changes: type yes in the terminal and press Enter.

You can check that the resources were updated using the management console or this CLI command:

    yc alb http-router get <HTTP_router_ID>

API

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call of the Application Load Balancer service.

Tip

To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.

See also

  • Disconnecting a security profile from a virtual host
