Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Connecting a security profile to a virtual host

Written by
Updated at November 2, 2024

The security profile connection method depends on who manages the Yandex Application Load Balancer load balancer:

  • If the load balancer is managed by you, use the Yandex Cloud interfaces.

  • If the load balancer is managed by an Application Load Balancer Ingress controller, use the Ingress resource annotation.

    Warning

    Annotation is the only way for an Ingress controller to connect the security profile.

    If you connect the profile via the Yandex Cloud interfaces and then update the Ingress resource, the Ingress controller will disable the support of the security profile due to the lack of annotation.

    To learn more about Ingress controller settings, see the Yandex Managed Service for Kubernetes documentation.

    Note

    To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

To connect a security profile using the Yandex Cloud interfaces:

  1. In the management console, select the folder containing the security profile you need.

  2. In the list of services, select Smart Web Security.

  3. Select the security profile to connect to the Yandex Application Load Balancer virtual host.

  4. Click Connect to host and in the window that opens, select:

    • Load balancer.

    • HTTP router.

    • Virtual host. You can connect the security profile to multiple virtual hosts at once.

      To connect the profile to another L7 load balancer, click Add load balancer.

  5. Click Connect. If the selected hosts are already connected to another security profile, confirm the connection.

    In the Connected hosts tab, you will see the connected virtual hosts.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list

    Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
|          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
+----------------------+-------------------+---------------------+----------------+------------+-------------+
| fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
| fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
+----------------------+-------------------+---------------------+----------------+------------+-------------+

  2. To view a list of HTTP routers in the default folder, run this command:

    yc application-load-balancer http-router list

    Result:

    +----------------------+-------------------+-------------+-------------+
|          ID          |       NAME        | VHOST COUNT | ROUTE COUNT |
+----------------------+-------------------+-------------+-------------+
| ds7e9te73uak******** |  my-first-router  |           1 |           1 |
+----------------------+-------------------+-------------+-------------+

  3. To view a list of virtual hosts for the selected HTTP router, run this command:

    yc application-load-balancer http-router get <HTTP_router_name_or_ID>

    Result:

    id: ds7e9te73uak********
name: my-first-router
folder_id: b1gt6g8ht345********
virtual_hosts:
  - name: test-virtual-host
    routes:
      - name: test-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7a4niks9qv********
            timeout: 60s
            auto_host_rewrite: false
    route_options: {}
created_at: "2024-08-05T08:34:03.973000654Z"

    Names of virtual hosts are specified in the virtual_hosts.name parameter. The example above features only one virtual host: test-virtual-host.

  4. To connect a security profile to a virtual host, run this command:

    yc application-load-balancer virtual-host update <virtual_host_name> \
   --http-router-name <HTTP_router_name> \
   --security-profile-id <security_profile_ID>

    Where:

    • <virtual_host_name>: Virtual host name from the previous step.
    • --http-router-name: HTTP router name. This is a required parameter. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
    • --security-profile-id: Security profile ID. This is a required parameter.

    Result:

    done (1s)
name: test-virtual-host
routes:
  - name: test-route
    http:
      match:
        path:
          prefix_match: /
      route:
        backend_group_id: ds7a4niks9qv********
        timeout: 60s
        auto_host_rewrite: false
route_options:
  security_profile_id: fev3s055oq64********

For more information about the yc application-load-balancer virtual-host update command, see the CLI reference.

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call of the Application Load Balancer service.

Tip

To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.

See also

Previous
Deleting a rule
Next
Disconnecting a profile from a host