Connecting a security profile to a resource
Connecting to a virtual host
The way you connect a security profile depends on who manages the Yandex Application Load Balancer:
- If you manage it yourself, use the Yandex Cloud interfaces (management console, CLI, Terraform, or API).
- If the load balancer is managed by an Application Load Balancer ingress controller, use the Ingress resource annotation.
Warning
For a load balancer managed by the ingress controller, the annotation is the only supported way to connect a security profile. If you connect the profile via the Yandex Cloud interfaces instead and then update the Ingress resource, the ingress controller will remove the security profile from the virtual host, because it brings the load balancer in line with the Ingress resource and the annotation is missing there.
To learn more about the ingress controller settings, see the Yandex Managed Service for Kubernetes documentation.
Tip
We recommend using the new Yandex Cloud Gwin controller instead of the Application Load Balancer Ingress controller.
Note
To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.
To work with a security profile that connects to a load balancer, you will need a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, and logging.writer roles. For more information, see Assigning roles to a service account.
Management console
To connect a security profile to a virtual host:
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- Select the security profile you want to connect to the Yandex Application Load Balancer virtual host.
- Click Connect to host and, in the window that opens, select:
  - Virtual host: you can associate the security profile with multiple virtual hosts at once. To associate the profile with a virtual host of another L7 load balancer, click Add load balancer.
- Click Connect. If any of the selected hosts are already connected to another security profile, confirm the connection: a virtual host has a single security profile, so the new profile replaces the previous one on those hosts.
The connected virtual hosts are listed in the Connected hosts tab.
CLI
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified in the CLI profile created during initialization. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- To view the list of security profiles in the default folder, run:
  ```bash
  yc smartwebsecurity security-profile list
  ```
  Result:
  ```text
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
  | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  ```
- To view the list of HTTP routers in the default folder, run:
  ```bash
  yc application-load-balancer http-router list
  ```
  Result:
  ```text
  +----------------------+-------------------+-------------+-------------+
  |          ID          |       NAME        | VHOST COUNT | ROUTE COUNT |
  +----------------------+-------------------+-------------+-------------+
  | ds7e9te73uak******** | my-first-router   |           1 |           1 |
  +----------------------+-------------------+-------------+-------------+
  ```
- To view the virtual hosts of the selected HTTP router, run:
  ```bash
  yc application-load-balancer http-router get <HTTP_router_name_or_ID>
  ```
  Result:
  ```yaml
  id: ds7e9te73uak********
  name: my-first-router
  folder_id: b1gt6g8ht345********
  virtual_hosts:
    - name: test-virtual-host
      routes:
        - name: test-route
          http:
            match:
              path:
                prefix_match: /
            route:
              backend_group_id: ds7a4niks9qv********
              timeout: 60s
              auto_host_rewrite: false
      route_options: {}
  created_at: "2024-08-05T08:34:03.973000654Z"
  ```
  Virtual host names are given in the virtual_hosts.name field. The example above has only one virtual host, test-virtual-host; its route_options field is empty ({}), which means no security profile is connected to it yet.
- To connect a security profile to a virtual host, run:
  ```bash
  yc application-load-balancer virtual-host update <virtual_host_name> \
    --http-router-name <HTTP_router_name> \
    --security-profile-id <security_profile_ID>
  ```
  Where:
  - <virtual_host_name>: Virtual host name from the previous step.
  - --http-router-name: HTTP router name. This is a required parameter. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
  - --security-profile-id: Security profile ID. This is a required parameter.
  Result:
  ```yaml
  done (1s)
  name: test-virtual-host
  routes:
    - name: test-route
      http:
        match:
          path:
            prefix_match: /
        route:
          backend_group_id: ds7a4niks9qv********
          timeout: 60s
          auto_host_rewrite: false
  route_options:
    security_profile_id: fev3s055oq64********
  ```
  The security_profile_id under route_options now references the connected profile; check it after every update, since a later update without --security-profile-id does not disconnect the profile, but a configuration-management tool that omits the field may.
For more information about the yc application-load-balancer virtual-host update command, see the CLI reference.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
You can connect a Yandex Smart Web Security profile to a Yandex Application Load Balancer virtual host in the virtual host settings:
- In the Terraform configuration file, in the yandex_alb_virtual_host resource, specify security_profile_id under route_options:
  ```hcl
  resource "yandex_alb_virtual_host" "my-virtual-host" {
    name = "<virtual_host_name>"
    ...
    route_options {
      security_profile_id = "<security_profile_ID>"
    }
  }
  ```
- Apply the changes:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    ```bash
    terraform validate
    ```
    If the configuration is correct, you will get this message:
    ```text
    Success! The configuration is valid.
    ```
  - Run this command:
    ```bash
    terraform plan
    ```
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
    ```bash
    terraform apply
    ```
  - Type yes and press Enter to confirm the changes.
- You can check the update in the management console or with this CLI command:
  ```bash
  yc alb http-router get <HTTP_router_ID>
  ```
  The virtual host's route_options must now contain the security_profile_id you specified.
API
Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call in Application Load Balancer, passing the security profile ID in the virtual host's route options (the route_options.security_profile_id field shown in the CLI output above).
Tip
To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.
The security profile is assigned to a particular virtual host of the L7 load balancer, and all incoming traffic to that host is analyzed. If traffic to certain routes of the host does not need to be analyzed, disable the security profile for those routes: use the --disable-security-profile (disableSecurityProfile) parameter when adding or updating a route via the CLI, API, or Terraform. Treat every such opt-out as a deliberate exception and review the list of opted-out routes periodically, since each of them is an unprotected path into the backend.
When adding routes, consider their order: a request follows the first route whose predicate matches, so place the most specific routes first. Otherwise, a broader route (for example, one with the / path prefix) may intercept requests meant for a more specific route, and the settings of the specific route, including its security profile opt-out, will never apply.
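As an added example (not part of the Yandex Cloud documentation or of the yc CLI), the following Python script applies the three checks from the CLI procedure and the two paragraphs above to the description of an HTTP router: every virtual host must carry a security_profile_id in its route_options, routes that opt out of the profile are listed so the exception is deliberate, and a route whose path prefix is covered by an earlier, broader prefix is reported as unreachable. It expects the JSON that `yc application-load-balancer http-router get <router> --format json` prints (the same structure as the YAML on this page, with snake_case keys); the sample router embedded below is constructed by hand to exercise each check, and the route-level `disable_security_profile` key is an assumption derived from the page's `disableSecurityProfile` parameter name, so adjust it to whatever your CLI version emits.

```python
"""Audit Smart Web Security coverage on an Application Load Balancer HTTP router.

Added example; not part of the Yandex Cloud documentation or the yc CLI.
Input: the JSON that `yc application-load-balancer http-router get <router> --format json`
prints (same structure as the YAML on this page). The sample below is constructed
by hand to exercise each check.
"""
import json
import sys

# Constructed sample: the page's router plus an unprotected second host,
# a route that opts out of the profile, and a route shadowed by a broader one.
SAMPLE_ROUTER_JSON = r"""
{
  "id": "ds7e9te73uak********",
  "name": "my-first-router",
  "virtual_hosts": [
    {
      "name": "test-virtual-host",
      "route_options": {"security_profile_id": "fev3s055oq64********"},
      "routes": [
        {"name": "static", "http": {"match": {"path": {"prefix_match": "/static/"}},
                                    "route": {"backend_group_id": "ds7a4niks9qv********"}},
         "route_options": {"disable_security_profile": true}},
        {"name": "catch-all", "http": {"match": {"path": {"prefix_match": "/"}},
                                       "route": {"backend_group_id": "ds7a4niks9qv********"}}},
        {"name": "admin", "http": {"match": {"path": {"prefix_match": "/admin/"}},
                                   "route": {"backend_group_id": "ds7a4niks9qv********"}}}
      ]
    },
    {
      "name": "legacy-host",
      "route_options": {},
      "routes": [
        {"name": "test-route", "http": {"match": {"path": {"prefix_match": "/"}},
                                        "route": {"backend_group_id": "ds7a4niks9qv********"}}}
      ]
    }
  ]
}
"""


def load_router(raw=SAMPLE_ROUTER_JSON):
    """Parse the router description (defaults to the constructed sample)."""
    return json.loads(raw)


def route_prefix(route):
    """Path prefix of an HTTP route, or None if it does not use prefix_match."""
    return route.get("http", {}).get("match", {}).get("path", {}).get("prefix_match")


def audit_router(router):
    """Return a list of (virtual_host, route_or_None, problem) tuples.

    1. every virtual host must have security_profile_id in route_options;
    2. routes that disable the profile are reported (key name assumed from the
       page's disableSecurityProfile parameter, check your CLI's output);
    3. a route whose prefix starts with an earlier route's broader prefix can
       never match, because ALB takes the first route whose predicate matches.
    """
    findings = []
    for vhost in router.get("virtual_hosts", []):
        host = vhost["name"]
        if not vhost.get("route_options", {}).get("security_profile_id"):
            findings.append((host, None, "no security profile connected"))
        seen = []  # (name, prefix) of routes placed before the current one
        for route in vhost.get("routes", []):
            name = route["name"]
            if route.get("route_options", {}).get("disable_security_profile"):
                findings.append((host, name, "security profile disabled for this route"))
            prefix = route_prefix(route)
            if prefix is None:
                continue
            for earlier_name, earlier_prefix in seen:
                if prefix != earlier_prefix and prefix.startswith(earlier_prefix):
                    findings.append((host, name, "unreachable: shadowed by broader route "
                                     f"{earlier_name} ({earlier_prefix})"))
                    break
            seen.append((name, prefix))
    return findings


def connect_command(router_name, host, profile_id):
    """argv of the page's `yc ... virtual-host update` call that connects a profile."""
    return ["yc", "application-load-balancer", "virtual-host", "update", host,
            "--http-router-name", router_name, "--security-profile-id", profile_id]


if __name__ == "__main__":
    # Pipe `yc application-load-balancer http-router get <router> --format json` in,
    # or run without input to audit the constructed sample.
    router = load_router(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTER_JSON)
    for host, route, problem in audit_router(router):
        print(f"{host}{'/' + route if route else ''}: {problem}")
        if route is None:
            print("  fix:", " ".join(connect_command(router["name"], host, "<security_profile_ID>")))
```

Run against the sample, the script reports the opted-out static route, the unreachable admin route behind the / catch-all, and the legacy-host virtual host with no profile, printing the exact yc command from the CLI procedure to fix the last one.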
Connecting to a domain
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- Select Domain protection → Domains.
- Select a domain.
- Click Connect a security profile and select a profile.
Connecting to an API gateway
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- Copy the ID of the profile you need.
- In the list of services, select API Gateway.
- When creating an API gateway, or in the specification of an existing one, add the x-yc-apigateway:smartWebSecurity extension.
- Specify the copied profile ID in the extension.