Connecting a security profile to a virtual host
The security profile connection method depends on who manages the Yandex Application Load Balancer load balancer:
- If the load balancer is managed by you, use the Yandex Cloud interfaces.
- If the load balancer is managed by an Application Load Balancer Ingress controller, use the Ingress resource annotation.
Warning
An annotation on the Ingress resource is the only way to connect a security profile when the load balancer is managed by an Ingress controller.
If you connect the profile via the Yandex Cloud interfaces and later update the Ingress resource, the Ingress controller will disconnect the security profile because the annotation is missing. Treat the annotation as the source of truth and re-check the virtual host after every Ingress change.
To learn more about Ingress controller settings, see the Yandex Managed Service for Kubernetes documentation.
Note
To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.
To connect a security profile using the Yandex Cloud interfaces:
- In the management console, select the folder containing the security profile you need.
- In the list of services, select Smart Web Security.
- Select the security profile to connect to the Yandex Application Load Balancer virtual host.
- Click Connect to host and, in the window that opens, select:
  - Virtual host. You can connect the security profile to multiple virtual hosts at once.
  To connect the profile to another L7 load balancer, click Add load balancer.
- Click Connect. If the selected hosts are already connected to another security profile, confirm the connection.
In the Connected hosts tab, you will see the connected virtual hosts.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- To view a list of current security profiles in the default folder, run this command:
  yc smartwebsecurity security-profile list
  Result:
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  | ID                   | NAME              | CREATED             | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
  | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
- To view a list of HTTP routers in the default folder, run this command:
  yc application-load-balancer http-router list
  Result:
  +----------------------+-------------------+-------------+-------------+
  | ID                   | NAME              | VHOST COUNT | ROUTE COUNT |
  +----------------------+-------------------+-------------+-------------+
  | ds7e9te73uak******** | my-first-router   |           1 |           1 |
  +----------------------+-------------------+-------------+-------------+
- To view a list of virtual hosts for the selected HTTP router, run this command:
  yc application-load-balancer http-router get <HTTP_router_name_or_ID>
  Result:
  id: ds7e9te73uak********
  name: my-first-router
  folder_id: b1gt6g8ht345********
  virtual_hosts:
    - name: test-virtual-host
      routes:
        - name: test-route
          http:
            match:
              path:
                prefix_match: /
            route:
              backend_group_id: ds7a4niks9qv********
              timeout: 60s
              auto_host_rewrite: false
      route_options: {}
  created_at: "2024-08-05T08:34:03.973000654Z"
  Names of virtual hosts are specified in the virtual_hosts.name parameter. The example above features only one virtual host: test-virtual-host.
- To connect a security profile to a virtual host, run this command:
  yc application-load-balancer virtual-host update <virtual_host_name> \
    --http-router-name <HTTP_router_name> \
    --security-profile-id <security_profile_ID>
  Where:
  - <virtual_host_name>: Virtual host name from the previous step.
  - --http-router-name: HTTP router name. This is a required parameter. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
  - --security-profile-id: Security profile ID. This is a required parameter.
  Result:
  done (1s)
  name: test-virtual-host
  routes:
    - name: test-route
      http:
        match:
          path:
            prefix_match: /
        route:
          backend_group_id: ds7a4niks9qv********
          timeout: 60s
          auto_host_rewrite: false
  route_options:
    security_profile_id: fev3s055oq64********
  The security_profile_id under route_options is the confirmation that the profile is attached; a virtual host whose route_options is empty is not protected by Smart Web Security.
For more information about the yc application-load-balancer virtual-host update command, see the CLI reference.
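The check a practitioner wants after the last CLI step, and periodically for hosts behind an Ingress controller (which disconnects a profile that was attached without the annotation), is whether every virtual host on a router still carries the expected profile. The script below is an added example, not code from the Yandex Cloud documentation or the yc CLI. It assumes that yc accepts --format json and that the JSON uses the same field names as the YAML shown above (virtual_hosts[].route_options.security_profile_id); the embedded router description and the host names admin-host and api-host are constructed sample data.

```python
"""Audit which virtual hosts on an Application Load Balancer HTTP router are
protected by a given Smart Web Security profile.

Added example, not part of the Yandex Cloud documentation. Reads the router
description as JSON (assumed to come from
`yc application-load-balancer http-router get <router> --format json`) and
reports every virtual host whose route_options.security_profile_id does not
match the profile you expect.
"""
import json
import subprocess
import sys

# Constructed sample modelled on the `http-router get` output shown in the
# docs: one host protected by the expected profile, one never connected
# (route_options omitted), and one connected to a different profile.
SAMPLE_ROUTER_JSON = json.dumps({
    "id": "ds7e9te73uak********",
    "name": "my-first-router",
    "folder_id": "b1gt6g8ht345********",
    "virtual_hosts": [
        {
            "name": "test-virtual-host",
            "routes": [{"name": "test-route",
                        "http": {"match": {"path": {"prefix_match": "/"}},
                                 "route": {"backend_group_id": "ds7a4niks9qv********"}}}],
            "route_options": {"security_profile_id": "fev3s055oq64********"},
        },
        {"name": "admin-host", "routes": []},                       # constructed
        {"name": "api-host", "routes": [],                          # constructed
         "route_options": {"security_profile_id": "fevlqk8vei9p********"}},
    ],
})

EXPECTED_PROFILE_ID = "fev3s055oq64********"


def audit_router(router_json: str, expected_profile_id: str) -> dict:
    """Return {virtual_host_name: status}, where status is 'ok',
    'missing' (no profile attached) or 'mismatch:<attached_profile_id>'."""
    router = json.loads(router_json)
    statuses = {}
    for vhost in router.get("virtual_hosts", []):
        # route_options may be absent or {} when nothing is attached.
        attached = (vhost.get("route_options") or {}).get("security_profile_id")
        if attached is None:
            statuses[vhost["name"]] = "missing"
        elif attached == expected_profile_id:
            statuses[vhost["name"]] = "ok"
        else:
            statuses[vhost["name"]] = f"mismatch:{attached}"
    return statuses


def unprotected_hosts(router_json: str, expected_profile_id: str) -> list:
    """Names of hosts that are not protected by the expected profile, sorted."""
    return sorted(name for name, status in
                  audit_router(router_json, expected_profile_id).items()
                  if status != "ok")


def fetch_router_json(router_name_or_id: str) -> str:
    """Fetch the router from the yc CLI. Assumes `--format json` is accepted."""
    cmd = ["yc", "application-load-balancer", "http-router", "get",
           router_name_or_id, "--format", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: audit.py <HTTP_router_name_or_ID> <security_profile_ID>
    # Without arguments the constructed sample is audited instead.
    if len(sys.argv) == 3:
        data, expected = fetch_router_json(sys.argv[1]), sys.argv[2]
    else:
        data, expected = SAMPLE_ROUTER_JSON, EXPECTED_PROFILE_ID
    for name, status in audit_router(data, expected).items():
        print(f"{name}: {status}")
    # Non-zero exit makes the script usable as a gate in CI or a cron alert.
    sys.exit(1 if unprotected_hosts(data, expected) else 0)
```

Run it against the sample and it flags admin-host as missing and api-host as connected to the wrong profile; with a router name and profile ID on the command line it audits the live router, exiting non-zero if any host is unprotected.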
Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call of the Application Load Balancer service.
Tip
To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.