Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Getting started with Yandex Smart Web Security

Written by
Updated at June 27, 2025

Smart Web Security protects your infrastructure from cybersecurity threats at OSI application level (L7). These may include DDoS attacks, bots, and SQL injections. In addition, you can enable DDoS protection at levels L3 and L4 using Yandex DDoS Protection.

Smart Web Security is a toolkit to protect infrastructures of various complexity and scale. Protection is achieved by cleaning malicious traffic from the incoming traffic flow. The traffic is checked against filtering rules in a security profile. You can additionally process the cleaned traffic with ARL profile rules to reduce the load on your application.

A security profile may include:

  • Basic rules for simple traffic filtering based on specified conditions.
  • Smart Protection rules for automatic protection against DDoS attacks with machine learning and behavior analysis algorithms.
  • WAF profile rules for protection from application vulnerability exploits. Currently, you can connect the OWASP Core Rule Set (CRS) that blocks many known threats, such as SQL and command injections, cross-site scripting, and others.
  • Built-in Yandex SmartCaptcha to run CAPTCHA checks against bots and spam.
  • IP address filtering lists to allow or block requests from specified IP addresses.

An ARL profile contains rules for limiting the number of requests to the protected resource based on various conditions.

You can connect a security profile to various types of resources:

  • Virtual host or Ingress controller to protect resources that use Yandex Application Load Balancer.
  • API Gateway to protect the APIs of your applications.
  • Domain to protect your website or web application hosted in Yandex Cloud or other platforms.

Setup

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Create and configure a protected resource

Application Load Balancer evenly distributes incoming traffic between nodes, thus preventing overload and improving fault tolerance. If you have no L7 load balancer set up yet, you can deploy a test infrastructure.

API gateway is the single entry point for APIs of various services, enabling requests management, routing, authentication, and so forth. If you have no API gateway configured, you can deploy one with a test specification.

Domain is a server, website, or application that processes external requests to a web address. To protect a domain, Smart Web Security provides a proxy server with load balancing, request analysis and routing. And basic DDoS protection as well.

The proxy server has an MTU limit of 1,450 bytes for all packets.

Note

The external domain protection feature is currently at the Preview stage.

Prepare data about the resource

  • Address of the domain the web application is running on. You need access to the domain management interface to update the A record.
  • Server IP address, port and protocol used by the web application.
  • Valid private key and TLS certificate for this domain in PEM-encoded format. Certificates with RSA-2048 and RSA-4096 keys are supported.

Create a proxy server

  1. In the management console, select your folder.

  2. From the list of services, select Smart Web Security.

  3. In the left-hand panel, select Domain security.

  4. Click Create proxy server.

  5. Enter a name for the proxy server, e.g., test-proxy.

  6. Click Create server.

    To work with the proxy server, a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, logging.writer roles will be created.

    Creating a proxy server can take several minutes. Wait for the server to get the Active status. After that, you can add a domain.

Add a domain

  1. In the left-hand menu, go to the Domains tab and click Add domain.

  2. Enter the address of the domain your web application is in, e.g., example.com.

  3. Click Continue.

  4. Select the connection type used by your application. We recommend the secure HTTPS protocol.

  5. If you use Certificate Manager and have added your domain certificate to it, select it from the list.

  6. If not using Certificate Manager, click CreateCustom certificate.

    1. Enter a name for the certificate.
    2. Copy or upload the private key, certificate, and intermediate certificate chain as a file in PEM format.
    3. Click Create certificate.

  7. Click Continue.

  8. Under Target resources, set up the targets:

    1. IP address and port your web application runs on.
    2. Optionally, expand the Connect target resources section to select the protocol your web application runs on.

  9. Click Add domain.

After you create a domain, the domain parameters overview page will open. Under How do I activate protection?, copy the proxy server IP address, as you will need it in the next step.

Set up your infrastructure

  1. Add a resource A record to your domain's public DNS zone, with values specified as follows:

    • Record name: Your domain's address, ending with a dot. Example: example.com. or my.first.example.com..
    • Value: Proxy server's IPv4 address you obtained in the previous step.

    This record redirects requests coming to your domain to the proxy server IP address.

    Note

    If your domain is delegated to Yandex Cloud DNS, create a resource record according to this guide. Otherwise, use your domain name registrar's personal account. If you have any questions, refer to the relevant documentation or contact the registrar's support service.

  2. In your server settings, block all connections except those for Yandex Cloud IP addresses.

Check your resource status

  1. Under Domain security, select the new proxy server.

  2. In the left-hand menu, go to the Domains tab and select the new domain.

  3. Under Target resources, check that your resource's status is Healthy.

    If it is not, the proxy server cannot connect to your resource. Check your web server address and network settings. Make sure access to the web server is allowed from Yandex Cloud IP addresses.

  4. In the left-hand panel, check that your domain's status is Healthy.

    If it is not, verify the domain address and the A record, and check the certificate for validity.

Create and check a security profile

Create a security profile

Note

To enhance your security, we use HTTP request data to improve our machine learning (ML) models. You can disable the use of this information in the management console when creating a security profile or later in its settings.

  1. In the management console, select the folder the protected resources are in.

  2. From the list of services, select Smart Web Security.

  3. Click Create profile and select From a preset template.

    A preset profile includes:

    Tip

    Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for your resource being protected.

  4. Enter a name for the profile, e.g., test-sp1.

  5. In the Action for the default base rule field, select Deny.

  6. Optionally, enable or disable the use of HTTP request information to tune machine learning models under Fine-tuning ML models.

  7. Click Create.

Check your security profile settings

  1. Select the test-sp1 profile you created earlier.

  2. Make sure the Security rules tab contains a rule with the following parameters:

    • Type: Smart Protection
    • Action: Full protection
    • Conditions: All traffic

    This rule sends all incoming traffic of the protected resource for an automatic check using ML and behavioral analysis algorithms. As a result of this check:

    • Legitimate requests are routed to the protected resource.
    • Illegitimate requests and attacks are blocked.
    • Suspicious requests are sent to SmartCaptcha for additional verification.

Associate the security profile with the virtual host

The connection method depends on the resource type.

  • To connect a domain:

    1. Under Domain security Domains, select the required domain.
    2. From the top menu, click Connect security profile and select an existing or create a new security profile.

  • To connect a virtual host in Application Load Balancer:

    1. If the load balancer is managed by an Application Load Balancer ingress controller, use the Ingress resource annotation.

    2. If the load balancer is managed by you, select the created profile under Security profiles.

    3. At the top right, click Connect to host.

    4. In the window that opens, select:

      To associate the profile with another L7 load balancer, click Add load balancer.

    5. Click Connect.

    You will see the associated virtual host under Connected hosts.

  • To connect an API gateway:

    1. Under Security profiles, copy the ID of the profile you need.
    2. When creating an API gateway or in the existing API gateway specification, set this extension: x-yc-apigateway:smartWebSecurity.
    3. Specify the copied ID in the extension.

Monitor the security profile operation

  1. In the Smart Web Security service page, select the Monitoring section on the left-hand panel.
  2. View the charts of allowed and blocked requests.

Create and connect a WAF profile

WAF allows using rule sets to protect web applications against various cyber attacks.

Create a WAF profile

  1. In the management console, select the folder where you want to create a WAF profile.
  2. From the list of services, select Smart Web Security.
  3. Go to the WAF profiles tab and click Create WAF profile.
  4. Enter a name for the profile, e.g., test-waf-profile-1.
  5. By default, the WAF profile uses the OWASP Core Rule Set. To view the rules it includes, click the row with its description.
  6. Click Create.

Configure a basic rule set

  1. On the WAF profile's overview page that opens, click Set up a basic rule set.

  2. Set the Anomaly threshold, which is the sum of anomaly scores of the triggered rules that will block the request, e.g., Moderate: 25 and more.

    We recommend that you start with an anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules. You can use the Only logging (dry-run) mode in the security profile to test various anomaly thresholds.

  3. Set the required Paranoia level, e.g., 2 or lower.

    The paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the greater the risk of WAF false positives.

  4. Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly scores and paranoia levels.

You can configure any rule in the set to block requests. Requests matching such a rule get blocked regardless of the anomaly threshold you set. To turn a rule into a blocking one, click on its right. If the Only logging(dry-run) mode is enabled in the security profile, requests will not be blocked even when if they match the blocking rules.

Create an exclusion rule

  1. Go to the Exclusion rules tab and click Create exception rule.

  2. Enter a name for the exclusion rule, e.g., exception-rule-1.

  3. Under Scope of use, specify rules from the basic set for which the exclusion will apply. You can either select All rules or specify particular rules.

  4. Under Traffic conditions, select the triggering conditions for the exclusion rule.

    If you leave the Conditions field empty, the exclusion rule will apply to all traffic.

  5. Click Create.

Connect the WAF profile to the security profile

  1. Navigate to the Security profiles tab.
  2. From the list, select the security profile to connect your WAF profile to, e.g., test-sp1.
  3. Click Add rule.
  4. Enter a name for the rule, e.g., waf-rule-1.
  5. In the Priority field, set a value higher than that of the Smart Protection rules already existing in the security profile, e.g., 888800.
  6. Optionally, to test your WAF profile and simulate false positives triggered by legitimate requests, use the Only logging (dry-run) mode in the security profile.
  7. In the Rule type field, select Web Application Firewall.
  8. In the WAF profile field, select the previously created profile named test-waf-profile-1.
  9. In the Action field, select Full protection.
  10. If required, set the conditions for traffic mapping.
  11. Click Add.

Create and connect an ARL profile

ARL allows limiting the number of requests to the protected resource to prevent an overload.

Create an ARL profile

  1. In the management console, select the folder where you want to create an ARL profile.
  2. From the list of services, select Smart Web Security.
  3. Go to the ARL profiles tab and click Create ARL profile.
  4. Enter a name for the profile, e.g., test-arl-profile-1.
  5. Add a profile description and labels if needed.
  6. Click Create.

Configure rules

  1. On the ARL profile's overview page that opens, click Add rule.

  2. Enter a name for the rule, e.g., arl-rule-1.

  3. In the Priority field, set the rule priority within the ARL profile, e.g., 1000.

  4. Optionally, to test the ARL rule, enable the Only logging (dry run) mode. Requests will not be blocked in this mode.

  5. Under Traffic conditions, select All traffic or On condition.

  6. To set traffic conditions, select one or more items from the Conditions list:

    • IP: IP address, IP address range, IP address region, or address list.
    • HTTP header: HTTP header string.
    • Host: Domain receiving the request.
    • HTTP method: Request method.
    • Cookie: Cookie header string.

  7. Under Request counting, select how to count requests for limiting:

    • No grouping: Count each request separately.
    • Grouping by property: Count the number of request groups sharing one or more properties.

    1. Select a grouping property:

      • Request path: Request path.
      • HTTP method: Request method.
      • IP address: IP address the request originates from.
      • Region: IP address region of the requests.
      • Host: Domain receiving the request.
      • HTTP cookie: String in the cookie header.
      • HTTP header: HTTP header string.
      • Query params: String in the request parameters.

    2. Optionally, enable Case-sensitive to put properties with the same values in different cases into different groups.

  8. Specify the request limit and select the time interval, e.g., 1000 requests per 1 minute.

  9. Click Save rule.

Connect your ARL profile to the security profile

  1. Navigate to the Security profiles tab.
  2. From the list, select the security profile to connect your ARL profile to, e.g., test-sp1.
  3. Click Edit.
  4. In the ARL profile list, select the previously created test-arl-profile-1.
  5. Click Save.

See also

Next
All guides