API Gateway protection with Smart Web Security
Yandex API Gateway supports integration with Yandex Smart Web Security. This allows you to set up DDoS and bot protection for an API gateway at OSI
With Smart Web Security profiles, you can configure protection using various conditions. For example, you can set a request limit with parameter-based request grouping or configure IP-based request blocking. To do this:
- Get your cloud ready.
- Create an ARL profile and Smart Web Security profile.
- Create an API gateway.
- Test the new resources.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page.
Learn more about clouds and folders.
Create an ARL profile and Smart Web Security profile
Management console
- Create an ARL profile named arl-profile.
- Add to it a rule with a request limit and request grouping based on the token parameter. Specify the following settings:
  - Name: query-limit-rule
  - Priority: 999900
  - Request grouping: By property
  - Property: Query params
  - Group by: token
  - Request limit per group: 1 per 1 minute
- Create a security profile named sws-profile using a preset template. When creating it, select the previously created arl-profile in the ARL profile field.
- To set up IP-based blocking, add a rule with the following settings to the Smart Web Security profile:
  - Name: ip-block-rule.
  - Priority: 999700.
  - Rule type: Basic.
  - Action: Allow.
  - Conditions for traffic:
    - Traffic: On condition.
    - Conditions: IP.
    - Conditions for IP: Matches or falls within the range.
    - IP matches or falls within the range: Specify your IP address.
Terraform
- If you do not have Terraform yet, install it.
- Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
- Configure and initialize a provider. There is no need to create a provider configuration file manually: you can download it.
- Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
- Download the api-gw-sws-integration.tf configuration file to the same working directory. This file describes:
  - ARL profile that sets a request limit and request grouping by the token parameter.
  - Smart Web Security profile that uses the ARL profile and, in addition, enables IP-based blocking.
  - API gateway configured to work with the Smart Web Security profile.
- In the local variables section of the api-gw-sws-integration.tf file, specify the following:
  - arl_name: ARL profile name.
  - folder_id: ID of the folder to host the new ARL profile.
  - sws_name: Smart Web Security profile name.
  - allowed_ips: List of IP addresses allowed to access the API gateway.
  - api-gw-name: API gateway name.
- Make sure the Terraform configuration files are correct using this command:
  ```bash
  terraform validate
  ```
  Terraform will show any errors found in your configuration files.
- Create the required infrastructure:
  - Run this command to view the planned changes:
    ```bash
    terraform plan
    ```
    If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
  - If everything looks correct, apply the changes:
    - Run this command:
      ```bash
      terraform apply
      ```
    - Confirm updating the resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
Create an API gateway
Management console
Create an API gateway named my-gateway. When creating it, add the following specification to the Specification field:
```yaml
openapi: "3.0.0"
x-yc-apigateway:
  smartWebSecurity:
    securityProfileId: <SWS_profile_ID>
info:
  version: 1.0.0
  title: Protected application
  license:
    name: MIT
paths:
  /:
    get:
      x-yc-apigateway-integration:
        type: dummy
        content:
          '*': "This application is protected by SWS!"
        httpCode: 200
```
Leave the other parameters unchanged.
Terraform
- In the api-gw-sws-integration.tf file:
  - In the securityProfileId parameter of the API gateway specification, specify the ID of the Smart Web Security profile you created earlier.
  - In the local variables section, specify create-api-gw = 1.
- Make sure the Terraform configuration files are correct using this command:
  ```bash
  terraform validate
  ```
  Terraform will show any errors found in your configuration files.
- Create the required infrastructure:
  - Run this command to view the planned changes:
    ```bash
    terraform plan
    ```
    If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
  - If everything looks correct, apply the changes:
    - Run this command:
      ```bash
      terraform apply
      ```
    - Confirm updating the resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
Test the new resources
Test the Smart Web Security settings:
Checking the request limit
- Send a GET request to the API gateway:
  ```bash
  curl <API_gateway_service_domain>
  ```
  Result:
  ```text
  This application is protected by SWS!
  ```
- Repeat the request straight away. In response, you will get a web page with error code 429. This means the request limit kicked in and blocked your request.
- Wait for a minute and repeat the request. The response must be the same as the first time:
  ```text
  This application is protected by SWS!
  ```
Checking the request grouping
- Send a GET request to the API gateway, specifying token=token:
  ```bash
  curl <API_gateway_service_domain>?token=token
  ```
  Result:
  ```text
  This application is protected by SWS!
  ```
- Repeat the request straight away. In response, you will get a web page with error code 429. This means the request limit kicked in and blocked your request.
- Repeat the request within the same minute but change the token value:
  ```bash
  curl <API_gateway_service_domain>?token=token2
  ```
  Result:
  ```text
  This application is protected by SWS!
  ```
  This means your request got into a new group that has not yet reached the request limit. That is why the request was successfully completed.
Checking the IP-based blocking
- Send a GET request to the API gateway from an IP address you specified in the Smart Web Security profile:
  ```bash
  curl <API_gateway_service_domain>
  ```
  Result:
  ```text
  This application is protected by SWS!
  ```
- Send a request from a different IP address, e.g., from a cloud VM:
  ```bash
  curl --verbose <API_gateway_service_domain>
  ```
  In response, you will get a web page with CAPTCHA. This means Smart Web Security has blocked the request from an IP address not listed as an allowed one.
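To make the three checks above concrete, here is an added example (not Yandex code or part of this tutorial) that models the two rules configured earlier, the ip-block-rule allowlist and the query-limit-rule grouped by the token query parameter, and replays the whole test sequence on one timeline. The gateway domain, the allowed IP 198.51.100.7, the outside IP 203.0.113.9 and the request timings are constructed stand-ins.

```python
# Added example, not Yandex code: a simplified model of the profile built in this
# tutorial (ip-block-rule allowlist + query-limit-rule, 1 request per 1 minute,
# grouped by the `token` query parameter), replaying the three checks.
from urllib.parse import parse_qs, urlparse

WINDOW_SECONDS = 60                 # "per 1 minute"
LIMIT_PER_GROUP = 1                 # "Request limit per group: 1"
ALLOWED_IPS = {"198.51.100.7"}      # constructed stand-in for "your IP address"
GW = "https://example-gateway.apigw.yandexcloud.net"   # placeholder domain


class SwsModel:
    def __init__(self):
        self.hits = {}   # group key -> timestamps of requests counted so far

    @staticmethod
    def group_key(url):
        # "Group by: token" on "Query params": requests without a token share one group
        return parse_qs(urlparse(url).query).get("token", [None])[0]

    def handle(self, src_ip, url, now):
        # ip-block-rule (Action: Allow for the listed IP); any other source IP
        # is not allowed through and receives the CAPTCHA page instead
        if src_ip not in ALLOWED_IPS:
            return "captcha"
        # query-limit-rule: only requests inside the current window count
        key = self.group_key(url)
        recent = [t for t in self.hits.get(key, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= LIMIT_PER_GROUP:
            self.hits[key] = recent
            return 429
        self.hits[key] = recent + [now]
        return 200


def replay(events):
    """Feed (src_ip, url, seconds) events to a fresh model; return the verdicts."""
    model = SwsModel()
    return [model.handle(ip, url, t) for ip, url, t in events]


# The tutorial's three checks on one constructed timeline (seconds since start)
EVENTS = [
    ("198.51.100.7", GW + "/", 0),                # 200: first request
    ("198.51.100.7", GW + "/", 1),                # 429: same group, same minute
    ("198.51.100.7", GW + "/", 61),               # 200: window has expired
    ("198.51.100.7", GW + "/?token=token", 62),   # 200: group "token" is new
    ("198.51.100.7", GW + "/?token=token", 63),   # 429: group "token" exhausted
    ("198.51.100.7", GW + "/?token=token2", 64),  # 200: group "token2" is new
    ("203.0.113.9", GW + "/", 65),                # captcha: IP not allowed
]
```

Because the group key is a value the client supplies, this rule bounds the request rate of each token value, not the total request rate reaching the gateway.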
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need, depending on how they were created:
Terraform
- In the terminal window, go to the directory containing the infrastructure plan.
  Warning: make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
- Delete resources:
  - Run this command:
    ```bash
    terraform destroy
    ```
  - Confirm deleting the resources and wait for the operation to complete.
  All the resources described in the Terraform manifests will be deleted.