Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Creating an Application Load Balancer L7 load balancer with a Smart Web Security security profile

Written by
Updated at November 2, 2024

With Yandex Smart Web Security, you can protect your infrastructure from DDoS attacks and bots at the application level (L7).

You will create a test web server, deploy an Application Load Balancer L7 load balancer for distributing traffic to the test web server, and protect the created infrastructure using a Smart Web Security security profile.

To create an L7 load balancer with a security profile:

  1. Prepare your cloud.
  2. Prepare your infrastructure.
  3. Create a security profile.
  4. Connect the security profile to a virtual host.
  5. Test the security profile.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Prepare the infrastructure

Deploy an Application Load Balancer infrastructure as well as a VM with a test web server.

The following resources will be created:

Save the public IP address of the L7 load balancer: you will need it to test your security profile.

Tip

To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.

Create a security profile

The security profile is the main Smart Web Security component, which consists of a set of rules, each containing conditions for filtering user requests arriving to the resource being protected.

To create a security profile:

  1. In the management console, select the folder you want to create a profile in.

  2. In the list of services, select Smart Web Security.

  3. Click Create and select From a preset template.

    A preset profile includes:

    Tip

    Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for your resource being protected.

  4. Enter a name for the profile, e.g., test-sp1.

  5. In the Action for the default base rule field, select Deny. Thus, if no other rules are set, all traffic to the protected resource will be denied.

  6. Click Add rule.

  7. In the rule creation window:

    1. Enter a name for the rule, e.g., test-rule1.

    2. Set the rule priority, e.g., 999800. The rule will have higher priority than the preconfigured ones.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    3. Select the Base rule type.

    4. Select the Allow action.

      The rule will describe conditions under which requests will be directed to the backend of the test application.

    5. In the Conditions field, select IP.

    6. In the IP conditions field that appears, select Matches or belongs to range and set the public IP address of the device from which you are going to send requests to the L7 load balancer, e.g., 158.160.100.200.

    7. Click Add.

      The rule you created will appear under Security rules in the table.

  8. Click Create.

Connect the security profile to the virtual host

  1. In the management console, choose the folder where you want to connect a security profile to an Application Load Balancer virtual host.

  2. In the list of services, select Smart Web Security.

  3. Select the test-sp1 profile.

  4. Click Connect to host.

  5. In the window that opens, select:

    • Load balancer test-load-balancer.
    • HTTP router test-http-router.
    • Virtual host test-virtual-host.

  6. Click Connect.

    You will see the connected virtual host under Connected hosts.

Test the security profile

  1. Open the terminal on the device whose IP address you specified in the allow rule.

  2. Send a request to the backend of the test application:

    curl --verbose <public_IP_address_of_L7_load_balancer>

    This command should list the contents of the directory with your test web server.

  3. Repeat the request from a different IP address. As a result, you should see a message about a failure to establish a connection to the server.

Note

Smart Protection rules are usually not tested. Such tests would add the parameters of suspicious requests, e.g., IP addresses, to a blacklist.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the security profile.
  2. Delete the L7 load balancer.
  3. Delete the HTTP router.
  4. Delete the backend group.
  5. Delete the target group.
  6. Delete the VM.
Previous
Viewing operations with profiles
Next
Overview