Creating an Application Load Balancer L7 load balancer with a Smart Web Security security profile
With Yandex Smart Web Security, you can protect your infrastructure from DDoS attacks and bots at the application level (L7).
You will create a test web server, deploy an Application Load Balancer L7 load balancer for distributing traffic to the test web server, and protect the created infrastructure using a Smart Web Security security profile.
To create an L7 load balancer with a security profile:
- Prepare your cloud.
- Prepare your infrastructure.
- Create a security profile.
- Connect the security profile to a virtual host.
- Test the security profile.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Prepare the infrastructure
Deploy an Application Load Balancer infrastructure as well as a VM with a test web server.
The following resources will be created:
- VM test-vm1 with a test web server.
- Target group test-target-group.
- Backend group test-backend-group.
- HTTP router test-http-router with virtual host test-virtual-host.
- L7 load balancer test-load-balancer.
Save the public IP address of the L7 load balancer: you will need it to test your security profile.
Tip
To ensure availability of your service at high load, set up autoscaling for your L7 load balancer.
Create a security profile
The security profile is the main Smart Web Security component. It consists of a set of rules, each containing conditions for filtering user requests arriving at the resource being protected.
To create a security profile:
- In the management console, select the folder you want to create a profile in.
- In the list of services, select Smart Web Security.
- Click Create and select From a preset template.
  A preset profile includes:
  - Basic default rule enabled for all traffic with the Deny action type.
  - Smart Protection rule enabled for all traffic with the Full protection action type.
  Tip
  Creating a pre-configured profile with full Smart Protection is preferable. This will ensure the highest level of security for the resource being protected.
- Enter a name for the profile, e.g., test-sp1.
- In the Action for the default base rule field, select Deny. Thus, if no other rules are set, all traffic to the protected resource will be denied.
- Click Add rule.
- In the rule creation window:
  - Enter a name for the rule, e.g., test-rule1.
  - Set the rule priority, e.g., 999800. The rule will have higher priority than the preconfigured ones.
    Note
    The smaller the value, the higher the rule priority. The priorities for preconfigured rules are as follows:
    - Basic default rule: 1000000.
    - Smart Protection rule providing full protection: 999900.
  - Select the Base rule type.
  - Select the Allow action.
    The rule will describe conditions under which requests will be directed to the backend of the test application.
  - In the Conditions field, select IP.
  - In the IP conditions field that appears, select Matches or belongs to range and set the public IP address of the device from which you are going to send requests to the L7 load balancer, e.g., 158.160.100.200.
  - Click Add.
    The rule you created will appear under Security rules in the table.
- Click Create.
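A simplified model of the rule ordering described in this section, added here as an example and not part of Yandex Cloud's documentation or code. It assumes rules are tried in ascending priority value with the first match deciding, and does not model what Smart Protection concludes about a request; the Rule class, the rule names basic-default and smart-protection, and both function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # smaller value = evaluated earlier (per the note above)
    action: str            # "ALLOW", "DENY" or "SMART_PROTECTION"
    ip_ranges: tuple = ()  # empty = rule is enabled for all traffic

    def matches(self, client_ip: str) -> bool:
        """'Matches or belongs to range': single address or CIDR membership."""
        if not self.ip_ranges:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(r, strict=False)
                   for r in self.ip_ranges)

# Constructed profile using the priorities and sample IP from this tutorial.
PROFILE = [
    Rule("basic-default", 1000000, "DENY"),
    Rule("smart-protection", 999900, "SMART_PROTECTION"),
    Rule("test-rule1", 999800, "ALLOW", ("158.160.100.200",)),
]

def first_match(rules, client_ip):
    """Assumed model: ascending priority value, first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_ip):
            return rule.name, rule.action
    return None  # only possible if the profile has no catch-all rule

def allow_rules_ahead_of_smart_protection(rules):
    """ALLOW rules whose traffic never reaches Smart Protection in this model."""
    sp = [r.priority for r in rules if r.action == "SMART_PROTECTION"]
    return [(r.name, r.ip_ranges) for r in rules
            if r.action == "ALLOW" and sp and r.priority < min(sp)]

if __name__ == "__main__":
    # The second address is a constructed sample from a documentation range.
    for ip in ("158.160.100.200", "203.0.113.7"):
        print(ip, "->", first_match(PROFILE, ip))
    print("review:", allow_rules_ahead_of_smart_protection(PROFILE))
```

Any allow rule the last function reports is evaluated before Smart Protection, so its IP range should cover only the addresses you intend to exempt.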
Connect the security profile to the virtual host
- In the management console, choose the folder where you want to connect a security profile to an Application Load Balancer virtual host.
- In the list of services, select Smart Web Security.
- Select the test-sp1 profile.
- Click Connect to host.
- In the window that opens, select:
  - Load balancer test-load-balancer.
  - HTTP router test-http-router.
  - Virtual host test-virtual-host.
- Click Connect.
  You will see the connected virtual host under Connected hosts.
Test the security profile
- Open the terminal on the device whose IP address you specified in the allow rule.
- Send a request to the backend of the test application:
    curl --verbose <public_IP_address_of_L7_load_balancer>
  This command should list the contents of the directory with your test web server.
- Repeat the request from a different IP address. As a result, you should see a message about a failure to establish a connection to the server.
Note
Smart Protection rules are usually not tested. Such tests would add the parameters of suspicious requests, e.g., IP addresses, to a blacklist.
How to delete the resources you created
To stop paying for the resources you created: