Centralized online publication and protection against DDoS attacks of applications hosted in different Yandex Cloud folders
This tutorial describes a use case involving multiple independent teams managing Yandex Cloud resources. The services and apps developed by these teams are published on the internet. Yandex Cloud uses folders to separate resources, ensuring that each team can only access its designated folder. Moreover, the information security (IS) regulations prohibit teams from directly publishing their folder resources on the internet.
To implement this approach, you can use such Yandex Cloud services as Yandex Application Load Balancer (ALB) and Yandex Smart Web Security (SWS).
Application Load Balancer enables you to create OSI
Smart Web Security protects your resources against L7 DDoS attacks and bots. You can additionally connect a WAF and limit the load on your resource using the Advanced Rate Limiter (ARL) module. Configure the settings for protecting your resources in the Smart Web Security profile. Connect your security profile to the L7 load balancer.
To set up such a workflow, you need to do the following:
- Set up centralized online publication of services by using an L7 load balancer.
- Scan inbound traffic for information security threats by using Smart Web Security.
- Restrict team access to L7 load balancers and security profiles by placing L7 load balancers in a separate folder. Access to this folder must be restricted to a limited number of authorized personnel, e.g., IS employees.
- Establish network communication between L7 load balancers and team targets in different folders through a multi-folder VPC. L7 load balancers and team resources must reside in different subnets of the same VPC network.
Yandex Cloud resource placement chart
The chart displays the following resources:
- ALB: L7 load balancers created in Application Load Balancer and used to publish services online.
- SWS: Smart Web Security to implement protection at the application layer (L7).
- IS folder: ALB L7 folder accessible only to IS employees.
- VPC: Cloud network hosting ALB and team subnets.
- alb-subnet-a, alb-subnet-b, and alb-subnet-d: Subnets with ALB nodes.
- subnet-team-1 and subnet-team-2: Subnets with team resources.
- Team folders: Folders containing team targets, e.g., virtual machines (VMs), databases, Network Load Balancer-enabled L3-L4 load balancers (NLBs), and more.
To follow this tutorial, you must have already created targets for your services and placed them in different folders.
The rest of this tutorial covers:
- Requirements and best practices for further resource configuration.
- Configuring security and online publication for your services.
Requirements and best practices for resource configuration
Network
- For network connectivity between L7 load balancers and team targets, use a multi-folder VPC to extend the scope of your VPC network from a single folder to multiple folders.
- Use security groups to manage network access across resources pertaining to different teams:
  - Target security groups should allow inbound traffic from L7 load balancer subnets.
  - L7 load balancer security groups should allow traffic to target subnets. To learn more about best practices for setting up security groups, see this section.
L7 load balancers
- Place all L7 load balancers in a single folder accessible exclusively to IS employees.
- Optionally, enable L3-L4 DDoS protection. To do this:
  - Reserve a public static IP address with DDoS protection and use it for the L7 load balancer's listener.
  - Configure a trigger threshold.
  - Set the MTU to 1450 on your targets.
- You cannot use different public IP addresses for the listeners of a single L7 load balancer.
- Use different ports for the listeners of a single L7 load balancer. For HTTPS, you can use SNI listeners with the same port. For the maximum number of SNI listeners, see the relevant limits.
- Optionally, to ensure fault tolerance, place L7 load balancers across various availability zones.
- Factor in subnet sizes for L7 load balancer nodes.
- Set the minimum number of resource units for the L7 load balancer in each zone based on autoscaling policies. The expected load on your services dictates the number of resource units; consider these metrics:
  - Number of requests per second (RPS)
  - Number of concurrent active connections
  - Number of new connections per second
  - Traffic processed per second
- In case of high load on the L7 load balancer, consider its limits. If you cannot scale the service using the resources of a single load balancer, distribute it across multiple L7 load balancers.
- Assign a dedicated L7 load balancer to each service under high load.
- When publishing multiple services through a single L7 load balancer, consider the relevant SLA.
- Note that external requests to web servers will originate from IP addresses within the internal IP range of the L7 load balancer subnets. IP addresses of request sources (users) will be included in the X-Forwarded-For header.
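The last point above matters for anything on the backend that keys on the client address (access logs, per-client rate limits, allowlists): the backend must take the client IP from X-Forwarded-For only when the request actually arrived through the load balancer, and must ignore entries the client could have written itself. The Python snippet below is an added example, not code from the tutorial or from Yandex Cloud. The ALB subnet CIDRs are constructed placeholders to be replaced with your real alb-subnet-a, alb-subnet-b and alb-subnet-d ranges, and the code assumes the load balancer appends the address it observed to the header, which is why the list is walked from the right.

```python
"""Recover the client address behind the L7 load balancer.

Added example, not code from the tutorial or from Yandex Cloud. The ALB
subnet ranges are constructed placeholders: replace them with the real
CIDRs of alb-subnet-a, alb-subnet-b and alb-subnet-d.
"""
import ipaddress
from typing import Optional

# Constructed: internal ranges of the L7 load balancer subnets. Only these
# addresses are trusted to have added entries to X-Forwarded-For.
ALB_SUBNETS = [
    ipaddress.ip_network("10.10.1.0/24"),  # alb-subnet-a (placeholder)
    ipaddress.ip_network("10.10.2.0/24"),  # alb-subnet-b (placeholder)
    ipaddress.ip_network("10.10.3.0/24"),  # alb-subnet-d (placeholder)
]


def is_alb_address(addr: str) -> bool:
    """True if addr lies inside one of the L7 load balancer subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALB_SUBNETS)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Return the client IP as seen by the load balancer, or None.

    peer_addr is the TCP peer of the backend socket. For traffic published
    through the L7 load balancer it is an ALB node address; anything else
    did not come through the balancer, so its X-Forwarded-For is ignored.
    The header is walked from the right, dropping ALB hops, so that values
    a client prepended itself never win.
    """
    if not is_alb_address(peer_addr):
        return None
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_alb_address(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed value written by an untrusted party
    return None  # header empty or only ALB hops: no client address known


if __name__ == "__main__":
    # Constructed requests: (backend peer address, X-Forwarded-For value)
    samples = [
        ("10.10.1.7", "203.0.113.5"),                # normal path
        ("10.10.2.3", "198.51.100.9, 203.0.113.5"),  # client-supplied prefix
        ("192.168.50.2", "203.0.113.5"),             # bypassed the balancer
    ]
    for peer, xff in samples:
        print(f"peer={peer:<13} xff={xff!r:<30} client={client_ip(peer, xff)}")
```

Because the target security groups only admit the ALB subnets, the `peer_addr` check is normally redundant; it is kept so that a later security-group mistake degrades to "client unknown" rather than to a spoofable address.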
Targets
- In the L7 load balancer target group, provide the IP addresses of your services from team folders to publish on the internet.
- These IP addresses must be within the RFC 1918 private ranges.
- If the target’s internal IP address changes, manually update the L7 load balancer's target group configuration.
Configuring secure online publication for your services
To configure secure online publication for your services:
- Create an IS folder.
- Grant access to the folder only to IS employees.
- Set up network connectivity between resources from different folders.
- Configure security groups by following these best practices.
- Reserve a public IP address and enable L3-L4 DDoS protection.
- Create a security profile.
- If using HTTPS, add a TLS certificate to Certificate Manager.
- Create an L7 load balancer.
- Test the L7 load balancer.
The chart below shows the L7 load balancer resources you will create and configure in this tutorial.
Creating a security profile
- In the management console, from the list of services, select Smart Web Security.
- Click Create profile.
- Select From a preset template.
- Enter sws-ddos as the profile name.
- In the Action for the default base rule field, select Allow.
- Under Security rules, open sp-rule-1 for editing and enable Only logging (dry run). This option is used for profile testing. In logging mode, traffic will not get blocked, and users will not be disconnected from your service because of a misconfigured profile. Review profile performance and customize the rules to meet your service's requirements.
- Click Save changes.
- Click Create.
For other ways to create a security profile, see this section.
Creating an L7 load balancer
- In the management console, from the list of services, select Application Load Balancer.
- Click Create L7 load balancer and select Wizard.
Configuring a target group
A target group lists the VMs that host your application backends. The load balancer distributes requests to your application’s backend endpoints via the target group.
- Specify the target group name: test-target-group.
- Provide the internal IP address of your target, which is either your service's internal NLB listener address or the VM address.
- Select the subnet hosting your service resources. To select a subnet, you need the vpc.user role for the folder containing the subnet.
- Configure the other targets. To do this, click Add target resource and specify addresses and subnets.
- Click Create and continue.
Configuring a backend group
Backend groups contain settings for traffic balancing and target health checks. The wizard will automatically create one backend and one health check group. It will also use the group you created earlier as the target group.
- Enable Advanced settings.
- Specify the backend group name: test-backend-group.
- Leave HTTP as the group type.
- To ensure the same backend resource handles requests from a single user session, enable Session affinity. If your target is an internal NLB, you do not have to enable session affinity.
- Under Backends:
  - Specify the backend name: backend-1.
  - Leave Target group as the backend type.
  - Leave the target group you created earlier, test-target-group.
  - Specify the TCP port of your service. It is usually 80 for HTTP and 443 for HTTPS.
  - If your target is a VM, make sure to set up a health check.
  - If your target is an internal NLB, disable the health check.
- Click Create and continue.
Configuring an HTTP router
HTTP routers implement rules for client-to-backend traffic and allow you to modify requests at the load balancer layer. The wizard will automatically create a virtual host and a routing rule. It will also use the group you created earlier as the backend group.
- Specify the router name: test-http-router.
- Enable Advanced settings.
- Under Virtual hosts, specify:
  - Host name: test-virtual-host.
  - Authority: Your service domain name.
  - Security profile: Profile you created earlier. If you skip selecting the profile, Smart Web Security protection will not work.
- Specify these route properties:
  - Route name: test-route.
  - Path: Starts with followed by /.
  - Action: Routing.
  - Backend group: Leave the group you created earlier.
- Click Create and continue.
Configuring an L7 load balancer
A load balancer receives requests and distributes them across target group VMs according to the rules set in the HTTP router. Load balancers use listeners to receive traffic. The wizard will create a listener automatically. It will also use the router you created earlier as the HTTP router in this configuration.
- Specify the load balancer name: test-load-balancer.
- Enable Advanced settings.
- Under Network settings, select the VPC network you created earlier.
- For Security groups, select From list and then the security group you created earlier.
- Under Allocation, select subnets in the availability zones you need and enable inbound traffic in those subnets.
- Configure the listener:
  - Specify the listener name: test-listener.
  - Under Public IP address, enable a public IP address and specify the following:
    - Port: TCP port of your service. It is usually 443 for HTTPS and 80 for HTTP.
    - Type: Set it to List and select the IP address you reserved previously.
  - Under Receiving and processing traffic, specify:
    - Listener type: HTTP.
    - Protocol: HTTP or HTTPS.
    - For HTTPS, select your service's TLS certificate you previously added in Certificate Manager.
    - HTTP router: Leave the router you created earlier.
- Click Create.
If your infrastructure already uses an L7 load balancer and a configured listener with a public IP address:
- In the management console, select your L7 load balancer.
- Under Listeners, open the settings of the listener with a public IP address.
- Under Receiving and processing traffic, click Add SNI match and specify the following:
  - Server names: Your service's domain name. This field contains the SNI extension values that, when received from a client, will trigger the listener to establish a TLS connection.
    Tip: Some browsers reuse TLS connections to the same IP address if the connection's certificate contains the necessary domain name. In this case, no new SNI match is set and traffic can potentially be routed to an inappropriate HTTP router. To avoid this, use different certificates for each SNI match and the main listener. To manage traffic across the domain names within a single certificate, set up virtual hosts in the HTTP router.
  - Certificates: Your service's TLS certificate previously added in Certificate Manager.
  - HTTP router: HTTP router you created earlier.
For other ways to create an L7 load balancer and more configuration options, see our step-by-step guides.
Testing an L7 load balancer
- In the management console, from the list of services, select Application Load Balancer.
- Select the L7 load balancer you created.
- Select Health checks on the left. Make sure you get HEALTHY for all health checks in your L7 load balancer’s backend group.
- Select Balancing map on the left. Check the configuration for each resource in this order: Listener > HTTP router > Backend group > Target group.