© 2026 Direct Cursus Technology L.L.C.

Managing traffic sources

Written by
Yandex Cloud
Updated at May 28, 2026
  • Setup steps
  • Required paid resources
  • Create a security profile
  • Set up a rule for Tor, proxy, and anonymous networks
  • Set up a rule for VPN traffic
  • Set up a rule based on regions
  • Check the order of executing the rules
  • Test the rules in logging mode
  • Activate the production mode

Smart Web Security allows you to configure request processing rules according to the source of traffic. For example, you can separately process requests from the Tor network, VPNs, anonymous networks, public proxies, or from individual countries.

All this is done with the help of preset Yandex Cloud IP address lists. These lists group IP addresses and networks together based on a particular characteristic, e.g., being Tor or VPN. The service maintains and regularly updates the lists.

This guide describes how to set up common traffic filtering rules based on source.

Setup steps

  1. Create a security profile.
  2. Set up a rule for Tor, proxy, and anonymous networks.
  3. Set up a rule for VPN traffic.
  4. Set up a rule based on regions.
  5. Check the order of executing the rules.
  6. Connect a security profile to the resources.
  7. Test the rules in logging mode.
  8. Activate the production mode.

Required paid resources

  • Fee for the number of requests to Smart Web Security based on plans detailed in Yandex Smart Web Security pricing policy.
  • Fee for the infrastructure of the protected resource depending on its location.

This guide assumes that you already have a configured web resource in your Yandex Cloud infrastructure. If your web resource is located in a different infrastructure, connect it to a proxy server as per Setting up basic protection in Smart Web Security.

Create a security profile

This guide uses a ready-made security profile template.

Management console
  1. In the management console, select the folder the protected resources are in.

  2. Go to Smart Web Security.

  3. In the left-hand panel, select Security profiles.

  4. Click Create profile and select From a preset template.

    A preset profile includes:

    • Basic default rule enabled for all traffic with the Allow action type.
    • Smart Protection rule, sp-rule-1, enabled for all traffic with the Full protection action type.
  5. Enter a name for the profile, e.g., sources-manage.

  6. Enable test mode for the sp-rule-1 Smart Protection rule:

    1. For Action for the default base rule, select Allow.
    2. Click next to sp-rule-1 and select Edit.
    3. Enable Only logging.
    4. Click Save changes.
  7. Under Fine-tuning ML models, do not withdraw your consent to the use of HTTP request info to improve your machine learning models. Otherwise, Smart Web Security will not receive the data it needs to investigate security incidents.

  8. Click Create.

Set up a rule for Tor, proxy, and anonymous networks

Such traffic is identified with the help of the is_tor, is_proxy, and is_anonymous lists.

Management console
  1. Open the security profile you created earlier.
  2. Click Add rule.
  3. Enter a name for the rule, e.g., traffic-sources-rule.
  4. Enable Only logging.
  5. Set a higher priority than the Smart Protection rules, e.g., 9100.
  6. Specify the rule settings:
    • Type: Base.
    • Traffic: On condition.
    • Conditions: IP.
    • Conditions for IP: IP belongs to the list.
  7. For the is_tor list, select Deny.
  8. Create a separate rule or add an additional condition for the is_proxy and is_anonymous lists with the Show CAPTCHA action.
  9. Click Add.

This set of rules helps block traffic from Tor immediately and, separately, check requests from public proxies and anonymous networks via SmartCaptcha.

Set up a rule for VPN traffic

VPN traffic is identified with the help of the is_vpn and is_ml_vpn lists.

You can set separate processing rules for such traffic as per your security policy: allow, block, require CAPTCHA, or apply further restrictions in the ARL profile.

Warning

VPN traffic detection is based on Yandex Cloud IP addresses and does not guarantee complete accuracy. False positives and false negatives are a possibility. Your decision to block VPN traffic should align with your business scenarios, as some of your real users may be using VPN.

Management console
  1. In the security profile, click Add rule.
  2. Enter a name for the rule, e.g., vpn-traffic-rule.
  3. Enable Only logging.
  4. Set the rule's priority so that it is executed in the right order relative to the other list-based rules.
  5. Specify the rule settings:
    • Type: Base.
    • Traffic: On condition.
    • Conditions: IP.
    • Conditions for IP: IP belongs to the list.
  6. Select the list: is_vpn or is_ml_vpn.
  7. Select the VPN traffic action:
    • Allow: If VPN traffic is allowed.
    • Deny: If VPN traffic has to be blocked.
    • Show CAPTCHA: If further verification is required.
  8. Click Add.

To limit the request rate for VPN traffic, create an ARL profile and add to it a rule with conditions for the is_vpn and is_ml_vpn lists.

Set up a rule based on regions

Management console
  1. In the security profile, click Add rule.
  2. Enter a name for the rule, e.g., geo-traffic-rule.
  3. Enable Only logging.
  4. Set a higher priority than the Smart Protection rules but with due consideration for existing list-based rules.
  5. Specify the rule settings:
    • Type: Base.
    • Traffic: On condition.
    • Conditions: IP.
    • IP conditions: IP belongs to region or IP does not belong to region.
  6. Select the countries of interest using the two-letter code, e.g., RU, KZ, BY.
  7. Select an action:
    • Allow: To allow traffic.
    • Deny: To block traffic.
    • Show CAPTCHA: To send requests to SmartCaptcha.
  8. Click Add.

If your service targets only a few countries, it is best to use the IP does not belong to region condition. Then you can explicitly specify allowed regions and restrict the rest of the traffic.

Check the order of executing the rules

Security profile rules are applied on a first-to-trigger basis: the first rule that matches a request determines the action. Therefore, specify the processing order ahead of time:

  • First come the allowing rules for trusted traffic.
  • Then, rules for high-risk sources.
  • Then, rules based on regions.
  • After that, the Smart Protection rules and other general rules.

For more on the order of executing the rules, click here.
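
The first-to-trigger order described above, modelled as an added example (not Yandex Cloud code and not the service's implementation). It assumes a lower priority number is checked first; the rule name proxy-anon-rule, every priority number except 9100, and the sample requests are constructed, and the Smart Protection rule is left out.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    ip: str
    country: str                      # two-letter code, as in the region rule
    lists: frozenset = frozenset()    # preset lists the source IP belongs to

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                     # ASSUMPTION: lower number is checked first
    matches: Callable[[Request], bool]
    action: str                       # "ALLOW", "DENY" or "CAPTCHA"

def in_list(*names):
    return lambda req: bool(req.lists & frozenset(names))

def in_region(*codes):
    return lambda req: req.country in codes

def evaluate(rules, req):
    """First-to-trigger: (rule name, action) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.name, rule.action
    raise ValueError("profile has no default rule")

def profile(geo_priority):
    """Same rules each time; only the region rule's priority varies."""
    return [
        Rule("traffic-sources-rule", 9100, in_list("is_tor"), "DENY"),
        Rule("proxy-anon-rule", 9110, in_list("is_proxy", "is_anonymous"), "CAPTCHA"),
        Rule("geo-traffic-rule", geo_priority, in_region("RU", "KZ", "BY"), "ALLOW"),
        Rule("default", 1_000_000, lambda req: True, "ALLOW"),
    ]

def verdict_changes(before, after, requests):
    """Requests whose action differs between two rule orders."""
    pairs = [(r.ip, evaluate(before, r)[1], evaluate(after, r)[1]) for r in requests]
    return [p for p in pairs if p[1] != p[2]]

# Constructed sample requests (documentation IP ranges, invented list tags).
SAMPLE = [
    Request("192.0.2.10", "RU", frozenset({"is_tor"})),
    Request("198.51.100.20", "KZ", frozenset({"is_proxy"})),
    Request("198.51.100.7", "DE", frozenset({"is_proxy"})),
    Request("203.0.113.5", "DE"),
]
RECOMMENDED = profile(geo_priority=9300)   # region rule after list-based rules
MISORDERED = profile(geo_priority=9000)    # region Allow ahead of them
```

Calling verdict_changes(RECOMMENDED, MISORDERED, SAMPLE) lists the requests that a region Allow rule placed ahead of the list-based rules would let through without the Deny or CAPTCHA action.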

Test the rules in logging mode

Keep the new rules in the Only logging mode for a few days. During this period:

  • Analyze which requests are covered by the rules.
  • Estimate the share of legitimate traffic.
  • Update your lists, regions, and actions.

Use logs and the service's monitoring capabilities for your analysis. For more information, see Configuring logging via Smart Web Security and Monitoring in Smart Web Security.

Activate the production mode

After testing, disable Only logging for the rules. Continue monitoring and updating the rules as needed.

See also

  • Lists
  • Conditions
  • Managing bot traffic
  • Setting up basic protection in Smart Web Security
