Basic internet service architecture and protection
In this tutorial, you will set up a basic web service infrastructure consisting of multiple VMs and accessible from the internet. You will use security groups to restrict access to the VMs and a network load balancer to distribute traffic across web servers.
The diagram below shows the scheme of connection to your web service:

Remote site:
- `remote-net`: network including `subnet-1` with CIDR block `10.129.0.0/24`.
- `vm-1`: Ubuntu VM residing in `subnet-1` and used to test your cloud web service.

Note

You can also use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

Cloud site:
- `network`: network including the `subnet-a` (CIDR block `192.168.5.0/24`), `subnet-b` (CIDR block `192.168.15.0/24`), and `subnet-d` (CIDR block `192.168.25.0/24`) subnets.
- `vpn`: IPsec gateway residing in `subnet-a` and providing the IPsec connection that lets the client and the cloud VMs communicate.
- `vpn-route`: route table with a static route directing `subnet-1` traffic through the IPsec gateway to the cloud VMs.
- `web-node-a`, `web-node-b`, and `web-node-d`: Drupal web service VMs residing in `subnet-a`, `subnet-b`, and `subnet-d`, respectively.
- `vpn-sg`: security group managing traffic between `vpn` and the remote site.
- `web-service-sg`: security group managing traffic between `web-node-a`, `web-node-b`, and `web-node-d`.
- `web-service-lb`: load balancer distributing incoming traffic across `web-node-a`, `web-node-b`, and `web-node-d`.
To create the web service infrastructure:
1. Get your cloud ready.
2. Set up your remote site.
3. Set up your cloud site.
4. Set up your cloud VMs.
5. Configure VPN routing.
6. Create a network load balancer.
7. Test the solution.

If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page.

Learn more about clouds and folders.
Required paid resources
The cost of the web service infrastructure support includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for public static IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Set up your remote site
In this step, you will set up your remote site infrastructure, including a network, a subnet, and a VM you will use to access the web service.
Note
You can use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.
If you are going to use your PC as the remote site, you can skip this section and go to Set up your cloud site.
Create a network with a subnet
1. Create the `remote-net` network with the Create subnets option disabled.
2. Create a subnet with the following settings:
   - Name: `subnet-1`
   - Zone: `ru-central1-b`
   - Network: `remote-net`
   - CIDR: `10.129.0.0/24`
Create a test VM
Create a VM you will use to test whether your web service is accessible from the internet.
1. In the management console, select the folder where you want to create your VM.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, select the Ubuntu 22.04 LTS OS Login image.
6. Under Location, select the `ru-central1-b` availability zone.
7. Under Network settings:
   - In the Subnet field, select `subnet-1`.
   - In the Public IP address field, select `Auto`.
8. Under Access, select Access by OS Login to access your VM using Yandex Cloud Organization OS Login.
   With OS Login, you can connect to VMs with SSH keys and certificates via a standard SSH client or the YC CLI. You can also rotate SSH keys, which improves security.
9. Under General information, specify the VM name: `vm-1`.
10. Click Create VM.
11. Get the new VM public IP address:
    1. Once the `vm-1` status changes to `Running`, click its name.
    2. In the VM overview page that opens, copy Public IPv4 address under Network interface.
    Save the copied IP address as you will need it later when creating a security group.
Set up your cloud site
Set up a cloud network
1. In the management console, navigate to the folder where you want to create your infrastructure.
2. In the list of services, select Virtual Private Cloud.
3. Create a cloud network named `network` with the Create subnets option disabled.
4. In `network`, create subnets with the following settings:
   - Subnet hosting `web-node-a` and the `vpn` IPsec gateway:
     - Name: `subnet-a`
     - Zone: `ru-central1-a`
     - Network: `network`
     - CIDR: `192.168.5.0/24`
   - Subnet hosting `web-node-b`:
     - Name: `subnet-b`
     - Zone: `ru-central1-b`
     - Network: `network`
     - CIDR: `192.168.15.0/24`
   - Subnet hosting `web-node-d`:
     - Name: `subnet-d`
     - Zone: `ru-central1-d`
     - Network: `network`
     - CIDR: `192.168.25.0/24`
Reserve two public IP addresses
You will need two static public IP addresses: one for your VPN gateway and another for the network load balancer.
1. In the management console, navigate to the folder where you will reserve your IP addresses.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select IP addresses.
4. Click Reserve address.
5. In the window that opens, select the `ru-central1-a` availability zone and click Reserve.
6. Repeat steps 4 to 5 and reserve the second IP address in the `ru-central1-b` availability zone.
Create and configure security groups
To isolate traffic between network segments, create security groups with rules for inbound and outbound traffic.
Create the VPN gateway security group
You need to allow inbound and outbound internet traffic on UDP ports `500` (IKE) and `4500` (IPsec NAT traversal), which the IPsec VPN uses. You also need to allow traffic between your remote site and your cloud network.
1. In the management console, navigate to the folder where you want to create the security group.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Security groups.
4. Click Create security group.
5. Specify the security group name: `vpn-sg`.
6. In the Network field, select `network`.
7. Under Rules, create rules from the table below:

   | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
   |---|---|---|---|---|---|
   | Inbound | `udp500` | `500` | `UDP` | `CIDR` | `<remote_VM_public_IP_address>/32` |
   | Inbound | `udp4500` | `4500` | `UDP` | `CIDR` | `<remote_VM_public_IP_address>/32` |
   | Inbound | `internal` | `0-65535` | `Any` | `CIDR` | `192.168.5.0/24`, `192.168.15.0/24`, `192.168.25.0/24`, `10.129.0.0/24`¹ |
   | Outbound | `udp500` | `500` | `UDP` | `CIDR` | `<remote_VM_public_IP_address>/32` |
   | Outbound | `udp4500` | `4500` | `UDP` | `CIDR` | `<remote_VM_public_IP_address>/32` |
   | Outbound | `intersubnet` | `0-65535` | `Any` | `CIDR` | `192.168.5.0/24`, `192.168.15.0/24`, `192.168.25.0/24`, `10.129.0.0/24`¹ |

   ¹ Specify your home subnet CIDR if you use your PC as the remote site.

8. Click Create.
Create a security group for your web service VMs
1. In the management console, navigate to the folder where you want to create the security group.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Security groups.
4. Click Create security group.
5. Specify the security group name: `web-service-sg`.
6. In the Network field, select `network`.
7. Under Rules, create rules from the table below:

   | Traffic direction | Description | Port range | Protocol | Source / Destination name | CIDR blocks / Security group |
   |---|---|---|---|---|---|
   | Inbound | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0` |
   | Inbound | `anyself` | `0-65535` | `Any` | `Security group` | `Current` |
   | Inbound | `healthchecks` | `80` | `TCP` | `Load balancer healthchecks` | — |
   | Outbound | `self` | `0-65535` | `Any` | `Security group` | `Current` |

8. Click Create.
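To see what the two rule tables actually admit before you create them, here is an added example (not Yandex Cloud code or its API) that models security groups the way this tutorial relies on them: every rule is an allow rule, anything that matches no rule is dropped, and the `Security group: Current` and `Load balancer healthchecks` sources are symbolic peer attributes rather than CIDRs. The rule sets are transcribed from the `vpn-sg` and `web-service-sg` tables above; `REMOTE_VM_PUBLIC_IP` is a constructed documentation address standing in for `<remote_VM_public_IP_address>`, and `web_service_sg(external_http=True)` adds the two rules from the test step at the end of this tutorial.

```python
"""Allow-list evaluation for vpn-sg and web-service-sg (added example, not Yandex Cloud code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed stand-in for <remote_VM_public_IP_address> (RFC 5737 documentation range).
REMOTE_VM_PUBLIC_IP = "203.0.113.10"
CLOUD_AND_REMOTE_CIDRS = ("192.168.5.0/24", "192.168.15.0/24",
                          "192.168.25.0/24", "10.129.0.0/24")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str               # "in" or "out"
    description: str             # rule name as in the tables above
    ports: tuple                 # inclusive (low, high) port range
    protocol: str                # "tcp", "udp" or "any"
    cidrs: tuple = ()            # CIDR blocks the peer must fall into
    self_group: bool = False     # source/destination "Security group: Current"
    healthcheck: bool = False    # source "Load balancer healthchecks"


@dataclass(frozen=True)
class Flow:
    direction: str               # "in": peer -> VM, "out": VM -> peer
    peer_ip: str                 # the remote end of the connection
    port: int                    # destination port of the connection
    protocol: str
    peer_in_group: bool = False  # peer is another member of this security group
    from_healthcheck: bool = False  # peer is the load balancer health checker


def _cidr_match(ip: str, cidrs: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)  # False for an empty list


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    low, high = rule.ports
    if not low <= flow.port <= high:
        return False
    if rule.self_group and flow.peer_in_group:
        return True
    if rule.healthcheck and flow.from_healthcheck:
        return True
    return _cidr_match(flow.peer_ip, rule.cidrs)


def allowed(rules: Sequence[Rule], flow: Flow) -> Optional[str]:
    """Return the description of the first allow rule that matches, or None (dropped)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.description
    return None


def vpn_sg() -> list:
    """The vpn-sg table."""
    peer = (REMOTE_VM_PUBLIC_IP + "/32",)
    return [
        Rule("in", "udp500", (500, 500), "udp", peer),
        Rule("in", "udp4500", (4500, 4500), "udp", peer),
        Rule("in", "internal", ANY_PORT, "any", CLOUD_AND_REMOTE_CIDRS),
        Rule("out", "udp500", (500, 500), "udp", peer),
        Rule("out", "udp4500", (4500, 4500), "udp", peer),
        Rule("out", "intersubnet", ANY_PORT, "any", CLOUD_AND_REMOTE_CIDRS),
    ]


def web_service_sg(external_http: bool = False) -> list:
    """The web-service-sg table; external_http adds the two rules from the test step."""
    rules = [
        Rule("in", "ssh", (22, 22), "tcp", ("0.0.0.0/0",)),
        Rule("in", "anyself", ANY_PORT, "any", self_group=True),
        Rule("in", "healthchecks", (80, 80), "tcp", healthcheck=True),
        Rule("out", "self", ANY_PORT, "any", self_group=True),
    ]
    if external_http:
        peer = (REMOTE_VM_PUBLIC_IP + "/32",)
        rules += [Rule("in", "http-external-vm", (80, 80), "tcp", peer),
                  Rule("in", "https-external-vm", (443, 443), "tcp", peer)]
    return rules


if __name__ == "__main__":
    checks = [
        ("vpn-sg", vpn_sg(), Flow("in", REMOTE_VM_PUBLIC_IP, 500, "udp")),
        ("vpn-sg", vpn_sg(), Flow("in", "198.51.100.7", 500, "udp")),
        ("web-service-sg", web_service_sg(), Flow("in", REMOTE_VM_PUBLIC_IP, 80, "tcp")),
        ("web-service-sg", web_service_sg(True), Flow("in", REMOTE_VM_PUBLIC_IP, 80, "tcp")),
        ("web-service-sg", web_service_sg(), Flow("in", "10.129.0.10", 22, "tcp")),
    ]
    for name, rules, flow in checks:
        print(f"{name}: {flow.direction} {flow.protocol}/{flow.port} from {flow.peer_ip}: "
              f"{allowed(rules, flow) or 'DROPPED'}")
```

Two things the evaluator makes visible: the `ssh` rule's `0.0.0.0/0` matches any address, so the remote site can reach port 22 on the web nodes over the VPN even though they have no public IP, while HTTP from the remote site is dropped until the `http-external-vm` rule exists; and because the load balancer hands the client's own source address to the targets, that rule has to name the remote VM's public IP, not the load balancer's. The evaluator only tests the direction that opens a connection; return packets of an admitted connection are assumed to pass without their own rule, as with stateful cloud security groups.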
Set up your cloud VMs
Create web service VMs in all availability zones
1. In the management console, select the folder where you want to create your VMs.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, navigate to the Marketplace tab and select the Drupal 10 image.
6. Under Location, select the `ru-central1-a` availability zone.
7. Under Network settings:
   - Select `subnet-a`.
   - In the Public IP address field, select `No address`.
   - Select the `web-service-sg` security group.
8. Under Access:
   - Select the SSH key connection option.
   - In the Login field, specify the user name.

     Alert

     Do not use `root` or other reserved usernames. To perform operations requiring root privileges, use the `sudo` command.
   - In the SSH key field, select the SSH key saved in your organization user profile.
     If there are no SSH keys in your profile, or you want to add a new key:
     1. Click Add key.
     2. Specify the SSH key name.
     3. Create an SSH key pair and upload or paste the public key contents into the appropriate field.
     4. Select the key expiration date.
     5. Click Add.
     The system will add the SSH key to your organization user profile.
     If, due to restrictions, you cannot add SSH keys to your organization user profile, the system will save the key to the new VM user profile.
9. Under General information, specify the VM name: `web-node-a`.
10. Click Create VM.
11. Repeat steps 4 to 10 and create the `web-node-b` and `web-node-d` VMs in the `ru-central1-b` and `ru-central1-d` availability zones and the `subnet-b` and `subnet-d` subnets, respectively.
Create an IPSec remote access gateway
Create an IPSec VPN gateway to provide secure access to your cloud resources.
1. In the management console, navigate to the folder where you want to create your VM.
2. In the list of services, select Compute Cloud.
3. In the left-hand panel, select Virtual machines.
4. Click Create virtual machine.
5. Under Boot disk image, navigate to the Marketplace tab and select the IPSec instance image.
6. Under Location, select the `ru-central1-a` availability zone.
7. Under Network settings:
   - Select `subnet-a`.
   - In the Public IP address field, select `List` and then select the previously reserved IP address from the list that opens.
   - Select the `vpn-sg` security group.
8. Under Access, select SSH key, and specify the VM access credentials:
   - Under Login, specify a username. Do not use `root` or other reserved usernames. To perform operations requiring root privileges, use the `sudo` command.
   - In the SSH key field, select the SSH key saved in your organization user profile.
     If there are no saved SSH keys in your profile, or you want to add a new key:
     1. Click Add key.
     2. Enter a name for the SSH key.
     3. Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
     4. Click Add.
     The SSH key will be added to your organization user profile.
     If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
9. Under General information, specify the VM name: `vpn`.
10. Click Create VM.
11. Once the `vpn` VM status changes to `Running`, click its name and, in the VM overview page that opens, copy Internal IPv4 under Network interface. Save the copied IP address as you will need it when configuring VPN routing.
Configure VPN routing
Configure routing between your remote site and IPSec VPN gateway.
Create a route table
Create a route table and add static routes:
1. In the management console, navigate to your cloud network folder.
2. In the list of services, select Virtual Private Cloud.
3. Select `network`.
4. In the left-hand panel, select Routing tables.
5. Click Create routing table.
6. Specify the route table name: `vpn-route`.
7. Under Static routes, click Add.
8. In the window that opens:
   - In the Destination prefix field, specify `10.129.0.0/24`. If you use a local PC as your remote site, specify your home subnet CIDR.
   - In the Next hop field, specify the IPSec gateway internal IP address you saved previously.
   - Click Add.
9. Click Create routing table.
Link the route table to all subnets
To make static routes available in your cloud network, link the route table to all its subnets.
1. In the management console, navigate to your cloud network folder.
2. In the list of services, select Virtual Private Cloud.
3. In the left-hand panel, select Subnets.
4. Click the menu icon next to `subnet-a` and select Link routing table.
5. In the window that opens, select the `vpn-route` table in the Route table field.
6. Click Link.
7. Repeat steps 4 to 6 to link the `vpn-route` route table to `subnet-b` and `subnet-d`.
Create a network load balancer
The network load balancer will distribute incoming traffic across your web service VMs.
To create a network load balancer:
1. In the management console, navigate to the folder where you want to create the load balancer.
2. In the list of services, select Network Load Balancer.
3. Click Create a network load balancer.
4. Specify the load balancer name: `web-service-lb`.
5. In the Public address field, select `List` and then select the previously reserved public IP address from the list that opens.
6. Under Listeners, click Add listener. In the window that opens:
   - Specify the listener name: `web-service-lb-listener`.
   - In the Port field, specify `80`.
   - In the Target port field, specify `80`.
   - Click Add.
7. Under Target groups, click Add target group.
8. In the Target group field, select Create target group. In the window that opens:
   - Specify the target group name: `web-tg`.
   - Select the `web-node-a`, `web-node-b`, and `web-node-d` VMs.
   - Click Create.
9. Select the new `web-tg` target group.
10. In the selected target group section:
    - Click Configure.
    - In the window that opens, select `TCP` in the Type field and click Apply.
11. Click Create.
Test the solution
Check that your infrastructure works and your web service VMs do not receive any external traffic:
1. Run the following command on your remote site VM:

   ```bash
   curl <public_IP_address_of_network_load_balancer>
   ```

   You should get no response because the system blocks traffic to your Drupal web service.
2. Add two new inbound traffic rules to the `web-service-sg` security group:

   | Description | Port range | Protocol | Source / Destination name | CIDR blocks |
   |---|---|---|---|---|
   | `http-external-vm` | `80` | `TCP` | `CIDR` | `<remote_VM_public_IP_address>/32` |
   | `https-external-vm` | `443` | `TCP` | `CIDR` | `<remote_VM_public_IP_address>/32` |

   These rules allow access to the network load balancer's target group instances from your remote VM public IP address.
3. Run this command on your remote VM again:

   ```bash
   curl <public_IP_address_of_network_load_balancer>
   ```

   You should see the Drupal homepage HTML code, which means the system successfully applied the rules allowing access from your remote VM.
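"No response" in step 1 means something specific: when no security group rule admits the traffic, the packets are dropped rather than rejected, so the TCP handshake never completes and `curl` simply waits until it times out. A connection that is reset immediately would mean the packets got through but nothing answered on the target port, which points at the listener or target group rather than the security group. The following added example (not part of the tutorial) is a small probe that tells these outcomes apart and is meant to be run from the remote VM as `python3 probe.py <public_IP_address_of_network_load_balancer>`; it assumes the drop behaviour just described, and the built-in local server is a constructed stand-in used only so the probe can be demonstrated offline.

```python
"""Connectivity probe for the test step: filtered vs. refused vs. open (added example)."""
import http.client
import http.server
import socket
import sys
import threading


def probe_http(host: str, port: int = 80, timeout: float = 5.0, path: str = "/") -> dict:
    """Connect, then GET path. 'state' is one of 'no-response' (handshake never
    completed: filtered by a security group), 'refused' (host answered with a
    reset: reachable but nothing listening), 'open' (HTTP answered; 'status' and
    'drupal' are filled in) or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except socket.timeout:
        return {"state": "no-response", "detail": f"no SYN-ACK within {timeout}s"}
    except ConnectionRefusedError:
        return {"state": "refused", "detail": "connection reset by the host"}
    except OSError as exc:
        return {"state": "error", "detail": str(exc)}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536)
        return {"state": "open", "status": resp.status, "drupal": b"drupal" in body.lower()}
    except (OSError, http.client.HTTPException) as exc:
        return {"state": "error", "detail": str(exc)}
    finally:
        conn.close()


def explain(result: dict) -> str:
    """One-line reading of a probe result in terms of the tutorial's security groups."""
    state = result["state"]
    if state == "no-response":
        return "filtered: no inbound rule admits this traffic, the security group dropped it"
    if state == "refused":
        return "reachable but closed: the packets got through, check the listener and target port"
    if state == "open":
        note = ", Drupal page detected" if result.get("drupal") else ""
        return f"open: HTTP {result['status']}{note}"
    return "error: " + result.get("detail", "unknown")


class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Drupal node, used only for the local demonstration."""
    body = b"<html><head><meta name=\"Generator\" content=\"Drupal\"></head></html>"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def local_demo_server():
    """Start the constructed local HTTP server on an ephemeral port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(explain(probe_http(sys.argv[1])))
    else:
        server, port = local_demo_server()
        print("no address given, probing the local demo server instead")
        print(explain(probe_http("127.0.0.1", port)))
        server.shutdown()
```

Run it before and after adding the two rules: the first run should report `filtered`, the second `open: HTTP 200, Drupal page detected`. A `refused` result at either point means the security group is not what is blocking you.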
How to delete the resources you created
To stop paying for the resources you created:
- Delete the VMs.
- Delete the network load balancer.
- Delete the static public IP addresses you reserved.
- You can also delete the route table, security groups, subnets, and networks.