Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Basic internet service architecture and protection

Written by
Updated at February 27, 2025

In this tutorial, you will set up a basic web service infrastructure consisting of multiple VMs and accessible from the internet. You will use security groups to restrict access to the VMs and a network load balancer to distribute traffic across web servers.

The diagram below shows the scheme of connection to your web service:

Remote site:

  • remote-net network including subnet-1 with CIDR block 10.129.0.0/24.
  • vm-1 Ubuntu VM residing in subnet-1 and used to test your cloud web service.

Note

You can also use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

Cloud site:

  • network including subnets: subnet-a with CIDR block 192.168.5.0/24, subnet-b with CIDR block 192.168.15.0/24, and subnet-d with CIDR block 192.168.25.0/24.
  • vpn IPsec gateway residing in subnet-a and providing IPsec connection allowing client and cloud VMs communication.
  • Route table containing static vpn-route directing subnet-1 traffic through the IPsec gateway to the cloud VMs.
  • web-node-a, web-node-b, and web-node-d Drupal web service VMs residing in subnet-a, subnet-b, and subnet-d, respectively.
  • vpn-sg security group managing traffic between vpn and the remote site and web-service-sg security group managing traffic between web-node-a, web-node-b, and web-node-d.
  • web-service-lb load balancer distributing incoming traffic across web-node-a, web-node-b, and web-node-d.

To create the web service infrastructure:

  1. Get your cloud ready.
  2. Set up your remote site.
  3. Set up your cloud site.
  4. Test the solution.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of the web service infrastructure support includes:

Set up your remote site

In this step, you will set up your remote site infrastructure, including a network, a subnet, and a VM you will use to access the web service.

Note

You can use your PC as the remote site. To do this, you need to know your public IP address and your subnet CIDR.

If you are going to use your PC as the remote site, you can skip this section and go to Set up your cloud site.

Create a network with a subnet

  1. Create the remote-net network with the Create subnets option disabled.

  2. Create a subnet with the following settings:

    • Name: subnet-1
    • Zone: ru-central1-b
    • Network: remote-net
    • CIDR: 10.129.0.0/24

Create a test VM

Create a VM you will use to test whether your web service is accessible from the internet.

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select the Ubuntu 22.04 LTS OS Login image.

  6. Under Location, select the ru-central1-b availability zone.

  7. Under Network settings:

    • In the Subnet field, select subnet-1.
    • In the Public IP address field, select Auto.

  8. Under Access, select Access by OS Login to access your VM using Yandex Cloud Organization OS Login.

    With OS Login, you can connect to VMs with SSH keys and certificates via a standard SSH client or YC CLI. You can also rotate SSH keys ensuring better security.

  9. Under General information, specify the VM name: vm-1.

  10. Click Create VM.

  11. Get the new VM public IP address:

    1. Once the vm-1 status changes to Running, click its name.

    2. In the VM overview page that opens, copy Public IPv4 address under Network interface.

      Save the copied IP address as you will need it later when creating a security group.

Set up your cloud site

Set up a cloud network

  1. In the management console, navigate to the folder where you want to create your infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. Create a cloud network named network with the Create subnets option disabled.

  4. In network, create subnets with the following settings:

    1. Subnet hosting web-node-a and the vpnIPSec gateway:

      • Name: subnet-a
      • Zone: ru-central1-a
      • Network: network
      • CIDR: 192.168.5.0/24

    2. Subnet hosting web-node-b:

      • Name: subnet-b
      • Zone: ru-central1-b
      • Network: network
      • CIDR: 192.168.15.0/24

    3. Subnet hosting web-node-d:

      • Name: subnet-d
      • Zone: ru-central1-d
      • Network: network
      • CIDR: 192.168.25.0/24

Reserve two public IP addresses

You will need two static public IP addresses: one for your VPN gateway and another for the network load balancer.

  1. In the management console, navigate to the folder where you will reserve your IP addresses.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-a availability zone and click ** Reserve**.
  6. Repeat steps 4 to 5 and reserve the second IP address in the ru-central1-b availability zone.

Create and configure security groups

To isolate traffic between network segments, create security groups with rules for inbound and outbound traffic.

Create the VPN gateway security group

You need to allow inbound and outbound internet traffic on UDP ports 500 and 4500 used by the IPsec VPN. You also need to allow traffic between your remote site and your cloud network.

  1. In the management console, navigate to the folder where you want to create the security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: vpn-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    Inbound

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Inbound

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Inbound

    internal

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    Outbound

    udp500

    500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outbound

    udp4500

    4500

    UDP

    CIDR

    <remote_VM_public_IP_address>/32

    Outbound

    intersubnet

    0-65535

    Any

    CIDR

    • 192.168.5.0/24
    • 192.168.15.0/24
    • 192.168.25.0/24
    • 10.129.0.0/24 1

    1 Specify your home subnet CIDR if you use your PC as the remote site.

  8. Click Create.

Create a security group for your web service VMs

  1. In the management console, navigate to the folder where you want to create the security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: web-service-sg.

  6. In the Network field, select network.

  7. Under Rules, create rules from the table below:

    Traffic
    direction

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks /
    Security group

    Inbound

    ssh

    22

    TCP

    CIDR

    0.0.0.0/0

    Inbound

    anyself

    0-65535

    Any

    Security group

    Current

    Inbound

    healthchecks

    80

    TCP

    Load balancer healthchecks

    Outbound

    self

    0-65535

    Any

    Security group

    Current

  8. Click Create.

Set up your cloud VMs

Create web service VMs in all availability zones

  1. In the management console, select the folder where you want to create your VMs.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, navigate to the Marketplace tab and select the Drupal 10 image.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select No address.
    • Select the web-service-sg security group.

  8. Under Access:

    • Select the SSH key connection option.

    • In the Login field, specify the user name.

      Alert

      Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Specify the SSH key name.
      • Create an SSH key pair and upload or paste its contents into the appropriate field.
      • Select the key expiration date.
      • Click Add.

      The system will add the SSH key to your organization user profile.

      If, due to restrictions, you cannot add SSH keys to your organization user profile, the system will save it to the new VM user profile.

  9. Under General information, specify the VM name: web-node-a.

  10. Click Create VM.

  11. Repeat steps 4 to 10 and create the web-node-b and web-node-d VMs in the ru-central1-b and ru-central1-d availability zones and subnet-b and subnet-d subnets, respectively.

Create an IPSec remote access gateway

Create an IPSec VPN gateway to provide secure access to your cloud resources.

  1. In the management console, navigate to the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, navigate to the Marketplace tab and select the IPSec instance image.

  6. Under Location, select the ru-central1-a availability zone.

  7. Under Network settings:

    • Select subnet-a.
    • In the Public IP address field, select List and then select the previously reserved IP address from the list that opens.
    • Select the vpn-sg security group.

  8. Under Access, select SSH key, and specify the VM access credentials:

    • Under Login, specify a username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: vpn.

  10. Click Create VM.

  11. Once the vpn VM status changes to Running, click its name and in the VM overview page that opens, copy Internal IPv4 under Network interface.

    Save the copied IP address as you will need it when configuring VPN routing.

Configure VPN routing

Configure routing between your remote site and IPSec VPN gateway.

Create a route table

Create a route table and add static routes:

  1. In the management console, navigate to your cloud network folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Select network.
  4. In the left-hand panel, select Routing tables.
  5. Click Create routing table.
  6. Specify the route table name: vpn-route.
  7. Under Static routes, click Add.
  8. In the window that opens:

    • In the Destination prefix field, specify 10.129.0.0/24.

      If you use a local PC as your remote site, specify your home subnet CIDR.

    • In the Next hop field, specify the IPSec gateway internal IP address you saved previously.

    • Click Add.

  9. Click Create routing table.

Link the route table to all subnets

To make static routes available in your cloud network, link the route table to all its subnets.

  1. In the management console, navigate to your cloud network folder.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select Subnets.
  4. Click next to subnet-a and select Link routing table.
  5. In the window that opens, select the vpn-route table in the Route table field.
  6. Click Link.
  7. Repeat steps 4 to 6 to link the vpn-route route table to subnet-b and subnet-d.

Create a network load balancer

The network load balancer will distribute incoming traffic across your web service VMs.

To create a network load balancer:

  1. In the management console, navigate to the folder where you want to create the load balancer.

  2. In the list of services, select Network Load Balancer.

  3. Click Create a network load balancer.

  4. Specify the load balancer name: web-service-lb.

  5. In the Public address field, select List and then select the previously reserved public IP address from the list that opens.

  6. Under Listeners, click Add listener. In the window that opens:

    1. Specify the listener name: web-service-lb-listener.
    2. In the Port field, specify 80.
    3. In the Target port field, specify 80.
    4. Click Add.

  7. Under Target groups, click Add target group.

    1. In the Target group field, select Create target group. In the window that opens:

      1. Specify the target group name: web-tg.
      2. Select the web-node-a, web-node-b, and web-node-d VMs.
      3. Click Create.

    2. Select the new web-tg target group.

  8. In the selected target group section:

    1. Click Configure.
    2. In the window that opens, select TCP in the Type field and click Apply.

  9. Click Create.

Test the solution

Check that your infrastructure works and your web service VMs do not receive any external traffic:

  1. Run the following command on your remote site VM:

    curl <public_IP_address_of_network_load_balancer>

    You should get no response because the system blocks traffic to your Drupal web service.

  2. Add two new inbound traffic rules to the web-service-sg security group:

    Description

    Port range

    Protocol

    Source /
    Destination name

    CIDR blocks

    http-external-vm

    80

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    https-external-vm

    443

    TCP

    CIDR

    <remote_VM_public_IP_address>/32

    These rules allow access to the network load balancer’s target group instances from your remote VM public IP address.

  3. Run this command on your remote VM again:

    curl <public_IP_address_of_network_load_balancer>

    You should see the Drupal homepage HTML code, which means the system successfully applied the rules allowing access from your remote VM.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VMs.
  2. Delete the network load balancer.
  3. Delete the static public IP addresses you reserved.
  4. You can also delete the route table, security groups, subnets, and networks.
Previous
All tutorials
Next
Configuring a fault-tolerant architecture in Yandex Cloud