Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Architecture and protection of a basic internet service

Written by
Updated at August 31, 2024

This scenario describes how the infrastructure of a basic internet service with multiple VMs is built. Access to VMs will be restricted using security groups. A network load balancer will distribute the load across web app servers.

To create the infrastructure of an internet service:

  1. Reserve two static public IP addresses.
  2. Create VMs for the service in all availability zones.
  3. Create an IPSec instance for remote access.
  4. Configure VPN routing.
  5. Create a route table.
  6. Link the route table to all subnets.
  7. Create and configure security groups.
  8. Assign the security groups to the VMs.
  9. Create a network load balancer.
  10. Test the infrastructure.

If you no longer need the infrastructure, delete the created resources.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Create a virtual network with subnet-a, subnet-b, and subnet-c in the respective availability zones.

The cost of internet service support includes:

Reserve two static public IP addresses

For your internet service to run, you need two static public IP addresses: one to be assigned to the VPN gateway and the other to the network load balancer.

  1. In the management console, select Virtual Private Cloud in the folder where you want to reserve the IP addresses.
  2. Go to the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the ru-central1-b availability zone. Click Reserve address.
  4. Click Reserve address once again.
  5. In the window that opens, select the ru-central1-a availability zone. Click Reserve address.

Create VMs for the service in all availability zones

  1. In the management console, open your folder and click Create resource. Select Virtual machine.
  2. Enter the VM name: web-node-a.
  3. Select an availability zone ru-central1-a.
  4. Under Image/boot disk selection, go to the Cloud Marketplace tab and select the Drupal image.
  5. Under Network settings, select the subnet-a subnet. Under Public address, select No address.
  6. In the Access field, enter the login and SSH key to access the VM.
  7. Click Create VM.
  8. Repeat the steps for VMs named web-node-b and web-node-c. Create them in the ru-central1-b and ru-central1-c availability zones and connect them to subnet-b and subnet-c, respectively.

Create an IPSec instance for remote access

To provide secure access to your resources, create an IPSec instance.

  1. In the management console, open your folder and click Create resource. Select Virtual machine.
  2. Enter the VM name: vpn.
  3. Select an availability zone ru-central1-a.
  4. Under Image/boot disk selection, go to the Cloud Marketplace tab and select an IPSec instance image.
  5. Under Network settings, select the subnet-a subnet. Under Public address, select from a list of reserved IPs.
  6. In the Access field, enter the login and SSH key to access the VM.
  7. Click Create VM.

Configure VPN routing

Configure routing between the remote network and your IPSec instance. In the example, we'll use the subnet 192.168.0.0/24.

Create a route table

Create a route table and add static routes:

  1. In the management console, open the Virtual Private Cloud section in the folder where you want to configure routing.
  2. Select the network to create the route table in.
  3. Open the Route tables tab.
  4. Click Create a routing table.
  5. Enter the route table name: vpn-route.
  6. Click Add route.
  7. In the window that opens, enter the remote site's destination subnet prefix. In this example, this is 192.168.0.0/24.
  8. In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.
  9. Click Create route table.

Link the route table to all subnets

To use static routes, link the route table to a subnet. To do this:

  1. In the management console, select Virtual Private Cloud in the folder where you want to configure routing.
  2. Select the network with the subnets to assign the route table to.
  3. In the line with the desired subnet, click .
  4. In the menu that opens, select Link route table.
  5. In the window that opens, select the created table from the list.
  6. Click Link.
  7. Link the vpn-route route table to all three subnets.

Create and configure security groups

To distribute traffic between network segments, create security groups and set up rules for receiving and sending traffic.

Create a security group for a VPN

For a VPN to work properly, allow traffic to be received and transmitted to UDP ports 500 and 4500 from an external network. This is necessary to use the IPSec tunnel. You should also allow traffic to pass between the subnets of your virtual network and the network on the remote site.

  1. In the management console, select Virtual Private Cloud in the folder where you want to create a security group.
  2. Open the Security groups tab.
  3. Click Create group.
  4. Enter the security group name: vpn-sg.
  5. In the Network field, select the network that the security group will refer to.
  6. Under Rules, create traffic management rules:
    1. Open the Outgoing traffic tab.
    2. Click Add rule.
    3. In the window that opens, set Port to 500.
    4. In the Protocol field, select UDP.
    5. In the Destination field, specify the public address of a remote VPN hub with mask 32.
  7. Click Save.
  8. Click Add rule.
    1. In the window that opens, set Port to 4500.
    2. In the Protocol field, select UDP.
    3. In the Destination field, specify the public address of a remote VPN hub with mask 32.
  9. Click Save.
  10. Set up rules that allow traffic between the web servers and VMs on the remote site. Click Add rule.
    1. In the Port field of the window that opens, click Select the full range.
    2. In the Protocol field, select Any.
    3. In the Destination field, specify the internal network CIDR: 10.0.0.0/8.
    4. Click Add CIDR and specify the remote site CIDR: 192.168.0.0/24.
  11. Create the same rules for incoming traffic.

Create a security group for the internet service VMs

Create a security group named web-service-sg and set up traffic rules.

Rules for outgoing traffic

Allow outgoing connections to other VM instances in the security group:

  • protocol: Any,
  • Type of destination: Security group.
  • destination: Current.

Rules for incoming traffic

Allow the following incoming connections:

  1. HTTP connections from multiple test dummy IP addresses:
    • Protocol: TCP,
    • Port: 80,
    • CIDR: 1.1.1.1/32, 85.32.45.45/32.
  2. HTTPS connections from multiple test dummy IP addresses:
    • Protocol: TCP,
    • Port: 443,
    • CIDR: 1.1.1.1/32, 85.32.45.45/32.
  3. TCP connections for SSH access:
    • Protocol: TCP,
    • Port: 22,
    • CIDR: 0.0.0.0/0.
  4. Connections from other VM instances in the security group:
    • Protocol: Any.
    • Type of destination: Security group.
    • Destination: Current.
  5. Health checks from the network load balancer:
    • Protocol: TCP.
    • Port: 80.
    • Source: Load balancer health checks.

Assign the security groups to the VMs

For the security group rules to take effect, assign the groups to the VM network interfaces.

  1. In the management console, select Compute Cloud.
  2. Select the vpn VM.
  3. Under Network, click and select Edit network interface.
  4. In the window that opens, select the vpn-sg security group.
  5. Click Save.
  6. Repeat the steps and assign the web-service-sg security group to the web-node-a, web-node-b, and web-node-c VMs.

Create a network load balancer

The network load balancer will distribute the internet service's incoming traffic across the VMs in the target group.

To create a network load balancer:

  1. In the management console, select Network Load Balancer in the folder to create the load balancer in.
  2. Click Create load balancer.
  3. Enter the load balancer name: web-service-lb.
  4. In the Public address field, select List and specify a static public address.
  5. Click Add listener under Listeners.
  6. In the window that opens, enter a name for the listener and specify port 80 in the Port and Target port fields. Click Add.
  7. Under Target groups, click Add target group.
  8. In the Target group field, click on the list and then click Create target group.
  9. In the window that opens, enter the target group name: web-tg.
  10. Select the web-node-a, web-node-b, and web-node-c VMs.
  11. Click Create.
  12. Select the created target group from the list.
  13. Click Create.

Test the infrastructure

Test the infrastructure and make sure that traffic to the internet service VMs only comes from the addresses allowed by the rules:

  1. On your computer, run the command: curl <Network load balancer public IP address>. Make sure no response is received.
  2. Create a security group named web-service-test-sg with no rules and assign it to the web-node-a, web-node-b and web-node-c. VMs.
  3. In the web-service-test-sg security group, create the following rule for incoming traffic:
    • Protocol: TCP.
    • port 80,
    • CIDR: <IP address of your computer>/32.
  4. Run the command curl <Network load balancer public IP address> on your computer once again. Make sure the Drupal homepage HTML code is returned in response.
  5. Delete the test security group.

Delete the resources you created

To stop paying for the deployed resources, delete the created VMs and the load balancer:

  • vpn
  • web-node-a
  • web-node-b
  • web-node-c
  • web-service-lb

Release and delete the static public IP addresses you reserved.

Previous
All tutorials
Next
Configuring a fault-tolerant architecture in Yandex Cloud