Centralized online publication and protection against DDoS attacks of applications hosted in different Yandex Cloud folders
This tutorial describes a use case involving multiple independent teams managing Yandex Cloud resources. The services and apps developed by these teams are published on the internet. Yandex Cloud uses folders to separate resources, ensuring that each team can only access its designated folder. Moreover, the information security (IS) regulations prohibit teams from directly publishing their folder resources to the internet.
To implement this approach, you can use such Yandex Cloud services as Yandex Application Load Balancer (ALB) and Yandex Smart Web Security (SWS).
Application Load Balancer enables you to create OSI
Smart Web Security protects your resources against L7 DDoS attacks and bots. You can additionally connect a WAF and limit the load on your resource using the Advanced Rate Limiter (ARL) module. To configure parameters for protecting your resources, you will need a Smart Web Security profile, which you then connect to the L7 load balancer.
To set up such a workflow, you need to do the following:
- Set up centralized online publication of services by using an L7 load balancer.
- Scan inbound traffic for information security threats by using Smart Web Security.
- Restrict team access to L7 load balancers and security profiles by placing L7 load balancers in a separate folder. Access to this folder must be restricted to a limited number of authorized personnel, e.g., IS employees.
- Establish network communication between L7 load balancers and team targets in different folders through Multi-folder VPC. L7 load balancers and team resources must reside in different subnets of the same VPC network.
Yandex Cloud resource placement chart
The chart displays the following resources:
- ALB: L7 load balancers created in Application Load Balancer and used to publish services online.
- SWS: Smart Web Security to implement protection at the application layer (L7).
- IS folder: ALB L7 load balancer folder accessible only to IS employees.
- VPC: Cloud network hosting ALB and team subnets.
- alb-subnet-a, alb-subnet-b, and alb-subnet-d: Subnets with ALB nodes.
- subnet-team-1 and subnet-team-2: Subnets with team resources.
- Team folders: Folders containing team targets, e.g., virtual machines (VMs), databases, NLB L3-L4 load balancers, and more.
This tutorial assumes that you have already created targets for your services and placed them in different folders.
Therefore, consider the following:
- Requirements and best practices for further resource configuration.
- Configuring security and online publication for your services.
Requirements and best practices for resource configuration
Network
- For network connectivity between L7 load balancers and team targets, use Multi-folder VPC to extend the scope of your VPC network from a single folder to multiple folders.
- Use security groups to manage network access across resources of different teams:
  - Target security groups should allow inbound traffic from L7 load balancer subnets.
  - L7 load balancer security groups should allow inbound traffic to target subnets.
  For best practices for setting up security groups, see Security groups.
L7 load balancers
- Place all L7 load balancers in a single folder accessible exclusively to IS employees.
- Optionally, enable L3-L4 DDoS protection. Proceed as follows:
  - Reserve a public static IP address with DDoS protection and use it for the L7 load balancer's listener.
  - Configure a trigger threshold for the L3-L4 protection mechanisms, aligned with the amount of legitimate traffic to your services.
  - Set the MTU to 1450 on your targets.
- You cannot use different public IP addresses for the listeners of a single L7 load balancer.
- Use different ports for the listeners of a single L7 load balancer. For HTTPS, you can use SNI listeners with the same port. For the maximum number of SNI listeners, see the relevant limits.
- Optionally, to ensure fault tolerance, place L7 load balancers across various availability zones.
- Consider subnet sizes for L7 load balancer nodes.
- Set the minimum number of resource units for the L7 load balancer in each zone based on autoscaling policies. The expected load on your services dictates the number of resource units, considering these parameters:
  - Number of requests per second (RPS)
  - Number of concurrent active connections
  - Number of new connections per second
  - Traffic processed per second
- In case of high load on the L7 load balancer, consider its limits. If you cannot scale the service using resources within a single load balancer, distribute it across multiple L7 load balancers.
- Assign a dedicated L7 load balancer to each service under high load.
- When publishing multiple services through a single ALB L7 load balancer, consider the relevant SLA.
- Note that external requests to web servers will originate from IP addresses within the internal IP range of the L7 load balancer subnets. IP addresses of request sources (users) will be included in the X-Forwarded-For (XFF) HTTP header. Therefore, to log user IP addresses from XFF on the target web servers, you may need to update the web server configuration.
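For the last point, a target web server should take the user address from XFF only when its TCP peer is an L7 load balancer node; a client that reaches the server any other way could otherwise forge the header. The following is an added example, not code from the tutorial or from Yandex Cloud; the three CIDRs are assumed placeholders for alb-subnet-a, alb-subnet-b and alb-subnet-d.

```python
import ipaddress
from typing import Optional

# Assumed placeholders (not from the tutorial) for the CIDRs of alb-subnet-a,
# alb-subnet-b and alb-subnet-d, where the L7 load balancer nodes live. Only a
# TCP peer inside these subnets is allowed to speak for the user via XFF.
ALB_SUBNETS = [
    ipaddress.ip_network("10.128.0.0/24"),
    ipaddress.ip_network("10.129.0.0/24"),
    ipaddress.ip_network("10.130.0.0/24"),
]


def is_trusted_hop(addr: str, trusted=ALB_SUBNETS) -> bool:
    """True if addr parses and lies inside one of the trusted proxy subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, xff_header: Optional[str], trusted=ALB_SUBNETS) -> str:
    """Return the address to log as the request source.

    peer_addr is the TCP peer of the web server. When it is an L7 load balancer
    node, the user address is in X-Forwarded-For (XFF). XFF is a comma-separated
    list to which each proxy appends the address it saw, so it is walked from
    the right: trusted hops are skipped and the first untrusted address is the
    user. Anything further left was supplied by the client and is ignored.
    """
    if not is_trusted_hop(peer_addr, trusted):
        # Direct connection bypassing the load balancer: XFF may be forged.
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        if not is_trusted_hop(hop, trusted):
            return hop
    # Empty or entirely trusted XFF: fall back to the peer address.
    return peer_addr
```

In nginx the same policy is expressed with the ngx_http_realip_module directives set_real_ip_from (one per ALB subnet), real_ip_header X-Forwarded-For and real_ip_recursive on.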
Targets
- In the L7 load balancer target group, provide the IP addresses of the services from team folders that you want to make available on the internet.
- These IP addresses must be within the RFC 1918 private ranges.
- If the target internal IP address changes, manually update the L7 load balancer's target group configuration.
Configuring secure online publication for your services
To configure secure online publication for your services:
- Create an IS folder.
- Grant access to the folder only to IS employees.
- Set up network connectivity between resources from different folders.
- Configure security groups by following these best practices.
- Reserve a public IP address and enable L3-L4 DDoS protection.
- Create a security profile.
- If using HTTPS, add a TLS certificate to Certificate Manager.
- Create an L7 load balancer.
- Test the L7 load balancer.
The chart below shows the L7 load balancer resources you will create and configure in this use case.
Creating a security profile
- In the management console, select the IS folder.
- From the list of services, select Smart Web Security.
- Click Create profile.
- Select From a preset template.
- Enter sws-ddos for the profile name.
- In the Action for the default base rule field, select Allow.
- Under Security rules, next to the sp-rule-1 rule, click the icon and select Edit.
- Enable Only logging (dry run).
  This option is used for profile testing. In logging mode, traffic will not get blocked, and users will not be disconnected from your service because of a misconfigured profile. Review the profile performance and customize the rules to meet your service's requirements.
- Click Save changes.
- Click Create.
For other ways to create a security profile, see Authentication in Container Registry.
Creating an L7 load balancer
- In the management console, select the IS folder.
- From the list of services, select Application Load Balancer.
- Click Create L7 load balancer and select Wizard.
Configuring a target group
Your application backends are deployed on the VM instances of the target group. The target group is connected to the load balancer so that requests can be sent to the backend endpoints of your application.
- Enter the target group name: test-target-group.
- Provide the internal IP address of your target, which is either your service's internal NLB listener address or the VM address.
- Select the subnet hosting your service resources. To select a subnet, you need the vpc.user role for the folder containing the subnet.
- Configure other targets. To do this, click Add target resource and specify addresses and subnets.
- Click Create and continue.
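Before typing targets into the wizard, it is worth checking each address against the two requirements stated for targets above: it must lie in an RFC 1918 private range and inside the team subnet you select for it. The following is an added example, not code from the tutorial or from Yandex Cloud; the target addresses and subnets are constructed sample values.

```python
import ipaddress

# The RFC 1918 private ranges, the only ranges accepted for L7 load balancer
# targets. ipaddress.is_private is deliberately not used: it also matches
# loopback, link-local, shared address space and documentation ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def check_targets(targets: list) -> list:
    """Validate planned target group entries.

    Each entry is {"address": <internal IP>, "subnet": <CIDR of the team subnet
    selected for it>}. Returns one readable problem per bad entry; an empty
    list means the entries can be entered into the wizard as they are.
    """
    problems = []
    for t in targets:
        addr, subnet = t["address"], t["subnet"]
        if not is_rfc1918(addr):
            problems.append(f"{addr}: not in an RFC 1918 private range")
            continue
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(subnet):
            problems.append(f"{addr}: not inside the selected subnet {subnet}")
    return problems


# Constructed sample: two valid team targets and two mistakes.
SAMPLE_TARGETS = [
    {"address": "10.131.0.10", "subnet": "10.131.0.0/24"},  # team-1 VM
    {"address": "10.132.0.5", "subnet": "10.132.0.0/24"},   # team-2 NLB listener
    {"address": "192.0.2.5", "subnet": "192.0.2.0/24"},     # documentation range
    {"address": "172.16.5.9", "subnet": "10.131.0.0/24"},   # wrong subnet
]

if __name__ == "__main__":
    print("\n".join(check_targets(SAMPLE_TARGETS)) or "all targets OK")
```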
Configuring a backend group
Backend groups contain settings for traffic balancing and target health checks. The wizard automatically creates one backend and one health check group. It will also select the group you created at the previous step as the target group.
- Enable Advanced settings.
- Enter the backend group name: test-backend-group.
- Leave HTTP as the group type.
- To ensure that requests from a single user session are handled by the same backend resource, enable Session affinity. If your target is an NLB internal load balancer, you do not have to enable session affinity.
- Under Backends:
  - Enter the backend name: backend-1.
  - Leave Target group as the backend type.
  - Leave the previously created target group, test-target-group.
  - Specify the TCP port of your service. It is usually 80 for HTTP and 443 for HTTPS.
  - If your target is a VM, make sure to set up a health check.
  - If your target is an NLB internal load balancer, disable the health check.
- Click Create and continue.
Configuring an HTTP router
HTTP routers define the rules for routing requests sent to backends and allow you to modify requests directly in the load balancer. The wizard will automatically create a virtual host and a routing rule. It will also select the group you created at the previous step as the backend group.
- Enter the router name: test-http-router.
- Enable Advanced settings.
- Under Virtual hosts, specify:
  - Host name: test-virtual-host.
  - Authority: Your service domain name.
  - Security profile: Profile you created earlier. If you skip selecting the profile, Smart Web Security protection will not work.
- Specify these route parameters:
  - Route name: test-route.
  - Path: Starts with followed by /.
  - Action: Routing.
  - Backend group: Leave the group you created earlier.
- Click Create and continue.
Configuring an L7 load balancer
A load balancer receives requests and distributes them across target group VMs according to the rules set in the HTTP router. Load balancers use listeners to receive traffic. The wizard will create a listener automatically. It will also select the router you created at the previous step as the HTTP router.
- Enter the load balancer name: test-load-balancer.
- Enable Advanced settings.
- Under Network settings, select the VPC network you created earlier.
- For Security groups, select From list and then the previously created security group.
- Under Allocation, select subnets in the availability zones you need and enable inbound traffic in those subnets.
- Configure the listener:
  - Enter the listener name: test-listener.
  - Under Public IP address, enable a public IP address and specify the following:
    - Port: TCP port of your service. It is usually 443 for HTTPS and 80 for HTTP.
    - Type: Set it to List and select the previously reserved IP address.
  - Under Receiving and processing traffic, specify:
    - Listener type: HTTP.
    - Protocol: HTTP or HTTPS.
    - For HTTPS, select your service's TLS certificate you previously added in Certificate Manager.
    - HTTP router: Leave the router you created earlier.
- Click Create.
If your infrastructure already uses an L7 load balancer and a configured listener with a public IP address:
- In the management console, select Application Load Balancer.
- Select your L7 load balancer.
- Under Listeners, next to the listener with a public IP address, click the icon and select Edit.
- Under Receiving and processing traffic, click Add SNI match and specify the following:
  - Server names: Your service's domain name. This field contains the SNI extension values that, when received from a client, will trigger the listener to establish a TLS connection.
    Tip
    Some browsers reuse TLS connections with the same IP address if a connection certificate contains the necessary domain name. In this case, no new SNI match is set and traffic can potentially be routed to an inappropriate HTTP router. To avoid this, use different certificates for each SNI match and the main listener. To manage traffic across the domain names within a single certificate, set up virtual hosts in the HTTP router.
  - Certificates: Your service's TLS certificate previously added in Certificate Manager.
  - HTTP router: HTTP router you created earlier.
For other ways to create an L7 load balancer and more configuration options, see our step-by-step guides.
Testing an L7 load balancer
- In the management console, select the IS folder.
- From the list of services, select Application Load Balancer.
- Select the created L7 load balancer.
- Select Health checks on the left. Make sure you get HEALTHY for all health checks of your L7 load balancer's backend group.
- Select Balancing map on the left. Check the configuration for each resource in this order: Listener > HTTP router > Backend group > Target group.