© 2025 Direct Cursus Technology L.L.C.
Creating a distributed infrastructure with secure access

Written by
Yandex Cloud
Updated at November 28, 2025
  • Yandex Cloud resource placement chart
  • Get your cloud ready
    • Required paid resources
  • Create a security folder
    • Create a folder without a network
    • Assign roles for the folder
  • Create a virtual network and subnets
  • Create web app folders
  • Connect the web app folders to the load balancer's internal subnets
  • Configure security groups
    • Create security groups for your web app VMs
    • Create a security group for the L7 load balancer
    • Create security groups for the management VM
  • Configure the security profile
  • Create resources
    • Create the VM to manage your web applications
    • Create VMs for your web applications
  • Configure the load balancer
    • Start the wizard
    • Configure a target group
    • Configure backend groups
    • Configure an HTTP router
    • Configure an L7 load balancer
    • Add resources from the second folder
  • Test your infrastructure
    • Run test web services on your web app VMs
    • Review the health check details
    • Check availability of your web applications
    • Test the security profile
  • How to delete the resources you created

In this tutorial, you will create an infrastructure for secure access to web apps hosted in different Yandex Cloud folders. For traffic control purposes, all requests to your web applications will be forwarded to a single IP address and then checked by the Yandex Smart Web Security profile rules.

This approach allows you to isolate resources used by different teams while also enforcing a common security policy for incoming traffic.

This tutorial works through one specific case of the Centralized online publication and DDoS protection of applications hosted in different Yandex Cloud folders scenario, showing how to build the entire infrastructure from scratch.

The minimum roles required for this tutorial are as follows:

  • For a cloud:

    • resource-manager.admin: To create folders and assign roles.
  • For folders:

    • vpc.admin: To create Yandex Virtual Private Cloud resources.
    • smart-web-security.editor: To create a security profile.
    • compute.editor: To create VM instances.
    • alb.editor: To create Yandex Application Load Balancer resources.

Yandex Cloud resource placement chart

The chart displays the following resources:

  • IP address: Public IP address or domain that receives requests to your web apps.

  • Security folder, secured-entry-point: Folder accessible only to company resource administrators and information security employees. This folder will house the following resources:

    • ALB, app-load-balancer: L7 Yandex Application Load Balancer used to publish web apps online.
    • SWS profile, sws-profile: Yandex Smart Web Security profile to implement traffic protection at the application layer (L7).
    • Management VM, work-station: Yandex Compute Cloud VM instance to initiate connections to the VMs in your web app folders.
  • VPC, alb-network: Yandex Virtual Private Cloud cloud network to consolidate subnets across different folders:

    • alb-subnet-a, alb-subnet-b, and alb-subnet-d: Subnets with ALB nodes in three availability zones.
    • subnet-service-1 and subnet-service-2: Subnets hosting your web app resources.
  • Web app folders, service-1 and service-2: Folders housing web app targets, vm-service-1 and vm-service-2. These folders will be accessible to teams developing your web services.

To create the infrastructure and set up secure access to your web applications:

  1. Get your cloud ready.
  2. Create a security folder.
  3. Create a virtual network and subnets.
  4. Create web app folders.
  5. Connect the web app folders to the load balancer's internal subnets.
  6. Configure security groups.
  7. Configure the security profile.
  8. Create resources.
  9. Configure the load balancer.
  10. Test your infrastructure.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The infrastructure support cost includes:

  • Fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for using Application Load Balancer (see Yandex Application Load Balancer pricing).
  • Fee for using public IP addresses and outgoing traffic (see Yandex Virtual Private Cloud pricing).
  • Fee for the number of requests to Smart Web Security (see Yandex Smart Web Security pricing).

Create a security folder

The security folder will house your load balancer, cloud network, subnets, and security profile.

Create a folder without a network

Management console
  1. In the management console, select a cloud and click Create folder.
  2. Name your folder, e.g., secured-entry-point.
  3. In the Advanced field, disable Create a default network. You will create a network and subnets in the next step.
  4. Click Create.

Assign roles for the folder

Provide your infrastructure and security administrators with access to the folder to manage your network, load balancer, and security profile.

Management console
  1. In the management console, navigate to secured-entry-point.

  2. Navigate to the Access bindings tab.

  3. Click Configure access.

  4. In the window that opens, select User accounts.

  5. Select a user from the list or use the user search option.

  6. Click Add role and select the role from the list or use the search bar. The minimum required roles are as follows:

    • alb.editor: To manage Application Load Balancer resources.
    • vpc.user: To connect to and use Virtual Private Cloud network resources.
    • smart-web-security.editor: To use and manage Smart Web Security profiles.
    • compute.editor: To be able to create, update, and delete Compute Cloud instances.
  7. Click Save.

Create a virtual network and subnets

In the security folder, create a network with subnets for your L7 load balancer and web app folders. This will ensure network connectivity between the load balancer and web app resources.

Management console
  1. Go to the new folder, secured-entry-point.

  2. In the list of services, select Virtual Private Cloud.

  3. At the top right, click Create network.

  4. In the Name field, enter alb-network.

  5. In the Advanced field, disable Create subnets.

  6. Click Create network.

  7. In the left-hand panel, select Subnets.

  8. At the top right, click Create subnet and specify the settings for the subnet to host the web app folder:

    1. Name: subnet-service-1.
    2. Availability zone: ru-central1-a.
    3. Network: alb-network.
    4. CIDR: 10.121.0.0/24.
    5. Click Create subnet.
  9. Repeat the steps to create a subnet named subnet-service-2 in the ru-central1-b availability zone with 10.122.0.0/24 as its IP address range.

  10. Create subnets for your L7 load balancer in different availability zones with the following address ranges:

    • subnet-alb-a: ru-central1-a and 10.131.0.0/24
    • subnet-alb-b: ru-central1-b and 10.132.0.0/24
    • subnet-alb-d: ru-central1-d and 10.133.0.0/24

Create web app folders

These folders will house resources of your web applications. In this tutorial, such resources include VM instances running your test web services. Create the folders and grant your users access permissions to connect to the network resources and manage the VMs.

Management console
  1. Select a cloud and click Create folder.

  2. Name your folder, e.g., service-1.

  3. In the Advanced field, disable Create a default network.

  4. Click Create.

  5. Repeat these steps to create the service-2 folder.

  6. To restrict access to the folders, assign user roles based on the resources you will host in each folder. The minimum required roles for service-1 and service-2 are as follows:

    • vpc.user: To connect to and use Virtual Private Cloud network resources.
    • compute.editor: To be able to create, update, and delete VM instances.

Connect the web app folders to the load balancer's internal subnets

To consolidate folder resources into a single network, move the virtual network subnets to the web app folders.

Management console
  1. In the management console, navigate to secured-entry-point.
  2. In the list of services, select Virtual Private Cloud.
  3. Select the alb-network cloud network.
  4. Click in the subnet-service-1 row and select Move.
  5. Select service-1 from the drop-down list.
  6. Click Move.
  7. Similarly, move subnet-service-2 to service-2.

Configure security groups

With security groups, you can set up incoming and outgoing traffic rules. In this tutorial, an L7 load balancer receives incoming internet traffic and routes it over the internal network to your web app VMs. Follow these best practices to configure security groups in each folder.

Create security groups for your web app VMs

The rules should allow incoming traffic from the load balancer subnets, outgoing traffic to them, and SSH access from the subnet hosting the management VM.

Management console
  1. In the management console, select service-1.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. At the top right, click Create security group.

  5. In the Name field, specify service-1-security-group.

  6. In the Network field, select alb-network from the secured-entry-point folder.

  7. Under Rules, create the following rules using the instructions below the table:

    Traffic direction | Description | Port range | Protocol | Source / destination | CIDR blocks
    ------------------|-------------|------------|----------|----------------------|--------------------------------------------
    Ingress           | http        | 8000       | TCP      | CIDR                 | 10.131.0.0/24, 10.132.0.0/24, 10.133.0.0/24
    Ingress           | ssh         | 22         | TCP      | CIDR                 | 10.133.0.0/24
    Egress            | any         | 0-65535    | Any      | CIDR                 | 10.131.0.0/24, 10.132.0.0/24, 10.133.0.0/24

    To create a rule:

    1. Navigate to the Ingress or Egress tab.
    2. Click Add.
    3. Add the new rule in accordance with the table.
    4. Click Save.
  8. Click Create.

  9. Repeat these steps to create service-2-security-group in the service-2 folder.

Create a security group for the L7 load balancer

The rules should allow incoming internet traffic on port 80 as well as traffic for load balancer node health checks on port 30080 with the Load balancer healthchecks source.

Management console
  1. In the management console, select secured-entry-point.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. At the top right, click Create security group.

  5. In the Name field, specify alb-security-group.

  6. In the Network field, select alb-network.

  7. Under Rules, create the following rules using the instructions below the table:

    Traffic direction | Description  | Port range | Protocol | Source / destination       | CIDR blocks
    ------------------|--------------|------------|----------|----------------------------|-----------------------------
    Ingress           | http         | 80         | TCP      | CIDR                       | 0.0.0.0/0
    Ingress           | healthchecks | 30080      | TCP      | Load balancer healthchecks | —
    Egress            | http         | 8000       | Any      | CIDR                       | 10.121.0.0/24, 10.122.0.0/24

    To create a rule:

    1. Navigate to the Ingress or Egress tab.
    2. Click Add.
    3. Add the new rule in accordance with the table.
    4. Click Save.
  8. Click Create.

Create security groups for the management VM

The rules should allow incoming SSH connections to the management VM and outgoing traffic from it to port 22 on your web app VMs.

Management console
  1. In the management console, select secured-entry-point.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. At the top right, click Create security group.

  5. In the Name field, specify vm-security-group.

  6. In the Network field, select alb-network.

  7. Under Rules, create the following rules using the instructions below the table:

    Traffic direction | Description | Port range | Protocol | Source / destination | CIDR blocks
    ------------------|-------------|------------|----------|----------------------|-----------------------------
    Ingress           | ssh         | 22         | TCP      | CIDR                 | 0.0.0.0/0 *
    Egress            | ssh         | 22         | TCP      | CIDR                 | 10.121.0.0/24, 10.122.0.0/24

    * We recommend replacing 0.0.0.0/0 with the CIDR blocks of the public IP addresses from which you want to allow connections to your management VM.

    To create a rule:

    1. Navigate to the Ingress or Egress tab.
    2. Click Add.
    3. Add the new rule in accordance with the table.
    4. Click Save.
  8. Click Create.
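Before clicking through the three rule tables above, it helps to check that they produce the intended least-privilege result. The following Python model is an added example written for this article, not Yandex Cloud tooling: it transcribes the tables, treats each group as an allow-list with an implicit deny, and assumes the groups are stateful, so only the direction that opens a connection is checked. The Load balancer healthchecks source is a predefined target rather than a CIDR, so it is modelled as a tag, and the administrators' range 203.0.113.0/24 used to illustrate the footnote's recommendation is a constructed documentation address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges from the tutorial: ALB subnets and web app subnets.
ALB_SUBNETS = ("10.131.0.0/24", "10.132.0.0/24", "10.133.0.0/24")
APP_SUBNETS = ("10.121.0.0/24", "10.122.0.0/24")
# "Load balancer healthchecks" is a predefined source, not a CIDR; modelled as a tag.
HEALTHCHECKS = "loadbalancer_healthchecks"
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "TCP", "UDP" or "ANY"
    ports: tuple     # inclusive (low, high) port range
    peers: tuple     # v4 CIDR blocks, or the HEALTHCHECKS tag

    def matches(self, direction, protocol, port, peer):
        if self.direction != direction or self.protocol not in ("ANY", protocol):
            return False
        if not self.ports[0] <= port <= self.ports[1]:
            return False
        if peer == HEALTHCHECKS:
            return HEALTHCHECKS in self.peers
        return any(p != HEALTHCHECKS and ip_address(peer) in ip_network(p) for p in self.peers)


def tcp(direction, port, peers):
    return Rule(direction, "TCP", (port, port), tuple(peers))


# The three rule tables from the tutorial, transcribed from the page.
GROUPS = {
    "service-security-group": [                   # service-1 and service-2 groups are identical
        tcp("ingress", 8000, ALB_SUBNETS),
        tcp("ingress", 22, ["10.133.0.0/24"]),    # subnet-alb-d, where work-station lives
        Rule("egress", "ANY", ANY_PORT, ALB_SUBNETS),
    ],
    "alb-security-group": [
        tcp("ingress", 80, ["0.0.0.0/0"]),
        tcp("ingress", 30080, [HEALTHCHECKS]),
        Rule("egress", "ANY", (8000, 8000), APP_SUBNETS),
    ],
    "vm-security-group": [
        tcp("ingress", 22, ["0.0.0.0/0"]),        # the starred rule in the table
        tcp("egress", 22, APP_SUBNETS),
    ],
}


def allowed(rules, direction, protocol, port, peer):
    """A security group is an allow-list with an implicit deny: permit only if some rule matches."""
    return any(r.matches(direction, protocol, port, peer) for r in rules)


def connection_allowed(src_rules, src_ip, dst_rules, dst_ip, port, protocol="TCP"):
    """A new connection needs an egress rule at the source AND an ingress rule at the destination.
    Reply packets are not modelled: the groups are assumed to be stateful."""
    return (allowed(src_rules, "egress", protocol, port, dst_ip)
            and allowed(dst_rules, "ingress", protocol, port, src_ip))


def restrict_admin_ssh(rules, admin_cidr):
    """Apply the table footnote: narrow the 0.0.0.0/0 SSH ingress to the administrators' CIDR."""
    return [Rule(r.direction, r.protocol, r.ports, (admin_cidr,))
            if r.direction == "ingress" and r.ports == (22, 22) and "0.0.0.0/0" in r.peers
            else r for r in rules]


if __name__ == "__main__":
    svc, alb, mgmt = (GROUPS[k] for k in ("service-security-group", "alb-security-group", "vm-security-group"))
    checks = {
        "internet -> ALB:80": allowed(alb, "ingress", "TCP", 80, "198.51.100.7"),
        "internet -> vm-service-1:8000": allowed(svc, "ingress", "TCP", 8000, "198.51.100.7"),
        "ALB node -> vm-service-1:8000": connection_allowed(alb, "10.131.0.5", svc, "10.121.0.10", 8000),
        "work-station -> vm-service-1:22": connection_allowed(mgmt, "10.133.0.20", svc, "10.121.0.10", 22),
        "work-station -> vm-service-1:8000": connection_allowed(mgmt, "10.133.0.20", svc, "10.121.0.10", 8000),
        "vm-service-1 -> vm-service-2:8000": connection_allowed(svc, "10.121.0.10", svc, "10.122.0.10", 8000),
    }
    for flow, ok in checks.items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow}")
```

The last two flows are the ones worth noticing: the management VM can only open SSH to the web app VMs, not port 8000, and the two web app VMs cannot talk to each other at all, because their egress is limited to the load balancer subnets. Run the script after changing a rule to see which flow you have opened up.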

Configure the security profile

A security profile contains traffic filtering rules for protection against cybersecurity threats at the OSI application layer (L7).

Create a security profile using a preset template:

Management console
  1. In the management console, select secured-entry-point.
  2. In the list of services, select Smart Web Security.
  3. In the left-hand panel, select Security profiles and click Create profile.
  4. Select From a preset template.
  5. Enter sws-profile as the profile name.
  6. In the Action for the default base rule field, select Allow.
  7. Click Create profile.

Create resources

Here, by resources we mean VM instances, one per folder. The VM residing in the secured-entry-point security folder will be used to access your web application VMs over the internal network. In this tutorial, we refer to it as the management VM.

To restrict external traffic, web app VMs will not have external IP addresses.

Create the VM to manage your web applications

Management console
  1. In the management console, select secured-entry-point.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select Ubuntu 24.04.

  6. Under Location, select the ru-central1-d availability zone.

  7. Under Network settings:

    • In the Subnet field, make sure to select subnet-alb-d.
    • In the Public IP address field, leave Auto.
    • In the Security groups field, select vm-security-group.
  8. Under Access, select SSH key.

  9. Enter the VM user name in the Login field. Do not use root, admin, or any other username reserved for the OS.

  10. In the SSH key field, select the SSH key saved in your organization user profile.

    To add a new key, do the following:

    1. Click Add key.

    2. Enter a name for the SSH key.

    3. Select one of the following:

      • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.
      • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
      • Generate key: Automatically create an SSH key pair.
    4. Click Add.

  11. Under General information, specify the VM name: work-station.

  12. Click Create VM.

Create VMs for your web applications

Repeat the above steps to create VMs in the service-1 and service-2 folders, configured as follows:

  • Select the ru-central1-a and ru-central1-b availability zones, respectively.
  • Select subnet-service-1 and subnet-service-2 as the subnets for your VMs, respectively.
  • In the Public IP address field, select No address.
  • In the Security groups field, select service-1-security-group and service-2-security-group.
  • Specify the VM names, vm-service-1 and vm-service-2.

Configure the load balancer

To create and configure the load balancer, use the wizard.

Warning

You can only use the wizard to create and add resources from a single folder, i.e., one target group and one backend group. You will need to manually add resources from the second folder.

Start the wizard

Management console
  1. In the management console, select secured-entry-point.
  2. In the list of services, select Application Load Balancer.
  3. Click Create L7 load balancer and select Wizard. The wizard will take you to the target group creation page.

Configure a target group

Target groups include VMs created in the web app folders. These groups will be connected to your load balancer over the internal subnets.

Create a target group for the service-1 folder:

Management console
  1. Specify the target group name: target-group-1.

  2. The list of targets will only include the IP address of your management VM. Add a new target to the list of resources:

    1. Below the list of resources, in the section with the Add target resource button, specify the vm-service-1 internal IP address.
    2. Also, select subnet-service-1 from the drop-down list with the Not selected placeholder. To find the subnet, check All folders.
    3. Click Add target resource.
    4. Activate your new target in the list of resources.
    5. Make sure the management VM resource is deactivated.
  3. Click Create and continue. The wizard will take you to the backend group creation page.

Configure backend groups

Backend groups contain settings for traffic balancing and target health checks. The wizard will automatically create one backend and one health check group. It will also use the group you created earlier as the target group.

Management console
  1. Enable Advanced settings.

  2. Specify the backend group name: backend-group-1.

  3. Leave HTTP as the group type.

  4. To ensure the same backend resource handles requests from a single user session, activate Session affinity.

  5. Under Backends:

    • Specify the backend name: backend-1.
    • Leave Target group as the backend type.
    • Leave the target group you created earlier, target-group-1.
    • Specify your service's TCP port you opened in service-1-security-group. In this tutorial, this is port 8000.
  6. Under HTTP health check:

    • Specify the same port as above, i.e., 8000.
    • Do not change the Path value as the test service does not have a dedicated endpoint for health checks.
  7. Click Create and continue. The wizard will take you to the HTTP router setup page.

Configure an HTTP router

HTTP routers implement rules for client-to-backend traffic and allow you to modify requests at the load balancer layer. The wizard will automatically create a virtual host and a routing rule. It will also use the group you created earlier as the backend group.

Management console
  1. Specify the router name: alb-http-router.

  2. Enable Advanced settings.

  3. Under Virtual hosts:

    • In the Name field, enter alb-virtual-host.
    • Leave the Authority field blank.
    • In the Security profile field, select the profile you created previously, sws-profile.
  4. Specify these route properties:

    • Route name: app-1.
    • Path: Starts with followed by /app1.
    • Action: Routing.
    • Backend group: Leave the group you created earlier.
    • Rewrite path or start: Specify the / path.
  5. Click Create and continue. The wizard will take you to the load balancer setup page.

Configure an L7 load balancer

A load balancer distributes incoming requests across target group VMs according to the rules specified in the HTTP router. Load balancers use listeners to receive traffic. The wizard will create a listener automatically. It will also use the router you created earlier as the HTTP router in this configuration.

Management console
  1. Specify the load balancer name: app-load-balancer.

  2. Enable Advanced settings.

  3. Under Network settings, select the network you created earlier, i.e., alb-network.

  4. For Security groups, select From list and then alb-security-group, the security group you created for the load balancer.

  5. Under Allocation, select the subnets you created previously, i.e., subnet-alb-a, subnet-alb-b, and subnet-alb-d, in their respective availability zones and enable incoming traffic in those subnets.

  6. Configure the listener:

    • Specify the listener name: alb-listener.

    • Under Receiving and processing traffic, specify:

      • Listener type: HTTP.
      • Protocol: HTTP.
      • HTTP router: Select the router you created earlier.
  7. Click Create.

Add resources from the second folder

When creating a load balancer using the wizard, you can add resources only from one folder. This means you need to manually create and add the target group and backend group from the service-2 folder.

Management console
  1. In the management console, select secured-entry-point.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, select Target groups.

  4. Click Create target group.

  5. Repeat the steps you followed to create a target group for the service-1 folder and create the service-2 target group. Configure the target as follows:

    • Name: target-group-2.
    • VM internal IP address: the internal IP address of vm-service-2.
    • Subnet: subnet-service-2.
  6. In the left-hand panel, select Backend groups.

  7. Click Create backend group.

  8. Create a backend group by repeating the steps you followed to create a backend group for the service-1 folder. Configure the backend as follows:

    • Backend group name: backend-group-2.
    • Backend name: backend-2.
    • Target group: target-group-2.
    • Path: Use the same path as for backend-group-1.
    • Port: Specify your service's TCP port opened in service-2-security-group. In this tutorial, this is port 8000.
  9. In the left-hand panel, select HTTP routers.

  10. Select alb-http-router as the HTTP router.

  11. Under Virtual hosts, to the right of alb-virtual-host, click → Edit.

  12. At the bottom of the window that opens, click Add route.

  13. Configure the route as follows:

    • Route name: app-2.
    • Path: Starts with followed by /app2.
    • Action: Routing.
    • Backend group: backend-group-2.
    • Rewrite path or start: Specify the / path.
    • Timeout, s: Clear the value and leave the field empty.
  14. Click Save.
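The two routes you have now configured, app-1 and app-2, decide which backend group serves a request and what path the backend sees. The following Python model is an added example, not part of the tutorial: it resolves a request path against the routes in the order they are listed, using simple prefix replacement for the Rewrite path or start setting (an assumption about the rewrite semantics; a doubled slash is collapsed). It explains why the test service later logs GET / rather than GET /app1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    prefix: str           # the "Starts with" value
    backend_group: str
    rewrite: str          # the "Rewrite path or start" value


# The two routes of alb-virtual-host as configured in the tutorial.
ROUTES = [
    Route("app-1", "/app1", "backend-group-1", "/"),
    Route("app-2", "/app2", "backend-group-2", "/"),
]


def resolve(path: str, routes=ROUTES) -> Optional[Tuple[str, str]]:
    """Return (backend group, rewritten path) for the first matching route, or None.

    Prefix match: the request path must start with the route prefix. Rewrite: the matched
    prefix is replaced by the rewrite value (modelled here; verify against your deployment).
    """
    for route in routes:
        if path.startswith(route.prefix):
            rest = path[len(route.prefix):]
            if route.rewrite.endswith("/") and rest.startswith("/"):
                rest = rest[1:]                 # avoid "//file" after replacing "/app1" by "/"
            return route.backend_group, route.rewrite + rest
    return None                                 # no route: the balancer answers, not a backend


if __name__ == "__main__":
    for request in ("/app1", "/app1/hello_1.txt", "/app2/test_2.txt", "/other", "/app10"):
        print(f"{request:20} -> {resolve(request)}")
```

Note the last request in the demo: plain prefix matching treats /app10 as starting with /app1, so it is routed to backend-group-1 with the path /0. If your prefixes can collide in this way, choose prefixes that cannot be extended into each other (for example a trailing slash) and check the balancer's own matching behaviour.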

Test your infrastructure

  1. Run test web services on your web app VMs.
  2. Review the health check details.
  3. Check availability of your web applications.
  4. Test the security profile.

Run test web services on your web app VMs

  1. Connect to the work-station management VM in the security folder:

    ssh -l <username> <VM_public_IP_address>
    

    If using different keys for different VMs, specify the path to the relevant key in the connection command, as in this example:

    ssh -i ~/.ssh/<key_name> -l <username> <VM_public_IP_address>
    

    Where:

    • <key_name>: Name of the private SSH key file used to create the VM.
    • <username>: Username specified when creating the VM.
    • <VM_public_IP_address>: Public IP address of the management VM.

    Tip

    You can copy the VM connection command from the VM description page under Access.

  2. Connect to vm-service-1 from your management VM:

    1. Place the private SSH key file of vm-service-1 in the ~/.ssh folder of your management VM.

    2. Connect to vm-service-1:

      ssh -i ~/.ssh/<key_name> -l <username> <VM_internal_IP_address>
      

      Where:

      • <key_name>: Name of the private SSH key file used to create the VM.
      • <username>: Username specified when creating the VM.
      • <VM_internal_IP_address>: vm-service-1 internal IP address.
  3. Start the test web service by running this command:

    mkdir test-server; \
    echo 'HELLO!' > test-server/hello_1.txt; \
    echo 'TEST SERVER 1' > test-server/test_1.txt; \
    python3 -m http.server -d test-server 8000

    Running this command will:

    • Create a test-server folder containing two files, hello_1.txt and test_1.txt.
    • Start the built-in Python web service on port 8000.

    Result:

    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
    10.133.0.10 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
    10.133.0.10 - - [30/May/2025 09:55:42] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:42] "GET / HTTP/1.1" 200 -
    10.133.0.10 - - [30/May/2025 09:55:43] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:43] "GET / HTTP/1.1" 200 -
    ...
    
  4. Open a new terminal window and repeat the above steps to start the test service on vm-service-2. Use different file names in the startup command so that your web applications’ responses vary.
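The access lines printed by the test service are also a cheap way to confirm that only the load balancer reaches port 8000. The following Python script is an added example, not part of the tutorial: it parses the http.server log format shown above and reports any client address outside the ALB subnets. The sample log is constructed; its first lines mirror the tutorial's output, and the last two were added to show what a request from an address the service security group should never admit would look like.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Subnets hosting the ALB nodes; only they should reach port 8000 on a web app VM.
ALB_SUBNETS = [ip_network(c) for c in ("10.131.0.0/24", "10.132.0.0/24", "10.133.0.0/24")]

# http.server access line: <client> - - [<timestamp>] "<request line>" <status> -
LINE_RE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) -$')

# Constructed sample log (see lead-in). 10.121.0.77 is an address in the web app subnet
# itself; the security group only admits the ALB subnets, so such lines indicate a gap.
SAMPLE_LOG = """\
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.133.0.10 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
10.133.0.15 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
10.133.0.10 - - [30/May/2025 09:55:42] "GET / HTTP/1.1" 200 -
10.121.0.77 - - [30/May/2025 09:55:42] "GET /hello_1.txt HTTP/1.1" 200 -
10.121.0.77 - - [30/May/2025 09:55:43] "GET /test_1.txt HTTP/1.1" 200 -
"""


def parse(log_text):
    """Yield (client_ip, request_line, status) per access line; other lines (the banner) are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["req"], int(m["status"])


def requests_by_source(log_text):
    """Count requests per client address."""
    return Counter(src for src, _req, _status in parse(log_text))


def unexpected_sources(log_text, allowed=ALB_SUBNETS):
    """Count requests from client addresses that are not inside any allowed subnet."""
    bad = Counter()
    for src, _req, _status in parse(log_text):
        if not any(ip_address(src) in net for net in allowed):
            bad[src] += 1
    return bad


if __name__ == "__main__":
    print("requests per source:", dict(requests_by_source(SAMPLE_LOG)))
    bad = unexpected_sources(SAMPLE_LOG)
    if bad:
        print("requests from outside the ALB subnets (check the security group):", dict(bad))
    else:
        print("all requests came from the ALB subnets")
```

Pipe the service's real output into the script (for example via `python3 -m http.server ... 2>&1 | tee access.log`) and run the check over the captured file; with the security groups from this tutorial in place, the unexpected-sources counter should stay empty.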

Review the health check details

  1. Go to the app-load-balancer page.
  2. Select Health checks on the left.
  3. Make sure the targets have the HEALTHY status in all load balancer subnets.

Check availability of your web applications

To check the availability of your web applications, go to the following address in your browser:

http://<load_balancer_public_IP_address>/<route_prefix>

Where:

  • <load_balancer_public_IP_address>: Public IP address of app-load-balancer.
  • <route_prefix>: Prefix specified in the Starts with field when configuring the HTTP router. In this tutorial, these are app1 and app2.

A page will open, listing root folder files for the specified application, as in this example:

Directory listing for /
  hello_1.txt
  test_1.txt

Test the security profile

  1. Check that the Smart Protection rule allows traffic:

    1. In the browser, go to:

      http://<load_balancer_public_IP_address>/<route_prefix>
      
    2. In another browser tab, go to the app-load-balancer page.

    3. Select Logs on the left.

    4. In the Query field, specify the filter expression:

      json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION
      and json_payload.smartwebsecurity.matched_rule.verdict = ALLOW
      
    5. Click Run.

      The log list will contain entries about successful GET requests.

  2. Add a basic deny rule:

    1. Go to the sws-profile page.

    2. Under Security rules, click Add rule.

    3. Enter the rule name, deny-rule.

    4. Set Priority to 1000.

    5. Under Rule type:, keep the Base value.

    6. Leave Action set to Deny.

    7. Set Traffic to On condition.

    8. Then select the following values:

      • Conditions: IP.
      • Conditions for IP: Matches or falls within the range.
      • IP matches or falls within the range: Specify the IP address of the device you are using to test the web service.
    9. Click Add.

  3. Test the basic rule:

    1. In the browser, go to:

      http://<load_balancer_public_IP_address>/<route_prefix>
      
    2. In another browser tab, go to the app-load-balancer page.

    3. Select Logs on the left.

    4. In the Query field, specify the filter expression:

      json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION
      and json_payload.smartwebsecurity.matched_rule.verdict = DENY
      
    5. Click Run.

      The log list will contain entries about GET requests blocked by the rule.
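Why the two log queries above return different matched rules comes down to rule priority in the profile. The following Python model is an added example, not Yandex's implementation of Smart Web Security: it walks the rules in priority order (lower number first, the default base rule last; an assumption stated here) and shapes the result like the matched_rule fields the filter expressions use. The tester's address 203.0.113.42 and the Smart Protection rule's priority are constructed placeholders, the Smart Protection rule is simplified to ALLOW for all requests as it did in step 1, and the page does not show how the log labels the default base rule, so its rule_type is left as None.

```python
from ipaddress import ip_address, ip_network

TESTER_IP = "203.0.113.42"   # constructed stand-in for "the IP address of the device you are using"

# Rules of sws-profile as modelled here. Lower priority value = evaluated earlier (assumption).
SMART_PROTECTION = {"name": "smart-protection", "priority": 5000,          # placeholder priority
                    "rule_type": "SMART_PROTECTION", "action": "ALLOW", "ip_ranges": None}
DEFAULT_BASE = {"name": "default-base-rule", "priority": float("inf"),    # always last
                "rule_type": None, "action": "ALLOW", "ip_ranges": None}
DENY_RULE = {"name": "deny-rule", "priority": 1000,                        # from the tutorial
             "rule_type": "RULE_CONDITION", "action": "DENY", "ip_ranges": [TESTER_IP + "/32"]}

PROFILE_BEFORE = [SMART_PROTECTION, DEFAULT_BASE]   # profile during step 1
PROFILE_AFTER = PROFILE_BEFORE + [DENY_RULE]        # profile after step 2 adds deny-rule


def ip_condition_matches(rule, client_ip):
    """An unconditional rule matches everything; an IP condition matches listed ranges only."""
    if rule["ip_ranges"] is None:
        return True
    return any(ip_address(client_ip) in ip_network(c) for c in rule["ip_ranges"])


def evaluate(client_ip, profile):
    """Return the first matching rule, in priority order, as the log describes it."""
    for rule in sorted(profile, key=lambda r: r["priority"]):
        if ip_condition_matches(rule, client_ip):
            return {"name": rule["name"], "rule_type": rule["rule_type"], "verdict": rule["action"]}
    raise AssertionError("unreachable: the default base rule matches every request")


def log_record(client_ip, profile):
    """Build a record carrying the matched_rule fields the tutorial's filter expressions read.
    The top-level client_ip key is a constructed field for this example."""
    return {"client_ip": client_ip,
            "json_payload": {"smartwebsecurity": {"matched_rule": evaluate(client_ip, profile)}}}


def query(records, rule_type, verdict):
    """Equivalent of: json_payload.smartwebsecurity.matched_rule.rule_type = <rule_type>
    and json_payload.smartwebsecurity.matched_rule.verdict = <verdict>"""
    def matched(r):
        return r["json_payload"]["smartwebsecurity"]["matched_rule"]
    return [r for r in records
            if matched(r)["rule_type"] == rule_type and matched(r)["verdict"] == verdict]


if __name__ == "__main__":
    print("step 1, tester:", evaluate(TESTER_IP, PROFILE_BEFORE))
    print("step 3, tester:", evaluate(TESTER_IP, PROFILE_AFTER))
    print("step 3, other :", evaluate("198.51.100.7", PROFILE_AFTER))
    records = [log_record(ip, PROFILE_AFTER) for ip in (TESTER_IP, "198.51.100.7", TESTER_IP)]
    print("RULE_CONDITION/DENY hits:", len(query(records, "RULE_CONDITION", "DENY")))
```

The model makes the ordering visible: with priority 1000, deny-rule is consulted before the Smart Protection rule, which is why the second query finds RULE_CONDITION / DENY entries for the tester's address while requests from any other address still end as SMART_PROTECTION / ALLOW. Had the deny rule been given a lower-ranked priority than the Smart Protection rule, the tester's requests would never reach it.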

How to delete the resources you created

To stop paying for the resources, delete the folders where your infrastructure was deployed.

If you deployed the infrastructure in the existing folders, do the following:

  1. Delete the app-load-balancer L7 load balancer.

  2. Delete the HTTP router named alb-http-router.

  3. Delete the backend-group-1 and backend-group-2 backend groups.

  4. Delete the target-group-1 and target-group-2 target groups.

  5. Delete the VMs:

    • work-station
    • vm-service-1
    • vm-service-2
  6. Delete the sws-profile security profile.

  7. Delete the security groups:

    • alb-security-group
    • vm-security-group
    • service-1-security-group
    • service-2-security-group
  8. Delete the subnets:

    • subnet-service-1
    • subnet-service-2
    • subnet-alb-a
    • subnet-alb-b
    • subnet-alb-d
  9. Delete the alb-network cloud network.
