© 2025 Direct Cursus Technology L.L.C.
Migrating services from an NLB load balancer with an instance group as a target to an L7 ALB load balancer using the management console

Written by
Yandex Cloud
Updated at October 20, 2025
  • Service migration recommendations
  • Create your infrastructure
  • Create a Smart Web Security profile
  • Create an L7 load balancer
  • Test the L7 load balancer
  • Migrate user traffic from the network load balancer to the L7 load balancer
    • Your network load balancer listener uses a DDoS-protected public IP address
    • Your network load balancer listener uses a public IP address without DDoS protection

To migrate a service from a network load balancer to an L7 load balancer:

  1. See the service migration recommendations.
  2. Create a migration infrastructure.
  3. Create a Yandex Smart Web Security profile.
  4. Create an L7 load balancer. At this step, you will associate the Smart Web Security profile with a virtual host of the L7 load balancer.
  5. Test the L7 load balancer.
  6. Migrate user traffic from the network load balancer to the L7 load balancer.

Service migration recommendations

  1. Optionally, enable L3-L4 DDoS protection (the OSI model). It will enhance the L7 protection provided by Yandex Smart Web Security after migration.

    To enable L3-L4 protection:

    1. Before the migration, reserve a public static IP address with DDoS protection and use this address for the L7 load balancer's listener. If you already have a protected public IP address for the load balancer, you can keep this address during migration. Otherwise, you will have to change the IP address to a protected one.

    2. Configure a trigger threshold for the protection mechanisms, consistent with the amount of legitimate traffic to the protected resource. To set up this threshold, contact support.

    3. Set the MTU value to 1450 for the targets downstream of the load balancer. For more information, see MTU and TCP MSS.

  2. Perform the migration during the hours when user load is at its lowest. Your service will be unavailable while the instance group's integration with the target group is updated and the network load balancer's public IP address is moved to the L7 load balancer. The downtime depends on the number of VMs in the group and the deployment policy settings, and usually lasts from several minutes to tens of minutes.

  3. When using an L7 load balancer, requests reach the backends with a source IP address from the internal IP address range of the subnets specified when creating the L7 load balancer. The original IP address of the request source (user) is specified in the X-Forwarded-For header. If you want to log the public IP addresses of users on the web server, reconfigure the web server to take them from this header.

  4. Before the migration, define the minimum number of resource units for the autoscaling settings in the L7 load balancer:

    Select the number of resource units based on the analysis of your service load expressed in:

    • Number of requests per second (RPS).
    • Number of concurrent active connections.
    • Number of new connections per second.
    • Traffic processed per second.
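
The X-Forwarded-For recommendation above, as an added example (not part of the original Yandex Cloud guide): a Python helper that picks the address to log and ignores header entries the client could have forged. It assumes the load balancer appends the address it received the connection from as the last header entry; the LB_SUBNETS values and the function names are constructed placeholders.

```python
import ipaddress

# Assumption: constructed CIDRs standing in for the subnets selected for the
# L7 load balancer nodes; replace them with your own.
LB_SUBNETS = [ipaddress.ip_network(c) for c in
              ("10.128.0.0/24", "10.129.0.0/24", "10.130.0.0/24")]


def is_lb(addr):
    """True if addr belongs to one of the load balancer subnets."""
    return any(addr in net for net in LB_SUBNETS)


def client_ip(peer_addr, xff_header):
    """Return the address to log for a request.

    peer_addr  -- source IP of the TCP connection as seen by the web server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # Honor the header only when the connection came from the load balancer;
    # a client that reaches the backend directly can put anything in it.
    if not is_lb(peer) or not xff_header:
        return str(peer)
    # Walk right to left: entries on the right were appended by the load
    # balancer, entries further left were supplied by the client.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not is_lb(addr):
            return str(addr)
    return str(peer)  # every hop was a load balancer node


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value)
    for peer, xff in [
        ("10.128.0.7", "203.0.113.9"),              # normal request via LB
        ("10.128.0.7", "192.0.2.66, 203.0.113.9"),  # client forged first entry
        ("198.51.100.20", "203.0.113.9"),           # bypassed the LB
    ]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Security groups that admit backend traffic only from the load balancer subnets make the peer check redundant in normal operation, but it keeps the logs reliable if that rule is ever loosened.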

Create your infrastructure

  1. Create subnets in three availability zones for the L7 load balancer.

  2. Create security groups that allow the L7 load balancer to receive inbound traffic and send it to the targets and allow the targets to receive inbound traffic from the load balancer.

  3. When using HTTPS, add the TLS certificate of your service to Yandex Certificate Manager.

  4. Optionally, reserve an L3-L4 DDoS-protected static public IP address for the L7 load balancer.

Create a Smart Web Security profile

Create a Smart Web Security profile by selecting From a preset template.

Use these settings when creating the profile:

  • In the Action for the default base rule field, select Allow.
  • For the Smart Protection rule, enable Only logging (dry run).

These settings enable logging of traffic information, but no actions will be applied to the traffic. This will reduce the risk of disconnecting users due to profile configuration issues. Further on, you will have the option to disable Only logging (dry run) and configure deny rules for your use case in the security profile.

Create an L7 load balancer

  1. Create a target group for the L7 load balancer. Under Targets, select the VMs in your network load balancer's target group.

  2. Create a backend group with the following settings:

    1. Select HTTP as the backend group type.

    2. If your service requires that requests within a single user session be processed by the same backend resource, enable session affinity for the backend group.

    3. Under Backends, click Add and set up the backend:

      • Type: Target group.
      • Target groups: Target group you created earlier.
      • Port: TCP port on which your service's VMs accept inbound traffic.
      • Under Protocol settings, specify the settings for connecting the L7 load balancer to the backend. Depending on the protocol type on your backend, select HTTP or HTTPS.
      • Under HTTP health check, set the check up according to these recommended practices.
      • Optionally, configure other settings as per this guide.
  3. Create an HTTP router.

    Under Virtual hosts, click Add virtual host and configure the virtual host:

    • Authority: Your service domain name.

    • Security profile: Smart Web Security profile you created earlier.

      Warning

      Smart Web Security cannot be made operational without linking a security profile to the L7 load balancer's virtual host.

    • Click Add route and configure the route:

      • Path: Starts with /.
      • Action: Routing.
      • Backend group: Backend group you created earlier.
  4. Create an L7 load balancer by selecting Manual:

    1. Specify the security group you created earlier.

    2. Under Allocation, select subnets in three availability zones for the load balancer nodes. Enable traffic in these subnets.

    3. Under Autoscaling settings, specify the minimum number of resource units per availability zone based on expected load.

    4. Under Listeners, click Add listener and set up the listener:

      1. Under Public IP address, specify:

        • Port: TCP port on which your service's VMs accept inbound traffic.
        • Type: List. Select a public IP address from the list. If you plan to enable DDoS protection at levels L3-L4, select a static public IP address with DDoS protection installed.
      2. Under Receiving and processing traffic, specify:

        • Listener type: HTTP.
        • Protocol: Select HTTP or HTTPS depending on the protocol your service uses.
        • If you select HTTPS, specify the TLS certificate you added to Certificate Manager earlier in the Certificates field.
        • HTTP router: Select the HTTP router you created earlier.

Test the L7 load balancer

  1. Wait until the status of the L7 load balancer changes to Active.

  2. Navigate to the new L7 load balancer and select Health checks on the left. Make sure you get HEALTHY for all checks.

  3. Run a test request to the service through the L7 load balancer, for example, using one of these methods:

    • Add this record to the hosts file on your workstation: <L7_load_balancer_public_IP_address> <service_domain_name>. Delete the record after the test.

    • Execute the request using cURL depending on the protocol type:

      curl http://<service_domain_name> \
          --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
      
      curl https://<service_domain_name> \
          --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
      

Migrate user traffic from the network load balancer to the L7 load balancer

Warning

Migration involves recreating the backend VMs.

If the network load balancer’s listener uses a public IP address without DDoS protection, save the current health check settings for the network load balancer’s target group before proceeding to the next step of the migration. You will need these settings to add a new target group to the load balancer.

To migrate traffic:

  1. Update the target group integration for the instance group:

    1. In the management console, select the folder containing your instance group.
    2. Select Compute Cloud.
    3. In the left-hand panel, select Instance groups.
    4. Select the group to update.
    5. In the top-right corner of the page, click Edit.
    6. Under Integration with Application Load Balancer, enable Create target group.
    7. Specify the name of the L7 load balancer’s target group and, optionally, the other target group settings.
    8. Click Save.

    Updating an instance group involves the following stages:

    • The system recreates the instances in the group.
    • The system removes targets from the network load balancer’s target group, and the remaining targets take over user traffic. The service becomes partially unavailable to users through the network load balancer during this period.
    • Once the target group is empty, it is deleted. The service becomes unavailable through the network load balancer.

    You can proceed to the next step without waiting for the instance group update to complete.

  2. Update the target group for the backend in the L7 load balancer’s backend group. Specify only the target group you created in the previous step.

    The system will automatically add the VMs from the instance group to the L7 load balancer’s target group.

  3. Select one of the following options to further migrate user traffic from the network load balancer to the L7 load balancer based on whether your NLB listener's public IP address is DDoS-protected:

    • If using a DDoS-protected IP address, during migration, your service will retain its public IP address.
    • If using an IP address without DDoS protection, during migration, your service will get a new public IP address.

Your network load balancer listener uses a DDoS-protected public IP address

  1. Monitor the status of your network load balancer’s targets. Wait until the targets are automatically deleted from the target group.

  2. Delete the listener in the network load balancer to release the static public IP address.

  3. In the L7 load balancer, assign to the listener the public IP address previously used by the network load balancer:

    CLI

    If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

    To change the public IP address, run this command:

    yc application-load-balancer load-balancer update-listener <load_balancer_name> \
       --listener-name <listener_name> \
       --external-ipv4-endpoint address=<service_public_IP_address>,port=<service_port>
    

    Where address is the public IP address the network load balancer used previously.

  4. After the IP address changes, your service will again be available through the L7 load balancer. Monitor the L7 load balancer's user traffic on the load balancer statistics charts.

  5. Delete the now free static public IP address you selected when creating the L7 load balancer.

  6. Optionally, delete the network load balancer after migrating user traffic to the L7 load balancer.

Your network load balancer listener uses a public IP address without DDoS protection

  1. Monitor the status of your network load balancer’s targets. Wait until the targets are automatically deleted from the target group.

  2. Create a target group for the network load balancer. Add the VMs recreated when updating the instance group.

  3. In the network load balancer, attach the target group created in the previous step. When attaching the target group, configure the same health checks as in the original target group.

  4. Wait until the health checks for the VMs in the network load balancer’s target group return Healthy. This will make your service once again available through the network load balancer.

  5. To migrate user traffic from the network load balancer to the L7 load balancer, go to the DNS service hosting your domain's public zone and change the A record for the service domain name to the L7 load balancer's public IP address. If the public domain zone was created in Yandex Cloud DNS, update the record using this guide.

    Note

    The migration may take a while because the propagation of DNS record updates depends on the record's time-to-live (TTL) and the number of links in the DNS request chain.

  6. As the DNS record updates propagate, monitor the increase in requests to the L7 load balancer on the load balancer statistics charts.

  7. Monitor the decrease in traffic on the network load balancer using the processed_bytes and processed_packets load balancer metrics. You can create a dashboard to visualize these metrics. If there is no load on the network load balancer for a long time, the migration to the L7 load balancer is complete.

  8. Optionally, delete the network load balancer after migrating user traffic to the L7 load balancer.
