© 2025 Direct Cursus Technology L.L.C.
Fixed-load HTTPS testing with Phantom

Written by
Yandex Cloud
Updated at May 7, 2025
  • Prepare your cloud
    • Required paid resources
  • Prepare a test target
  • Prepare the infrastructure
    • Create a service account
    • Configure a network
    • Configure security groups
  • Create a test agent
  • Prepare a file with test data
  • Create and run a test
  • How to delete the resources you created

You can use Load Testing to run fixed-load tests against a service over HTTPS using the Phantom load generator.

To perform load testing:

  1. Prepare your cloud.
  2. Prepare a test target.
  3. Prepare your infrastructure.
  4. Create an agent.
  5. Prepare a file with test data.
  6. Create and run a test.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

If the agent is hosted on Yandex Cloud, you pay for computing resources (see Yandex Compute Cloud pricing).

At the Preview stage, Load Testing is free of charge.

Prepare a test target

As a test target, create a VM from a public Linux image.

In this example, we will test a service with internal IP address 172.17.0.10 in the same subnet as the agent.

Make sure the service is accessed over HTTPS using the default port: 443.

You can also use Load Testing for load testing of a service that is public or located in a subnet and security group other than those of the agent.

For a public service, allow incoming HTTPS traffic on port 443.

For a service in a subnet and security group different from the agent's, create a rule for incoming HTTPS traffic on port 443 in the security group where the test target is located.

Prepare the infrastructure

Create a service account

  1. Create a service account named sa-loadtest in the folder to host the agent that will generate the load.
  2. Assign the following roles to the service account:
    • loadtesting.generatorClient: Allows running the agent, performing tests on the agent, and uploading the results to storage.
    • compute.admin: Allows managing VMs in Compute Cloud.
    • vpc.user: Allows connecting to Virtual Private Cloud network resources and using them.

Configure a network

Create and configure a NAT gateway in the subnet where your test target is and where the agent will reside. This will enable the agent to access Load Testing.

Configure security groups

  1. Set up the test agent's security group:

    1. Create an agent security group named agent-sg.
    2. Add rules:
      1. Rule for outgoing HTTPS traffic to the Load Testing public API:

        • Port range: 443
        • Protocol: TCP
        • Destination name: CIDR
        • CIDR blocks: 0.0.0.0/0

        This will allow connecting the agent to Load Testing to manage tests from the interface and get test results.

      2. Rule for incoming SSH traffic:

        • Port range: 22
        • Protocol: TCP
        • Destination name: CIDR
        • CIDR blocks: 0.0.0.0/0

        This will allow you to connect to the agent over SSH and manage tests from the console or collect debugging information.

      3. Rule for outgoing traffic when generating load to the test target:

        • Port range: 0-65535
        • Protocol: Any
        • Destination name: Security group
          Select From list. Specify the security group where the test target is located.

        Create this rule for each test target with a unique security group.

  2. Set up the test target's security group:

    1. Create the test target's security group named load-target-sg.

    2. Add a rule for incoming traffic when generating load to the test target:

      • Port range: 0-65535.
      • Protocol: Any.
      • Select From list. Specify the security group where the test target is located.

      This rule allows agents to generate load to this target or enable additional monitoring tools.

Create a test agent

  1. If you do not have an SSH key pair yet, create one.

  2. Create an agent.

    Management console
    1. In the management console, select the folder where you want to create the agent.

    2. From the list of services, select Load Testing.

    3. In the Agents tab, click Create agent.

    4. Enter a name for the agent, e.g., agent-008.

    5. Specify the same availability zone where the test target is located.

    6. Under Agent:

      • Select the appropriate agent type. For more information, see Agent performance.
      • Specify the subnet where the test target is located. Make sure you created and set up a NAT gateway in the subnet.
      • If security groups are available to you, select a security group preset for the agent.
    7. Under Access, specify the information required to access the agent:

      • Select the sa-loadtest service account.

      • Under Login, enter a username.

        Alert

        Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

      • In the SSH key field, paste the contents of the public key file.

    8. Click Create.

    9. Wait for the VM instance to be created. Make sure the agent status has changed to Ready for test.

      Note

      If the agent creation process has stopped at Initializing connection, make sure the following conditions are met:

      • The agent has a public IP address and access to loadtesting.api.cloud.yandex.net:443.
      • A NAT gateway is set up in the target subnet.
      • The service account assigned to the agent has the required roles.

    CLI

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. See the description of the CLI command for creating an agent:

      yc loadtesting agent create --help
      
    2. Select the same availability zone where the test target is located.

    3. Select the subnet where the test target is located. Make sure you created and set up a NAT gateway in the subnet.

      To get a list of available subnets using the CLI, run this command:

      yc vpc subnet list
      

      Result:

      +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
      |          ID          |           NAME            |      NETWORK ID      | ROUTE TABLE ID |       ZONE        |      RANGE      |
      +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
      | e2lfkhps7bol******** |   default-ru-central1-b   | enpnf7hajqmd******** |                |   ru-central1-b   | [10.129.0.0/24] |
      | e9bgnq1bggfa******** |   default-ru-central1-a   | enpnf7hajqmd******** |                |   ru-central1-a   | [10.128.0.0/24] |
      | fl841n5ilklr******** |   default-ru-central1-d   | enpnf7hajqmd******** |                |   ru-central1-d   | [10.130.0.0/24] |
      +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+
      
    4. Select the security group. Make sure to configure the security group in advance.

      To get a list of available security groups using the CLI, run this command:

      yc vpc security-group list
      

      Result:

      +----------------------+---------------------------------+--------------------------------+----------------------+
      |          ID          |              NAME               |          DESCRIPTION           |      NETWORK-ID      |
      +----------------------+---------------------------------+--------------------------------+----------------------+
      | enp414a2tnnp******** | default-sg-enpnf7hajqmd******** | Default security group for     | enpnf7hajqmd******** |
      |                      |                                 | network                        |                      |
      | enpctpve7951******** | sg-load-testing-agents          |                                | enpnf7hajqmd******** |
      | enpufo9ms0gi******** | sg-load-testing-targets         |                                | enpnf7hajqmd******** |
      +----------------------+---------------------------------+--------------------------------+----------------------+
      
    5. Find out the sa-loadtest service account ID using its name:

      yc iam service-account get sa-loadtest
      

      Result:

      id: ajespasg04oc********
      folder_id: b1g85uk96h3f********
      created_at: "2024-12-04T17:38:57Z"
      name: sa-loadtest
      last_authenticated_at: "2024-12-12T19:10:00Z"
      
    6. Create an agent in the default folder:

      yc loadtesting agent create \
        --name agent-008 \
        --labels origin=default,label-key=label-value \
        --zone ru-central1-a \
        --network-interface subnet-id=e9bgnq1bggfa********,security-group-ids=enpctpve7951******** \
        --cores 2 \
        --memory 2G \
        --service-account-id ajespasg04oc******** \
        --metadata-from-file user-data=metadata.yaml
      

      Where:

      • --name: Agent name.
      • --labels: Agent labels.
      • --zone: Availability zone to host the agent.
      • --network-interface: Agent network interface settings:
        • subnet-id: ID of the selected subnet.
        • security-group-ids: Security group IDs.
      • --cores: Number of CPU cores the agent can use.
      • --memory: Amount of RAM allocated to the agent.
      • --service-account-id: Service account ID.
      • --metadata-from-file: <key>=<value> pair with the name of the file containing the public SSH key path. For an example of the metadata.yaml configuration file, see VM metadata.

      For more information on how to create an agent with the CLI, see the Yandex Cloud Examples repository.

  3. Assign a public IP to the agent to enable access over SSH:

    Management console
    1. In the management console, select the folder where the agent is located.
    2. Select Compute Cloud.
    3. Select the VM named agent-008.
    4. Under Network interface, in the top-right corner, click and select Add public IP address.
    5. In the window that opens:
      • In the Public address field, select Auto to have an address assigned automatically.
      • Click Add.

    CLI

    To assign a public IP address to an agent, run the following CLI command:

    yc compute instance add-one-to-one-nat \
      --id=<VM_ID> \
      --network-interface-index=<VM_network_interface_number> \
      --nat-address=<IP_address>
    

    Where:

    • --id: VM ID. You can get a list of available VM IDs in a folder using the yc compute instance list CLI command.

    • --network-interface-index: VM network interface number. The default value is 0. To get a list of VM network interfaces and their numbers, run the following command: yc compute instance get <VM_ID>.

    • --nat-address: Public IP address to assign to the VM. This is an optional parameter. If you omit it, a public IP address will be assigned to the VM automatically.

      You can get a list of reserved public IP addresses available in a folder using the yc vpc address list CLI command. The IP address and the VM must be in the same availability zone.

    Usage example:

    yc compute instance add-one-to-one-nat \
      --id=fhmsbag62taf******** \
      --network-interface-index=0 \
      --nat-address=51.250.*.***
    

    Result:

    id: fhmsbag62taf********
    folder_id: b1gv87ssvu49********
    created_at: "2022-05-06T10:41:56Z"
    ...
    network_settings:
      type: STANDARD
    placement_policy: {}
    

    For more information about the yc compute instance add-one-to-one-nat command, see the CLI reference.

Prepare a file with test data

  1. Generate payloads in URI format:

    [Host: 172.17.0.10]
    [Connection: Close]
    / index
    /test?param1=1&param2=2 get_test
    

    The Host parameter gives the IP address of the test target.
    The Connection: Close parameter specifies whether to close the connection after each request. This mode is heavier on the application and load generator. If you do not need to close the connections, select Keep-Alive.

    There are also two requests tagged index and get_test. The load generator will repeat them alternately within the specified load profile.

  2. Save the payloads to a file named data.uri.
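
A pre-flight check for the data.uri file before it is attached to a test, so the load only goes where intended. This is an added example, not part of the original tutorial or of Load Testing itself; the function names are hypothetical, and treating a request line without a tag as valid is an assumption.

```python
import re

# Constructed sample: the data.uri payload from this tutorial.
SAMPLE_AMMO = """\
[Host: 172.17.0.10]
[Connection: Close]
/ index
/test?param1=1&param2=2 get_test
"""

HEADER_RE = re.compile(r"^\[([^:\]]+):\s*(.*)\]$")
CONNECTION_MODES = {"close", "keep-alive"}  # the two modes the tutorial names


def parse_uri_ammo(text):
    """Return (uri, tag, headers) for every request line.

    Bracketed lines set headers for the requests that follow them; any other
    non-empty line is "<uri> <tag>" (assumption: a missing tag becomes "").
    """
    headers, requests = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            headers[match.group(1).strip().lower()] = match.group(2).strip()
            continue
        parts = line.split(None, 1)
        if not parts[0].startswith("/"):
            raise ValueError(f"line {lineno}: URI must start with '/': {parts[0]!r}")
        tag = parts[1] if len(parts) > 1 else ""
        requests.append((parts[0], tag, dict(headers)))
    return requests


def check_ammo(text, target_host):
    """List problems that would send load somewhere other than intended."""
    requests = parse_uri_ammo(text)
    problems = [] if requests else ["no requests defined"]
    for uri, _tag, headers in requests:
        host = headers.get("host")
        if host != target_host:
            problems.append(f"{uri}: Host {host!r} does not match target {target_host!r}")
        mode = headers.get("connection", "").lower()
        if mode not in CONNECTION_MODES:
            problems.append(f"{uri}: unexpected Connection value {mode!r}")
    return problems


if __name__ == "__main__":
    for uri, tag, headers in parse_uri_ammo(SAMPLE_AMMO):
        print(tag, uri, headers)
    print(check_ammo(SAMPLE_AMMO, "172.17.0.10") or "ammo file OK")
```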

Create and run a test

  1. In the management console, select Load Testing.

  2. In the left-hand panel, select Tests and click Create test.

  3. In the Agents parameter, select agent-008.

  4. Under Attached files, click Select files and select the data.uri file you saved earlier.

  5. Under Test settings, select a configuration method: Form or Config.

  6. Depending on the selected method, specify the test parameters:

    Form
    1. In the Load generator field, select PHANTOM.

    2. In the Target address field, specify the IP address of the service you are testing: 172.17.0.10.

    3. In the Target port field, specify 443 (default HTTPS port). Allow using a secure connection.

    4. In the Testing threads field, specify 5000.

      This means that the load generator can simultaneously process 5,000 operations: either create 5,000 connections or wait for 5,000 responses from the service at the same time.

      Tip

      For most tests, 1,000 to 10,000 threads are enough.

      Using more testing threads requires more resources on the VM the agent is running on. Compute Cloud also has a limit of 50,000 concurrent connections to a VM.

    5. In the Load type menu, select RPS.

    6. Add a Load profile:

      • Profile: const.
      • Responses per second: 2000.
      • Duration: 10m.

      This instructs the load generator to maintain a load of 2,000 requests per second for 10 minutes.

    7. In the Request type field, select URI.

    8. In the Attached files field, select Attached file.

    9. In the Autostop menu, click Autostop and enter the following description:

      • Autostop type: INSTANCES.
      • Limit: 90%.
      • Window duration: 60s.

      This will stop the test if 90% of testing threads are busy for 60 seconds, which is indicative of some testing problems. Learn more about autostop.

    10. Under Forced test termination time, specify the time to autostop the test unless it is stopped for other reasons. This parameter value should be slightly greater than the expected test duration.

    11. Under Test information, specify the name, description, and number of the test version. This will make the report easier to read.

    Configuration file

    In the configuration input field, specify the testing thread settings in YAML format:

    phantom:
      enabled: true
      package: yandextank.plugins.Phantom
      address: 172.17.0.10:443 # IP address of the test target.
      ammo_type: uri
      load_profile:
        load_type: rps
        schedule: const(2000,5m) # Load schedule: 2,000 requests per second over 5 minutes.
      ssl: true
      instances: 5000 # Number of threads.
      ammofile: data.uri
    core: {}
    autostop: # Autostop.
      enabled: true
      package: yandextank.plugins.Autostop
      autostop:
        - limit (5m) # Make sure to specify the time limit for the test.
        - instances(90%,60s) # Stop the test if 90% of testing threads get busy
                             # within 60 seconds, which indicates
                             # a testing issue.
    uploader:
      enabled: true
      package: yandextank.plugins.DataUploader
      job_name: '[example][phantom][const]'
      job_dsc: 'example'
      ver: '0.5.5'
      api_address: loadtesting.api.cloud.yandex.net:443
    

    Learn more about autostop.

    Tip

    View a sample configuration file. You can also find sample configuration files in existing tests.

  7. Click Create.

With that done, the configuration will pass the checks, and the agent will start generating load on the service you are testing.

To see the testing progress, select the new test and go to the Test results tab.
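
What the thread count, load profile, and autostop settings imply together, worked through for the values in the configuration file above. This is an added example, not part of the original tutorial; it applies Little's law (busy threads = RPS x mean response time) to turn the instances autostop threshold into a response-time ceiling. The function names are hypothetical, and only the const profile and single-unit durations (s, m, h) shown on this page are handled.

```python
import re

# Values copied from the tutorial's configuration file, embedded as a dict so
# the example needs no YAML library.
CONFIG = {
    "schedule": "const(2000,5m)",
    "instances": 5000,
    "autostop": ["limit (5m)", "instances(90%,60s)"],
}
MAX_VM_CONNECTIONS = 50_000  # Compute Cloud limit quoted in the tutorial.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def seconds(text):
    """Convert a duration such as '60s', '5m' or '1h' to seconds."""
    match = re.fullmatch(r"(\d+)([smh])", text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def parse_call(text):
    """Split 'name(arg1,arg2)' (optional space before the bracket) into parts."""
    match = re.fullmatch(r"\s*(\w+)\s*\((.*)\)\s*", text)
    if not match:
        raise ValueError(f"cannot parse: {text!r}")
    return match.group(1), [arg.strip() for arg in match.group(2).split(",")]


def preflight(config):
    """Summarise what the test will do before it is started."""
    name, args = parse_call(config["schedule"])
    if name != "const":
        raise ValueError("only the const profile from the tutorial is handled")
    rps, duration = int(args[0]), seconds(args[1])
    report = {"duration_s": duration, "total_requests": rps * duration}
    for rule in config["autostop"]:
        rule_name, rule_args = parse_call(rule)
        if rule_name == "limit":
            # True when the time limit does not cut the schedule short.
            report["limit_covers_schedule"] = seconds(rule_args[0]) >= duration
        elif rule_name == "instances":
            busy = config["instances"] * int(rule_args[0].rstrip("%")) / 100
            # Mean response time at which this many threads stay busy.
            report["autostop_latency_s"] = busy / rps
            report["autostop_window_s"] = seconds(rule_args[1])
    report["within_vm_connection_limit"] = config["instances"] <= MAX_VM_CONNECTIONS
    return report


if __name__ == "__main__":
    for key, value in preflight(CONFIG).items():
        print(f"{key}: {value}")
```

For the tutorial's values, the instances autostop rule trips once the mean response time stays at or above 2.25 seconds for the 60-second window.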

How to delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the agent.
  2. Delete the route table.
  3. Delete the NAT gateway.
