Fault-tolerant website with load balancing via Yandex Application Load Balancer using Terraform
To create an infrastructure for your website with load balancing in three availability zones with an Application Load Balancer using Terraform:
- Get your cloud ready.
- Create your infrastructure.
- Upload the website files.
- Test the fault tolerance.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing ).
- Fee for a dynamic public IP address (see Yandex Virtual Private Cloud pricing).
- Fee for load balancing (see Application Load Balancer pricing).
- Fee for public DNS queries and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).
Create an infrastructure
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the documentation on the Terraform website or its mirror.
To host a fault-tolerant website in an instance group with load balancing via Application Load Balancer using Terraform:
-
Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).
-
Prepare your infrastructure description files:
Ready-made configurationManually-
Clone the repository with configuration files.
git clone https://github.com/yandex-cloud-examples/yc-website-high-availability-with-alb.git -
Navigate to the repository directory. Make sure it contains the following files:
application-load-balancer-website.tf: New infrastructure configuration.application-load-balancer-website.auto.tfvars: User data file.
- Create a configuration file folder.
- In this folder, create:
-
application-load-balancer-website.tfconfiguration file:application-load-balancer-website.tf
# Declaring variables for confidential parameters variable "folder_id" { type = string } variable "vm_user" { type = string } variable "ssh_key_path" { type = string sensitive = true } variable "domain" { type = string } # Adding other variables locals { sa_name = "ig-sa" network_name = "network1" subnet_name1 = "subnet-1" subnet_name2 = "subnet-2" subnet_name3 = "subnet-3" } # Configuring a provider terraform { required_providers { yandex = { source = "yandex-cloud/yandex" version = ">= 0.47.0" } } } provider "yandex" { zone = "ru-central1-a" } # Creating a service account and assigning permissions resource "yandex_iam_service_account" "ig-sa" { name = local.sa_name } resource "yandex_resourcemanager_folder_iam_member" "editor" { folder_id = var.folder_id role = "editor" member = "serviceAccount:${yandex_iam_service_account.ig-sa.id}" } # Creating a cloud network and subnets resource "yandex_vpc_network" "network-1" { name = local.network_name } resource "yandex_vpc_subnet" "subnet-1" { name = local.subnet_name1 zone = "ru-central1-a" network_id = yandex_vpc_network.network-1.id v4_cidr_blocks = ["192.168.1.0/24"] } resource "yandex_vpc_subnet" "subnet-2" { name = local.subnet_name2 zone = "ru-central1-b" network_id = yandex_vpc_network.network-1.id v4_cidr_blocks = ["192.168.2.0/24"] } resource "yandex_vpc_subnet" "subnet-3" { name = local.subnet_name3 zone = "ru-central1-d" network_id = yandex_vpc_network.network-1.id v4_cidr_blocks = ["192.168.3.0/24"] } # Create security groups resource "yandex_vpc_security_group" "alb-sg" { name = "alb-sg" network_id = yandex_vpc_network.network-1.id egress { protocol = "ANY" description = "any" v4_cidr_blocks = ["0.0.0.0/0"] from_port = 1 to_port = 65535 } ingress { protocol = "TCP" description = "ext-http" v4_cidr_blocks = ["0.0.0.0/0"] port = 80 } ingress { protocol = "TCP" description = "ext-https" v4_cidr_blocks = ["0.0.0.0/0"] port = 443 } ingress { protocol = "TCP" description = "healthchecks" predefined_target = "loadbalancer_healthchecks" port = 30080 } } resource "yandex_vpc_security_group" "alb-vm-sg" { name = "alb-vm-sg" network_id = yandex_vpc_network.network-1.id ingress { protocol = "TCP" description = "balancer" security_group_id = yandex_vpc_security_group.alb-sg.id port = 80 } ingress { protocol = "TCP" description = "ssh" v4_cidr_blocks = ["0.0.0.0/0"] port = 22 } } # Creating an instance group for a website resource "yandex_compute_image" "lemp" { source_family = "lemp" } resource "yandex_compute_instance_group" "alb-vm-group" { name = "alb-vm-group" folder_id = var.folder_id service_account_id = yandex_iam_service_account.ig-sa.id instance_template { platform_id = "standard-v2" service_account_id = yandex_iam_service_account.ig-sa.id resources { core_fraction = 5 memory = 1 cores = 2 } boot_disk { mode = "READ_WRITE" initialize_params { image_id = yandex_compute_image.lemp.id type = "network-hdd" size = 3 } } network_interface { network_id = yandex_vpc_network.network-1.id subnet_ids = [yandex_vpc_subnet.subnet-1.id,yandex_vpc_subnet.subnet-2.id,yandex_vpc_subnet.subnet-3.id] nat = true security_group_ids = [yandex_vpc_security_group.alb-vm-sg.id] } metadata = { user-data = "#cloud-config\nusers:\n - name: ${var.vm_user}\n groups: sudo\n shell: /bin/bash\n sudo: ['ALL=(ALL) NOPASSWD:ALL']\n ssh_authorized_keys:\n - ${file("${var.ssh_key_path}")}" } } scale_policy { fixed_scale { size = 3 } } allocation_policy { zones = ["ru-central1-a", "ru-central1-b", "ru-central1-d"] } deploy_policy { max_unavailable = 1 max_expansion = 0 } application_load_balancer { target_group_name = "alb-tg" } } # Creating a backend group resource "yandex_alb_backend_group" "alb-bg" { name = "alb-bg" http_backend { name = "backend-1" port = 80 target_group_ids = [yandex_compute_instance_group.alb-vm-group.application_load_balancer.0.target_group_id] healthcheck { timeout = "10s" interval = "2s" healthcheck_port = 80 http_healthcheck { path = "/" } } } } # Creating an HTTP router and a virtual host resource "yandex_alb_http_router" "alb-router" { name = "alb-router" } resource "yandex_alb_virtual_host" "alb-host" { name = "alb-host" http_router_id = yandex_alb_http_router.alb-router.id authority = [var.domain, "www.${var.domain}"] route { name = "route-1" http_route { http_route_action { backend_group_id = yandex_alb_backend_group.alb-bg.id } } } } # Creating an L7 load balancer resource "yandex_alb_load_balancer" "alb-1" { name = "alb-1" network_id = yandex_vpc_network.network-1.id security_group_ids = [yandex_vpc_security_group.alb-sg.id] allocation_policy { location { zone_id = "ru-central1-a" subnet_id = yandex_vpc_subnet.subnet-1.id } location { zone_id = "ru-central1-b" subnet_id = yandex_vpc_subnet.subnet-2.id } location { zone_id = "ru-central1-d" subnet_id = yandex_vpc_subnet.subnet-3.id } } listener { name = "alb-listener" endpoint { address { external_ipv4_address { } } ports = [ 80 ] } http { handler { http_router_id = yandex_alb_http_router.alb-router.id } } } } # Creating a DNS zone resource "yandex_dns_zone" "alb-zone" { name = "alb-zone" description = "Public zone" zone = "${var.domain}." public = true } # Create resource records in a DNS zone resource "yandex_dns_recordset" "rs-1" { zone_id = yandex_dns_zone.alb-zone.id name = "${var.domain}." ttl = 600 type = "A" data = [yandex_alb_load_balancer.alb-1.listener[0].endpoint[0].address[0].external_ipv4_address[0].address] } resource "yandex_dns_recordset" "rs-2" { zone_id = yandex_dns_zone.alb-zone.id name = "www" ttl = 600 type = "CNAME" data = [ var.domain ] } -
application-load-balancer-website.auto.tfvarsuser data file:application-load-balancer-website.auto.tfvars
folder_id = "<folder_ID>" vm_user = "<VM_user_name>" ssh_key_path = "<path_to_public_SSH_key>" domain = "<domain>"
-
For more information about the properties of Terraform resources, see the relevant Terraform guides:
- Service account: yandex_iam_service_account.
- Role: yandex_resourcemanager_folder_iam_member.
- Network: yandex_vpc_network.
- Subnets: yandex_vpc_subnet.
- Security groups: yandex_vpc_security_group.
- VM image: yandex_compute_image.
- Instance group: yandex_compute_instance_group.
- Backend group: yandex_alb_backend_group.
- HTTP router: yandex_alb_http_router.
- Virtual host: yandex_alb_virtual_host.
- L7 load balancer: yandex_alb_load_balancer.
- DNS zone: yandex_dns_zone.
- DNS resource record: yandex_dns_recordset.
-
-
In the
application-load-balancer-website.auto.tfvarsfile, set the following user-defined properties:folder_id: Folder ID.vm_user: VM user name.ssh_key_path: Path to the public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair.domain: Domain name, e.g.,alb-example.com.
-
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-
After creating the infrastructure, upload the website files.
Upload the website files
To test the web server, upload the website files to each VM. You can use the index.html file from this archive as an example.
For each VM in the created group, do the following:
-
On the Virtual machines tab, click the VM name in the list.
-
Copy Public IPv4 address from the Network section.
-
Connect to the VM over SSH.
-
Grant your user write permissions for the
/var/www/htmldirectory:sudo chown -R "$USER":www-data /var/www/html -
Upload the website files to the VM via SCP.
Linux/macOSWindowsUse the
scpcommand line utility:scp -r <path_to_directory_with_files> <VM_user_name>@<VM_IP_address>:/var/www/htmlUse WinSCP to copy the local file directory to
/var/www/htmlon the VM.
Test the fault tolerance
-
In the management console, select Compute Cloud.
-
Go to the page of the VM from the previously created group.
-
Copy Public IPv4 address from the Network section.
-
Connect to the VM over SSH.
-
Stop the web service to simulate a failure on the web server:
sudo service nginx stop -
Open your website in a browser. The website should open, even though one of the web servers has failed.
-
After the check is complete, restart the web service:
sudo service nginx start
How to delete the resources you created
To stop paying for the resources you created:
-
Open the
application-load-balancer-website.tfconfiguration file and delete the description of the new infrastructure from it. -
Apply the changes:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-