© 2022 Yandex.Cloud LLC
Yandex Application Load Balancer

Terminating TLS connections

Written by Yandex Cloud
  • Before you start
    • Required paid resources
  • Create a cloud network
  • Reserve a static public IP address
  • Create security groups
  • Import the site's TLS certificate into Certificate Manager
  • Create a VM group for the site
  • Upload the site files to the VM
  • Create a backend group
  • Create and configure an HTTP router
  • Create an L7 load balancer
  • Check that the hosting is running properly
  • Delete the resources you created

Application Load Balancer L7 load balancers can terminate TLS connections: send certificates to clients, decrypt incoming traffic to send to the backends, and encrypt backend responses to forward to clients. This scenario describes configuring a load balancer to terminate TLS connections using a certificate from Certificate Manager and to redirect HTTP requests to HTTPS.

This scenario uses my-site.com as an example domain name.

To create a virtual hosting:

  1. Before you start.
  2. Create a cloud network.
  3. Reserve a static public IP address.
  4. Create security groups.
  5. Import the site's TLS certificate into Certificate Manager.
  6. Create a VM group for the site.
  7. Upload the site files to the VM.
  8. Create a backend group.
  9. Create and configure an HTTP router.
  10. Create an L7 load balancer.
  11. Check that the hosting is running properly.

If you no longer need these resources, delete them.

Before you start

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of virtual hosting includes:

  • A fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • A fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).

Create a cloud network

All resources you have created in the tutorial belong to the same cloud network.

To create a network:

Management console
  1. In the management console, open Virtual Private Cloud.
  2. Click Create network.
  3. Specify a network Name: mysite-network.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.

Reserve a static public IP address

For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.

To reserve an address:

Management console
  1. In the management console, open Virtual Private Cloud.
  2. Go to the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the ru-central1-a availability zone. Click Reserve address.

Create security groups

Note

Security groups are at the Preview stage. If they aren't available on your network, all incoming and outgoing traffic will be enabled for the resources and no additional setup is required.

Security groups contain rules that let the load balancer accept incoming traffic and forward it to the VMs, and that let the VMs accept that traffic. This tutorial creates two security groups: one for the load balancer and one for all the VMs.

To create security groups:

Management console
  1. In the management console, open Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group for the load balancer:

    1. Click Create group.

    2. Specify a group Name: mysite-sg-balancer.

    3. Select the Network: mysite-network.

    4. Under Rules, create the following rules using the instructions below the table:

      Traffic direction | Description  | Port range | Protocol | Source/destination type | Source/destination
      Outgoing          | any          | All        | Any      | CIDR                    | 0.0.0.0/0
      Incoming          | ext-http     | 80         | TCP      | CIDR                    | 0.0.0.0/0
      Incoming          | ext-https    | 443        | TCP      | CIDR                    | 0.0.0.0/0
      Incoming          | healthchecks | 30080      | TCP      | CIDR                    | 198.18.235.0/24, 198.18.248.0/24

      1. Select the Outgoing traffic or Incoming traffic tab.

      2. Click Add rule.

      3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.

      4. In the Protocol field, specify the desired protocol or leave Any to allow traffic transmission over any protocol.

      5. In the Destination or Source field, select what the rule applies to:

        • CIDR: The rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
        • Security group: The rule will apply to the VMs from the current group or the selected security group.
      6. Click Save. Repeat the steps to create all rules from the table.

    5. Click Save.

  4. In the same way, create a security group named mysite-sg-vms for the VMs in the mysite-network network, with the following rules:

    Traffic direction | Description | Port range | Protocol | Source/destination type | Source/destination
    Incoming          | balancer    | 80         | TCP      | Security group          | mysite-sg-balancer
    Incoming          | ssh         | 22         | TCP      | CIDR                    | 0.0.0.0/0
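The two rule tables above, as an added example that is not part of the Yandex Cloud docs: a stdlib-only Python model of both groups that checks which traffic each one admits and which ports are reachable from the whole internet (the VM group's SSH rule is one such port; narrowing it to an administrative address range is a common hardening step). The rule layout and helper names are the example's own.

```python
# Added example: models the mysite-sg-balancer and mysite-sg-vms rules from the
# tutorial and evaluates them offline with the standard library only.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out"
    port_lo: int
    port_hi: int
    proto: str           # "tcp", "udp" or "any"
    cidrs: tuple = ()    # source/destination CIDR blocks for a CIDR-based rule
    sg: str = ""         # source/destination security group for an SG-based rule

def rule(direction, ports, proto, cidrs=(), sg=""):
    lo, hi = (ports, ports) if isinstance(ports, int) else ports
    return Rule(direction, lo, hi, proto, tuple(ipaddress.ip_network(c) for c in cidrs), sg)

# Balancer group, as in the first table (health-check ranges are the page's values).
SG_BALANCER = [
    rule("out", (0, 65535), "any", ["0.0.0.0/0"]),
    rule("in", 80, "tcp", ["0.0.0.0/0"]),
    rule("in", 443, "tcp", ["0.0.0.0/0"]),
    rule("in", 30080, "tcp", ["198.18.235.0/24", "198.18.248.0/24"]),
]
# VM group, as in the second table.
SG_VMS = [
    rule("in", 80, "tcp", sg="mysite-sg-balancer"),
    rule("in", 22, "tcp", ["0.0.0.0/0"]),
]

def allowed(rules, direction, proto, port, src_ip=None, src_sg=None):
    """True if some rule admits this direction/protocol/port from src_ip or src_sg."""
    for r in rules:
        if r.direction != direction or not (r.port_lo <= port <= r.port_hi):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.sg and src_sg == r.sg:
            return True
        if src_ip is not None and any(ipaddress.ip_address(src_ip) in c for c in r.cidrs):
            return True
    return False

def internet_exposed_ports(rules):
    """Ports that incoming rules open to 0.0.0.0/0, i.e. reachable by anyone."""
    everyone = ipaddress.ip_network("0.0.0.0/0")
    return sorted({p for r in rules if r.direction == "in" and everyone in r.cidrs
                   for p in range(r.port_lo, r.port_hi + 1)})
```

Health-check traffic to port 30080 is admitted only from the two 198.18.x.0/24 ranges, and the VMs accept port 80 only from members of mysite-sg-balancer, not from arbitrary internet addresses.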

Import the site's TLS certificate into Certificate Manager

For users to access the site using the secure HTTPS protocol (HTTP over TLS), the site must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.

If your site does not have a certificate, you can use Certificate Manager to get a certificate from Let's Encrypt®. No additional steps are required after the certificate is created: it is imported automatically.

To import an existing certificate for my-site.com:

Management console
  1. In the management console, open Certificate Manager.
  2. Click Add certificate and select User certificate.
  3. Specify a certificate Name: mysite-cert.
  4. In the Certificate field, click Add certificate. Upload the File with your certificate or enter its Contents and click Add.
  5. If your certificate is issued by a third-party certificate authority, in the Intermediate certificate chain field, click Add chain. Upload the File with the certificate chain or enter its Contents and click Add.
  6. In the Private key field, click Add private key. Upload the File with the key or enter its Contents and click Add.
  7. Click Create.

Create a VM group for the site

To create a VM group for my-site.com:

Management console
  1. In the management console, open Compute Cloud.

  2. Open the Instance groups tab. Click Create group.

  3. Specify a VM group name: mysite-ig.

  4. Under Allocation, select multiple availability zones to ensure fault tolerance of your hosting.

  5. Under Instance template, click Define.

  6. On the Cloud Marketplace tab, click Show more and select the LEMP product. Click Use.

  7. Under Computing resources:

    • Select the VM's platform.
    • Specify the necessary number of vCPUs and amount of RAM.

    The minimum configuration is enough for functional website testing:

    • Platform: Intel Cascade Lake.
    • Guaranteed vCPU share: 5%.
    • vCPU: 2.
    • RAM: 1 GB.
  8. Under Network settings, select the Network named mysite-network that you created earlier and its subnets.

  9. Select the previously created mysite-sg-vms security group.

  10. Specify data required for accessing the VM:

    • Enter the username in the Login field.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection yourself. See the section about how to connect to VMs via SSH.

    Alert

    The IP address and host name (FQDN) to connect to the VM are assigned at VM creation. If you selected No address in the Public address field, you won't be able to access the VM from the internet.

  11. Click Save.

  12. Under Scaling, enter the Size of the instance group: 2.

  13. Under Integration with Application Load Balancer, select Create target group and specify mysite-tg as the group name. Read more about target groups.

  14. Click Create.

It may take several minutes to create an instance group. Once the group's status changes to RUNNING and the status of all of its VMs to RUNNING_ACTUAL, you can upload the website files to them.

Upload the site files to the VM

To test the web servers, upload an index.html file to each virtual machine.

Example of the index.html file
<!DOCTYPE html>
<html>
  <head>
    <title>My site</title>
  </head>
  <body>
    <h1>This is my site</h1>
  </body>
</html>

To upload a file to a VM:

  1. Get the IP address of the instance: it is shown under Network on the instance page in the management console.

  2. Connect to the VM over SSH.

  3. Grant your user write access to the directory /var/www/html:

    Ubuntu:
    sudo chown -R "$USER":www-data /var/www/html

    CentOS:
    sudo chown -R "$USER":apache /var/www/html

  4. Upload the website files to the VM over SCP.

    Linux/macOS: use the scp command-line utility:

    scp -r <path to the file directory> <your user's name>@<VM's IP address>:/var/www/html

    Windows: use the WinSCP program to copy the local file directory to the /var/www/html directory on the VM.

Create a backend group

The target group that was created together with the VM group must be linked to a backend group, which defines how traffic is distributed among the backends.

Health checks are configured per backend group: the load balancer periodically sends health check requests to the VMs and expects a response within a certain timeout.

To create a backend group for my-site.com:

Management console
  1. In the management console, open Application Load Balancer.
  2. Open the Backend groups tab. Click Create backend group.
  3. Specify a Name for the backend group: my-site-bg.
  4. Under Backends, click Add.
  5. Specify a Name for the backend: mysite-backend.
  6. In the Target group field, select mysite-tg.
  7. Specify the Port that the backend VMs will use to receive incoming traffic from the load balancer: 80.
  8. Click Add health check.
  9. Enter the Port that the backend VMs will use to accept health check connections from the load balancer: 80.
  10. Enter the Path to be accessed by the load balancer's health checks: /.
  11. Click Create.

Create and configure an HTTP router

The backend group should be linked to an HTTP router that defines routing rules.

To create an HTTP router:

Management console
  1. In the management console, open Application Load Balancer.
  2. Open the HTTP routers tab. Click Create HTTP router.
  3. Specify a Name for the HTTP router: mysite-router.
  4. Click Add virtual host.
  5. Specify a Name for the virtual host: mysite-host.
  6. In the Authority field, specify the site's domain name as my-site.com.
  7. Click Add route.
  8. Specify a Name for the route: mysite-route.
  9. In the Backend group field, select my-site-bg as the group.
  10. Click Create.

Create an L7 load balancer

Management console
  1. In the management console, open Application Load Balancer.

  2. Click Create L7 load balancer.

  3. Specify a Name for the load balancer: mysite-alb.

  4. Under Network settings, select the mysite-sg-balancer security group that you created previously.

  5. Create a listener to redirect HTTP requests to HTTPS:

    1. Click Add listener under Listeners.
    2. Enter a Name for the listener: listener-http.
    3. Under Public IP address settings, select the List type and the IP address reserved previously.
    4. In the Protocol field, select Redirect to HTTPS.
  6. Create an HTTPS request listener:

    1. Click Add listener again.

    2. Enter a Name for the listener: listener-https.

    3. Under Public IP address settings, select the List type and the IP address reserved previously.

    4. In the Protocol field, select HTTPS.

    5. Under Main listener, select the mysite-cert certificate and the mysite-router HTTP router.

    6. Add an SNI match for my-site.com:

      1. Click Add SNI match.
      2. Specify a Name for the SNI match: mysite-sni.
      3. In the Server names field, enter my-site.com.
      4. Select the mysite-cert certificate and the mysite-router HTTP router.
  7. Click Create.

After setting up DNS for the domain, wait 15 to 20 minutes before checking that the site is up.

Check that the hosting is running properly

To check that your hosting is functional, open http://my-site.com in your browser. You should be redirected to https://my-site.com, and the connection should use the TLS certificate you imported into Certificate Manager.
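The same check done from a script, as an added example that is not part of the Yandex Cloud docs: it confirms that plain HTTP on the host redirects to HTTPS and that the certificate presented by the HTTPS listener (selected via SNI, as configured in the SNI match above) covers the host name. The helper functions are pure so they can be exercised offline; probe() does the live network calls and assumes the host resolves to the load balancer's address.

```python
# Added example: end-to-end check of the HTTP->HTTPS redirect and the served certificate.
import http.client
import ssl
import socket

def check_redirect(status, headers, host):
    """True if an HTTP response is a redirect to the HTTPS version of host."""
    location = next((v for k, v in headers if k.lower() == "location"), "")
    return status in (301, 302, 307, 308) and location.lower().startswith(f"https://{host.lower()}")

def name_matches(pattern, host):
    """DNS-name matching: exact match, or a wildcard in the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def cert_covers(cert, host):
    """cert is the dict returned by SSLSocket.getpeercert(); checks its DNS SANs."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(s, host) for s in sans)

def probe(host, timeout=10):
    """Live check: HTTP redirect, then a TLS handshake with SNI and SAN inspection."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    redirect_ok = check_redirect(resp.status, resp.getheaders(), host)
    conn.close()
    # The default context verifies the chain against the system trust store and
    # rejects a host-name mismatch, so a failed handshake means the listener served
    # an untrusted certificate or one for the wrong name.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # SNI = host
            cert = tls.getpeercert()
    return {"redirect_ok": redirect_ok,
            "san_ok": cert_covers(cert, host),
            "not_after": cert.get("notAfter")}

if __name__ == "__main__":
    print(probe("my-site.com"))   # the tutorial's example domain; substitute your own
```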

Delete the resources you created

To shut down the hosting and stop paying for the created resources:

  1. Delete the non-billable resources that block the deletion of billable resources:

    1. Delete the mysite-alb L7 load balancer.
    2. Delete the mysite-router HTTP router.
    3. Delete the my-site-bg backend group.
  2. Delete the mysite-ig instance group.

  3. Delete the static public IP address that you reserved.
