Contact usConsole
© 2023 Nebius Israel Ltd
Application Load Balancer

Terminating TLS connections

Application Load Balancer L7 load balancers can terminate TLS connections: send certificates to clients, decrypt incoming traffic to send to the backends, and encrypt backend responses to forward to clients. This scenario describes configuring a load balancer to terminate TLS connections using a certificate from Certificate Manager and to redirect HTTP requests to HTTPS.

This scenario uses my-site.com as an example domain name.

To create a virtual hosting:

  1. Prepare your cloud.
  2. Create a cloud network.
  3. Reserve a static public IP address.
  4. Create security groups.
  5. Import the site's TLS certificate into Certificate Manager.
  6. Create a VM group for the site.
  7. Upload the site files to the VM.
  8. Create a backend group.
  9. Create and configure an HTTP router.
  10. Create an L7 load balancer.
  11. Check that the hosting is running properly.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Nebius Israel and create a billing account:

  1. Go to the management console and log in to Nebius Israel or create an account if you do not have one yet.
  2. On the Billing page in the management console, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder to run your infrastructure.

Learn more about clouds and folders.

The cost of virtual hosting includes:

Create a cloud network

All resources you have created in the tutorial belong to the same cloud network.

To create a network:

  1. In the management console, select Virtual Private Cloud.
  2. Click Create network.
  3. Enter a Name for the network: mysite-network.
  4. In the Advanced field, select Create subnets.
  5. Click Create network.

Reserve a static public IP address

For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.

To reserve an address:

  1. In the management console, select Virtual Private Cloud.
  2. Open the IP addresses tab. Click Reserve address.
  3. In the window that opens, select the il1-a availability zone. Click ** Reserve**.

Create security groups

Security groups include rules that allow the load balancer to receive incoming traffic and redirect it to the VMs so they can receive the traffic. In this use case, we will create two security groups: one for the load balancer and another one for all VMs.

To create security groups:

  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group for the load balancer:

    1. Click Create group.

    2. Enter a Name for the group: mysite-sg-balancer.

    3. Select the Network: mysite-network.

    4. Under Rules, create the following rules using the instructions below the table:

      Traffic
      direction      		 Description Port range Protocol Source /
      destination      		 CIDR blocks
      Outgoing any All Any CIDR 0.0.0.0/0
      Incoming ext-http 80 TCP CIDR 0.0.0.0/0
      Incoming ext-https 443 TCP CIDR 0.0.0.0/0
      Incoming healthchecks 30080 TCP Load balancer healthchecks N/A

      1. Select the Egress or Ingress tab.

      2. Click Add rule.

      3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.

      4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.

      5. In the Destination name or Source field, select the purpose of the rule:

        • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
        • Security group: Rule will apply to the VMs from the current group or the selected security group.
        • Load balancer healthchecks: Rule that allows a load balancer to check the health of VMs.

      6. Click Save. Repeat the steps to create all the rules from the table.

    5. Click Save.

  4. In the same way, create a security group named mysite-sg-vms for the VM and a network named mysite-network with the following rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    destination    		 CIDR blocks
    Incoming balancer 80 TCP Security group mysite-sg-balancer
    Incoming ssh 22 TCP CIDR 0.0.0.0/0

Import the site's TLS certificate into Certificate Manager

For users to access the site using the secure HTTPS protocol (HTTP over TLS), the site must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.

If your site does not have a certificate, you can use to get a Certificate Managercertificate from Let's Encrypt®. This does not require additional steps after creating a certificate. It is imported automatically.

To import an existing certificate for my-site.com:

  1. In the management console, select Certificate Manager.
  2. Click Add certificate and select the User certificate option.
  3. Enter a Name for the certificate: mysite-cert.
  4. In the Certificate field, click Add certificate. Upload the File with your certificate or enter its Content and click Add.
  5. If your certificate is issued by a third-party certificate authority, click Add chain in the Intermediate certificate chain field. Upload the File with the certificate chain or enter its Content and click Add.
  6. In the Private key field, click Add private key. Upload the File with the key or enter its Content and click Add.
  7. Click Create.

Create a VM group for the site

To create a VM group for my-site.com:

  1. In the management console, select Compute Cloud.

  2. Open the Instance groups tab. Click Create group.

  3. Specify a VM group name: mysite-ig.

  4. Under Allocation, select multiple availability zones to ensure fault tolerance of your hosting.

  5. Under Instance template, click Define.

  6. Under Image/boot disk selection, open the Cloud Marketplace tab and click Show more. Select LEMP and click Use.

  7. Under Computing resources:

    • Select the VM's platform.
    • Specify the required number of vCPUs and the amount of RAM.

    The minimum configuration is enough for functional website testing:

    • Platform: Intel Cascade Lake
    • Guaranteed vCPU performance: 5%
    • vCPU: 2
    • RAM: 1 GB

  8. Under Network settings, select the Network named mysite-network that you created earlier and its subnets.

  9. Select the previously created mysite-sg-vms security group.

  10. Specify the data required for accessing the VM:

    • Enter the username in the Login field.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection yourself. See Connecting to a VM via SSH.

    Alert

    The IP address and host name (FQDN) to connect to the VM are assigned at VM creation. If you selected No address in the Public address field, you will not be able to access the VM from the internet.

  11. Click Save.

  12. Under Scaling, enter the Size of the instance group: 2.

  13. Under Integration with Application Load Balancer, select Create target group and specify mysite-tg as the group name. You can read more about target groups here.

  14. Click Create.

It may take a few minutes to create an instance group. When the group status changes to RUNNING and the status of all its VMs to RUNNING_ACTUAL, you can upload the website files to them.

Upload the site files to the VM

To test the web servers, upload the index.html files to the virtual machines.

Example of the index.html file
<!DOCTYPE html>
<html>
  <head>
    <title>My site</title>
  </head>
  <body>
    <h1>This is my site</h1>
  </body>
</html>

To upload a file to a VM:

  1. Under Network on the VM page in the management console, find the VM public IP address.

  2. Connect to the VM via SSH.

  3. Grant your user write access to the /var/www/html directory:

    sudo chown -R "$USER":www-data /var/www/html

    sudo chown -R "$USER":apache /var/www/html

  4. Upload the website files to the VM via SCP.

    Use the scp command-line utility:

    scp -r <path to the file directory> <VM username>@<VM IP address>:/var/www/html

    Use WinSCP to copy the local file directory to /var/www/html on the VM.

Create a backend group

You must link the target group created with the VM group to the backend group that defines traffic allocation settings.

For the backends, groups will implement health checks: the load balancer will periodically send health check requests to the VMs and expect a response after a certain delay.

To create a backend group for my-site.com:

  1. In the management console, select Application Load Balancer.
  2. Open the Backend groups tab. Click Create backend group.
  3. Enter a Name for the backend group: my-site-bg.
  4. Under Backends, click Add.
  5. Enter a Name for the backend: mysite-backend.
  6. In the Target groups field, select the mysite-tg group.
  7. Specify the Port that the backend VMs will use to receive incoming traffic from the load balancer: 80.
  8. Click Add health check.
  9. Specify the Port that the backend VMs will use to accept health check connections: 80.
  10. Enter the Path to be accessed by the load balancer for health checks: /.
  11. Click Create.

Create and configure an HTTP router

The backend group should be linked to an HTTP router that defines routing rules.

To create an HTTP router:

  1. In the management console, select Application Load Balancer.
  2. Open the HTTP routers tab. Click Create HTTP router.
  3. Enter a Name for the HTTP router: mysite-router.
  4. Click Add virtual host.
  5. Enter a Name for the virtual host: mysite-host.
  6. In the Authority field, specify the site domain name: my-site.com.
  7. Click Add route.
  8. Enter a Name for the route: mysite-route.
  9. In the Backend group field, select the my-site-bg group.
  10. Click Create.

Create an L7 load Balancer

  1. In the management console, select Application Load Balancer.

  2. Click Create L7 load balancer.

  3. Enter a Name for the load balancer: mysite-alb.

  4. Under Network settings, select the mysite-sg-balancer security group that you previously created.

  5. Create a listener to redirect HTTP requests to HTTPS:

    1. Under Listeners, click Add listener.
    2. Enter a Name for the listener: listener-http.
    3. Under Public IP address, select the List type and the IP address you reserved earlier.
    4. In the Protocol field, select Redirect to HTTPS.

  6. Create an HTTPS request listener:

    1. Click Add listener again.

    2. Enter a Name for the listener: listener-https.

    3. Under Public IP address, select the List type and the IP address you reserved earlier.

    4. In the Protocol field, select HTTPS.

    5. Under Main listener, select the mysite-cert certificate and the mysite-router HTTP router.

    6. Add an SNI match for my-site.com:

      1. Click Add SNI match.
      2. Specify the Name for the SNI match: mysite-sni.
      3. In the Server names field, enter my-site.com.
      4. Select the mysite-cert certificate and the mysite-router HTTP router.

  7. Click Create.

Check that the hosting is running properly

To check that your hosting is functional, open the website at http://my-site.com in your browser. A redirect to https://my-site.com should occur with the TLS certificate from Certificate Manager already enabled.

Delete the resources you created

To shut down the hosting and stop paying for the created resources:

  1. Delete the non-billable resources that block the deletion of billable resources:

    1. Delete the mysite-alb L7 load balancer.
    2. Delete the mysite-router HTTP router.
    3. Delete the my-site-bg backend group.

  2. Delete the mysite-ig instance group.

  3. Delete the static public IP address that you reserved.

© 2023 Nebius Israel Ltd
In this article: