# Fault-tolerant website with load balancing via Yandex Application Load Balancer using the management console


To create an infrastructure for your [website with load balancing](index.md) in three [availability zones](../../../overview/concepts/geo-scope.md) with an ALB using the Yandex Cloud management console:

1. [Get your cloud ready](#before-you-begin).
1. [Create a cloud network](#create-network).
1. [Create security groups](#create-security-groups).
1. [Create an instance group](#create-vms).
1. [Upload the website files](#upload-files).
1. [Create a backend group](#create-backend-group).
1. [Create an HTTP router](#create-http-routers-sites).
1. [Create an L7 load balancer](#create-alb).
1. [Configure DNS](#configure-dns).
1. [Test the fault tolerance](#test-ha).

If you no longer need the resources you created, [delete them](#clear-out).

## Get your cloud ready {#before-you-begin}

Sign up for Yandex Cloud and create a [billing account](../../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../../billing/quickstart/index.md) and [link](../../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../../resource-manager/concepts/resources-hierarchy.md).

### Required paid resources {#paid-resources}

The infrastructure support cost includes:
* Fee for continuously running [VMs](../../../compute/concepts/vm.md) (see [Yandex Compute Cloud pricing](../../../compute/pricing.md)).
* Fee for a dynamic [public IP address](../../../vpc/concepts/address.md#public-addresses) (see [Yandex Virtual Private Cloud pricing](../../../vpc/pricing.md)).
* Fee for load balancing (see [Application Load Balancer pricing](../../pricing.md)).
* Fee for public DNS queries and [DNS zones](../../../dns/concepts/dns-zone.md) if using [Yandex Cloud DNS](../../../dns/index.md) (see [Cloud DNS pricing](../../../dns/pricing.md)).

## Create a cloud network {#create-network}

All resources created in this tutorial will belong to the same [cloud network](../../../vpc/concepts/network.md).

To create a network:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Virtual Private Cloud**.
  1. Click **Create network**.
  1. Specify the network **Name**: `mysite-network`.
  1. In the **Advanced** field, select **Create subnets**.
  1. Click **Create network**.

{% endlist %}

## Create security groups {#create-security-groups}

[Security groups](../../concepts/application-load-balancer.md#security-groups) contain rules that allow the [load balancer](../../concepts/application-load-balancer.md) to receive incoming traffic and forward it to the VMs, and that allow the VMs to accept it.

To create security groups for the load balancer and an [instance group](../../../compute/concepts/instance-groups/index.md):

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/shield.svg) **Security groups**. 
  1. Create a security group for the load balancer:
     1. Click **Create security group**.
     1. Name the group, e.g., `alb-sg`.
     1. Select the network to assign the security group to.
     1. Under **Rules**, create the following rules using the instructions below the table:

        Traffic<br>direction | Description | Port<br>range | Protocol | Source type /<br>destination type | Source /<br>destination
        --- | --- | --- | --- | --- | ---
        `Outbound` | `any` | `All` | `Any` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `ext-http` | `80` | `TCP` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `ext-https` | `443` | `TCP` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `healthchecks` | `30080` | `TCP` | `Load balancer healthchecks` | —

        1. Select the **Egress** or **Ingress** tab.
        1. Click **Add**.
        1. In the **Port range** field of the window that opens, specify a single port or a port range for traffic to come to or from.
        1. In the **Protocol** field, specify the required protocol or leave **Any** to allow traffic over any protocol.
        1. In the **Destination name** or **Source** field, select the rule purpose:
           * `CIDR`: Rule will apply to the range of IP addresses. In the **CIDR blocks** field, specify the CIDRs and masks of subnets traffic will move to/from. To add multiple CIDRs, click **Add**.
           * `Security group`: Rule will apply to the current or selected security group VMs.
           * `Load balancer healthchecks`: Rule allowing a load balancer to health-check VMs.
        1. Click **Save**. Repeat these steps to create all rules from the table.
     1. Click **Save**.
  1. Similarly, create a security group named `alb-vm-sg` for an instance group, with the same network and the following rules:

     Traffic<br>direction | Description | Port<br>range | Protocol | Source type | Source
     --- | --- | --- | --- | --- | ---
     `Inbound` | `balancer` | `80` | `TCP` | `Security group` | `alb-sg`
     `Inbound` | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0`

{% endlist %}
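A check over the inbound rules from the two tables above, as an added example that is not part of the original tutorial: it lists the rules that admit traffic from any address on ports other than the load balancer's listener ports. The rule rows are copied from the tables; the `PUBLIC_BY_DESIGN` allow-list and the function names are assumptions of this example.

```python
import ipaddress

# Inbound rows copied from the two tables above, as
# (description, port range, protocol, source type, source).
GROUPS = {
    "alb-sg": [
        ("ext-http", "80", "TCP", "CIDR", "0.0.0.0/0"),
        ("ext-https", "443", "TCP", "CIDR", "0.0.0.0/0"),
        ("healthchecks", "30080", "TCP", "Load balancer healthchecks", None),
    ],
    "alb-vm-sg": [
        ("balancer", "80", "TCP", "Security group", "alb-sg"),
        ("ssh", "22", "TCP", "CIDR", "0.0.0.0/0"),
    ],
}
# Assumption of this example: only the listener ports of the load balancer
# are meant to be reachable from any address.
PUBLIC_BY_DESIGN = {"alb-sg": {80, 443}}


def port_range(spec):
    """'80' -> (80, 80); '8000-8100' -> (8000, 8100); 'All' -> (0, 65535)."""
    if spec.strip().lower() in ("all", "any"):
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def is_any_address(cidr):
    """True for 0.0.0.0/0 and ::/0, the prefixes that match every source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_exposed(groups, public_by_design):
    """List (group, description, ports) rules open to any source off the allow-list."""
    findings = []
    for name, rules in groups.items():
        allowed = public_by_design.get(name, set())
        for description, ports, _proto, source_type, source in rules:
            if source_type != "CIDR" or not is_any_address(source):
                continue
            low, high = port_range(ports)
            if any(p not in allowed for p in range(low, high + 1)):
                findings.append((name, description, ports))
    return findings


if __name__ == "__main__":
    print(world_exposed(GROUPS, PUBLIC_BY_DESIGN))
```

With the rules as given in the tables, the only finding is the `ssh` rule in `alb-vm-sg`; a source CIDR narrower than `0.0.0.0/0` in that row clears it.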

## Create an instance group {#create-vms}

Your application [backends](../../concepts/backend-group.md) will be deployed on the VM instances of the [target group](../../concepts/target-group.md). The target group will be associated with the load balancer so that requests can reach the application backend endpoints.

To create an instance group with the minimum configuration:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Compute Cloud**.
  1. Open the **Instance groups** tab and click **Create group of virtual machines**.
  1. Under **Basic parameters**:
     * Name the instance group, e.g., `website-vm-group`.
     * Select the [service account](../../../iam/concepts/users/service-accounts.md) from the list or create a new one. To be able to create, update, and delete VMs in the group, assign the `editor` [role](../../../iam/concepts/access-control/roles.md) to the service account. By default, all operations with security groups are performed on behalf of the service account.
  1. Under **Allocation**, select three availability zones (`ru-central1-a`, `ru-central1-b`, and `ru-central1-d`) to ensure fault tolerance of your hosting.
  1. Under **Instance template**, click **Define** and specify your VM [template](../../../compute/concepts/instance-groups/instance-template.md):
     * Under **Boot disk image**, navigate to the **Marketplace** tab, select [LEMP](https://yandex.cloud/en/marketplace/products/yc/lemp) and click **Use**.
     * Under **Disks and file storages**, specify:
       * [Disk](../../../compute/concepts/disk.md) **Type**: `HDD`
       * **Size**: `3 GB`
     * Under **Computing resources**, specify:
       * **Platform**: `Intel Cascade Lake`
       * **Guaranteed vCPU performance**: `5%`
       * **vCPU**: `2`
       * **RAM**: `1 GB`
     * Under **Network settings**:
       * Select a cloud network and its subnets.
       * In the **Public IP address** field, select **Auto**.
       * Select the `alb-vm-sg` security group.
     * Under **Access**, specify the VM access credentials:
       * In the **Service account** field, select the service account to attach to the VM.
       * In the **Login** field, enter the username.
       * In the **SSH key** field, paste the contents of the public key file.

       To establish an SSH connection, you need to create a key pair. For more information, see [Connecting to a Linux VM via SSH](../../../compute/operations/vm-connect/ssh.md#creating-ssh-keys).
     * Click **Save**.
  1. Under **Scaling**, specify the instance group **Size**: `3`.
  1. Under **Integration with Application Load Balancer**, select **Create target group** and enter `alb-tg` as the group name.
  1. Click **Create**.

{% endlist %}

It may take a few minutes to create an instance group. As soon as all VMs change their [status](../../../compute/concepts/vm-statuses.md) to `RUNNING`, you can [upload the website files to them](#upload-files).

## Upload the website files {#upload-files}

To test the web server, upload the website files to each VM. You can use the `index.html` file from [this archive](https://storage.yandexcloud.net/doc-files/index.html.zip) as an example.

For each VM in the [created group](#create-vms), do the following:
1. On the **Virtual machines** tab, click the VM name in the list.
1. Copy **Public IPv4 address** from the **Network** section.
1. [Connect](../../../compute/operations/vm-connect/ssh.md#vm-connect) to the VM over SSH.
1. Grant your user write permissions for the `/var/www/html` directory:

   ```bash
   sudo chown -R "$USER":www-data /var/www/html
   ```

1. Upload the website files to the VM via [SCP](https://en.wikipedia.org/wiki/Secure_copy_protocol).

   {% list tabs group=operating_system %}

   - Linux/macOS {#linux-macos}

     Use the `scp` command line utility:

     ```bash
     scp -r <path_to_directory_with_files> <VM_user_name>@<VM_IP_address>:/var/www/html
     ```

   - Windows {#windows}

     Use [WinSCP](https://winscp.net/eng/download.php) to copy the local file directory to `/var/www/html` on the VM.

   {% endlist %}

## Create a backend group {#create-backend-group}

You must link the target group created with the VM group to the [backend group](../../concepts/backend-group.md) that defines traffic allocation settings.

The backend group will run [health checks](../../concepts/backend-group.md#health-checks) on its backends: the load balancer will periodically send health check requests to the VMs and expect a response within a certain period.

To create a backend group:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you created the instance group.
  1. Navigate to **Application Load Balancer**.
  1. Open the **Backend groups** tab.
  1. Click **Create backend group**.
  1. Name the backend group, e.g., `website-bg`.
  1. Under **Backends**, click **Add**.
  1. Name the backend, e.g., `backend-1`.
  1. In the **Target groups** field, select the `alb-tg` target group you created earlier.
  1. Specify the **Port** the backend VMs will use to receive inbound traffic from the load balancer: `80`.
  1. Click **Add health check**.
  1. Specify the **Port** the backend VMs will use to accept health check connections: `80`.
  1. Specify the **Path** the load balancer will use for health checks: `/`.
  1. Click **Create**.

{% endlist %}

## Create an HTTP router {#create-http-routers-sites}

The backend group should be associated with the [HTTP router](../../concepts/http-router.md) that defines HTTP routing rules.

To create an HTTP router and add a route to it:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the **HTTP routers** tab.
  1. Click **Create HTTP router**.
  1. Name the router, e.g., `website-router`.
  1. Click **Add virtual host**.
  1. Name the virtual host, e.g., `alb-host`.
  1. In the **Authority** field, enter the website's domain name: `alb-example.com`.
  1. Click **Add route**.
  1. Enter a name, e.g., `route-1`.
  1. In the **Backend group** field, select `website-bg`, which you created earlier.
  1. Do not change other settings. Click **Create**.

{% endlist %}

## Create an L7 load balancer {#create-alb}

To create a load balancer:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the **Load balancers** tab.
  1. Click **Create L7 load balancer**.
  1. Name the load balancer, e.g., `website-alb`.
  1. Under **Network settings**, select the network your VM group is connected to and the [previously created](#create-security-groups) security group, `alb-sg`.
  1. Under **Allocation**, select the subnets for the load balancer's nodes in each availability zone and enable inbound traffic.
  1. Under **Listeners**, click **Add listener**.
  1. Name the listener, e.g., `alb-listener`.
  1. Under **Public IP address**, enable outbound traffic.
  1. Set the port to `80`.
  1. In the **HTTP router** field, select the previously created `website-router`.
  1. Click **Create**.

{% endlist %}

## Configure DNS {#configure-dns}

You need to link the `alb-example.com` domain name you want to use for your website to the load balancer's IP address using [DNS records](../../../dns/concepts/resource-record.md).

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Application Load Balancer**.
  1. Copy the IP address of the load balancer that you created.
  1. On the website of your DNS hosting provider, navigate to the DNS settings.
  1. Create or edit the [A record](../../../dns/concepts/resource-record.md#a) and [CNAME record](../../../dns/concepts/resource-record.md#cname) for `alb-example.com`:

      ```text
      alb-example.com. A <L7_load_balancer_IP_address>
      www.alb-example.com. CNAME alb-example.com.
      ```

      If you use [Yandex Cloud DNS](../../../dns/index.md), follow this guide to configure the records:

      {% cut "Configuring DNS records for Cloud DNS" %}

      To get access to public zone domain names, you need to delegate the domain. Specify the addresses of the `ns1.yandexcloud.net` and `ns2.yandexcloud.net` servers in your account on your registrar's website.

      1. In the [management console](https://console.yandex.cloud), select **Cloud DNS**.
      1. If you do not have a public [DNS zone](../../../dns/concepts/dns-zone.md), create one:
          1. Click **Create zone**.
          1. Specify the zone **Name**: `alb-zone`.
          1. In the **Zone** field, enter the website domain name with a trailing dot: `alb-example.com.`.
          1. Select a **Type** of the zone: `Public`.
          1. Click **Create**.
      1. Create an A record in the zone:
          1. Click **Create record**.
          1. **Name**: Leave empty.
          1. **Type**: Leave set to `A`.
          1. **TTL** (record time to live): Keep the default value.
          1. **Data**: Enter the public IP address of the `website-alb` load balancer.
          1. Click **Create**.
      1. Create a CNAME record:
          1. Click **Create record**.
          1. **Name**: `www`.
          1. **Type**: Select `CNAME`.
          1. **TTL** (record time to live): Keep the default value.
          1. **Data**: Enter `alb-example.com`.
          1. Click **Create**.

      {% endcut %}

{% endlist %}

## Test the fault tolerance {#test-ha}

1. Open the [management console](https://console.yandex.cloud).
1. Navigate to **Compute Cloud**.
1. Navigate to the page of the VM from the previously created group.
1. Copy **Public IPv4 address** from the **Network** section.
1. [Connect](../../../compute/operations/vm-connect/ssh.md#vm-connect) to the VM over SSH.
1. Stop the web service to simulate a failure on the web server:

   ```bash
   sudo service nginx stop
   ```

1. Open your website in a browser. The website should open, even though one of the web servers has failed.
1. After the check is complete, restart the web service:

   ```bash
   sudo service nginx start
   ```

## How to delete the resources you created {#clear-out}

To stop paying for the resources you created:

1. Delete the non-billable resources that block the deletion of billable resources:
   1. [Delete](../../operations/application-load-balancer-delete.md) the `website-alb` L7 load balancer.
   1. [Delete](../../operations/http-router-delete.md) the `website-router` HTTP router.
   1. [Delete](../../operations/backend-group-delete.md) the `website-bg` backend group.
1. [Delete](../../../compute/operations/instance-groups/delete.md) the `website-vm-group` instance group.
1. If you used Yandex Cloud DNS, [delete](../../../dns/operations/resource-record-delete.md) the DNS records and [delete](../../../dns/operations/zone-delete.md) the DNS zone.

#### See also {#see-also}

* [Fault-tolerant website with load balancing via Yandex Application Load Balancer using Terraform](terraform.md)