# Terminating TLS connections using the management console

To create an infrastructure for [terminating TLS connections](index.md) using the management console:

1. [Get your cloud ready](#before-begin).
1. [Create a cloud network](#create-network).
1. [Reserve a static public IP address](#reserve-ip).
1. [Create security groups](#create-security-groups).
1. [Import the website's TLS certificate into Certificate Manager](#import-certificate).
1. [Create an instance group for the website](#create-ig).
1. [Create a backend group](#create-backend-group).
1. [Create and configure an HTTP router](#create-http-router).
1. [Create an L7 load balancer](#create-l7-balancer).
1. [Configure the website DNS](#configure-dns).
1. [Test the hosting](#test).

We will use the `my-site.com` domain name as an example.

If you no longer need the resources you created, [delete them](#clear-out).

## Get your cloud ready {#before-begin}

Sign up for Yandex Cloud and create a [billing account](../../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../../billing/quickstart/index.md) and [link](../../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../../resource-manager/concepts/resources-hierarchy.md).

### Required paid resources {#paid-resources}

The cost of supporting the infrastructure for terminating TLS connections includes:
* Fee for continuously running [VMs](../../../compute/concepts/vm.md) (see [Yandex Compute Cloud pricing](../../../compute/pricing.md)).
* Fee for using a [public static IP address](../../../vpc/concepts/address.md#public-addresses) (see [Yandex Virtual Private Cloud pricing](../../../vpc/pricing.md)).
* Fee for using computing resources of the [L7 load balancer](../../../application-load-balancer/concepts/index.md) (see [Application Load Balancer pricing](../../../application-load-balancer/pricing.md)).
* Fee for public DNS queries and [DNS zones](../../concepts/dns-zone.md) if using [Yandex Cloud DNS](../../index.md) (see [Cloud DNS pricing](../../pricing.md)).

### Create a cloud network {#create-network}

All resources created in this tutorial will belong to the same [cloud network](../../../vpc/concepts/network.md).

To create a network:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Virtual Private Cloud**.
  1. Click **Create network**.
  1. Specify the network **Name**: `mysite-network`.
  1. Select **Create subnets**.
  1. Click **Create network**.

{% endlist %}

### Reserve a static public IP address {#reserve-ip}

For your virtual hosting to run, you need to assign a static public IP address to the L7 load balancer.

To reserve an IP address:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Virtual Private Cloud**.
  1. Open the ![map-pin](../../../_assets/console-icons/map-pin.svg) **Public IP addresses** tab. Click **Reserve public IP address**.
  1. In the window that opens, select the `ru-central1-a` [availability zone](../../../overview/concepts/geo-scope.md). Click **Reserve**.

{% endlist %}

### Create security groups {#create-security-groups}

[Security groups](../../../application-load-balancer/concepts/application-load-balancer.md#security-groups) contain rules that allow the load balancer to accept inbound traffic and forward it to the VMs, and that allow the VMs to accept that traffic. In this tutorial, we will create two security groups: one for the load balancer and one for all the VMs.

To create security groups:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Virtual Private Cloud**.
  1. Open the ![shield](../../../_assets/console-icons/shield.svg) **Security groups** tab.
  1. Create a security group for the load balancer:
      1. Click **Create security group**.
      1. Specify the security group **Name**: `mysite-sg-balancer`.
      1. Select **Network** `mysite-network`.
      1. Under **Rules**, create the following rules using the instructions below the table:
  
         Traffic<br/>direction | Description | Port range | Protocol | Destination name /<br/>Source | CIDR blocks
         --- | --- | --- | --- | --- | ---
         `Egress` | `any` | `Select entire range` | `Any` | `CIDR` | `0.0.0.0/0`
         `Ingress` | `ext-http` | `80` | `TCP` | `CIDR` | `0.0.0.0/0`
         `Ingress` | `ext-https` | `443` | `TCP` | `CIDR` | `0.0.0.0/0`
         `Ingress` | `healthchecks` | `30080` | `TCP` | `Load balancer healthchecks` | —
  
      1. Select the **Egress** or **Ingress** tab.
      1. Click **Add**.
      1. In the **Port range** field of the window that opens, specify a single port or a range of ports open for inbound or outbound traffic.
      1. In the **Protocol** field, specify the appropriate protocol or leave `Any` to allow traffic transmission over any protocol.
      1. In the **Destination name** or **Source** field, select the rule purpose:
         * `CIDR`: Rule will apply to the range of IP addresses. In the **CIDR blocks** field, specify the CIDRs and masks of [subnets](../../../vpc/concepts/network.md#subnet) traffic will move to/from. To add multiple CIDRs, click **Add**.
         * `Security group`: Rule will apply to the current or selected security group VMs.
         * `Load balancer healthchecks`: Rule allowing a load balancer to health-check VMs.
      1. Click **Save**. Repeat these steps to create all rules from the table.
      1. Click **Create**.
  1. In the same way, create a security group named `mysite-sg-vms` for the VMs. Place it in `mysite-network` and set the following rules:

      Traffic<br/>direction | Description | Port range | Protocol | Destination name /<br/>Source | CIDR blocks
      --- | --- | --- | --- | --- | ---
      `Ingress` | `balancer` | `80` | `TCP` | `Security group` | `mysite-sg-balancer`
      `Ingress` | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0`

{% endlist %}

### Import the website's TLS certificate into Certificate Manager {#import-certificate}

For users to access the website using the secure HTTPS protocol (HTTP over TLS), the website must have a TLS certificate issued. For use in the L7 load balancer, import the certificate into Certificate Manager.

If your website does not have a certificate yet, you can [use Certificate Manager to get one from Let's Encrypt®](../../../certificate-manager/operations/managed/cert-create.md). No import step is needed in that case: once issued, the certificate is added to Certificate Manager automatically.

To import an existing certificate for `my-site.com`:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Certificate Manager**.
  1. Click **Add certificate** and select **User certificate**.
  1. Specify the certificate **Name**: `mysite-cert`.
  1. In the **Certificate** field, click **Add certificate**. Upload the **File** with your certificate or enter its **Content** and click **Add**.
  1. If your certificate is issued by a third-party certificate authority, click **Add chain** in the **Intermediate certificate chain** field. Upload the **File** with the certificate chain or enter its **Content** and click **Add**.
  1. In the **Private key** field, click **Add private key**. Upload the **File** with the key or enter its **Content** and click **Add**.
  1. Click **Create**.

{% endlist %}
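Before uploading the certificate, private key, and intermediate chain in the steps above, it is worth confirming offline that they belong together, that the certificate is still valid, and that its SAN list covers `my-site.com`. The following shell function is an added example using `openssl`, not part of this tutorial or of Yandex Cloud tooling; the file names and the domain name are assumptions.

```bash
#!/usr/bin/env bash
# Pre-import sanity check for a TLS certificate bundle (added example, not from
# the Yandex Cloud docs). Usage:
#   check_cert_bundle <cert.pem> <key.pem> <domain> [chain.pem]
# Returns 0 when every check passes and 1 otherwise, printing each failure.
check_cert_bundle() {
  cert="$1"; key="$2"; domain="$3"; chain="${4:-}"
  rc=0

  # 1. The private key must belong to the certificate: compare the public keys
  #    derived from each file instead of trusting file names.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot read certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the certificate"; rc=1
  fi

  # 2. The certificate must not be expired (checkend 0 = valid right now).
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate is expired"; rc=1
  fi

  # 3. The subjectAltName list must cover the virtual host's domain name:
  #    browsers ignore the CN, and the load balancer's SNI match is by name.
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1)
  dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
  if ! printf '%s\n' "$san" | grep -qE "DNS:${dom_re}(,|$)"; then
    echo "FAIL: subjectAltName does not include $domain (got: ${san:-none})"; rc=1
  fi

  # 4. If a chain file is supplied, the certificate must be signed by one of
  #    its intermediates (-partial_chain stops at the first match, so the
  #    chain does not have to reach a root).
  if [ -n "$chain" ] \
     && ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: the intermediate chain does not validate the certificate"; rc=1
  fi

  return $rc
}
```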

### Create an instance group for the website {#create-ig}

To create an [instance group](../../../compute/concepts/instance-groups/index.md) for `my-site.com`:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/layers-3-diagonal.svg) **Instance groups**. Click **Create group of virtual machines**.
  1. Specify the VM group **Name**: `mysite-ig`.
  1. Under **Allocation**, select multiple availability zones to ensure the fault tolerance of your hosting.
  1. Under **Instance template**, click **Define**.
  1. Under **Boot disk image**, open the **Marketplace** tab and click **Show all Marketplace products**. Select [LEMP](https://yandex.cloud/en/marketplace/products/yc/lemp) and click **Use**.
  1. Under **Computing resources**:
      * Choose a VM [platform](../../../compute/concepts/vm-platforms.md).
      * Specify the required number of vCPUs and the amount of RAM.

      This minimum configuration will do for functional website testing:
      * **Platform**: `Intel Cascade Lake`
      * **Guaranteed vCPU performance**: `5%`
      * **vCPU**: `2`
      * **RAM**: `1 GB`
  1. Under **Network settings**, select the **Network** named `mysite-network` that you [created earlier](#create-network) and its subnets.
  1. Select the `mysite-sg-vms` security group you [created earlier](#create-security-groups).
  1. Specify the VM access credentials:
      * In the **Login** field, enter the username.
      * In the **SSH key** field, paste the contents of the public key file.

        You need to create a key pair for the SSH connection on your own. To learn how, see [Connecting to a VM over SSH](../../../compute/operations/vm-connect/ssh.md).

      {% note alert %}

      Once created, the VM gets an IP address and a [host name (FQDN)](../../../compute/concepts/network.md#hostname) for connections. If you selected `No address` in the **Public address** field, you will not be able to access the VM from the internet.

      {% endnote %}

  1. Click **Save**.
  1. Under **Scaling**, specify the instance group **Size**: `2`.
  1. Under **Integration with Application Load Balancer**, select **Create target group** and specify `mysite-tg` as the target group name. [Read more about target groups](../../../application-load-balancer/concepts/target-group.md).
  1. Click **Create**.

  It may take a few minutes to create an instance group. Wait until the group [status](../../../compute/concepts/instance-groups/statuses.md#group-statuses) switches to `RUNNING` and the [status](../../../compute/concepts/instance-groups/statuses.md#vm-statuses) of all its VMs, to `RUNNING_ACTUAL`.

  Copy the public IP addresses of the VMs you created: they will be listed on the VM page in the **Network** section. You will need the IP addresses later to [test the hosting](#test).

{% endlist %}

### Create a backend group {#create-backend-group}

You must link the target group created along with the instance group to the backend group that defines traffic allocation settings.

The backend group also defines [health checks](../../../application-load-balancer/concepts/backend-group.md#health-checks) for its backends: the load balancer periodically sends health check requests to the VMs and expects each VM to respond within a set timeout.

To create a backend group for `my-site.com`:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Application Load Balancer**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/cubes-3-overlap.svg) **Backend groups**. Click **Create backend group**.
  1. Enter the backend group **Name**: `my-site-bg`.
  1. Under **Backends**, click **Add**.
  1. Enter the backend **Name**: `mysite-backend`.
  1. In the **Target groups** field, select the `mysite-tg` group.
  1. Specify the **Port** the backend VMs will use to receive inbound traffic from the load balancer: `80`.
  1. Click **Add health check**.
  1. Specify the **Port** the backend VMs will use to accept health check connections: `80`.
  1. Specify the **Path** the load balancer will use for health checks: `/`.
  1. Click **Create**.

{% endlist %}

### Create and configure an HTTP router {#create-http-router}

You need to link the backend group to an [HTTP router](../../../application-load-balancer/concepts/http-router.md) that defines routing rules.

To create an HTTP router:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Application Load Balancer**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/route.svg) **HTTP routers**. Click **Create HTTP router**.
  1. Specify the HTTP router **Name**: `mysite-router`.
  1. Click **Add virtual host**.
  1. Specify the virtual host **Name**: `mysite-host`.
  1. In the **Authority** field, specify the website domain name: `my-site.com`.
  1. Click **Add route**.
  1. Specify the route **Name**: `mysite-route`.
  1. In the **Backend group** field, select the `my-site-bg` group.
  1. Click **Create**.

{% endlist %}

### Create an L7 load balancer {#create-l7-balancer}

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Application Load Balancer**.
  1. Click **Create L7 load balancer**.
  1. In the menu that opens, select **Manual**.
  1. Enter the load balancer **Name**: `mysite-alb`.
  1. Under **Network settings**, select the `mysite-sg-balancer` security group you [created earlier](#create-security-groups).
  1. Create a listener to redirect HTTP requests to HTTPS:
      1. Under **Listeners**, click **Add listener**.
      1. Enter the listener **Name**: `listener-http`.
      1. Under **Public IP address**, select **Type** `List` and the IP address you [reserved earlier](#reserve-ip).
      1. In the **Protocol** field, select `Redirect to HTTPS`.
  1. Create an HTTPS request listener:
      1. Click **Add listener** again.
      1. Enter the listener **Name**: `listener-https`.
      1. Under **Public IP address**, select **Type** `List` and the IP address you [reserved earlier](#reserve-ip).
      1. In the **Protocol** field, select `HTTPS`.
      1. Under **Main listener**, select `mysite-cert` as the certificate and `mysite-router` as the HTTP router.
      1. Add an SNI match for `my-site.com`:
          1. Click **Add SNI match**.
          1. Specify the **Name** for the SNI match: `mysite-sni`.
          1. In the **Server names** field, specify `my-site.com`.
          1. Select `mysite-cert` as the certificate and `mysite-router` as the HTTP router.
  1. Click **Create**.

{% endlist %}

### Configure the website DNS {#configure-dns}

The `my-site.com` domain name must be mapped to the L7 load balancer’s IP address using [DNS records](../../concepts/resource-record.md). To do this:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. [Go](../../../console/operations/select-service.md#select-service) to **Application Load Balancer**.
  1. Copy the IP address of the load balancer that you created.
  1. On the website of your DNS hosting provider, navigate to the DNS settings.
  1. Create or edit the [A record](../../concepts/resource-record.md#a) for `my-site.com` so that it points to the IP address you copied:

      ```text
      my-site.com. A <L7_load_balancer_IP_address>
      ```

      If you use [Yandex Cloud DNS](../../index.md), follow this tutorial to configure the record:

      {% cut "Configuring DNS records for Cloud DNS" %}

      To get access to public zone domain names, you need to delegate the domain. Specify `ns1.yandexcloud.net` and `ns2.yandexcloud.net` server addresses in your registrar's account settings.

      1. In the [management console](https://console.yandex.cloud), select a folder.
      1. [Go](../../../console/operations/select-service.md#select-service) to **Cloud DNS**.
      1. If you do not have a public [DNS zone](../../concepts/dns-zone.md), create one:
          1. Click **Create zone**.
          1. Specify the zone **Name**: `tls-termination-dns`.
          1. In the **Zone** field, enter the website domain name with a trailing dot: `my-site.com.`.
          1. Select the zone **Type**: `Public`.
          1. Click **Create**.
      1. Create a record in the zone:
          1. In the list of zones, click `tls-termination-dns`.
          1. Click **Create record**.
          1. Leave the **Name** field empty for the record to match the `my-site.com` domain name (rather than a name with a subdomain, e.g., `www.my-site.com`).
          1. Select the record **Type**: **A**.
          1. In the **Data** field, paste the load balancer's IP address.
          1. Click **Create**.

      {% endcut %}

{% endlist %}

After configuring DNS, [test the hosting](#test).

## Test the hosting {#test}

To test the hosting:

1. Create the website home page, i.e., the `index.html` file.

   {% cut "Example of the index.html file" %}

   ```html
   <!DOCTYPE html>
   <html>
     <head>
       <title>My site</title>
     </head>
     <body>
       <h1>This is my site</h1>
     </body>
   </html>
   ```

   {% endcut %}

1. Upload the `index.html` file to each VM:

   1. On the VM page of the [management console](https://console.yandex.cloud), under **Network**, find the VM's public IP address.
   1. [Connect](../../../compute/operations/vm-connect/ssh.md) to the VM over SSH.
   1. Grant your user write permissions for the `/var/www/html` directory:
   
      {% list tabs group=operating_system %}
   
      - Ubuntu {#ubuntu}
   
        ```bash
        sudo chown -R "$USER":www-data /var/www/html
        ```
   
      - CentOS {#centos}
   
        ```bash
        sudo chown -R "$USER":apache /var/www/html
        ```
   
      {% endlist %}
   1. Upload the website files to the VM via [SCP](https://en.wikipedia.org/wiki/Secure_copy_protocol).
   
      {% list tabs group=operating_system %}
   
      - Linux/macOS {#linux-macos}
   
        Use the `scp` command line utility:
   
        ```bash
        scp -r <path_to_directory_with_files> <VM_user_name>@<VM_IP_address>:/var/www/html
        ```
   
      - Windows {#windows}
   
        Use [WinSCP](https://winscp.net/eng/download.php) to copy the local file directory to `/var/www/html` on the VM.
   
      {% endlist %}

1. Open the website at `http://my-site.com` in your browser. The browser should be redirected to `https://my-site.com`, and the connection should use the TLS certificate you added to Certificate Manager.
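The same check can be run from a terminal. The script below is an added example, not part of this tutorial: `check_redirect_headers` inspects the response headers of a plain-HTTP request and accepts only a redirect to the HTTPS origin, and `check_live` combines it with an `openssl s_client` handshake that sends the `my-site.com` SNI name and validates the returned certificate against that name. The domain name is taken from this tutorial; everything else is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the Yandex Cloud docs): verify that the L7 load
# balancer redirects HTTP to HTTPS and presents a certificate valid for the site.
DOMAIN="${DOMAIN:-my-site.com}"

# Read raw response headers from stdin; succeed only for a 301/302/307/308
# whose Location header points at https://<domain>/ (or a path under it).
check_redirect_headers() {
  domain="$1"
  headers=$(cat | tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n1 | awk '{print $2}')
  case "$status" in
    301|302|307|308) ;;
    *) echo "FAIL: expected a redirect, got status '${status:-none}'"; return 1 ;;
  esac
  case "$location" in
    "https://$domain"|"https://$domain/"*) return 0 ;;
    *) echo "FAIL: redirect target is '${location:-none}', expected https://$domain/"; return 1 ;;
  esac
}

# Live checks against the deployed site (need network access); run with --live.
check_live() {
  curl -sSI --max-time 10 "http://$DOMAIN/" | check_redirect_headers "$DOMAIN" || return 1
  # -servername sends the SNI name the listener matches on; -verify_hostname
  # fails unless the certificate's SAN covers it; -verify_return_error turns
  # any chain validation error into a non-zero exit code.
  printf '' | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" \
      -verify_hostname "$DOMAIN" -verify_return_error >/dev/null 2>&1 \
    || { echo "FAIL: TLS handshake or certificate validation failed for $DOMAIN"; return 1; }
  echo "OK: HTTP redirects to HTTPS and the certificate is valid for $DOMAIN"
}

if [ "${1:-}" = "--live" ]; then
  check_live
fi
```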

## How to delete the resources you created {#clear-out}

To stop paying for the resources you created:

1. [Delete](../../../application-load-balancer/operations/application-load-balancer-delete.md) the `mysite-alb` L7 load balancer.
1. [Delete](../../../application-load-balancer/operations/http-router-delete.md) the `mysite-router` HTTP router.
1. [Delete](../../../application-load-balancer/operations/backend-group-delete.md) the `my-site-bg` backend group.
1. [Delete](../../../compute/operations/instance-groups/delete.md) the `mysite-ig` instance group.
1. [Delete](../../../vpc/operations/address-delete.md) the static public IP address you reserved.
1. If you used Cloud DNS, [delete](../../operations/resource-record-delete.md) the DNS records and [delete](../../operations/zone-delete.md) the DNS zone.

## See also {#see-also}

* [Terminating TLS connections using Terraform](terraform.md)