[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Tutorials](index.md) > Creating a distributed infrastructure with secure access

# Creating a distributed infrastructure with secure access

# Creating a distributed infrastructure with secure access

In this tutorial, you will create an infrastructure for secure access to web apps hosted in different Yandex Cloud folders. For traffic control purposes, all requests to your web applications will be forwarded to a single IP address and then checked by the [Yandex Smart Web Security](https://yandex.cloud/en/services/smartwebsecurity) profile rules.

This approach allows you to isolate resources used by different teams while also enforcing a common security policy for incoming traffic.

This tutorial explores a specific use case under [Centralized online publication and protection against DDoS attacks of applications hosted in different Yandex Cloud folders](different-folders-services.md), giving you an example of how to create the entire infrastructure from scratch.

The minimum [roles](../../iam/roles-reference.md) required for this tutorial are as follows:

* For a cloud:
    * `resource-manager.admin`: To create folders and assign roles.

* For folders:
    * `vpc.admin`: To create Yandex Virtual Private Cloud resources.
    * `smart-web-security.editor`: To create a security profile.
    * `compute.editor`: To create VM instances.
    * `alb.editor`: To create Yandex Application Load Balancer resources.


## Yandex Cloud resource placement chart {#resource-allocation-scheme}

![image](../../_assets/smartwebsecurity/different-folders-for-security.svg)

The chart displays the following resources:

* **IP address**: Public IP address or domain that receives requests to your web apps.
* **Security folder**, `secured-entry-point`: [Folder](../../resource-manager/concepts/resources-hierarchy.md#folder) accessible only to company resource administrators and information security employees. This folder will house the following resources:

    * **ALB**, `app-load-balancer`: [L7](../../application-load-balancer/concepts/application-load-balancer.md) Yandex Application Load Balancer used to publish web apps online.
    * **SWS** profile, `sws-profile`: Yandex Smart Web Security [profile](../concepts/profiles.md) to implement traffic protection at the application layer (L7).
    * **Management VM**, `work-station`: Yandex Compute Cloud [VM instance](../../compute/concepts/vm.md) to initiate connections to the VMs in your web app folders.

* **VPC**, `alb-network`: Yandex Virtual Private Cloud [cloud network](../../vpc/concepts/network.md) to consolidate [subnets](../../vpc/concepts/network.md#subnet) across different folders:

    * **alb-subnet-a**, **alb-subnet-b**, and **alb-subnet-d**: Subnets with ALB nodes in three availability zones.
    * **subnet-service-1** and **subnet-service-2**: Subnets hosting your web app resources.

* **Web app folders**, `service-1` and `service-2`: Folders housing web app targets, `vm-service-1` and `vm-service-2`. These folders will be accessible to teams developing your web services.

To create the infrastructure and set up secure access to your web applications:

1. [Get your cloud ready](#prepare-cloud).
1. [Create a security folder](#create-alb-folder).
1. [Create a virtual network and subnets](#create-vpc).
1. [Create web app folders](#create-web-folders).
1. [Connect the web app folders to the load balancer's internal subnets](#connect-folders).
1. [Configure security groups](#setup-security-groups).
1. [Configure the security profile](#setup-sws).
1. [Create resources](#create-resources).
1. [Configure the load balancer](#setup-alb).
1. [Test your infrastructure](#check-infrastructure).

If you no longer need the resources you created, [delete them](#clear-out).


## Get your cloud ready {#prepare-cloud}

Sign up for Yandex Cloud and create a [billing account](../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../billing/quickstart/index.md) and [link](../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../resource-manager/concepts/resources-hierarchy.md).


### Required paid resources {#paid-resources}

The infrastructure support cost includes:

* Fee for continuously running VMs (see [Yandex Compute Cloud pricing](../../compute/pricing.md)).
* Fee for using Application Load Balancer (see [Yandex Application Load Balancer pricing](../../application-load-balancer/pricing.md)).
* Fee for using public IP addresses and outgoing traffic (see [Yandex Virtual Private Cloud pricing](../../vpc/pricing.md)).
* Fee for the number of requests to Smart Web Security (see [Yandex Smart Web Security pricing](../pricing.md)).


## Create a security folder {#create-alb-folder}

The security folder will house your load balancer, cloud network, subnets, and security profile.


### Create a folder without a network {#folder-without-net}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a cloud and click ![create](../../_assets/console-icons/plus.svg) **Create folder**.
  1. Name your folder, e.g., `secured-entry-point`.
  1. In the **Advanced** field, disable **Create a default network**. You will create a network and subnets in the next step.
  1. Click **Create**.

{% endlist %}


### Assign roles for the folder {#set-access-binding}

Provide your infrastructure and security administrators with access to the folder to manage your network, load balancer, and security profile.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to `secured-entry-point`.
  1. Navigate to the **Access bindings** tab.
  1. Click **Configure access**.
  1. In the window that opens, select **User accounts**.
  1. Select a user from the list or use the user search option.
  1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select the [role](../../iam/roles-reference.md) from the list or use the search bar. The minimum required roles are as follows:

      * `alb.editor`: To manage [Application Load Balancer](../../application-load-balancer/index.md) resources.
      * `vpc.user`: To connect to and use [Virtual Private Cloud](../../vpc/index.md) network resources.
      * `smart-web-security.editor`: To use and manage [Smart Web Security](../index.md) profiles.
      * `compute.editor`: To be able to create, update, and delete [Compute Cloud](../../compute/index.md) instances.

  1. Click **Save**.

{% endlist %}


## Create a virtual network and subnets {#create-vpc}

In the security folder, create a network with subnets for your L7 load balancer and web app folders. This will ensure network connectivity between the load balancer and web app resources.

{% list tabs group=instructions %}

- Management console {#console}

  1. Go to the new folder, `secured-entry-point`.
  1. Navigate to **Virtual Private Cloud**.
  1. At the top right, click **Create network**.
  1. In the **Name** field, enter `alb-network`.
  1. In the **Advanced** field, disable **Create subnets**.
  1. Click **Create network**.
  1. In the left-hand panel, select ![subnets](../../_assets/vpc/subnets.svg) **Subnets**.
  1. At the top right, click **Create subnet** and specify the settings for the subnet to host the web app folder:

      1. **Name**: `subnet-service-1`.
      1. **Availability zone**: `ru-central1-a`.
      1. **Network**: `alb-network`.
      1. **CIDR**: `10.121.0.0/24`.
      1. Click **Create subnet**.

  1. Repeat the steps to create a subnet named `subnet-service-2` in the `ru-central1-b` availability zone with `10.122.0.0/24` as its IP address range.
  1. Create subnets for your L7 load balancer in different availability zones with the following address ranges:

      * `subnet-alb-a`: `ru-central1-a` and `10.131.0.0/24`
      * `subnet-alb-b`: `ru-central1-b` and `10.132.0.0/24`
      * `subnet-alb-d`: `ru-central1-d` and `10.133.0.0/24`

   {% endlist %}


## Create web app folders {#create-web-folders}

These folders will house resources of your web applications. In this tutorial, such resources include VM instances running your test web services. Create the folders and grant your users access permissions to connect to the network resources and manage the VMs.

{% list tabs group=instructions %}

- Management console {#console}

  1. Select a cloud and click ![create](../../_assets/console-icons/plus.svg) **Create folder**.
  1. Name your folder, e.g., `service-1`.
  1. In the **Advanced** field, disable **Create a default network**.
  1. Click **Create**.
  1. Repeat these steps to create the `service-2` folder.
  1. To restrict access to the folders, [assign user roles](#set-access-binding) based on the resources you will host in each folder. The minimum required roles for `service-1` and `service-2` are as follows:

      * `vpc.user`: To connect to and use [Virtual Private Cloud](../../vpc/index.md) network resources.
      * `compute.editor`: To be able to create, update, and delete VM instances.

{% endlist %}


## Connect the web app folders to the load balancer's internal subnets {#connect-folders}

To consolidate folder resources into a single network, [move](../../vpc/operations/subnet-move.md) the virtual network subnets to the web app folders.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to `secured-entry-point`.
  1. Navigate to **Virtual Private Cloud**.
  1. Select the `alb-network` cloud network.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) in the `subnet-service-1` row and select **Move**.
  1. Select `service-1` from the drop-sown list.
  1. Click **Move**.
  1. Similarly, move `subnet-service-2` to `service-2`.

{% endlist %}


## Configure security groups {#setup-security-groups}

With [security groups](../../vpc/concepts/security-groups.md), you can set up incoming and outgoing traffic rules. In this tutorial, a L7 load balancer receives incoming internet traffic and routes it over the internal network to your web app VMs. Follow [these best practices](../../application-load-balancer/concepts/application-load-balancer.md#security-groups) to configure security groups in each folder.


### Create security groups for your web app VMs {#sg-vm-apps}

The rules should allow outgoing and incoming traffic from the load balancer subnet.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `service-1`.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups**.
  1. At the top right, click **Create security group**.
  1. In the **Name** field, specify `service-1-security-group`.
  1. In the **Network** field, select `alb-network` from the `secured-entry-point` folder.
  1. Under **Rules**, create the following rules using the instructions below the table:

      | Traffic<br/>direction | Description | Port range | Protocol | Source /<br/>destination | CIDR blocks |
      | --- | --- | --- | --- | --- | --- |
      | `Ingress` | `http` | `8000` | `TCP` | `CIDR` | `10.131.0.0/24`<br/>`10.132.0.0/24`<br/>`10.133.0.0/24` |
      | `Ingress` | `ssh` | `22` | `TCP` | `CIDR` | `10.133.0.0/24` |
      | `Egress` | `any` | `0-65535` | `Any` | `CIDR` | `10.131.0.0/24`<br/>`10.132.0.0/24`<br/>`10.133.0.0/24` |

      To create a rule:
      
      1. Navigate to the **Ingress** or **Egress** tab.
      1. Click **Add**.
      1. Add the new rule in accordance with the table.
      1. Click **Save**.

  1. Click **Create**.
  1. Repeat these steps to create `service-2-security-group` in the `service-2` folder.

{% endlist %}


### Create a security group for the L7 load balancer {#sg-balancer}

The rules should allow incoming internet traffic on port `80` as well as traffic for load balancer node health checks on port `30080` with the `Load balancer healthchecks` source.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups**.
  1. At the top right, click **Create security group**.
  1. In the **Name** field, specify `alb-security-group`.
  1. In the **Network** field, select `alb-network`.
  1. Under **Rules**, create the following rules using the instructions below the table:

      | Traffic<br/>direction | Description | Port range | Protocol | Source /<br/>destination | CIDR blocks |
      | --- | --- | --- | --- | --- | --- |
      | `Ingress` | `http` | `80` | `TCP` | `CIDR` | `0.0.0.0/0` |
      | `Inbound` | `healthchecks` | `30080` | `TCP` | `Load balancer healthchecks` | — |
      | `Egress` | `http` | `8000` | `Any` | `CIDR` | `10.121.0.0/24`<br/>`10.122.0.0/24` |

      To create a rule:
      
      1. Navigate to the **Ingress** or **Egress** tab.
      1. Click **Add**.
      1. Add the new rule in accordance with the table.
      1. Click **Save**.

  1. Click **Create**.

{% endlist %}


### Create security groups for the management VM {#sg-vm}

The rules should allow outgoing traffic from the management VM to port `22` on your web app VM.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups**.
  1. At the top right, click **Create security group**.
  1. In the **Name** field, specify `vm-security-group`.
  1. In the **Network** field, select `alb-network`.
  1. Under **Rules**, create the following rules using the instructions below the table:

      | Traffic<br/>direction | Description | Port range | Protocol | Source /<br/>destination | CIDR blocks |
      | --- | --- | --- | --- | --- | --- |
      | `Ingress` | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0` ^*^ |
      | `Egress` | `ssh` | `22` | `TCP` | `CIDR` | `10.121.0.0/24`<br/>`10.122.0.0/24` |

      ^*^ We recommend replacing `0.0.0.0/0` with CIDRs of the public IP addresses from which you want to allow connections to your management VM.

      To create a rule:
      
      1. Navigate to the **Ingress** or **Egress** tab.
      1. Click **Add**.
      1. Add the new rule in accordance with the table.
      1. Click **Save**.

  1. Click **Create**.

{% endlist %}


## Configure the security profile {#setup-sws}

A security profile contains traffic filtering [rules](../concepts/rules.md) for protecion against cybersecurity threats at OSI application layer (L7).

Create a security profile using a preset template:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles** and click **Create profile**.
  1. Select **From a preset template**.
  1. Enter `sws-profile` as the profile name.
  1. In the **Action for the default base rule** field, select `Allow`.
  1. Click **Create profile**.

{% endlist %}


## Create resources {#create-resources}

Here, by resources we mean VM instances, one per folder. The VM residing in the `secured-entry-point` security folder will be used to access your web application VMs over the internal network. In this tutorial, we refer to it as the _management VM_.

To restrict external traffic, web app VMs will not have external IP addresses.


### Create the VM to manage your web applications {#vm-secured-entry-point}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/server.svg) **Virtual machines**.
  1. Click **Create virtual machine**.
  1. Under **Boot disk image**, select [Ubuntu 24.04](https://yandex.cloud/en/marketplace/products/yc/ubuntu-2404-lts-oslogin).
  1. Under **Location**, select the `ru-central1-d` availability zone.
  1. Under **Network settings**:

      * In the **Subnet** field, make sure to select `subnet-alb-d`.
      * In the **Public IP address** field, leave `Auto`.
      * In the **Security groups** field, select `vm-security-group`.

  1. Under **Access**, select **SSH key**.
  1. Enter the VM user name in the **Login** field, Do not use `root`, `admin`, or any other usernames reserved for the OS purposes.
  1. In the **SSH key** field, select the SSH key saved in your [organization user](../../organization/concepts/membership.md) profile.

      To add a new key, do the following:

      1. Click **Add key**.
      1. Enter a name for the SSH key.
      1. Select one of the following:

          * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
          * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
          * `Generate key`: Automatically create an SSH key pair.

      1. Click **Add**.

  1. Under **General information**, specify the VM name: `work-station`.
  1. Click **Create VM**.

{% endlist %}


### Create VMs for your web applications {#vm-web-app}

Repeat the above steps to create VMs in the `service-1` and `service-2` folders, configured as follows:

* Select the `ru-central1-a` and `ru-central1-b` availability zones, respectively.
* Select `subnet-service-1` and `subnet-service-2` as the subnets for your VMs, respectively.
* In the **Public IP address** field, select `No address`.
* In the **Security groups** field, select `service-1-security-group` and `service-2-security-group`.
* Specify the VM names, `vm-service-1` and `vm-service-2`.


## Configure the load balancer {#setup-alb}

To create and configure the load balancer, use the [wizard](../../application-load-balancer/concepts/index.md#alb-wizard).

{% note warning %}

You can only use the wizard to create and add resources from a single folder, i.e., one [target group](../../application-load-balancer/concepts/target-group.md) and one [backend group](../../application-load-balancer/concepts/backend-group.md). You will need to manually add resources from the second folder.

{% endnote %}


### Start the wizard {#start-wizard}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Application Load Balancer**.
  1. Click **Create L7 load balancer** and select **Wizard**. The wizard will take you to the target group creation page.

{% endlist %}


### Configure a target group {#setup-target-group}

Target groups include VMs created in the web app folders. These groups will be connected to your load balancer over the internal subnets.

Create a target group for the `service-1` folder:

{% list tabs group=instructions %}

- Management console {#console}

  1. Specify the target group name: `target-group-1`.
  1. The list of targets will only include the IP address of your management VM. Add a new target to the list of resources:

      1. Below the list of resources, in the section with the **Add target resource** button, specify the `vm-service-1` internal IP address.
      1. Also, select `subnet-service-1` from the drop-down list with the `Not selected` placeholder. To find the subnet, check `All folders`.
      1. Click **Add target resource**.
      1. Activate your new target in the list of resources.
      1. Make sure the management VM resource is deactivated.

  1. Click **Create and continue**. The wizard will take you to the backend group creation page.

{% endlist %}


### Configure backend groups {#settings-backend-group}

Backend groups contain settings for traffic balancing and target [health checks](../../application-load-balancer/concepts/best-practices.md). The wizard will automatically create one backend and one health check group. It will also use the group you created earlier as the target group.

{% list tabs group=instructions %}

- Management console {#console}

  1. Enable **Advanced settings**.
  1. Specify the backend group name: `backend-group-1`.
  1. Leave `HTTP` as the group type.
  1. To ensure the same backend resource handles requests from a single user session, activate **Session affinity**.
  1. Under **Backends**:

      * Specify the backend name: `backend-1`.
      * Leave `Target group` as the backend type.
      * Leave the target group you created earlier, `target-group-1`.
      * Specify your service's TCP port you opened in `service-1-security-group`. In this tutorial, this is port `8000`.

  1. Under **HTTP health check**:

      * Specify the same port as above, i.e., `8000`.
      * Do not change the **Path** value as the test service does not have a dedicated endpoint for health checks.

  1. Click **Create and continue**. The wizard will take you to the HTTP router setup page.

{% endlist %}


### Configure an HTTP router {#settings-http-router}

[HTTP routers](../../application-load-balancer/concepts/http-router.md) implement rules for client-to-backend traffic and allow you to modify requests at the load balancer layer. The wizard will automatically create a virtual host and a routing rule. It will also use the group you created earlier as the backend group.

{% list tabs group=instructions %}

- Management console {#console}

  1. Specify the router name: `alb-http-router`.
  1. Enable **Advanced settings**.
  1. Under **Virtual hosts**:

      * In the **Name** field, enter `alb-virtual-host`.
      * Leave the **Authority** field blank.
      * In the **Security profile** field, select the profile you created previously, `sws-profile`.

  1. Configure the route as follows:

      * Route name: `app-1`.
      * **Path**: **Starts with** followed by `/app1`.
      * **Action**: `Routing`.
      * **Backend group**: Leave the group you created earlier.
      * **Rewrite path or start**: Specify the `/` path.

  1. Click **Create and continue**. The wizard will take you to the load balancer setup page.

{% endlist %}


### Configure an L7 load balancer {#create-load-balancer}

A load balancer distributes incoming requests across target group VMs according to the rules specified in the HTTP router. Load balancers use [listeners](../../application-load-balancer/concepts/application-load-balancer.md#listener) to receive traffic. The wizard will create a listener automatically. It will also use the router you created earlier as the HTTP router in this configuration.

{% list tabs group=instructions %}

- Management console {#console}

  1. Specify the load balancer name: `app-load-balancer`.
  1. Enable **Advanced settings**.
  1. Under **Network settings**, select the network you created earlier, i.e., `alb-network`.
  1. For **Security groups**, select **From list** and then the security group associated with the `alb-security-group` load balancer.
  1. Under **Allocation**, select the subnets you created previously, i.e., `subnet-alb-a`, `subnet-alb-b`, and `subnet-alb-d`, in their respective [availability zones](../../overview/concepts/geo-scope.md) and enable incoming traffic in those subnets.
  1. Configure the listener:

      * Specify the listener name: `alb-listener`.
      * Under **Receiving and processing traffic**, specify:

          * **Listener type**: `HTTP`.
          * **Protocol**: `HTTP`.
          * **HTTP router**: Select the router you created earlier.

  1. Click **Create**.

{% endlist %}


### Add resources from the second folder {#add-second-folder}

When creating a load balancer using the wizard, you can add resources only from one folder. This means you need to manually create and add the target group and backend group from the `service-2` folder.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `secured-entry-point`.
  1. Navigate to **Application Load Balancer**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/target.svg) **Target groups**.
  1. Click **Create target group**.
  1. Repeat the steps you followed to [create a target group for the `service-1` folder](#setup-target-group) and create the `service-2` target group. Configure the target as follows:

      * Name: `target-group-2`.
      * VM internal IP address: `vm-service-2`.
      * Subnet: `subnet-service-2`.

  1. In the left-hand panel, select ![image](../../_assets/console-icons/cubes-3-overlap.svg) **Backend groups**.
  1. Click **Create backend group**.
  1. Create a backend group by repeating the steps you followed to [create a backend group for the `service-1` folder](#settings-backend-group). Configure the backend as follows:

      * Backend group name: `backend-group-2`.
      * Backend name: `backend-2`.
      * Target group: `target-group-2`.
      * Path: Use the same path as for `backend-group-1`.
      * Port: Specify your service's TCP port opened in `service-2-security-group`. In this tutorial, this is port `8000`.

  1. In the left-hand panel, select ![image](../../_assets/console-icons/route.svg) **HTTP routers**.
  1. Select `alb-http-router` as the HTTP router.
  1. Under **Virtual hosts**, to the right of `alb-virtual-host`, click ![image](../../_assets/console-icons/ellipsis.svg) → ![image](../../_assets/console-icons/pencil.svg) **Edit**.
  1. At the bottom of the window that opens, click **Add route**.
  1. Configure the route as follows:

      * Route name: `app-2`.
      * **Path**: **Starts with** followed by `/app2`.
      * **Action**: `Routing`.
      * **Backend group**: `backend-group-2`.
      * **Rewrite path or start**: Specify the `/` path.
      * **Timeout, s**: Clear the value and leave the field empty.

  1. Click **Save**.

{% endlist %}

## Test your infrastructure {#check-infrastructure}

1. [Run test web services on your web app VMs](#run-web-services).
1. [Review the health check details](#check-healthchecking).
1. [Check availability of your web applications](#check-accessibility).
1. [Test the security profile](#check-security-profile).

### Run test web services on your web app VMs {#run-web-services}

1. Connect to the `work-station` management VM in the security folder:

    ```bash
    ssh -l <username> <VM_public_IP_address>
    ```

    If using different keys for different VMs, specify the path to the relevant key in the connection command, as in this example:

    ```bash
    ssh -i ~/.ssh/<key_name> -l <username> <VM_public_IP_address>
    ```

    Where:

    * `<key_name>`: Name of the private SSH key file used to create the VM.
    * `<username>`: Username specified when creating the VM.
    * `<VM_public_IP_address>`: VM IP address.

    {% note tip %}

    You can copy the VM connection command from the VM description page under **Access**.

    {% endnote %}

1. Connect to `vm-service-1` from your management VM:

    1. Place the private SSH key file of `vm-service-1` in the `~/.ssh` folder of your management VM.
    1. Connect to `vm-service-1`:

        ```bash
        ssh -i ~/.ssh/<key_name> -l <username> <VM_internal_IP_address>
        ```

        Where:

        * `<key_name>`: Name of the private SSH key file used to create the VM.
        * `<username>`: Username specified when creating the VM.
        * `<VM_internal_IP_address>`: `vm-service-1` internal IP address.

1. Start the test web service by running this command:

    ```bash
    mkdir test-server; \
    echo 'HELLO!' > test-server/hello_3.txt; \
    echo 'TEST SERVER 1' > test-server/test_3.txt; \
    python3 -m http.server -d test-server 8000
    ```

    Running this command will:

    * Create a `test-server` folder containing two files, `hello_1.txt` and `test_1.txt`.
    * Start the built-in Python web service on port `8000`.

    Result:

    ```text
    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
    10.133.0.10 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:41] "GET / HTTP/1.1" 200 -
    10.133.0.10 - - [30/May/2025 09:55:42] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:42] "GET / HTTP/1.1" 200 -
    10.133.0.10 - - [30/May/2025 09:55:43] "GET / HTTP/1.1" 200 -
    10.133.0.15 - - [30/May/2025 09:55:43] "GET / HTTP/1.1" 200 -
    ...
    ```

1. Open a new terminal window and repeat the above steps to start the test service on `vm-service-2`. Use different file names in the startup command so that your web applications’ responses vary.


### Review the health check details {#check-healthchecking}

1. Go to the `app-load-balancer` page.
1. Select ![healthcheck](../../_assets/application-load-balancer/healthchecks.svg) **Health checks** on the left.
1. Make sure the targets have the `HEALTHY` status in all load balancer subnets.


### Check availability of your web applications {#check-accessibility}

To check the availability of your web applications, go to the following address in your browser:

```text
http://<load_balancer_public_IP_address>/<route_prefix>
```

Where:

* `<load_balancer_public_IP_address>`: `app-load-balancer` IP address.
* `<route_prefix>`: Prefix specified in the **Starts with** field when configuring the HTTP router. In this tutorial, these are `app1` and `app2`.

A page will open, listing root folder files for the specified application, as in this example:

  ```text
  Directory listing for /
    hello_1.txt
    test_1.txt
  ```


### Test the security profile {#check-security-profile}

1. Check that the `Smart Protection` rule allows traffic:

    1. In the browser, go to:

        ```text
        http://<load_balancer_public_IP_address>/<route_prefix>
        ```

    1. In another browser tab, go to the `app-load-balancer` page.
    1. Select ![logs](../../_assets/console-icons/receipt.svg) **Logs** on the left.
    1. In the **Query** field, specify the [filter expression](../../logging/concepts/filter.md):

        ```text
        json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION
        and json_payload.smartwebsecurity.matched_rule.verdict = ALLOW
        ```

    1. Click **Run**.

        The log list will contain entries about successful GET requests.

1. Add a basic deny rule:

    1. Go to the `sws-profile` page.
    1. Under **Security rules**, click ![image](../../_assets/console-icons/plus.svg) **Add rule**.
    1. Enter the rule name, `deny-rule`.
    1. Set **Priority** to `1000`.
    1. Under **Rule type:**, keep the **Base** value.
    1. Leave **Action** set to **Deny**.
    1. Set **Traffic** to `On condition`.
    1. Then select the following values:

        * **Conditions**: `IP`.
        * **Conditions for IP**: `Matches or falls within the range`.
        * **IP matches or falls within the range**: Specify the IP address of the device you are using to test the web service.

    1. Click **Add**.

1. Test the basic rule:

    1. In the browser, go to:

        ```text
        http://<load_balancer_public_IP_address>/<route_prefix>
        ```

    1. In another browser tab, go to the `app-load-balancer` page.
    1. Select ![logs](../../_assets/console-icons/receipt.svg) **Logs** on the left.
    1. In the **Query** field, specify the filter expression:

        ```text
        json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION
        and json_payload.smartwebsecurity.matched_rule.verdict = DENY
        ```

    1. Click **Run**.

        The log list will contain entries about GET requests blocked by the rule.


## How to delete the resources you created {#clear-out}

To stop paying for the resources, [delete](../../resource-manager/operations/folder/delete.md) the folders where your infrastructure was deployed.

If you deployed the infrastructure in the existing folders, do the following:

1. [Delete](../../application-load-balancer/operations/application-load-balancer-delete.md) the `app-load-balancer` L7 load balancer.
1. [Delete](../../application-load-balancer/operations/http-router-delete.md) the HTTP router named `alb-http-router`.
1. [Delete](../../application-load-balancer/operations/backend-group-delete.md) the `backend-group-1` and `backend-group-2` backend groups.
1. [Delete](../../application-load-balancer/operations/target-group-delete.md) the `target-group-1` and `target-group-2` target groups.
1. [Delete](../../compute/operations/vm-control/vm-delete.md) the VMs:

    * `work-station`
    * `vm-service-1`
    * `vm-service-2`

1. [Delete](../operations/profile-delete.md) the `sws-profile` security profile.
1. [Delete](../../vpc/operations/security-group-delete.md) the security groups:

    * `alb-security-group`
    * `vm-security-group`
    * `service-1-security-group`
    * `service-2-security-group`

1. [Delete](../../vpc/operations/subnet-delete.md) the subnets:

    * `subnet-service-1`
    * `subnet-service-2`
    * `subnet-alb-a`
    * `subnet-alb-b`
    * `subnet-alb-d`

1. [Delete](../../vpc/operations/network-delete.md) the `alb-network` cloud network.