Skip to content

Installing on Yandex.Cloud

These instructions describe how to configure a virtual machine with Wallarm WAF on Yandex.Cloud.


Yandex.Cloud configuration

  • Access to the Yandex.Cloud management console

  • Payment account in the status of ACTIVE or TRIAL_ACTIVE displayed on the billing page

  • Created folder. By default, the folder default will be created. To create a new folder, please follow these instructions

  • Created 2048‑bit RSA key pair for SSH connection. To create a key pair, please follow these instructions

Wallarm WAF configuration

  • Access to the account with the Administrator role and two‑factor authentication disabled in Wallarm Console in the EU Cloud or US Cloud

  • Access to for working with EU Wallarm Cloud or to for working with US Wallarm Cloud. Please ensure the access is not blocked by a firewall

  • Executing all commands as a superuser (e.g. root)


1. Create a virtual machine with the WAF node

  1. Log in to the management console and select the folder where the virtual machine will be created.

  2. Select Compute Cloud from the list of services.

  3. Click the Create VM button.

  4. Select Wallarm WAF from the list of images in the Image/boot disk selectionCloud Marketplace block.

  5. Configure other virtual machine parameters following these instructions.

Example of VM settings

2. Connect to the virtual machine with the WAF node

  1. Ensure the virtual machine is in the RUNNING status.

  2. Connect to the virtual machine via SSH following these instructions.

3. Connect the WAF node to Wallarm Cloud

Connect the WAF node to Wallarm Cloud using the cloud WAF node token or Wallarm Console account login and password.

Using the cloud WAF node token

  1. Open the Wallarm Console → Nodes section and create a cloud WAF node.

  2. Open the card of the created cloud WAF node and copy the Node token.

  3. On the virtual machine, run the addcloudnode script:

    sudo /usr/share/wallarm-common/addcloudnode
    sudo /usr/share/wallarm-common/addcloudnode -H
  4. Paste the copied token value.

The WAF node will now synchronize with the cloud every 5 seconds according to the default synchronization configuration. You can change synchronization configuration in the file /etc/wallarm/syncnode following these instructions.

Using the administrator login and password

  1. On the virtual machine, run the addnode script:

    sudo /usr/share/wallarm-common/addnode
    sudo /usr/share/wallarm-common/addnode -H
  2. Provide your Wallarm administrator account's login and password.

  3. Enter the name of the new WAF node or press Enter to use the virtual machine name.

4. Update Wallarm WAF configuration

Main configuration files of NGINX and Wallarm WAF node are located in the directories:

  • /etc/nginx/nginx.conf with NGINX settings

  • /etc/nginx/conf.d/wallarm.conf with global WAF node settings

    The file is used for settings applied to all domains. To apply different settings to different domain groups, use the file nginx.conf or create new configuration files for each domain group (for example, and More detailed information about NGINX configuration files is available in the official NGINX documentation.

  • /etc/nginx/conf.d/wallarm‑status.conf with WAF node monitoring settings. A detailed description is available within the link

  • /etc/default/wallarm-tarantool with the Tarantool database settings

Request filtering mode

By default, the WAF node is in the status monitoring and does not block requests. Change the filtering mode within the NGINX settings to block requests by:

  1. Open the file /etc/nginx/conf.d/wallarm.conf:

    sudo vim /etc/nginx/conf.d/wallarm.conf
  2. Comment out the line wallarm_mode monitoring;.

  3. Open the file /etc/nginx/nginx.conf:

    sudo vim /etc/nginx/nginx.conf
  4. Add the line wallarm_mode block; to the http block:

Example of the file /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;

http {
    wallarm_mode block;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # SSL Settings

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    # Logging Settings

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip Settings

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Virtual Host Configs

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;


The WAF node uses the in-memory storage Tarantool. The recommended memory size for Tarantool is 75% of the total server memory. To allocate memory for Tarantool:

  1. Open the Tarantool configuration file in the editing mode:

    sudo vim /etc/default/wallarm-tarantool
  2. Specify memory size in GB in the SLAB_ALLOC_ARENA directive. For example, 24 GB:

  3. To apply changes, restart Tarantool:

    sudo systemctl restart wallarm-tarantool

Other configurations

To update other NGINX and Wallarm WAF configurations, use the NGINX documentation and the list of available Wallarm WAF directives.

5. Restart NGINX

To apply changes, restart NGINX:

sudo systemctl restart nginx

6. Test Wallarm WAF operation

  1. Get the WAF node statistics:


    The request will return statistics about analyzed requests. The response format is provided below, a more detailed description of parameters is available by the link.

    { "requests":0,"attacks":0,"blocked":0,"abnormal":0,"tnt_errors":0,"api_errors":0,
    "lom_id":16767,"proton_instances": { "total":1,"success":1,"fallback":0,"failed":0 },
    "stalled_workers_count":0,"stalled_workers":[] }

  2. Send the request with test SQLI and XSS attacks to the external IP address:


    If the WAF node mode is block, the request will be blocked with the response 403 Forbidden returned.

  3. Send the request to wallarm-status and ensure the values of parameters requests and attacks increased:

  4. Open Wallarm Console → Events section in the EU Cloud or US Cloud and ensure attacks are displayed in the list.

    Attacks in the interface

Settings customization

The WAF node with default settings is deployed in Yandex.Cloud. To customize Wallarm WAF settings, use the available directives.

Common customization options: