slb-delete-protection-enabled

Checks whether release protection is enabled for your SLB instance. An instance with release protection enabled is considered compliant.

Trigger type: configuration change

Resource: ACS::SLB::LoadBalancer

Request parameters: none

Troubleshooting: if release protection is disabled for an SLB instance, the instance is non-compliant with this rule.

Turn on the Delete protection switch. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: In the Server Load Balancer console, go to Instance Management > Instance Details > Basic Information and turn on the Delete protection switch.

API operation: Call the SetLoadBalancerDeleteProtection API to set the deletion protection status of the instance, with the DeletionProtection value set to on.

slb-listener-https-enabled

Checks whether HTTPS is enabled for the SLB instance.

Trigger type: configuration change

Resource: ACS::SLB::LoadBalancer

Request parameters: none

Troubleshooting Guide:

If HTTPS listening is not enabled for an SLB instance, the instance is non-compliant with this rule.

Configure an HTTPS listener for the server load balancer instance. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation: In the Server Load Balancer console, configure an HTTPS listener through Instance Management > Port/Health Check/Backend Server Configuration, or through Operation > Listener Configuration Wizard. Set the SLB protocol to HTTPS.

API operation: Call CreateLoadBalancerHTTPSListener to create an HTTPS listener.

slb-loadbalancer-in-vpc

Checks whether the SLB instance is associated with a VPC. If you set the threshold, the associated VpcId must be one of the VPC IDs you listed in it. If no threshold value is set, all VPC-connected instances are compliant.

Trigger type: configuration change

Resource: ACS::SLB::LoadBalancer

Request parameters:

vpcIds

The ID of the VPC that contains these instances. Separate multiple VPC IDs with commas (,), for example, vpc-25vk5xwn8, vpc-6wesmaymqkgiuru5xmkvx, vpc-8vbc16loavvujlzli1yc8.

Troubleshooting: if the VpcId bound to an SLB instance under your account is not listed in the rule parameter threshold, the instance is non-compliant with this rule.

Method 1: Create a new SLB instance and bind it to one of the VpcIds listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

For non-compliant old SLB instances, release the instance (only pay-as-you-go SLB instances are supported). You cannot manually release a subscription SLB instance. If you need to release one, submit a ticket to apply for a refund. The SLB instance can be refunded without reason within five days.

For more information about instance release risks and procedures, see Release an SLB instance.

When you purchase the new SLB instance, select a VPC listed in the rule parameter threshold under network type.

Method 2: Edit the rule parameter threshold and add the VpcId bound to the SLB instance to it. After editing, click re-audit, then refresh the page to verify the result.

slb-no-public-ip

If the SLB instance is not directly bound to a public IP address, it is considered compliant. This rule applies only to IPv4.

Trigger type: configuration change

Resource: ACS::SLB::LoadBalancer

Request parameters: none

Troubleshooting: if you bind a public IP address to an SLB instance under your account, this rule may report the instance as non-compliant.

The network type of an existing SLB instance cannot be changed. Instead, purchase a new SLB instance and select intranet as the instance type. Config detects your changes within 10 minutes and automatically starts the audit.

For non-compliant old SLB instances, release the instance (for pay-as-you-go instances). You cannot manually release a subscription SLB instance. If you need to release one, submit a ticket to apply for a refund. The SLB instance can be refunded without reason within five days.

Risk: Your data will be cleared after the SLB instance is released.

For more information about instance release risks and procedures, see Release an SLB instance.

Console operation: Select intranet as the instance type on the purchase page.

API operation: Call CreateLoadBalancer to create an SLB instance. Set AddressType to intranet.
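
The following added example (not Alibaba Cloud's own code) re-implements the four rule checks above offline, so an exported instance inventory can be pre-screened before Config audits it. The record layout (LoadBalancerId, ListenerProtocols, and the use of DeletionProtection as a field name) and the helper names are assumptions for illustration; the HTTPS rule is treated as compliant when at least one listener uses HTTPS, and the public IP rule as compliant when AddressType is intranet, following each rule's remediation text.

```python
# Added example: offline re-implementation of the four SLB rule checks.
# The record layout is an assumption for illustration, not Config's schema.

def parse_vpc_ids(raw):
    """Split the comma-separated vpcIds rule parameter; empty means no threshold."""
    return {v.strip() for v in (raw or "").split(",") if v.strip()}

def evaluate(instance, vpc_ids_param=""):
    """Return {rule_name: 'COMPLIANT' | 'NON_COMPLIANT'} for one instance record."""
    allowed = parse_vpc_ids(vpc_ids_param)
    vpc_id = instance.get("VpcId") or ""
    protocols = {p.lower() for p in instance.get("ListenerProtocols", [])}
    checks = {
        "slb-delete-protection-enabled": instance.get("DeletionProtection") == "on",
        "slb-listener-https-enabled": "https" in protocols,
        # No threshold: any VPC-attached instance passes. With a threshold,
        # the instance's VpcId must be one of the listed IDs.
        "slb-loadbalancer-in-vpc": bool(vpc_id) and (not allowed or vpc_id in allowed),
        "slb-no-public-ip": instance.get("AddressType") == "intranet",
    }
    return {rule: "COMPLIANT" if ok else "NON_COMPLIANT" for rule, ok in checks.items()}

def non_compliant(instances, vpc_ids_param=""):
    """List (instance id, rule) pairs that need remediation."""
    return [(i["LoadBalancerId"], rule)
            for i in instances
            for rule, verdict in evaluate(i, vpc_ids_param).items()
            if verdict == "NON_COMPLIANT"]

# Constructed sample records (instance IDs are made up; VPC IDs reuse the page's examples).
SAMPLE = [
    {"LoadBalancerId": "lb-example-internal", "DeletionProtection": "on",
     "AddressType": "intranet", "VpcId": "vpc-25vk5xwn8",
     "ListenerProtocols": ["https"]},
    {"LoadBalancerId": "lb-example-public", "DeletionProtection": "off",
     "AddressType": "internet", "VpcId": "",
     "ListenerProtocols": ["http", "tcp"]},
    {"LoadBalancerId": "lb-example-othervpc", "DeletionProtection": "on",
     "AddressType": "intranet", "VpcId": "vpc-8vbc16loavvujlzli1yc8",
     "ListenerProtocols": ["HTTPS", "http"]},
]

if __name__ == "__main__":
    threshold = "vpc-25vk5xwn8, vpc-6wesmaymqkgiuru5xmkvx"
    for lb_id, rule in non_compliant(SAMPLE, threshold):
        print(f"{lb_id}: {rule}")
```

With the threshold shown, the third record fails only slb-loadbalancer-in-vpc; with an empty threshold it passes, which mirrors Method 2 of that rule.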