This topic describes how to use the lifecycle hook feature of Auto Scaling to put Elastic Compute Service (ECS) instances into the Pending state and then use an Operation Orchestration Service (OOS) template to automatically add or remove the private IP addresses of the ECS instances to or from the IP address whitelist of an ApsaraDB for Redis instance.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the account registration page.
  • A scaling group is created and enabled.
  • An ApsaraDB for Redis instance is created.
  • A RAM role is created for OOS. The trusted entity type of the RAM role is Alibaba Cloud Service. The trusted service is Operation Orchestration Service. The RAM role has the permissions to perform the O&M operations that are defined in OOS templates. For more information, see Grant RAM permissions to OOS.
    Note In this topic, the OOSServiceRole RAM role is used as an example. You can also use other roles.

Background information

A scaling group can be associated with Server Load Balancer (SLB) or ApsaraDB RDS instances, but cannot be associated with ApsaraDB for Redis instances. If your business data is stored on an ApsaraDB for Redis instance, you can use a lifecycle hook and an OOS template to automatically add or remove the private IP addresses of ECS instances in your scaling group to or from the IP address whitelist of the ApsaraDB for Redis instance. This is more efficient than manually adding or removing the private IP addresses of the ECS instances to or from the IP address whitelist of the ApsaraDB for Redis instance.

Procedure

In this example, the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template is used to show how to automatically add the private IP address of an ECS instance in the scaling group to the IP address whitelist of an ApsaraDB for Redis instance during a scale-out.
Note If you want to remove the private IP address of an ECS instance from the IP address whitelist of the ApsaraDB for Redis instance during a scale-in, you can create a lifecycle hook for scale-in and trigger a scale-in.

Step 1: Grant OOS permissions to the RAM role

You must have the permissions to execute OOS templates. In this example, the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template is used. The template defines the ECS, Auto Scaling, and ApsaraDB for Redis resources that are required to perform O&M operations.

  1. Log on to the RAM console.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Policy page, click the JSON tab, configure parameters as prompted, and then click OK.
      The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
      ParameterDescription
      NameEnter ESSHookPolicyForRedisWhitelist.
      Policy documentEnter the following content:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:DescribeInstances"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "kvstore:ModifySecurityIps"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ess:CompleteLifecycleAction"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
  3. Attach the policy to the OOSServiceRole RAM role.
    1. In the left-side navigation pane, choose Identities > Roles.
    2. Find the RAM role OOSServiceRole and click Add Permissions in the Actions column.
      Grant the required permissions to OOSServiceRole.
    3. In the Add Permissions panel, configure parameters as prompted and click OK.
      The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
      ParameterDescription
      Authorized ScopeSelect Alibaba Cloud Account.
      Select PolicySelect the following custom policy: ESSHookPolicyForRedisWhitelist.

Step 2: Create a lifecycle hook and trigger a scale-out

To automatically add the private IP address of an ECS instance to the IP address whitelist of the ApsaraDB for Redis instance during a scale-out, you must specify an OOS template as the notification method when you create a lifecycle hook.

  1. Log on to the Auto Scaling console.
  2. In the left-side navigation pane, click Scaling Groups.
  3. In the top navigation bar, select the region where Auto Scaling is activated.
  4. Find a scaling group and use one of the following methods to go to the scaling group details page:
    • Click the ID of the scaling group in the Scaling Group Name/ID column.
    • Click Details in the Actions column.
  5. Create a lifecycle hook.
    1. In the upper part of the page, click the Lifecycle Hook tab.
    2. Click Create Lifecycle Hook.
    3. Configure parameters of the lifecycle hook and click OK.
      The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
      ParameterDescription
      NameEnter ESSHookForAddRedisWhitelist.
      Scaling ActivitySelect Scale-out Event.
      Timeout PeriodConfigure the Timeout Period parameter based on your business requirements. Unit: seconds. In this example, the Timeout Period parameter is set to 300.
      Note The timeout period is the period of time during which you can perform custom operations on ECS instances. If the timeout period is shorter than the period of time that is required to perform the custom operations, the operations may fail. We recommend that you estimate the period of time that is required to perform custom operations on ECS instances and configure the Timeout Period parameter based on your business requirements.
      Default Execution PolicySelect Continue.
      Send Notification When Lifecycle Hook Takes EffectSpecify a notification method or the action that you want Auto Scaling to perform after the lifecycle hook times out. In this example, perform the following operations:
      • Select OOS Template.
      • Select Public Templates.
      • Select ACS-ESS-LifeCycleModifyRedisIPWhitelist.
      In the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template, you must configure the following parameters:
      • dbInstanceId: Enter the ID of the ApsaraDB for Redis instance.
      • modifyMode: Select Append. This value applies to the scale-out during which Auto Scaling adds the private IP address of an ECS instance to the IP address whitelist of the ApsaraDB for Redis instance.
      • OOSAssumeRole: Select OOSServiceRole. In Step 1: Grant OOS permissions to the RAM role, OOSServiceRole is granted the permissions on the ECS, Auto Scaling, and ApsaraDB for Redis resources. OOS obtains the preceding permissions after it assumes the RAM role.
  6. Trigger a scale-out.
    In this example, a scale-out is manually triggered by executing a scaling rule. You can also trigger scale-outs by using scheduled or event-triggered tasks.
    Note If scaling activities are triggered when you manually execute scaling rules, lifecycle hooks take effect. However, lifecycle hooks do not take effect when you manually add or remove ECS instances to or from a scaling group.
    1. In the upper part of the scaling group details page, click the Scaling Rules and Event-triggered Tasks tab.
    2. Click the Scaling Rules tab, and then click Create Scaling Rule in the upper-right corner.
    3. In the Create Scaling Rule dialog box, configure parameters of the scaling rule and click OK.
      The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
      ParameterDescription
      Rule NameEnter Add1.
      Rule TypeSelect Simple Scaling Rule.
      OperationSet the value to Add 1 Instances.
    4. On the Scaling Rules page, find the Add1 scaling rule and click Execute in the Actions column.
    5. In the Execute Scaling Rule message, click OK.
    After the scaling rule is executed, Auto Scaling adds one ECS instance to the scaling group. However, the ECS instance enters the Pending Add state because of the ESSHookForAddRedisWhitelist lifecycle hook that is in effect before the ECS instance is added. During the timeout period of the lifecycle hook, Auto Scaling notifies OOS to execute the O&M operations that are defined in the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template.

Step 3: Check the IP address whitelist of the ApsaraDB for Redis instance

  1. Log on to the ApsaraDB for Redis console.
  2. In the left-side navigation pane, click Instances.
  3. Find the ApsaraDB for Redis instance and click its ID in the Instance ID/Name column.
  4. In the left-side navigation pane, click Whitelist Settings.
    • If the private IP address of the ECS instance is added to the IP address whitelist of the ApsaraDB for Redis instance, the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template takes effect.
    • If the ECS instance is created but its private IP address is not added to the IP address whitelist of the ApsaraDB for Redis instance, go to the OOS console to view the execution of the O&M operations. For more information, see Step 4 (Optional) View the OOS execution.

Step 4 (Optional) View the OOS execution

  1. Log on to the OOS console.
  2. In the left-side navigation pane, click Executions.
  3. Find the execution task by time and click Details in the Actions column.
  4. On the execution details page, view information about the OOS execution.
    For example, in the Basic Information section, you can view the execution ID and status. In the Execution Result section, you can click a task node to view the execution details. For more information, see View the details of an execution.
    Note If an execution failed, the error message is displayed in the Execution Result section.

FAQ

If you fail to execute an O&M task, find the cause based on the error message in the execution result. The following section describes the common error messages and solutions:
  • Error message: Forbidden.Unauthorized message: A required authorization for the specified action is not supplied.

    Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.

  • Error message: Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM.

    Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.

  • Error message: LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and lifecycleActionId you provided does not match any in process lifecycle action.

    Solution: Estimate the timeout period of the lifecycle hook to make sure that the O&M task specified in the OOS template can be completed within the timeout period.