Overview
Managed Service for Prometheus is upgrading its multi-tenant monitoring feature for cloud products.
What is multi-tenant monitoring for cloud products? This feature allows Alibaba Cloud products such as ApsaraMQ for Kafka and Lindorm to integrate Prometheus capabilities, providing each user with out-of-the-box monitoring dashboards, alerts, and PromQL query services at the product level.
Why is this upgrade happening? As Managed Service for Prometheus migrates from Application Real-Time Monitoring Service (ARMS) to Cloud Monitor, the Alibaba Cloud Observability team is performing a unified upgrade of the multi-tenant monitoring feature to deliver a more stable and feature-rich monitoring experience.
What are the core changes? The multi-tenant monitoring feature previously provided by Managed Service for Prometheus in ARMS stopped receiving version updates in September 2025 and will be migrated to Managed Service for Prometheus in Cloud Monitor.
After the upgrade, public network endpoint access will no longer be supported. Only access through Virtual Private Cloud (VPC) endpoints will remain available. If you currently rely on public network endpoints for metric queries, make the necessary network adjustments in advance. Refer to the following for details.
Comparison of capabilities before and after upgrade
Category | Comparison item | Before upgrade (Managed Service for Prometheus in ARMS) | After upgrade (Managed Service for Prometheus in Cloud Monitor) |
Metric query | Supported network endpoints | Public network, VPC | VPC only (public network no longer supported) |
Metric storage duration | ≤ 30 days | Depends on the metric storage policy of each cloud product. See the corresponding cloud product documentation for details. | |
Maximum time range for a single query | 7 days | 7 days (no change) | |
Protocol support | HTTP Query, Labels/LabelValues, Series. RemoteRead is not supported. | HTTP Query, Labels/LabelValues, and Series. RemoteRead is not supported. (no change) | |
Authentication method | Endpoint password authentication | Endpoint password authentication (no change) | |
Dashboard | Dashboard engine | Grafana Shared Edition | Cloud Monitor 2.0 self-developed dashboard engine, Managed Service for Grafana, self-built Grafana |
Cloud product dashboard templates | Visualization provided based on Grafana Shared Edition | Visualization provided based on Cloud Monitor's self-developed dashboard engine. The effect is largely consistent with Grafana, but some display details may differ. | |
Alerting | Alert rule quantity limit | 10 rules per region, per product, per user | 10 rules per region, per product, per user (no change) |
Alert event management | Integrated with ARMS Information Technology Service Management (ITSM) | Integrated with Event Center in Cloud Monitor, and ARMS ITSM | |
API integration | API ownership | APIs under ARMS | APIs under Cloud Monitor |
API permissions | ARMS-related RAM permissions | Cloud Monitor-related RAM permissions (see the access policy in the attachment for details) | |
Console | Instance display | Multi-tenant instances displayed in the instance list of Managed Service for Prometheus in ARMS | The Managed Service for Prometheus console no longer displays multi-tenant instances. Each cloud product decides whether to display data access endpoints. |
Data access endpoint retrieval | Retrieve from the console instance details page | Retrieve data access endpoint via APIs (see API reference for details) | |
Billing | Cost | Free | Free (no change) |
Prerequisites | Activate Managed Service for Prometheus | Activate Managed Service for Prometheus (no change) |
Impact on customers
Data continuity: All existing cloud product monitoring data has been fully migrated. Data from multi-tenant instances of Managed Service for Prometheus in ARMS transitions seamlessly to Cloud Monitor, with no impact on historical data queries.
Network access changes: After the upgrade, only VPC access is supported. Public network endpoints will no longer be available. If you currently rely on public network endpoints, complete your network adjustments before the upgrade.
API permission changes: After the upgrade, RAM users require Cloud Monitor API permissions to access monitoring features. Refer to the attachment for the required permission policy.
Dashboard display changes: The Grafana Shared Edition dashboards will be replaced by Cloud Monitor’s self-developed dashboard engine. The core monitoring experience remains consistent, though some visualization details such as chart styles and layouts may differ.
Alert rule migration: Existing alert rules will automatically migrate to the new version on a per-region basis during the upgrade. Existing ARMS alert rules will not be affected.
Affected products
Product | Description |
Confluent | None |
Microservices Engine (MSE) Microservices Registry | None |
MSE Ingress Envoy | None |
Opensergo | None |
API Gateway | None |
ApsaraMQ for RabbitMQ | None |
Managed Service for Grafana | None |
Serverless App Engine (SAE) basic metrics | SAE basic netrics have been discontinued. Future support will be announced separately. Contact the SAE product team for details. |
ApsaraMQ for Kafka | None |
ApsaraMQ for RocketMQ | None |
Elasticsearch | None |
ApsaraDB for SelectDB | None |
ApsaraDB for ClickHouse | None |
ApsaraDB RDS-AI | None |
Data Management (DMS) | None |
InfluxDB | None |
Lindorm | None |
ApsaraDB for MongoDB | None |
Eflo (Intelligent Computing LINGJUN) | None |
FAQs
Do I need to perform any manual operations for this upgrade?
In most cases, no. The platform completes the upgrade automatically. However, you must take action in advance if you currently access metric data through public network endpoints, or if your RAM user lacks Cloud Monitor permissions.
Public network access is unavailable after the upgrade. What should I do?
After the upgrade, only access through VPC endpoints is supported. To access from outside the VPC, set up a network connection to the VPC by using VPN Gateway or Cloud Enterprise Network (CEN).
Will my Grafana dashboards still work after the upgrade?
The Grafana Shared Edition dashboards will be replaced by Cloud Monitor’s self-developed dashboard engine. Core monitoring views remain consistent. If you have a self-built Grafana instance, you can continue using it by configuring a new data source endpoint. Integration with Managed Service for Grafana is also supported.
How do I handle permission errors for RAM users?
In the RAM console, attach the least-privilege policy from the attachment to the RAM user. This policy grants the required Cloud Monitor API permissions, replacing the original ARMS permissions.
Do I need to reconfigure alert rules?
No. Existing alert rules will automatically migrate with the upgrade. Integration with the original ARMS Alert Center remains unaffected.
Attachment
Least-privilege RAM policy for Cloud Monitor Managed Service for Prometheus:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "cms:GetCmsService", "cms:OpenCmsService", "cms:CreatePrometheusVirtualInstance", "cms:ListPrometheusVirtualInstances", "cms:GetPrometheusInstance", "cms:ListPrometheusDashboards" ], "Resource": "*" } ] }