Automatically bind secondary ENIs associated with EIPs to ECS instances - Auto Scaling

This topic describes how to use a lifecycle hook of Auto Scaling to put ECS instances into the wait state and then use an Operation Orchestration Service (OOS) template to automatically bind secondary elastic network interfaces (ENIs) associated with elastic IP addresses (EIPs) to the instances.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the account registration page.
A scaling group is created and enabled.
A RAM role is created for Operation Orchestration Service (OOS). The trusted entity type of the RAM role is Alibaba Cloud Service. The trusted service is Operation Orchestration Service. The RAM role has the permissions that are required to perform operations on the OOS template. For more information, see Grant RAM permissions to OOS.
Note In this topic, the OOSServiceRole RAM role is used as an example. You can also use other roles.

Background information

An ENI is a virtual network interface controller (NIC) that can be bound to a VPC-type ECS instance. You can use ENIs to deploy high-availability clusters and perform low-cost failovers and fine-grained network management. ENIs are classified into two types: primary ENIs and secondary ENIs. Primary ENIs are created along with ECS instances. You cannot unbind primary ENIs from instances. Secondary ENIs can be created separately. You can bind or unbind secondary ENIs to or from instances. For more information, see Overview.

An EIP is a public IP address that you can purchase and hold as an independent resource. You can use EIPs to own public IP addresses until the EIPs are released. You can associate or disassociate EIPs with or from resources such as ECS instances and ENIs to meet your business requirements. For more information, see Elastic IP addresses.

You cannot specify secondary ENIs or EIPs when you create a scaling configuration, but you can use a lifecycle hook and an OOS template to automatically bind secondary ENIs associated with EIPs to ECS instances. This is more efficient than manually binding secondary ENIs after you create ECS instances.

Note If you bind ENIs to ECS instances that use the images of Window Server 2008 R2 or later, CentOS 7.3 64-bit, or CentOS6.8 64-bit, you do not need to manually configure the ENIs after they are bound to the ECS instances. If you bind ENIs to ECS instances that use other images, you must manually configure the ENIs for the instances to identify them. For more information,see Configure a secondary ENI.

Procedure

In the following example, the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance OOS public template is used to demonstrate how to bind a secondary ENI to an ECS instance during a scale-out event and associate an EIP with the secondary ENI. Perform the following operations:

Step 1: Grant OOS permissions to the RAM user
Step 2: Create a lifecycle hook for scale-out events and trigger a scale-out event
Step 3: (Optional) View the execution status of the OOS template

Step 1: Grant OOS permissions to the RAM user

You must be granted the permissions to execute OOS templates. Resources of ECS, Auto Scaling, and Elastic IP Address are involved when the O&M operations specified in the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance template are performed.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
Find the RAM role OOSServiceRole and click Add Permissions in the Actions column.
Attach the policy to the RAM role OOSServiceRole that is assumed by OOS to complete the authorization.
In the Add Permissions panel, configure the parameters and click OK.
The following table describes the parameters used in this example. Use the default values for parameters that are not mentioned in the table.
Parameter Description
Authorization Select Alibaba Cloud account all resources.
Select Policy Select the AliyunECSFullAccess, AliyunESSFullAccess, and AliyunEIPFullAccess system policies.

Parameter	Description
Authorization	Select Alibaba Cloud account all resources.
Select Policy	Select the AliyunECSFullAccess, AliyunESSFullAccess, and AliyunEIPFullAccess system policies.

Step 2: Create a lifecycle hook for scale-out events and trigger a scale-out event

Log on to the Auto Scaling console.
In the left-side navigation pane, click Scaling Groups.
In the top navigation bar, select the region where Auto Scaling is activated.
Find a scaling group and use one of the following methods to go to the scaling group details page:
- Click the ID of the scaling group in the Scaling Group Name/ID column.
- Click Details in the Actions column.

Create a lifecycle hook for scale-out events.

In the upper part of the page, click the Lifecycle Hook tab.
Click Create Lifecycle Hook.

Configure parameters for the lifecycle hook and click OK.

The following table describes the parameters used in this example. Use the default values for parameters that are not mentioned in the table.


Parameter	Description
Name	Enter ESSHookForAttachNicWithEip.
Applicable Scaling Activity Type	Select Scale-out Event.
Timeout Period	Enter an appropriate value, such as 300. Note The timeout period is the period of time during which to perform customized operations. If the period is short, the operations may fail to be performed. Estimate the time required to perform the operations and set an appropriate timeout period.
Execution Policy	Select Continue.
Notification Method	Configure the following settings: Notification method: Select OOS Template. OOS template type: Select Public Templates. Public template: Select ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance from the drop-down list. The following section describes the parameters for the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance template: internetChargeType: PayByBandwidth indicates that you are charged based on the bandwidth. PayByTraffic indicates that you are charged based on the traffic volume that you used. PayByBandwidth is used in this example. bandwidth: 5 is used in this example. 5 indicates that the peak bandwidth is 5 Mbit/s when you use an EIP. Permissions: Select OOSServiceRole from the drop-down list. In Step 1, the OOSServiceRole RAM role is granted permissions to manage ECS, Auto Scaling, and Elastic IP Address resources. OSS owns the preceding permissions after it assumes the RAM role.

Trigger a scale-out event.
A scale-out event is triggered in this example by manually executing a scaling rule. You can also trigger scale-out events by using scheduled or event-triggered tasks.
Note If scaling activities are triggered when you manually execute scaling rules, lifecycle hooks take effect. Lifecycle hooks do not take effect when you manually add or remove ECS instances to or from a scaling group.
1. In the upper part of the page, click the Scaling Rules and Activities tab, and then click the Scaling Rules tab.
2. Click Create Scaling Rule.
3. In the Create Scaling Rule dialog box, configure the parameters and click OK.
  The following table describes the parameters used in this example. Use the default values for parameters that are not mentioned in the table.
  Parameter Description
  Rule Name Enter Add1.
  Rule Type Select Simple Scaling Rule.
  Operation Set this parameter to Add 1 Instances.
4. Find the created Add1 scaling rule and click Execute in the Actions column.
5. In the message that appears, click OK.
After the scaling rule is executed, an ECS instance is automatically created. The ESSHookForAttachNicWithEip lifecycle hook in the scaling group puts the ECS instance into the wait state. Auto Scaling notifies OOS to perform the O&M operations specified in the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance template on the ECS instance.
If the scaling activity fails and the following error information appears, go to the OOS console to view the execution result of O&M tasks. For more information, see Step 3: (Optional) View the execution status of the OOS template.
Check whether the automatically created ECS instance meets your expectations.
1. In the upper part of the page, click the Instances tab.
2. Find the automatically created instance and click its ID in the ECS Instance ID/Name column.
3. In the left-side navigation pane, click Elastic Network Interfaces.
  The following figure shows that the ECS instance is bound with a secondary ENI and the ENI is associated with an EIP as specified in the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance template.
  If an ECS instance is created but is not bound with a secondary ENI or is bound with a secondary ENI that is not associated with an EIP, go to the OOS console to view the execution results of O&M tasks. For more information, see Step 3: (Optional) View the execution status of the OOS template.

Parameter	Description
Rule Name	Enter Add1.
Rule Type	Select Simple Scaling Rule.
Operation	Set this parameter to Add 1 Instances.

Step 3: (Optional) View the execution status of the OOS template

Log on to the OOS console.
In the left-side navigation pane, click Executions.
Find the execution task by time and click Details in the Actions column.
In the upper part of the page, click Advanced View and view the execution status on the Execution Result tab.
- If the execution succeeds, the execution status appears on the Execution Result tab.
- If the execution fails, an error message appears on the Execution Result tab.

FAQ

If you fail to execute an O&M task, find the cause based on the error message in the execution result. The following section describes the common error messages and solutions:

Error message: Forbidden.Unauthorized message: A required authorization for the specified action is not supplied.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.
Error message: Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.
Error message: LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and lifecycleActionId you provided does not match any in process lifecycle action.
Solution: Estimate the timeout period of the lifecycle hook to make sure that the O&M task specified in the OOS template can be completed within the timeout period.