Automatically bind secondary ENIs to ECS instances - Auto Scaling

This topic describes how to use the lifecycle hook feature of Auto Scaling to put Elastic Compute Service (ECS) instances into the Pending state and then use an Operation Orchestration Service (OOS) template to automatically bind secondary elastic network interfaces (ENIs) to the ECS instances and assign elastic IP addresses (EIPs) to the ENIs.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the account registration page.
A scaling group is created and enabled.
A RAM role is created for OOS. The trusted entity type of the RAM role is Alibaba Cloud Service. The trusted service is Operation Orchestration Service. The RAM role has the permissions to perform O&M operations that are defined in OOS templates. For more information, see Grant RAM permissions to OOS.
Note In this topic, the OOSServiceRole RAM role is used as an example. You can also use other roles.

Background information

An ENI is a virtual network interface controller (NIC) that can be bound to an ECS instance in a virtual private cloud (VPC). You can use ENIs to deploy high-availability clusters and perform cost-effective failovers and fine-grained network management. ENIs are classified into primary ENIs and secondary ENIs. Primary ENIs are created together with ECS instances. You cannot unbind primary ENIs from instances. Secondary ENIs can be separately created. You can bind or unbind secondary ENIs to or from ECS instances. For more information, see Overview.

An EIP is a public IP address that you can purchase and manage as an independent resource. You can use EIPs to serve as public IP addresses until the EIPs are released. You can associate EIPs with or disassociate EIPs from resources such as ECS instances and ENIs based on your business requirements. For more information, see Elastic IP addresses.

When you create a scaling configuration, you cannot specify secondary ENIs and EIPs. However, you can use the lifecycle hook feature and an OOS template to automatically bind a secondary ENI to an ECS instance. This is more efficient than manually binding a secondary ENI to an ECS instance.

Note If you want to bind a secondary ENI to an ECS instance that uses the images of Windows Server 2008 R2 or later, 64-bit CentOS 7.3, or 64-bit CentOS6.8, you do not need to configure the ENI after you bind the ENI to the ECS instance. If you want to bind a secondary ENI to an ECS instance that uses other types of images, you must configure the ENI after you bind the ENI to the ECS instance. This way, the secondary ENI can be detected by the ECS instance. For more information, see Configure a secondary ENI.

Procedure

In this example, the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance public template is used to show how to bind a secondary ENI to an ECS instance during a scale-out and assign an EIP to the ENI.

Step 1: Grant OOS permissions to the RAM role
Step 2: Create a lifecycle hook and trigger a scale-out
Step 3: (Optional) View the OOS execution

Step 1: Grant OOS permissions to the RAM role

You must have the permissions to execute OOS templates. In this example, the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance public template is used. The template defines the ECS, Auto Scaling, and EIP resources that are required to perform O&M operations.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
Find the RAM role OOSServiceRole and click Add Permissions in the Actions column.
Grant the required permissions to OOSServiceRole.
In the Add Permissions panel, configure parameters as prompted and click OK.
The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
Parameter Description
Authorized Scope Select Alibaba Cloud Account.
Select Policy Select the following system policies: AliyunECSFullAccess, AliyunESSFullAccess, and AliyunEIPFullAccess.

Parameter	Description
Authorized Scope	Select Alibaba Cloud Account.
Select Policy	Select the following system policies: AliyunECSFullAccess, AliyunESSFullAccess, and AliyunEIPFullAccess.

Step 2: Create a lifecycle hook and trigger a scale-out

Log on to the Auto Scaling console.
In the left-side navigation pane, click Scaling Groups.
In the top navigation bar, select the region where Auto Scaling is activated.
Find a scaling group and use one of the following methods to go to the scaling group details page:
- Click the ID of the scaling group in the Scaling Group Name/ID column.
- Click Details in the Actions column.

Create a lifecycle hook.

In the upper part of the scaling group details page, click the Lifecycle Hook tab.
Click Create Lifecycle Hook.

Configure parameters of the lifecycle hook and click OK.

The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.


Parameter	Description
Name	Enter ESSHookForAttachNicWithEip.
Scaling Activity	Select Scale-out Event.
Timeout Period	Configure the Timeout Period parameter based on your business requirements. Unit: seconds. In this example, the Timeout Period parameter is set to 300. Note The timeout period is the period of time during which you can perform custom operations on ECS instances. If the timeout period is shorter than the period of time that is required to perform the custom operations, the operations may fail. We recommend that you estimate the period of time that is required to perform custom operations on ECS instances and configure the Timeout Period parameter based on your business requirements.
Default Execution Policy	Select Continue.
Send Notification When Lifecycle Hook Takes Effect	Specify a notification method or the action that you want Auto Scaling to perform after the lifecycle hook times out. In this example, perform the following operations: Select OOS Template. Select Public Templates. Select ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance. In the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance public template, you must configure the following parameters: internetChargeType: Set the value to PayByBandwidth or PayByTraffic. PayByBandwidth specifies that you are charged based on the bandwidth that you use. PayByTraffic specifies that you are charged based on the data transferred. In this example, PayByBandwidth is used. Max bandwidth: In this example, the value is set to 5. The value 5 specifies that the peak bandwidth is 5 Mbit/s when you use the EIP. OOSAssumeRole: Select OOSServiceRole. In Step 1: Grant OOS permissions to the RAM role, OOSServiceRole is granted the permissions on the ECS, Auto Scaling, and EIP resources. OOS obtains the preceding permissions after it assumes the RAM role.

Trigger a scale-out.
In this example, a scale-out is manually triggered by executing a scaling rule. You can also trigger scale-outs by using scheduled or event-triggered tasks.
Note If scaling activities are triggered when you manually execute scaling rules, lifecycle hooks take effect. However, lifecycle hooks do not take effect when you manually add or remove ECS instances to or from a scaling group.
1. In the upper part of the scaling group details page, click the Scaling Rules and Event-triggered Tasks tab.
2. Click the Scaling Rules tab, and then click Create Scaling Rule in the upper-right corner.
3. In the Create Scaling Rule dialog box, configure parameters of the scaling rule and click OK.
  The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
  Parameter Description
  Rule Name Enter Add1.
  Rule Type Select Simple Scaling Rule.
  Operation Set the value to Add 1 Instances.
4. On the Scaling Rules page, find the Add1 scaling rule and click Execute in the Actions column.
5. In the Execute Scaling Rule message, click OK.
After the scaling rule is executed, Auto Scaling adds one ECS instance to the scaling group. However, the ECS instance enters the Pending Add state because of the ESSHookForAttachNicWithEip lifecycle hook that is in effect before the ECS instance is added. During the timeout period of the lifecycle hook, Auto Scaling notifies OOS to execute the O&M operations that are defined in the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance public template.
If the scale-out fails and the following error message is returned, go to the OOS console to check the execution of the O&M operations. For more information, see Step 3: (Optional) View the OOS execution.
Check whether the ECS instance is bound to a secondary ENI and whether the ENI is assigned an EIP.
1. In the upper part of the page, click the Instances tab.
2. Find the automatically created ECS instance and click its ID in the ECS Instance ID/Name column.
3. On the ECS instance details page, click the ENIs tab.
  The following figure shows that a secondary ENI is bound to the ECS instance and the ENI is assigned an EIP. This proves that the ACS-ESS-LifeCycleCreateNetworkInterfaceAndEipAndAttachToInstance public template takes effect.
  If the ECS instance is created but is not bound with a secondary ENI or the ECS instance is bound with a secondary ENI that has no EIP, go to the OOS console to check the execution of the O&M operations. For more information, see Step 3: (Optional) View the OOS execution.

Parameter	Description
Rule Name	Enter Add1.
Rule Type	Select Simple Scaling Rule.
Operation	Set the value to Add 1 Instances.

Step 3: (Optional) View the OOS execution

Log on to the OOS console.
In the left-side navigation pane, click Executions.
Find the execution task by time and click Details in the Actions column.
On the execution details page, view information about the OOS execution.
For example, in the Basic Information section, you can view the execution ID and status. In the Execution Result section, you can click a task node to view the execution details. For more information, see View the details of an execution.
Note If an execution failed, the error message is displayed in the Execution Result section.

FAQ

If you fail to execute an O&M task, find the cause based on the error message in the execution result. The following section describes the common error messages and solutions:

Error message: Forbidden.Unauthorized message: A required authorization for the specified action is not supplied.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.
Error message: Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the RAM role OOSServiceRole. Before OOS can manage the resources that are described in the OOS template, you must grant the required permissions to the RAM role.
Error message: LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and lifecycleActionId you provided does not match any in process lifecycle action.
Solution: Estimate the timeout period of the lifecycle hook to make sure that the O&M task specified in the OOS template can be completed within the timeout period.