This topic describes how to combine the lifecycle hook feature of Auto Scaling and a CloudOps Orchestration Service (OOS) template to put Elastic Compute Service (ECS) instances into a Pending state and then automate the task for adding or removing the private IP addresses of the ECS instances to or from the IP address whitelists of Tair (Redis OSS-compatible) instances.
Prerequisites
A scaling group is created and is in the Enabled state.
A Tair (Redis OSS-compatible) instance is created.
A Resource Access Management (RAM) role is created for OOS. The trusted entity of the RAM role must be Alibaba Cloud Service, the trusted service must be CloudOps Orchestration Service, and the RAM role must have the permissions to perform operations on the OOS template. For more information, see Use RAM to grant permissions to OOS.
Note: In this topic, the OOSServiceRole RAM role is used as an example. You can also use other roles.
Background information
Scaling groups can be associated with Server Load Balancer (SLB) or ApsaraDB RDS instances, but cannot be associated with Tair (Redis OSS-compatible) instances. If you store your application data on a Tair (Redis OSS-compatible) instance, manually adding or removing the private IP addresses of your ECS instances to or from an IP address whitelist of the Tair (Redis OSS-compatible) instance can be inefficient. To enhance operational efficiency, you can use the lifecycle hook feature of Auto Scaling and an OOS template to automatically add or remove the private IP addresses of the ECS instances to or from the IP address whitelist of the Tair (Redis OSS-compatible) instance.
Procedure
In this example, a public OOS template named ACS-ESS-LifeCycleModifyRedisIPWhitelist is used to show how to automate the addition of private IP addresses of ECS instances to an IP address whitelist of a Tair (Redis OSS-compatible) instance during a scale-out event. Perform the following steps.
If you want to automate the removal of private IP addresses of ECS instances from the IP address whitelist of your Tair (Redis OSS-compatible) instance, you can create a lifecycle hook for scale-in purposes and apply the lifecycle hook during a scale-in event.
Step 1: Grant a RAM role the permissions on OOS
You must have the permissions to execute OOS templates. The ACS-ESS-LifeCycleModifyRedisIPWhitelist template includes ECS, Auto Scaling, and Tair (Redis OSS-compatible) resources that are required to perform O&M tasks.
Log on to the RAM console.
Create a permission policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab, configure parameters based on your business requirements, and then click OK.
The following table describes the parameter settings that are used in this example. For parameters that are not included in the following table, use the default settings.
Parameter | Description |
Name | Enter ESSHookPolicyForRedisWhitelist. |
Policy document | Enter the following content: |

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:CompleteLifecycleAction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Attach the policy to the OOSServiceRole RAM role.
In the left-side navigation pane, choose .
Find the OOSServiceRole RAM role and click Grant Permission in the Actions column.
Add the required permissions for the OOSServiceRole RAM role that is assumed by OOS to complete the authorization.
In the Grant Permission panel, configure Resource Scope and Policy. After you complete the configuration, click Grant permissions.
The following table describes the parameter settings that are used in this example. For parameters that are not included in the following table, use the default settings.
Parameter | Description |
Resource Scope | Select Account. |
Policy | Select the following custom policy: ESSHookPolicyForRedisWhitelist. |
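The policy in Step 1 allows all three actions on Resource "*", so with the Account resource scope the role that OOS assumes can modify the whitelist of every Tair (Redis OSS-compatible) instance in the account. The following added example, which is not part of the original topic, parses that policy and lists the non-read-only actions that are allowed on a wildcard resource so that their scope can be reviewed. The list of read-only verb prefixes is an assumption of this example.

```python
import json

# Policy document from Step 1 of this topic.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstances"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["kvstore:ModifySecurityIps"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["ess:CompleteLifecycleAction"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# Assumption of this example: API names that start with these verbs only read data.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query")


def as_list(value):
    """Action, Resource and Statement may each be a single value or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_write_grants(policy):
    """Return the non-read-only actions that an Allow statement grants on a wildcard resource."""
    findings = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # A bare "*" or an ARN that ends in ":*" is treated as a wildcard here.
        resources = as_list(stmt.get("Resource", []))
        if not any(r.split(":")[-1] == "*" for r in resources):
            continue
        for action in as_list(stmt.get("Action", [])):
            api = action.partition(":")[2]  # empty when the action itself is "*"
            if not api.startswith(READ_ONLY_PREFIXES):
                findings.add(action)
    return sorted(findings)


if __name__ == "__main__":
    for action in wildcard_write_grants(POLICY):
        print(f"review scope: {action} is allowed on a wildcard resource")
```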
Step 2: Create a lifecycle hook and trigger a scale-out
When you create a lifecycle hook for scale-out purposes, you must set Send Notification When Lifecycle Hook Takes Effect to OOS Template. This way, the automatic addition of private IP addresses of ECS instances to the IP address whitelist of the Tair (Redis OSS-compatible) instance is triggered during the scale-out event.
Log on to the Auto Scaling console.
In the left-side navigation pane, click Scaling Groups.
In the top navigation bar, select a region.
Find the desired scaling group and use one of the following methods to open the scaling group details page.
Click the ID of the scaling group in the Scaling Group Name/ID column.
Click Details in the Actions column.
Create a lifecycle hook.
In the upper part of the details page, click the Lifecycle Hook tab.
Click Create Lifecycle Hook.
Configure parameters based on your business requirements and click OK.
The following table describes the parameter settings that are used in this example. For parameters that are not included in the following table, use the default settings.
Parameter | Description |
Name | Enter ESSHookForAddRedisWhitelist. |
Scaling Activity | Select Scale-out Event. |
Timeout Period | Configure the Timeout Period parameter based on your business requirements. Unit: seconds. In this example, the Timeout Period parameter is set to 300. Note: The timeout period is the period of time during which you can perform custom operations on instances. If the timeout period is shorter than the period of time that is required to perform custom operations, the operations may fail. We recommend that you estimate the period of time that is required to perform custom operations on instances and configure Timeout Period based on your estimates. |
Default Execution Policy | Select Continue. |
Send Notification When Lifecycle Hook Takes Effect | In this example, select OOS Template, select Public Templates, and then select ACS-ESS-LifeCycleModifyRedisIPWhitelist. |
In the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template, you must also configure the following parameters:
dbInstanceId: Enter the ID of the Tair (Redis OSS-compatible) instance.
modifyMode: Select Append. This value applies to the scale-out event during which Auto Scaling adds the private IP address of an ECS instance to the IP address whitelist of the Tair instance.
OOSAssumeRole: Select OOSServiceRole. In Step 1, OOSServiceRole is granted the permissions on the ECS, Auto Scaling, and Tair (Redis OSS-compatible) resources. OOS obtains the preceding permissions after it assumes the RAM role.
Trigger a scale-out event.
In this example, a scale-out event is manually triggered by executing a scaling rule. You can also trigger scale-out events by using scheduled or event-triggered tasks.
Note: If scaling events are triggered when you manually execute scaling rules, lifecycle hooks take effect. However, lifecycle hooks do not take effect if you manually add or remove ECS instances to or from a scaling group.
In the upper part of the page that appears, click the Scaling Rules and Event-triggered Tasks tab.
On the Scaling Rules tab, click Create Scaling Rule.
In the Create Scaling Rule dialog box, configure parameters based on your business requirements and click OK.
The following table describes the parameter settings that are used in this example. For parameters that are not included in the following table, use the default settings.
Parameter | Description |
Rule Name | Enter Add1. |
Rule Type | Select Simple Scaling Rule. |
Operation | Set the value to Add 1 Instances. |
On the Scaling Rules tab, find the Add1 scaling rule and click Execute in the Actions column.
In the Execute Scaling Rule message, click OK.
After the scaling rule is executed, Auto Scaling adds one ECS instance to the scaling group. However, the ECS instance enters the Pending Add state because of the ESSHookForAddRedisWhitelist lifecycle hook that is in effect. During the timeout period of the lifecycle hook, Auto Scaling notifies OOS to execute the O&M tasks that are defined in the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template.
Step 3: Check the IP address whitelist of the Tair (Redis OSS-compatible) instance
Log on to the Tair (Redis OSS-compatible) console.
In the left-side navigation pane, click Instances.
Find the desired instance and click its ID in the Instance ID/Name column.
In the left-side navigation pane, click Whitelist Settings.
If the private IP address of the ECS instance is added to the IP address whitelist of the Tair (Redis OSS-compatible) instance, the ACS-ESS-LifeCycleModifyRedisIPWhitelist public template takes effect as expected.
If the ECS instance is created but its private IP address is not added to the IP address whitelist of the Tair (Redis OSS-compatible) instance, go to the OOS console to view the execution of the O&M tasks. For more information, see (Optional) Step 4: View the OOS execution.
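A scripted version of the Step 3 check, as an added example that is not part of the original topic: it compares the whitelist entries with the private IP addresses of the ECS instances currently in the scaling group and reports addresses that were not added, leftover single-host entries, and CIDR ranges that deserve review. The sample data is constructed, and ignoring loopback entries such as 127.0.0.1 is an assumption of this example.

```python
import ipaddress

# Constructed sample data: whitelist entries as shown on the Whitelist Settings page,
# and the private IP addresses of the instances that are in the scaling group.
SAMPLE_WHITELIST = ["127.0.0.1", "10.0.1.15", "10.0.1.23"]
SAMPLE_IN_SERVICE = ["10.0.1.15", "10.0.1.42"]


def audit_whitelist(whitelist_entries, in_service_private_ips):
    """Compare whitelist entries (IP or CIDR) with the expected instance addresses."""
    expected = {ipaddress.ip_address(ip.strip()) for ip in in_service_private_ips}
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in whitelist_entries]
    # Assumption: a loopback entry admits no remote client, so it is not a finding.
    nets = [n for n in nets if not n.network_address.is_loopback]

    hosts = {n.network_address for n in nets if n.num_addresses == 1}
    ranges = [n for n in nets if n.num_addresses > 1]

    def addr_key(a):
        return (a.version, int(a))

    # Expected addresses that no entry covers: the hook did not add them.
    missing = sorted((ip for ip in expected if not any(ip in n for n in nets)),
                     key=addr_key)
    # Single-host entries that match no current instance: candidates for removal.
    stale = sorted(hosts - expected, key=addr_key)
    # Ranges are not per-instance entries; 0.0.0.0/0 would admit every address.
    ranges.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))

    return {
        "missing": [str(ip) for ip in missing],
        "stale": [str(ip) for ip in stale],
        "ranges": [str(n) for n in ranges],
    }


if __name__ == "__main__":
    report = audit_whitelist(SAMPLE_WHITELIST, SAMPLE_IN_SERVICE)
    for finding, entries in report.items():
        print(f"{finding}: {', '.join(entries) or 'none'}")
```

A non-empty `missing` list points to a failed or timed-out OOS execution, and `stale` entries remain when no scale-in hook removes the addresses of released instances.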
(Optional) Step 4: View the OOS execution
Log on to the OOS console.
In the left-side navigation pane, choose .
Find the execution task by time and click Details in the Actions column.
On the execution details page, view the related information.
For example, in the Basic Information section, you can view the execution ID and status. In the Execution Steps and Results section, you can click a task node to view the execution details. For more information, see View the details of an execution.
Note: If the execution fails, an error message is displayed on the execution details page.
FAQ
If you fail to execute an O&M task, troubleshoot the issue based on the error message in the execution result. For more information, see FAQ.
The following table describes the common error messages.
Error message | Cause | Solution |
Forbidden.Unauthorized message: A required authorization for the specified action is not supplied. | You have not authorized Auto Scaling to perform the current action. | Check whether the OOSServiceRole RAM role has the required permissions. |
Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM. | The RAM user or RAM role does not have the permissions to operate the corresponding resources. | Check whether the OOSServiceRole RAM role has the required permissions. For example, you can grant the OOS permissions to the RAM role. Before OOS can manage the resources that are declared in the OOS template, you must grant the required permissions to the RAM role. |
LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and lifecycleActionId you provided does not match any in process lifecycle action. | The ongoing lifecycle hook action has ended or been stopped. | Assess the timeout period of the lifecycle hook to make sure that the O&M tasks specified in the OOS template can be completed within the allotted time limit. |