Anti-DDoS Pro and Anti-DDoS Premium are integrated with the alert monitoring feature of CloudMonitor. You can configure alert rules and real-time dashboards in the CloudMonitor console. After you configure an alert rule, CloudMonitor reports an alert when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. You can also view the monitoring details in real-time dashboards and troubleshoot exceptions. This topic describes how to configure alert rules and real-time dashboards.

Background information

CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. For more information, see What is CloudMonitor?

Anti-DDoS Pro and Anti-DDoS Premium are integrated with the alert monitoring feature of CloudMonitor. You can configure alert notifications and real-time dashboards for the following events in the CloudMonitor console.

  • Event names: IP address traffic alert, Connection alerts, QPS alerts, and Status code alerts
    Event type: Service metric monitoring and alerting
    Description: After you configure an alert rule for a service metric, CloudMonitor reports an alert notification when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity.
  • Event names: DDoS blackhole event alerts and Alerts for DDoS mitigation events
    Event type: Event monitoring and alerting
    Description: After you configure an alert rule for an event, CloudMonitor reports an alert notification when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. The event that occurred on your Anti-DDoS Pro or Anti-DDoS Premium instance can be a blackhole filtering event, traffic scrubbing event, event of HTTP flood attacks at Layer 4, or event of HTTP flood attacks at Layer 7.
  • Event name: DDoS monitor dashboard
    Event type: Real-time dashboard
    Description: CloudMonitor provides the dashboard feature. You can customize the monitoring data that is displayed on a dashboard and view the monitoring data on the dashboard. You can aggregate monitoring data of different services and instances that run the same type of workloads by using one dashboard. You can configure a real-time dashboard for Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console. Then, you can monitor workloads of Anti-DDoS Pro or Anti-DDoS Premium in a visualized and comprehensive manner.

CloudMonitor provides the following metrics for Anti-DDoS Pro and Anti-DDoS Premium.
Metric Dimension Unit
Out_Traffic Instance or IP address bit/s
In_Traffic Instance or IP address bit/s
Back_Traffic (traffic that is scrubbed by Anti-DDoS Pro or Anti-DDoS Premium and is forwarded to the origin server) Instance or IP address bit/s
AttackTraffic Instance or IP address bit/s
Active_connection Instance or IP address Count
Inactive_connection Instance or IP address Count
New_connection Instance or IP address Count
QPS Domain name Count/second
qps_ratio_down Domain name %
qps_ratio_up Domain name %
resp2xx Domain name Count
resp2xx_ratio Domain name %
resp3xx Domain name Count
resp3xx_ratio Domain name %
resp404 Domain name Count
resp404_ratio Domain name %
resp4xx Domain name Count
Note This metric indicates the number of status codes from 400 to 499, excluding 403, 404, and 405.
resp4xx_ratio Domain name %
resp5xx Domain name Count
Note This metric indicates the number of status codes from 500 to 599, excluding 500, 502, 503, and 504.
resp5xx_ratio Domain name %
upstream_resp2xx Domain name Count
upstream_resp2xx_ratio Domain name %
upstream_resp3xx Domain name Count
upstream_resp3xx_ratio Domain name %
upstream_resp404 Domain name Count
upstream_resp404_ratio Domain name %
upstream_resp4xx Domain name Count
upstream_resp4xx_ratio Domain name %
upstream_resp5xx Domain name Count
upstream_resp5xx_ratio Domain name %

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Investigation > Cloud monitor alerts.
  4. On the Cloud monitor alerts page, find the event for which you want to configure an alert rule and click Cloud monitor alerts in the collaboration config column.
    • IP address traffic alert, Connection alerts, QPS alerts, and Status code alerts: Click Cloud monitor alerts. You are redirected to the CloudMonitor console. You can create a threshold-triggered alert rule for Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console. For more information, see Configure service metric monitoring and alerting.
    • DDoS blackhole event alerts and Alerts for DDoS mitigation events: Click Cloud monitor alerts. You are redirected to the CloudMonitor console. You can create an event-triggered alert rule for Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console. For more information, see Configure event monitoring and alerting.
    • DDoS monitor dashboard: Click Cloud monitor alerts. You are redirected to the CloudMonitor console. You can create a real-time dashboard and charts for Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console. For more information, see Configure a real-time dashboard.

Configure service metric monitoring and alerting

  1. In the CloudMonitor console, create an alert contact. If you have created a contact, skip this step.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contacts tab, click Create Alert Contact.
    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
  2. Create an alert contact group. If you have created an alert contact group, skip this step.
    Note CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.
    3. In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.
  3. Create one or more threshold-triggered alert rules.
    1. In the left-side navigation pane, choose Alerts > Alert Rules.
    2. On the Alert Rules page, click Create Alert Rule.
    3. In the Create Alert Rule panel, configure the parameters and click OK.
      Product: Select Anti-DDoS Pro or Anti-DDoS Premium.
      Resource Range: Select the resources on which you want the alert rule to take effect. Valid values: All Resources, Application Groups, and Instances.
        • All Resources: The alert rule takes effect on all Anti-DDoS Pro or Anti-DDoS Premium instances.
        • Application Groups: The alert rule takes effect on all Anti-DDoS Pro or Anti-DDoS Premium instances in a specific application group.
        • Instances: The alert rule takes effect on the Anti-DDoS Pro or Anti-DDoS Premium instances that you select.
      Rule Description: Specify the conditions that are used to trigger alerts. Click Add Rule. After you configure all the parameters, click OK.
        Note We recommend that you specify the thresholds of metrics based on your business requirements. A low threshold may frequently trigger alerts and affect user experience in a negative manner. A high threshold may prevent you from handling attacks in a timely manner.
        Examples:
        • New_connection | 5Minute cycle | Continue for 3 periods | Once | > | 200: In this rule, the detection period is 5 minutes, and 1 data point is reported each minute. The data point indicates the number of new connections. CloudMonitor checks the data points that are generated in three consecutive detection periods. In this case, the total number of data points is 15. If the value of a data point exceeds 200, an alert notification is sent.
        • Out_Traffic | 5Minute cycle | Continue for 3 periods | Once | ≥ | 50 Mbit/s: In this rule, the detection period is 5 minutes, and 1 data point is reported each minute. The data point indicates the transfer rate of outbound traffic. CloudMonitor checks the data points that are generated in three consecutive detection periods. In this case, the total number of data points is 15. If the value of a data point is greater than or equal to 50 Mbit/s, an alert notification is sent.
      Mute For: Specify the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared. If the conditions of an alert rule are met, an alert is triggered. CloudMonitor does not resend an alert notification if the alert is triggered within the mute period. If the alert is not cleared after the mute period ends, CloudMonitor resends alert notifications.
      Effective Period: Specify the effective period for the alert rule. CloudMonitor sends alert notifications within the effective period and only records alerts beyond the effective period.
      Alert Contact Group: Select the alert contact groups to which you want to send alert notifications.
      Alert Callback: Specify the callback URL that can be accessed over the Internet. CloudMonitor sends POST requests to push alert notifications to the specified callback URL. Only HTTP requests are supported. For information about how to configure alert callbacks, see Use the alert callback feature to send notifications about threshold-triggered alerts.
        Note You can click Advanced Settings to configure this parameter.
      Auto Scaling: If you turn on Auto Scaling and an alert is triggered, the specified scaling rule is enabled. In this case, you must configure the Region, ESS Group, and ESS Rule parameters.
        Note You can click Advanced Settings to configure this parameter.
      Log Service: If you turn on Log Service and an alert is triggered, the alert information is written to the specified Logstore in Log Service. In this case, you must configure the Region, ProjectName, and Logstore parameters. For information about how to create a project and a Logstore, see Getting Started.
        Note You can click Advanced Settings to configure this parameter.
      Message Service - topic: Specify the method that is used to handle alerts when no monitoring data is found. Valid values:
        • Do not do anything (default value)
        • Send alert notifications
        • Treated as normal
        Note You can click Advanced Settings to configure this parameter.
      Tag: Specify tags for the alert rule. A tag consists of a name and a value.
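
The following added example (not part of the original documentation and not CloudMonitor code) replays one-minute data points against the New_connection example rule and the Mute For behavior described above, to show how the threshold and the mute period change the number of notifications. It assumes that the rule is evaluated once per detection period and that any data point in the 15-point window that crosses the threshold triggers the rule, as the example wording states; the sample values are constructed.

```python
import re
from dataclasses import dataclass

# Comparison operators used by the two example rules above.
OPS = {">": lambda v, t: v > t, "≥": lambda v, t: v >= t}

@dataclass
class Rule:
    metric: str
    period_min: int   # length of one detection period, in minutes
    periods: int      # number of consecutive detection periods checked
    op: str
    threshold: float

def parse_rule(text):
    """Parse 'Metric | 5Minute cycle | Continue for 3 periods | Once | > | 200'."""
    metric, cycle, cont, _freq, op, thr = [p.strip() for p in text.split("|")]
    return Rule(metric,
                int(re.match(r"(\d+)\s*Minute", cycle).group(1)),
                int(re.search(r"(\d+)", cont).group(1)),
                op,
                float(thr.split()[0]))   # a unit suffix such as 'Mbit/s' is dropped

def replay(rule, samples, mute_min):
    """Return the minute indexes at which a notification would be sent.
    samples holds one data point per minute, as the page describes.
    Assumption: the rule is evaluated once per detection period."""
    window = rule.period_min * rule.periods           # 5 * 3 = 15 data points
    hit = OPS[rule.op]
    sent, last = [], None
    for t in range(window - 1, len(samples), rule.period_min):
        recent = samples[t - window + 1 : t + 1]
        if not any(hit(v, rule.threshold) for v in recent):
            continue                                   # rule is not triggered
        if last is None or t - last >= mute_min:       # mute period has ended
            sent.append(t)
            last = t
    return sent

# Constructed sample: 60 minutes at 120 new connections with a 3-minute burst.
SAMPLES = [120] * 60
SAMPLES[20:23] = [260, 270, 255]

RULE = parse_rule("New_connection | 5Minute cycle | Continue for 3 periods | Once | > | 200")
LOW = parse_rule("New_connection | 5Minute cycle | Continue for 3 periods | Once | > | 100")

if __name__ == "__main__":
    for name, rule, mute in (("200/30", RULE, 30), ("200/10", RULE, 10), ("100/10", LOW, 10)):
        print(name, replay(rule, SAMPLES, mute))
```

Under these assumptions, the 3-minute burst keeps the rule triggered for three evaluations because each evaluation looks back over 15 data points, and a threshold below the normal baseline produces a notification every time the mute period ends.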

Configure event monitoring and alerting

  1. In the CloudMonitor console, create an alert contact. If you have created a contact, skip this step.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contacts tab, click Create Alert Contact.
    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
  2. Create an alert contact group. If you have created an alert contact group, skip this step.
    Note CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.
    3. In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.
  3. Create one or more event-triggered alert rules.
    1. In the left-side navigation pane, choose Event Monitoring > System Event.
    2. On the Event-triggered Alert Rules tab, click Create Alert Rule.
    3. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
      Basic Info
        Alert Rule Name: Enter a name for the alert rule.
      Event-triggered Alert Rules
        Product Type: Select Anti-DDoS Pro or ddosdip (Anti-DDoS Premium).
        Event Type: Select the type of event for which you want to send alert notifications. Valid values:
          • DDoS Blackhole Filtering: blackhole filtering events
          • DDoS Traffic Scrubbing: traffic scrubbing events
          • Layer 4 Flood Attack: events of flood attacks at Layer 4
          • Layer 7 HTTP Flood Attack: events of HTTP flood attacks at Layer 7
        Event Level: Select the level of event for which you want to send alert notifications. Only CRITICAL is supported for the preceding types of events.
        Event Name: Select the event for which you want to send alert notifications. The valid values of this parameter vary based on the value of the Event Type parameter. The following list describes the events of each event type:
          • Blackhole filtering events: ddosdip_event_blackhole_add and ddosdip_event_blackhole_end
          • Traffic scrubbing events: ddosdip_event_defense_add and ddosdip_event_defense_end
          • Events of flood attacks at Layer 4: ddosdip_event_cc4_add and ddosdip_event_cc4_end
          • Events of HTTP flood attacks at Layer 7: ddosdip_event_cc7_add and ddosdip_event_cc7_end
        Keyword Filtering: Specify the keywords that are used in the alert rule. Valid values:
          • Contains any of the keywords: If the content of an event includes any one of the specified keywords, an alert notification is sent.
          • Does not contain any of the keywords: If the content of an event does not include any one of the specified keywords, an alert notification is sent.
          Note For more information about how to view the content of an event, see View system events.
        SQLFilter: Specify the SQL statements that are used for filtering. The logical operators "and" and "or" are supported. For example, the SQL statement Warn and i-hp368focau7dp0hw**** indicates that CloudMonitor sends an alert notification only when the content of an event includes the i-hp368focau7dp0hw**** instance and the level of the event is WARN.
        Resource Range: Select All Resources.
      Notification Method
        Contact Group: Select the alert contact groups to which you want to send alert notifications.
        Alert Notification: Specify the severity level and notification method of the event alert. Valid values:
          • Critical (Email + Webhook)
          • Warning (Email + Webhook)
          • Info (Email + Webhook)
        MNS Queue: You do not need to specify this parameter.
        Function Compute: You do not need to specify this parameter.
        URL Callback: You do not need to specify this parameter.
        Log Service: You do not need to specify this parameter.
        Mute For: Specify the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.
  4. Optional: Query events. You can query the events that recently occurred on Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console.
    1. On the Event Monitoring tab, select Anti-DDoS Pro or ddosdip for All Products. Then, specify the event type and time range to query related events and click Search.
    2. In the event list, click Details to view the details of an event.
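
The *_add and *_end event names listed for the Event Name parameter can be paired to see which mitigation events are still active and how long the finished ones lasted. This is an added example, not code from the original documentation; the record fields (name, resource, time) and the sample events are constructed, and treating *_add as the start and *_end as the end of an event is an assumption based on the names.

```python
from datetime import datetime

# Event types and the middle part of their event names, as listed on this page
# (for example ddosdip_event_blackhole_add and ddosdip_event_blackhole_end).
EVENT_TYPES = {
    "blackhole": "DDoS Blackhole Filtering",
    "defense": "DDoS Traffic Scrubbing",
    "cc4": "Layer 4 Flood Attack",
    "cc7": "Layer 7 HTTP Flood Attack",
}
PREFIX = "ddosdip_event_"

def classify(name):
    """Return (event type, 'add' or 'end'), or None for an unknown event name."""
    if not name.startswith(PREFIX):
        return None
    kind, _, phase = name[len(PREFIX):].rpartition("_")
    if kind in EVENT_TYPES and phase in ("add", "end"):
        return EVENT_TYPES[kind], phase
    return None

def pair_events(events):
    """Pair each *_add with the next *_end of the same type and resource.
    Returns (closed, still_open): closed holds (type, resource, seconds);
    still_open holds the (type, resource) keys that never received an *_end."""
    started, closed = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        parsed = classify(ev["name"])
        if parsed is None:
            continue                               # not an event listed above
        key = (parsed[0], ev["resource"])
        if parsed[1] == "add":
            started.setdefault(key, ev["time"])    # keep the earliest start
        elif key in started:
            seconds = (ev["time"] - started.pop(key)).total_seconds()
            closed.append((*key, seconds))
    return closed, sorted(started)

def make_event(name, resource, hhmm):
    # Hypothetical record layout: the field names are illustrative only.
    return {"name": name, "resource": resource,
            "time": datetime.fromisoformat(f"2024-01-01T{hhmm}:00")}

# Constructed sample events (documentation-range IP addresses).
SAMPLE_EVENTS = [
    make_event("ddosdip_event_defense_add", "203.0.113.10", "10:05"),
    make_event("ddosdip_event_blackhole_add", "203.0.113.10", "10:00"),
    make_event("ddosdip_event_cc7_add", "203.0.113.20", "10:20"),
    make_event("ddosdip_event_cc7_end", "203.0.113.20", "10:25"),
    make_event("ddosdip_event_blackhole_end", "203.0.113.10", "10:30"),
    make_event("some_other_event", "203.0.113.10", "10:40"),
]
```

With the constructed events, pair_events(SAMPLE_EVENTS) reports the Layer 7 HTTP flood and blackhole events as closed and leaves traffic scrubbing on 203.0.113.10 as still open.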

Configure a real-time dashboard

  1. In the left-side navigation pane of the CloudMonitor console, click Dashboard.
  2. On the Custom Dashboards tab, click Add Dashboard.
  3. In the Add Dashboard Group dialog box, specify a dashboard name and click Confirm.
    After the dashboard is created, you can view the dashboard on the Custom Dashboards tab.
  4. Click the name of the dashboard and click Add View. In the Add Chart panel, configure a chart.
    1. Select a chart type. The following chart types are supported: Line, Area, Table, Heat Map, and Pie Chart.
    2. Configure one or more metrics. Click the Dashboards tab and select Anti-DDoS Pro or Anti-DDoS Premium. Then, configure the Metric Name and Resource parameters.
      • Metric Name: Select the metrics that you want to monitor.
      • Resource: Select Apply Group, Cloud product instance, or Monitoring Instance based on your business requirements. Then, select the Anti-DDoS Pro or Anti-DDoS Premium instance and the IP address of the asset that you want to monitor.
      Note Click Add Metric if you want to add more metrics.
    3. Click OK to create the chart.
    You can repeat the preceding steps to add more charts to the dashboard.