All Products
Search

This Product

    Tair (Redis® OSS-Compatible):Automatically manage ECS instances in a Tair whitelist

    Document Center

    Tair (Redis® OSS-Compatible):Automatically manage ECS instances in a Tair whitelist

    Last Updated:May 09, 2026

    This tutorial describes how to use an Auto Scaling lifecycle hook to put an ECS instance on hold and use an CloudOps Orchestration Service (OOS) template to automatically add the instance to or remove it from a Tair instance whitelist.

    Prerequisites

    • A scaling group is created and enabled.

    • A Tair instance is created.

    • A RAM role must be created for CloudOps Orchestration Service (OOS). The RAM role must trust Alibaba Cloud Service as an entity and CloudOps Orchestration Service as a trusted service. The role must also have permissions to execute OOS templates. For more information, see Create a RAM role for OOS and grant permissions.

      Note

      This topic uses the OOSServiceRole RAM role as an example. You can also use a custom RAM role.

    Background

    A scaling group can be associated with Server Load Balancer (SLB) instances and ApsaraDB RDS instances, but cannot be associated with Tair instances. If you store business data on a Tair instance, manually adding ECS instances to or removing them from the Tair instance whitelist is inefficient. You can use lifecycle hooks and OOS templates to automatically add ECS instances to and remove them from the Tair instance whitelist.

    Procedure

    This tutorial shows how to use the public OOS template ACS-ESS-LifeCycleModifyRedisIPWhitelist to add an ECS instance to a Tair instance whitelist during a scale-out.

    Note

    To remove an ECS instance from a Tair instance whitelist during a scale-in, create a lifecycle hook for scale-in activities and then trigger a scale-in.

    Step 1: Grant permissions to the OOS RAM role

    Executing the ACS-ESS-LifeCycleModifyRedisIPWhitelist OOS template requires permissions for the involved Elastic Compute Service, Auto Scaling, and Tair (Redis OSS-compatible) resources.

    1. Log on to the RAM console.

    2. Create a permission policy.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. Click Create Policy.

      3. On the Create Policy page, click the JSON Editor tab, configure the parameters, and then click OK.

        The following table describes the parameters. Use the default values for the parameters that are not mentioned.

        Parameter

        Description

        Name

        Enter ESSHookPolicyForRedisWhitelist.

        Policy Document

        Enter the following content:

        {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ess:CompleteLifecycleAction"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

    3. Attach the permission policy to the OOSServiceRole RAM role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. Find OOSServiceRole and click Grant Permission in the Actions column.

        Grant the required permissions to the OOSServiceRole RAM role that OOS assumes. This completes the authorization.

      3. On the Grant Permission page, configure the authorization scope and permissions, and then click OK.

        The following table describes the parameters. Use the default values for the parameters that are not mentioned.

        Parameter

        Description

        Resource Range

        Select Account.

        Policies

        Attach the custom policy named ESSHookPolicyForRedisWhitelist.

    Step 2: Create and trigger a scale-out hook

    When creating a lifecycle hook, select OOS Template as the notification method and configure the required parameters. This ensures an ECS instance is automatically added to the Tair instance whitelist when a scale-out is triggered.

    1. Log on to the Auto Scaling console.

    2. In the navigation pane on the left, click Scaling Groups.

    3. In the top navigation bar, select a region.

    4. Find the scaling group that you want to manage and open its details page in one of the following ways:

      • In the Scaling Group Name/ID column, click the ID of the scaling group.

      • In the Actions column, click Details.

    5. Create a lifecycle hook for the scale-out.

      1. At the top of the page, click the Event and adhesive hook tab.

      2. Click Create Lifecycle Hook.

      3. Configure the lifecycle hook and click OK.

        The following table describes the parameters. Use the default values for the parameters that are not mentioned.

        Parameter

        Description

        Name

        Enter ESSHookForAddRedisWhitelist.

        Scaling Activity Type

        Select Scale-Out.

        Timeout Period

        Enter an appropriate timeout period, such as 300 seconds.

        Note

        The timeout period is the time available to perform custom actions. If this period is too short, the actions may fail. Evaluate the time required for your custom actions and set an appropriate timeout period.

        Default Execution Policy

        Select Continue.

        Send Notification When Lifecycle Hook Takes Effect

        Configure the template with the following settings:

        • Notification Method: Select OOS Template.

        • OOS Template Type: Select Public Templates.

        • Public Template: Select ACS-ESS-LifeCycleModifyRedisIPWhitelist.

        Configure the execution parameters for ACS-ESS-LifeCycleModifyRedisIPWhitelist with the following settings:

        • RedisInstanceId: Enter the ID of your Tair instance.

        • ModifyIPWhitelistMode: Select Append, which corresponds to a scale-out and adds the ECS instance to the Tair instance whitelist.

        • RAM role assumed by OOS: Select OOSServiceRole. In the procedure, permissions to manage ECS, Auto Scaling, and Redis resources have been added to the OOSServiceRole RAM role. The OOS service assumes this role to obtain the required permissions.

    6. Trigger a scale-out.

      This tutorial shows how to manually execute a scaling rule to trigger a scale-out. You can also use scheduled tasks or event-triggered tasks to trigger a scale-out.

      Note

      Lifecycle hooks take effect only when a scaling rule triggers a scale-out or scale-in. They do not take effect when you manually add or remove existing ECS instances.

      1. Click the Scaling Rules and Event-triggered Tasks tab.

      2. On the Scaling Rules tab, click Create Scaling Rule.

      3. Set the parameters for the scaling rule and click OK.

        The following table describes the parameters. Use the default values for the parameters that are not mentioned.

        Parameter

        Description

        Rule Name

        Enter Add1.

        Rule Type

        Select Simple Scaling Rule.

        Operation

        Set the value to Add 1 instance.

      4. Find the Add1 scaling rule that you created and click Perform in the Actions column.

      5. Click OK.

      After the scaling rule executes, an ECS instance is automatically created. The ESSHookForAddRedisWhitelist lifecycle hook then places the instance on hold and notifies the OOS service to execute the operations defined in the ACS-ESS-LifeCycleModifyRedisIPWhitelist template.

    Step 3: View the Tair instance whitelist

    1. Log on to the console of Tair (Redis OSS-compatible).

    2. In the left-side navigation pane, click Instance List.

    3. Find your Tair instance and click its ID in the Instance ID/Name column.

    4. In the left-side navigation pane, click Whitelist Settings.

      • If the new ECS instance's private IP address appears on the Tair instance whitelist, the ACS-ESS-LifeCycleModifyRedisIPWhitelist template has executed successfully.

      • If the ECS instance exists but its private IP address is not on the Tair instance whitelist, check the OOS task's execution status in the OOS console. For details, see (Optional) Step 4: Check the OOS execution.

    (Optional) Step 4: Check the OOS execution

    1. Log on to the OOS console.

    2. In the left-side navigation pane, choose Automated Task > Task Execution Management.

    3. Find the execution by its start time and click Details in the Actions column.

    4. On the execution details page, view the execution information.

      For example, you can view the execution ID and status in the Basic information section. You can also click a task node in the Execution Result section to view its details. For more information, see View the details of a task execution.

      Note

      If an execution fails, the execution details page displays the error message.

    FAQ

    If an orchestration task fails, refer to the error message in its execution result for troubleshooting. For more information, see FAQ.

    The following table describes common error messages:

    Error message

    Cause

    Solution

    Forbidden.Unauthorized message: A required authorization for the specified action is not supplied.

    Auto Scaling lacks the required authorization for the specified action.

    Check whether the required permissions are granted to the OOSServiceRole RAM role.

    Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM.

    The RAM user or RAM role does not have permission to operate on the specified resource.

    Ensure the OOSServiceRole RAM role has the necessary permissions to manage the resources specified in the OOS template. For example, you can grant the sample permissions for OOS to the role.

    LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and LifecycleHookId you provided does not match any in process lifecycle action.

    The lifecycle action in progress has expired or has been aborted.

    Review the timeout value for the lifecycle hook. Ensure the timeout is long enough for the orchestration tasks defined in the OOS template to complete.