Prepare for high-traffic events with DMS

更新时间:
复制 MD 格式

This topic guides you on how to use Data Management Service (DMS) to assess your database performance and security. By implementing preventive measures, you can ensure business stability and prevent system crashes from database overload during high-traffic events, avoiding potential financial losses.

Prerequisites

The control mode for the instance must be Security Collaboration. For more information, see Control modes.

Background information

During high-traffic events, a surge in business activity can place immense pressure on your database performance and data security.

As a major promotional event approaches, your database will face a significant stress test from increased traffic. While preparing for the event, you should assess your current database usage, estimate the traffic volume during the event, and understand how your development team will interact with the database. This assessment helps you proactively implement preventive measures.

Without preventive measures, high-traffic events can cause database issues such as:

  • An operations team member ran a slow query to gather event statistics, which ultimately degraded business performance.

  • A developer executed a schema change that impacted another business line's event running on the same database.

Performance and security

Limit query and export timeouts

You can set the query timeout and export timeout for a target instance in DMS to prevent long-running SQL statements from impacting your business.

We recommend a 60s query timeout and a 600s export timeout during normal periods. For high-traffic events, reduce these to 5s and 60s, respectively.

For detailed steps, see Modify an instance.

In the Modify Instance dialog box, locate the Query timeout (s) and Export timeout (s) fields. Enter the desired timeout values and save your changes.

Limit maximum rows per query

You can configure the maximum number of rows returned by a single query in the security rule settings. This prevents large data returns from affecting the response time of normal business requests.

We recommend a limit of 200 rows during normal periods and 10 rows during high-traffic events. For detailed steps, see SQL Console security rules.

On the Basic configurations tab of the rule set, find the Maximum number of returned rows per query setting, and then click Edit to modify its value.

Limit full table scan size

In the security rule settings, you can configure the maximum table size allowed for a full table scan. This prevents developers from running full table scan operations on very large tables during high-traffic events, which could impact your business.

We recommend a limit of 10240 MB during normal periods and 1024 MB during high-traffic events. For detailed steps, see SQL Console security rules.

On the Basic configurations tab of the rule set, find the Limit the maximum allowed SQL full table scan (MB) setting, and then click Edit to modify its value.

Change security

Block high-risk SQL

Use a security rule to control high-risk SQL statements (DQL, DDL, DML, and DCL) and prevent executions that could impact your business.

During normal periods, enable rules as needed. During high-traffic events, we recommend that you block high-risk SQL statements such as DDL. For detailed steps, see Security rules for SQL changes. In the security rule configuration, click SQL change in the left-side navigation pane and select the SQL execution rules tab. This page shows execution rules for DML, DDL, and DCL statements. Each statement type has two rules: one that allows direct execution in the SQL Console (shown as disabled) and another that requires execution through a ticket (shown as enabled). You can manage these rules using the Edit, Enable/Disable, and Delete buttons. If no rule is enabled, all change-related SQL statements and commands are blocked.

Enhance the approval process

During high-traffic events, we recommend adding high-level managers or business stakeholders as approval nodes in the approval process.

For normal operations, you can configure a standard approval process as needed, for example, Developer-->data owner-->DBA. For high-traffic events, we recommend an enhanced process, such as Developer-->data owner-->data owner's supervisor-->DBA. For detailed steps, see Create an approval process.

Control changes with change windows

The execution engine enforces a change window for an instance using both block and allow policies.

During high-traffic events, we recommend setting up change windows to restrict when users can initiate DDL, DML, and SELECT statements.

In the Change window list dialog box for the instance, click Add to create a change window rule. Each rule includes a type (such as Deny changes - DDL), a start and end time, and an enable/disable switch. You can remove a single rule by clicking Delete or clear all rules by clicking Clear database change window.

Data security

Increase the security level of sensitive columns

You can use the field security level adjustment feature to apply data masking to sensitive data fields such as personal information, phone numbers, ID numbers, and financial data to enhance data security. For detailed steps, see Adjust field security levels.

After you increase the security level of a field, its value is displayed as ** (asterisks) in SQL query results within DMS, indicating that the data has been successfully masked.

Enable the digital watermark feature

Enable the Digital watermark for data leak prevention feature in DMS to add a watermark across the console. This helps prevent data leaks from screenshots. For detailed steps, see Digital watermark for data leak prevention.

On the Configuration management page, search for "watermark", find the [Data Security] Digital watermark for data leak prevention parameter, and click Edit. In the Modify configuration item dialog box that appears, turn on the switch and click Confirm.

Manage sensitive data

Effectively manage sensitive data by identifying its distribution, applying fine-grained permission controls and data masking, and implementing the principle of least privilege for data access. For detailed steps, see Manage sensitive data.

Sensitive data protection supports various data sources, such as PolarDB, ADB, and MySQL, and is compatible with environments on Alibaba Cloud, other cloud providers, and on-premises data centers. Deploy identification tasks (immediate, one-time, or periodic), to automatically classify and grade data based on compliance standards such as PIPL, CSL, DSL, GDPR, HIPAA, and PCI DSS. It provides various data masking algorithms, including hashing, replacement, masking, transformation, and encryption. Two modes are supported: static data masking (for environment setup, data integration, and data development) and dynamic data masking (for SQL Console queries, application access, and API access). Fine-grained permission control is divided into three levels: no permission (content displayed as **), semi-masked permission (content displayed as ***st), and plaintext permission.

Row-level access control

Use row-level access control to ensure users can access only their designated rows in a table. For detailed steps, see Row-level access control.

In the Control value details dialog box, you can view the list of row values under a Control group. The list includes columns like Row value, Last modified by, and Last modified at. The dialog box also supports searching for row values and provides options to Add row value and Delete.

Set user permissions for metadata access

This prevents specified users from accessing metadata (including databases, instances, and tables) for which they do not have permissions. For detailed steps, see Metadata access control.

In the user management list, find the target user, click More in the corresponding Actions column, and then select Access control from the drop-down menu.

Set metadata visibility scope

This prevents unauthorized users from searching for or accessing metadata. For detailed steps, see Metadata access control.

In the instance list, click More for the target instance, and then select Access control from the drop-down menu.

Emergency response

Operation audit

This feature helps you quickly determine if a user changed a specific database or table in DMS within a specified time frame. For detailed steps, see Operation audit.

In the upper-right corner of the DMS SQL Console page, click Operation audit to access this feature.

Data tracking

You can use this feature to quickly recover data that has been accidentally deleted or updated. For detailed steps, see Data tracking.

The data tracking ticket details page is organized into three sections: 1) Basic Information, which includes submission time, task name, time range, database (with environment tag), table name, and the type of DML to retrieve (such as Insert); 2) File Acquisition, which shows the data retrieval progress with a progress bar; and 3) Approval. After the ticket is completed, the status at the top of the page changes to Ticket completed. You can perform subsequent actions by using buttons such as Create sub-ticket, Operation logs, and Close ticket.

Lock-free DML operation

In an emergency, you can perform large-volume data updates (UPDATE, DELETE) without causing long-term locks, even for queries that do not use an index. For more information, see Lock-free DML operation.

Lock-free DDL operation

Use this feature in emergencies to perform operations such as resizing table fields or adding indexes. For detailed steps, see Enable lock-free schema change.

High-traffic event solution

If you have not yet activated DMS, take advantage of our special offers: purchase the Stable Change edition for 2 instances for 3 months at only CNY 9.9, or the Security Collaboration edition for 2 instances for 3 months at only CNY 19.9. These editions improve data security, management efficiency, and data value. For more information, see the Alibaba Cloud purchase page.

For additional support, join our DingTalk user group (Group ID: 21991247).