Best practices for Redis applications

更新时间:
复制 MD 格式

Cloud Config provides built-in rules to evaluate your Tair (Redis OSS-compatible) instances against best practices for security and stability. These rules check instance types, audit log settings, public network access, whitelists, multi-zone disaster recovery, renewal and expiration, and change management.

Rule name

Rule description

Audit log retention for Redis instances meets requirements

A Redis instance is considered "compliant" if its audit log is enabled and the log retention period is greater than or equal to the specified value. Default value: 180 days.

Redis instances are multi-zone instances

A Redis instance is considered "compliant" if it is a multi-zone instance.

Redis instances use the dual-replica node type

A Redis instance is considered "compliant" if its node type is dual-replica.

Redis instances have TDE enabled with a custom key

A Redis instance is considered "compliant" if transparent data encryption (TDE) is enabled with a custom key.

Audit logs are enabled for Redis instances

A Redis instance is considered "compliant" if audit logs are enabled. Instances of versions that do not support audit logs are considered "not applicable".

TLS encryption is configured for Redis instances

A Redis instance is considered "compliant" if TLS encryption is configured.

Redis instances are upgraded to the latest minor version

A Redis instance is considered "compliant" if it is upgraded to the latest minor version.

Release protection is enabled for Redis instances

A Redis instance is considered "compliant" if release protection is enabled. This rule does not apply to subscription instances, which are considered "not applicable".

High-risk commands are disabled for Redis instances

A Redis instance is considered "compliant" if high-risk commands are disabled.

Redis instances meet the specified QPS requirement

A Redis instance is considered "compliant" if its available queries per second (QPS) is greater than or equal to the specified parameter value. Default value: 1000.

Redis instances meet the specified bandwidth requirement

A Redis instance is considered "compliant" if its available bandwidth is greater than or equal to the specified parameter value. Default value: 1000 MB/s.

Redis instances meet the specified memory capacity requirement

A Redis instance is considered "compliant" if its total memory is greater than or equal to the specified parameter value. Default value: 1000 MB.

Public network access is disabled for Redis instances or the security whitelist is not configured to allow access from any source

A Redis instance is considered "compliant" if public network access is disabled or its security whitelist is not configured to allow access from any source. An instance is considered "non-compliant" if it has public network access enabled and its whitelist allows access from any source.

A reasonable backup time window is configured for Redis instances

A Redis instance is considered "compliant" if its automatic backup time falls within one of the time windows specified in the parameters. If the backup time window overlaps with your business peak hours, your services may be affected.

Expiration check for Redis subscription instances

A subscription Redis instance is considered "compliant" if its remaining subscription period is greater than the specified number of days. Default value: 30 days. Instances with auto-renewal enabled are also considered "compliant". This rule does not apply to pay-as-you-go instances, which are considered "not applicable".

Incremental backup is enabled for Redis instances

A Redis instance is considered "compliant" if incremental backup is enabled. This rule applies only to Tair instances. Other instance types are considered "not applicable".