Best practices for resource stability

更新时间:
复制 MD 格式

This topic describes the background, scenarios, and default rules of the resource stability best practices.

Business background

Risk control is a key concern for cloud customers. Many businesses choose Alibaba Cloud to improve business continuity by leveraging the platform's high availability. A critical part of improving business continuity is helping customers efficiently and comprehensively identify risks in their cloud resource configurations.

The following example illustrates a system failure caused by an improper cloud resource configuration:

A company's core system used a Basic Edition ApsaraDB RDS instance, which is designed for staging environments. The system ran smoothly because business fluctuations were minimal. However, during a sales promotion, the business volume increased by two to three times, and the real-time data processing volume increased by more than tenfold. This caused the database instance to respond slowly, which affected normal business operations. The issue was traced to the database instance configuration and resolved by upgrading the instance type.

Scenarios

Cloud Config inspects the static configurations of your core resources based on technical expertise and cloud service standards. It identifies potential issues and generates a report. You can then download the report and fix any misconfigurations, for example, by upgrading instance types or adjusting settings.

Static configurations refer to cloud resource settings, such as instance types and the zones where instances are deployed.

The following figure shows the workflow for using the resource stability best practices.场景流程

Default rules

Rule name

Rule description

Enable log backup for RDS instances

If log backup is not enabled, you risk being unable to restore data if binary logs are lost. An RDS instance with log backup enabled is compliant.

Use Dedicated RDS instances

An RDS instance that uses a Dedicated instance type is compliant.

The retention period of SQL audit logs for an RDS instance meets the specified requirement

An RDS for MySQL instance with SQL Audit enabled and a log retention period greater than or equal to the specified value is compliant. The default value is 180 days.

Use multi-zone RDS instances

An RDS instance that is deployed across multiple zones is compliant.

Prohibit public endpoints for RDS instances

An RDS instance without a public endpoint is compliant. We do not recommend configuring Direct Internet Access for RDS instances in a production environment because it makes them vulnerable to cyberattacks.

Set a reasonable maintenance window for RDS instances

An RDS instance is compliant if its maintenance window is within a time range specified by the parameter. If the maintenance window overlaps with your business's peak hours, your services may be affected.

Enable deletion protection for RDS instances

An RDS instance with deletion protection enabled is compliant. This feature is not supported for subscription instances. Therefore, the rule does not apply to them.

Correctly configure a whitelist for an RDS instance

An RDS instance that has a whitelist configured and the whitelist does not contain 0.0.0.0/0 is compliant.

Check the expiration of subscription Redis instances

A subscription Redis instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances.

Set a reasonable backup window for Redis instances

A Redis instance is compliant if its automatic backup window is within a time range specified by the parameter. If the backup window overlaps with your business's peak hours, your services may be affected.

The IP address whitelist for a Redis instance is not set to all CIDR blocks

A Redis instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant.

Disable high-risk commands for Redis instances

A Redis instance that has high-risk commands disabled is compliant.

Use Redis Cluster Edition instances

A Redis instance that uses the Cluster Edition architecture is compliant.

Check the expiration of subscription MongoDB clusters

A subscription MongoDB cluster is compliant if it expires in more than the specified number of days. The default value is 30 days. Clusters with auto-renewal enabled are also considered compliant.

Enable log backup for MongoDB instances

A MongoDB instance with log backup enabled is compliant.

Use Dedicated or Exclusive MongoDB instances

A MongoDB instance that is not a shared-resource instance is compliant.

The IP address whitelist for a MongoDB instance is not set to all CIDR blocks

A MongoDB instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant.

Check the expiration of subscription PolarDB clusters

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances.

Use PolarDB Cluster Edition instances

A PolarDB instance that is a Cluster Edition or Multi-master Cluster Edition instance is compliant. Use Single Node Edition databases with caution because they have slow fault recovery.

Set a reasonable maintenance window for PolarDB clusters

A PolarDB cluster is compliant if its maintenance window is within a time range specified by the parameter. If the maintenance window overlaps with your business's peak hours, your services may be affected.

The IP address whitelist for a PolarDB instance is not set to all CIDR blocks

A PolarDB instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant.

SNAT and DNAT in a NAT Gateway do not use the same EIP

A NAT Gateway where SNAT and DNAT do not use the same EIP is compliant. This rule does not apply to VPC NAT gateways.

The peak bandwidth is consistent for multiple EIPs bound to an SNAT entry

An SNAT entry in a NAT Gateway is compliant if its multiple bound EIPs are added to an Internet Shared Bandwidth instance or have the same peak bandwidth. This rule does not apply to VPC NAT gateways.

Health checks are configured for all listeners of an SLB instance

An SLB instance is compliant if health checks are enabled for all of its running listeners.

Health checks are configured for all listeners and forwarding rules of an ALB instance

An ALB instance is compliant if health checks are configured for all of its listeners and forwarding rules.

The default forwarding rules for all listeners of an ALB instance have at least the specified number of servers added

An ALB instance is compliant if the default forwarding rules associated with all its listeners have at least the specified number of backend servers added. By default, at least one server must be added for the instance to be compliant.

Check the expiration of subscription SLB instances

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances.

Enable release protection for ALB instances

Enabling release protection prevents instances from being released due to accidental operations. An instance with this feature enabled is compliant.

Enable release protection for SLB instances

An SLB instance with release protection enabled is compliant.

The SLB instance type meets requirements

An SLB instance is compliant if its instance type is one of those specified by the parameter. Use SLB instances that meet your performance requirements. Use shared-resource instances, which cannot guarantee performance metrics, with caution.

The bandwidth allocation for inter-region connections in a CEN instance meets the specified requirement

A CEN instance is compliant if the bandwidth allocated to all its inter-region connections is greater than the value specified by the parameter. The default value of the parameter is 1 Mbps.

Health checks are configured for all VBR connections in a CEN instance

A CEN instance is compliant if health checks are configured for all associated VBRs.

No overlapping CIDR blocks exist among vSwitches in the same region

The resource is compliant if no overlapping CIDR blocks exist among all vSwitches in the same region.

The ECS instance is not in the Stopped state

An ECS instance that is not in the Stopped state is compliant.

Check the expiration of subscription ECS instances

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances.

Set reasonable creation times for an automatic snapshot policy

An automatic snapshot policy is compliant if the snapshot creation times are within the time range specified by the parameter. Creating a snapshot temporarily reduces the I/O performance of block storage, typically by less than 10%, causing a brief slowdown. We recommend that you schedule snapshots during off-peak hours.

A specified protocol in a security group does not open high-risk ports to all CIDR blocks

A security group is compliant if its inbound rule is set to 0.0.0.0/0 and the port range for the specified protocol does not include the specified high-risk ports. If the inbound rule is not set to 0.0.0.0/0, the security group is compliant even if the port range includes the specified high-risk ports. If a detected high-risk port is denied by a higher-priority authorization policy, the security group is compliant. This rule does not apply to security groups used by Alibaba Cloud services or virtual service providers.

Configure CDN caching for a domain name

A domain name with CDN caching and a time-to-live (TTL) configured is compliant.

The origin configuration for an OSS-type CDN accelerated domain name is consistent

A CDN accelerated domain name is compliant if its origin type is set to OSS when its Origin Domain Name is an OSS domain name.

The public IP address whitelist for a Kafka instance is not open to all IP addresses

A Kafka instance whose public IP address whitelist is not open to all IP addresses is compliant.

An Elasticsearch instance does not have public access enabled or does not allow access from any IP address

An Elasticsearch instance is compliant if it does not have public network access enabled or its whitelist is not open to all IP addresses.

Kibana public access is not enabled for an Elasticsearch instance

An Elasticsearch instance is compliant if it does not have Kibana public network access enabled or its whitelist is not open to all IP addresses.

Enable versioning for an OSS bucket

If versioning is not enabled, data cannot be recovered if it is overwritten or deleted. A bucket with versioning enabled is compliant.

The ACL of an OSS bucket prohibits public-read-write access

An OSS bucket whose ACL policy prohibits public-read-write access is compliant.

Do not use deprecated ECS instance families

The resource is compliant if it does not use an ECS instance from the instance families specified by the parameter. By default, the parameter specifies retired or shared-resource instance families.

Do not use deprecated Elasticsearch instances

The resource is compliant if it does not use an Elasticsearch instance of the types specified by the parameter.

Use RDS Cluster Edition instances

The resource is compliant if it uses an RDS instance from the series specified by the parameter. The default value of the parameter is Cluster Edition or High-availability Edition.

Use managed ACK clusters of the Professional Edition

A managed cluster of the Professional Edition is compliant. This rule does not apply to unmanaged clusters.

Use Redis Enterprise Edition instances

A Redis instance of the Enterprise Edition is compliant.

Use multi-node MongoDB instances

A MongoDB instance that is deployed across multiple zones is compliant.

Use Platinum Edition RocketMQ instances

A RocketMQ instance of the Platinum Edition is compliant.

An ECS instance uses a specified operating system version

Businesses can standardize their internal OS versions and require all hosts in the production environment to use the same operating system. Operating systems that are no longer officially maintained must be upgraded promptly to prevent security vulnerabilities. An ECS instance is compliant if the English name of its operating system is in the specified whitelist or is not in the specified blacklist.

Do not use deprecated Elasticsearch instance versions

An Elasticsearch instance is compliant if its version is not in the range of deprecated versions specified by the parameter.

The minor version of a PolarDB database is stable

A PolarDB database whose current minor version is stable is compliant.

An ACK cluster is upgraded to the latest version

An ACK cluster that is upgraded to the latest version is compliant.

A Redis instance is upgraded to the latest minor version

A Redis instance that is upgraded to the latest minor version is compliant.

Enable release protection for ECS instances

An ECS instance with release protection enabled is compliant.

Enable deletion protection for an Elastic IP Address

An Elastic IP Address (EIP) with deletion protection enabled is compliant. This rule does not apply to EIPs that are created by a service account or are subscription-based because they do not support deletion protection.

Enable deletion protection for PolarDB clusters

A PolarDB cluster with deletion protection enabled is compliant.

Release protection is recommended for ACK clusters

An ACK cluster with release protection enabled is compliant.

Enable release protection for Redis instances

A Redis instance with release protection enabled is compliant.

Enable release protection for MongoDB instances

A MongoDB instance with release protection enabled is compliant.

Set a reasonable maintenance window for ADB clusters

An ADB cluster is compliant if its maintenance window is within a time range specified by the parameter.

Mount a volume to a container group of an ECI instance

A container group of an ECI instance that has a volume mounted is compliant.

Enable automatic backup for Elasticsearch instances

An Elasticsearch instance with automatic backup enabled is compliant.

Enable log backup for ADB clusters

An ADB cluster with log backup enabled is compliant.

The level-2 backup retention period for a PolarDB cluster meets the specified requirement

A PolarDB cluster is compliant if its level-2 backup retention period is greater than or equal to the specified number of days. The default value of the parameter is 30 days. A cluster is not compliant if level-2 backup is disabled or the retention period is less than the specified number of days.

Enable incremental backup for Redis instances

A Redis instance with incremental backup enabled is compliant. This rule applies only to Tair instances.

Configure an automatic snapshot policy for an ECS disk

An ECS disk with an automatic snapshot policy configured is compliant.

Use multi-zone Elasticsearch instances

An Elasticsearch instance that is deployed across multiple zones is compliant.

Use a multi-zone SLB instance and configure resources from multiple zones for the server group

An SLB instance is compliant if it is a multi-zone instance and resources from multiple zones are added to the server groups used by all its listeners.

Use multi-zone SLB instances

An SLB instance that is a multi-zone instance is compliant.

Enable a Hot Standby Cluster for a PolarDB cluster

A PolarDB cluster is compliant if it has a hot standby storage cluster enabled and its data is distributed across multiple zones.

A Redis instance is a multi-zone instance

A Redis instance that is a multi-zone instance is compliant.

Enable zone-redundant storage for an OSS bucket

If zone-redundant storage is not enabled, OSS cannot provide consistent service when a data center becomes unavailable, which affects data restoration objectives. An OSS bucket with zone-redundant storage enabled is compliant.

Use multi-zone MongoDB instances

A MongoDB instance that is deployed across multiple zones is compliant.

Check the expiration of an Internet Shared Bandwidth instance

An Internet Shared Bandwidth instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances.

Check the expiration of subscription RDS instances

Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. This rule does not apply to pay-as-you-go instances.

Check the expiration of a Bastionhost instance

A Bastionhost instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days.

Check the expiration of a subscription Elastic IP Address

An Elastic IP Address (EIP) is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule does not apply to pay-as-you-go instances.

Check the expiration of an ADB Data Warehouse Edition instance

An ADB Data Warehouse Edition instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule applies only to subscription resources and does not apply to pay-as-you-go instances.

Check the expiration of a CEN bandwidth plan

A CEN bandwidth plan is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days.

Check the expiration of a PolarDB-X 1.0 instance

A PolarDB-X 1.0 instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances.

Check the expiration of a PolarDB-X 2.0 instance

A PolarDB-X 2.0 instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances.

Check the expiration of a DDoS instance

A DDoS instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days.