This topic describes the background, scenarios, and default rules of the resource stability best practices.
Business background
Risk control is a key concern for cloud customers. Many businesses choose Alibaba Cloud to improve business continuity by leveraging the platform's high availability. A critical part of improving business continuity is helping customers efficiently and comprehensively identify risks in their cloud resource configurations.
The following example illustrates a system failure caused by an improper cloud resource configuration:
A company's core system used a Basic Edition ApsaraDB RDS instance, which is designed for staging environments. The system ran smoothly because business fluctuations were minimal. However, during a sales promotion, the business volume increased by two to three times, and the real-time data processing volume increased by more than tenfold. This caused the database instance to respond slowly, which affected normal business operations. The issue was traced to the database instance configuration and resolved by upgrading the instance type.
Scenarios
Cloud Config inspects the static configurations of your core resources based on technical expertise and cloud service standards. It identifies potential issues and generates a report. You can then download the report and fix any misconfigurations, for example, by upgrading instance types or adjusting settings.
Static configurations refer to cloud resource settings, such as instance types and the zones where instances are deployed.
The following figure shows the workflow for using the resource stability best practices.
Default rules
Rule name | Rule description |
If log backup is not enabled, you risk being unable to restore data if binary logs are lost. An RDS instance with log backup enabled is compliant. | |
An RDS instance that uses a Dedicated instance type is compliant. | |
The retention period of SQL audit logs for an RDS instance meets the specified requirement | An RDS for MySQL instance with SQL Audit enabled and a log retention period greater than or equal to the specified value is compliant. The default value is 180 days. |
An RDS instance that is deployed across multiple zones is compliant. | |
An RDS instance without a public endpoint is compliant. We do not recommend configuring Direct Internet Access for RDS instances in a production environment because it makes them vulnerable to cyberattacks. | |
An RDS instance is compliant if its maintenance window is within a time range specified by the parameter. If the maintenance window overlaps with your business's peak hours, your services may be affected. | |
An RDS instance with deletion protection enabled is compliant. This feature is not supported for subscription instances. Therefore, the rule does not apply to them. | |
An RDS instance that has a whitelist configured and the whitelist does not contain 0.0.0.0/0 is compliant. | |
A subscription Redis instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances. | |
A Redis instance is compliant if its automatic backup window is within a time range specified by the parameter. If the backup window overlaps with your business's peak hours, your services may be affected. | |
The IP address whitelist for a Redis instance is not set to all CIDR blocks | A Redis instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant. |
A Redis instance that has high-risk commands disabled is compliant. | |
A Redis instance that uses the Cluster Edition architecture is compliant. | |
A subscription MongoDB cluster is compliant if it expires in more than the specified number of days. The default value is 30 days. Clusters with auto-renewal enabled are also considered compliant. | |
A MongoDB instance with log backup enabled is compliant. | |
A MongoDB instance that is not a shared-resource instance is compliant. | |
The IP address whitelist for a MongoDB instance is not set to all CIDR blocks | A MongoDB instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant. |
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances. | |
A PolarDB instance that is a Cluster Edition or Multi-master Cluster Edition instance is compliant. Use Single Node Edition databases with caution because they have slow fault recovery. | |
A PolarDB cluster is compliant if its maintenance window is within a time range specified by the parameter. If the maintenance window overlaps with your business's peak hours, your services may be affected. | |
The IP address whitelist for a PolarDB instance is not set to all CIDR blocks | A PolarDB instance whose IP address whitelist is not set to 0.0.0.0/0 is compliant. |
A NAT Gateway where SNAT and DNAT do not use the same EIP is compliant. This rule does not apply to VPC NAT gateways. | |
The peak bandwidth is consistent for multiple EIPs bound to an SNAT entry | An SNAT entry in a NAT Gateway is compliant if its multiple bound EIPs are added to an Internet Shared Bandwidth instance or have the same peak bandwidth. This rule does not apply to VPC NAT gateways. |
Health checks are configured for all listeners of an SLB instance | An SLB instance is compliant if health checks are enabled for all of its running listeners. |
Health checks are configured for all listeners and forwarding rules of an ALB instance | An ALB instance is compliant if health checks are configured for all of its listeners and forwarding rules. |
An ALB instance is compliant if the default forwarding rules associated with all its listeners have at least the specified number of backend servers added. By default, at least one server must be added for the instance to be compliant. | |
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances. | |
Enabling release protection prevents instances from being released due to accidental operations. An instance with this feature enabled is compliant. | |
An SLB instance with release protection enabled is compliant. | |
An SLB instance is compliant if its instance type is one of those specified by the parameter. Use SLB instances that meet your performance requirements. Use shared-resource instances, which cannot guarantee performance metrics, with caution. | |
A CEN instance is compliant if the bandwidth allocated to all its inter-region connections is greater than the value specified by the parameter. The default value of the parameter is 1 Mbps. | |
Health checks are configured for all VBR connections in a CEN instance | A CEN instance is compliant if health checks are configured for all associated VBRs. |
No overlapping CIDR blocks exist among vSwitches in the same region | The resource is compliant if no overlapping CIDR blocks exist among all vSwitches in the same region. |
An ECS instance that is not in the Stopped state is compliant. | |
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule does not apply to pay-as-you-go instances. | |
Set reasonable creation times for an automatic snapshot policy | An automatic snapshot policy is compliant if the snapshot creation times are within the time range specified by the parameter. Creating a snapshot temporarily reduces the I/O performance of block storage, typically by less than 10%, causing a brief slowdown. We recommend that you schedule snapshots during off-peak hours. |
A specified protocol in a security group does not open high-risk ports to all CIDR blocks | A security group is compliant if its inbound rule is set to 0.0.0.0/0 and the port range for the specified protocol does not include the specified high-risk ports. If the inbound rule is not set to 0.0.0.0/0, the security group is compliant even if the port range includes the specified high-risk ports. If a detected high-risk port is denied by a higher-priority authorization policy, the security group is compliant. This rule does not apply to security groups used by Alibaba Cloud services or virtual service providers. |
A domain name with CDN caching and a time-to-live (TTL) configured is compliant. | |
The origin configuration for an OSS-type CDN accelerated domain name is consistent | A CDN accelerated domain name is compliant if its origin type is set to OSS when its Origin Domain Name is an OSS domain name. |
The public IP address whitelist for a Kafka instance is not open to all IP addresses | A Kafka instance whose public IP address whitelist is not open to all IP addresses is compliant. |
An Elasticsearch instance is compliant if it does not have public network access enabled or its whitelist is not open to all IP addresses. | |
Kibana public access is not enabled for an Elasticsearch instance | An Elasticsearch instance is compliant if it does not have Kibana public network access enabled or its whitelist is not open to all IP addresses. |
If versioning is not enabled, data cannot be recovered if it is overwritten or deleted. A bucket with versioning enabled is compliant. | |
An OSS bucket whose ACL policy prohibits public-read-write access is compliant. | |
The resource is compliant if it does not use an ECS instance from the instance families specified by the parameter. By default, the parameter specifies retired or shared-resource instance families. | |
The resource is compliant if it does not use an Elasticsearch instance of the types specified by the parameter. | |
The resource is compliant if it uses an RDS instance from the series specified by the parameter. The default value of the parameter is Cluster Edition or High-availability Edition. | |
A managed cluster of the Professional Edition is compliant. This rule does not apply to unmanaged clusters. | |
A Redis instance of the Enterprise Edition is compliant. | |
A MongoDB instance that is deployed across multiple zones is compliant. | |
A RocketMQ instance of the Platinum Edition is compliant. | |
Businesses can standardize their internal OS versions and require all hosts in the production environment to use the same operating system. Operating systems that are no longer officially maintained must be upgraded promptly to prevent security vulnerabilities. An ECS instance is compliant if the English name of its operating system is in the specified whitelist or is not in the specified blacklist. | |
An Elasticsearch instance is compliant if its version is not in the range of deprecated versions specified by the parameter. | |
A PolarDB database whose current minor version is | |
An ACK cluster that is upgraded to the latest version is compliant. | |
A Redis instance that is upgraded to the latest minor version is compliant. | |
An ECS instance with release protection enabled is compliant. | |
An Elastic IP Address (EIP) with deletion protection enabled is compliant. This rule does not apply to EIPs that are created by a service account or are subscription-based because they do not support deletion protection. | |
A PolarDB cluster with deletion protection enabled is compliant. | |
An ACK cluster with release protection enabled is compliant. | |
A Redis instance with release protection enabled is compliant. | |
A MongoDB instance with release protection enabled is compliant. | |
An ADB cluster is compliant if its maintenance window is within a time range specified by the parameter. | |
A container group of an ECI instance that has a volume mounted is compliant. | |
An Elasticsearch instance with automatic backup enabled is compliant. | |
An ADB cluster with log backup enabled is compliant. | |
The level-2 backup retention period for a PolarDB cluster meets the specified requirement | A PolarDB cluster is compliant if its level-2 backup retention period is greater than or equal to the specified number of days. The default value of the parameter is 30 days. A cluster is not compliant if level-2 backup is disabled or the retention period is less than the specified number of days. |
A Redis instance with incremental backup enabled is compliant. This rule applies only to Tair instances. | |
An ECS disk with an automatic snapshot policy configured is compliant. | |
An Elasticsearch instance that is deployed across multiple zones is compliant. | |
Use a multi-zone SLB instance and configure resources from multiple zones for the server group | An SLB instance is compliant if it is a multi-zone instance and resources from multiple zones are added to the server groups used by all its listeners. |
An SLB instance that is a multi-zone instance is compliant. | |
A PolarDB cluster is compliant if it has a hot standby storage cluster enabled and its data is distributed across multiple zones. | |
A Redis instance that is a multi-zone instance is compliant. | |
If zone-redundant storage is not enabled, OSS cannot provide consistent service when a data center becomes unavailable, which affects data restoration objectives. An OSS bucket with zone-redundant storage enabled is compliant. | |
A MongoDB instance that is deployed across multiple zones is compliant. | |
Check the expiration of an Internet Shared Bandwidth instance | An Internet Shared Bandwidth instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances. |
Renew subscription resources in advance to prevent service interruptions due to payment issues. A subscription instance is compliant if it expires in more than the specified number of days. The default value is 30 days. This rule does not apply to pay-as-you-go instances. | |
A Bastionhost instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. | |
An Elastic IP Address (EIP) is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule does not apply to pay-as-you-go instances. | |
Check the expiration of an ADB Data Warehouse Edition instance | An ADB Data Warehouse Edition instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. Instances with auto-renewal enabled are also considered compliant. This rule applies only to subscription resources and does not apply to pay-as-you-go instances. |
A CEN bandwidth plan is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. | |
A PolarDB-X 1.0 instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances. | |
A PolarDB-X 2.0 instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. This rule applies only to subscription resources and does not apply to pay-as-you-go instances. | |
A DDoS instance is compliant if it expires in more than the number of days specified by the parameter. The default value is 30 days. |