Abstract: The author of this article is Ziji ZJ. It introduces how to raise alerts on load balancer (SLB) changes by configuring custom rules in Configuration Audit (CONFIG) together with Log Service (SLS) alerting.

Preface

Configuration Audit (CONFIG) consolidates the resources scattered across your regions into one global resource inventory, so that you can easily search resources globally, evaluate resource configurations against rules, and single out configuration operations that do not meet business requirements. This article shows how to combine Configuration Audit (CONFIG) custom rules with Log Service (SLS) alerting to raise an alert whenever a specified Server Load Balancer (SLB) changes, helping an enterprise notice changes quickly and react in time.

Background

Cloud accounts fall mainly into three kinds: the Alibaba Cloud primary account, RAM users and RAM roles. The primary account has complete control over all resources, and RAM users or RAM roles that have been granted high-level permissions can control resources as well. Blocking such behaviour before a change operation is made falls within the scope of Service Control Policies (SCP) (this restriction can only be enforced when the enterprise has completed verification of the account and enabled Resource Directory) and is not discussed in this article. Quickly sensing a change after it has happened is just as important. An operations engineer from company A asked us a question: the company's core business is deployed on Alibaba Cloud with an elastic computing architecture of ECS + Server Load Balancer (SLB) + relational database RDS, and they worry every day that an exception in a core service will cause a business interruption; they would like to receive a notification promptly after any change, and asked whether there is a solution. We recommended Configuration Audit (CONFIG) combined with Log Service (SLS) alerting. How does this product combination achieve these goals?

The flow chart

The flow chart of the whole scheme is shown above. Employee A modifies the configuration of a core business load balancer (SLB) of the enterprise. The resource configuration data is picked up and stored by Configuration Audit (CONFIG) and evaluated by rules that listen for changes to the resource. The rules engine receives input parameters containing the diff data of the resource change. If the rule is a custom rule, the rules engine invokes the configured Function Compute (FC) function. The function filters for changes to the target resource and writes the change data to Log Service (SLS). Log Service, through the configured alert policy, triggers an alert and notifies the administrators. The other two solid lines indicate that the administrator can open Configuration Audit (CONFIG) to view the resource timeline and Log Service (SLS) to view the specific configuration changes of the resource.

Create a new logstore

Create a new logstore to store the change data of the target resource; the alert policy will be configured on this logstore. I will not go into detail here about how to create a log project and logstore; refer to the Log Service documentation. The log project used in this case is Aliyun-FC-CN-Hangzhou-26064C43-65DC-5734-8175-3C0FDFC784DF, and the logstore is specific-config-alert.

Create a new Function Compute (FC) function

Custom rules in Configuration Audit (CONFIG) are implemented with Function Compute (FC). The function may belong to any region; in this case the selected region is China East 1 (Hangzhou).

I created a function based on the AliMebot-NodeJS template.

We create a new function named specific-config-change-alert under the service configService.

The internal business logic of the function is designed as follows:

  1. Support an optional extra parameter, arn, so that an alert can be raised for one specific resource; if no ARN is specified, every change to a resource of this type raises an alert.
  2. Call the Log Service (SLS) SDK and store the change data as logs in the logstore.

The code logic is as follows:

```javascript
const ALY = require('aliyun-sdk'); // Alibaba Cloud Node.js SDK

exports.handler = function (event, context, callback) {
  const sls = new ALY.SLS({
    // Temporary credentials injected by the RAM role the function runs under.
    // The primary-account AccessKey has rights to every API, which is very risky:
    // create and use a RAM account (or, as here, a RAM role) for API access.
    accessKeyId: context.credentials.accessKeyId,         // AccessKey ID
    secretAccessKey: context.credentials.accessKeySecret, // AccessKey Secret
    securityToken: context.credentials.securityToken,     // STS token that comes with the RAM role
    endpoint: 'http://cn-hangzhou.log.aliyuncs.com',       // Log Service endpoint; Hangzhou here, adjust to your region
    apiVersion: '2015-06-01'                               // SDK API version, fixed value
  });

  // ------------------------------- put logs -------------------------------
  const projectName = 'aliyun-fc-cn-hangzhou-26064c43-65dc-5734-8175-3c0fdfc784df'; // the log project created above
  const logStoreName = 'specific-config-alert';                                   // the logstore created above

  const parsed = JSON.parse(event); // convert the input parameter to a JS object
  // Configuration Audit passes: invokingEvent (change data), ruleParameters
  // (extra user-defined parameters of the rule) and resultToken
  if (!parsed || !parsed.invokingEvent) {
    callback(null, event);
    return;
  }
  const specificArn = parsed.ruleParameters && parsed.ruleParameters.arn; // optional target resource ARN

  // Flatten every top-level field of invokingEvent into key/value log contents
  const transformData = Object.keys(parsed.invokingEvent).map(function (k) {
    return { key: k, value: JSON.stringify(parsed.invokingEvent[k]) };
  });
  const logGroup = {
    logs: [{ time: Math.floor(new Date().getTime() / 1000), contents: transformData }],
    topic: 'special-config-change'
  };
  const resourceArn = parsed.invokingEvent.configurationItem &&
    parsed.invokingEvent.configurationItem.arn;

  // If the rule does not specify a target ARN, every change of the filtered
  // resource type is written to Log Service (SLS)
  if (!specificArn || specificArn === resourceArn) {
    sls.putLogs({ projectName: projectName, logStoreName: logStoreName, logGroup: logGroup },
      function (err, data) {
        if (err) { callback(err); return; }
        callback(null, data);
      });
  } else {
    callback(null);
  }
};
```

The function runs under the specified RAM role, so that role must be granted permissions. In this case the RAM role needs permission to write to the specified logstore:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["log:PostLogStoreLogs", "log:PutLogs"],
      "Resource": "acs:log:*:*:project/aliyun-fc-cn-hangzhou-26064c43-65dc-5734-8175-3c0fdfc784df/logstore/*",
      "Effect": "Allow"
    }
  ]
}
```

Create a new Configuration Audit (CONFIG) rule

Go to the Configuration Audit console -> Rules -> New Rule -> New Custom Rule. A custom rule hands the rule evaluation logic over to Function Compute (FC).

Setting Basic Properties

We select the function created earlier and set the rule name; for the trigger mechanism we choose "Configuration Change", meaning the custom rule is executed whenever a configuration changes.

Set the scope of evaluated resources

Selecting SLB load balancer as the resource type means that only configuration changes to resources of type SLB load balancer trigger the function.

Parameter Settings

In the function design above we added an optional parameter, so that users who only need alerts for a particular resource can configure it on the custom rule.

Since I did not enter anything in the expected value column, the function is triggered for changes to every resource of the type Server Load Balancer (SLB). You can also enter an expected value, namely the ARN of the target resource.
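To make the ARN filtering behaviour concrete, here is an added example (not the article's function and not Alibaba Cloud code) that isolates the rule evaluation as a pure function and exercises it with a constructed Configuration Audit event; the ARN, account id and `nowSeconds` parameter are assumptions for the test.

```javascript
// Added example: the evaluation logic of the custom Config rule as a pure function.
// Returns the SLS logGroup that would be written, or null when the change is ignored.
// `nowSeconds` is an assumed parameter so the timestamp is deterministic in tests.
function evaluateConfigEvent(eventJson, nowSeconds) {
  const parsed = JSON.parse(eventJson);
  // Configuration Audit passes invokingEvent, ruleParameters and resultToken; bail out otherwise
  if (!parsed || !parsed.invokingEvent) return null;
  const specificArn = parsed.ruleParameters && parsed.ruleParameters.arn;
  const item = parsed.invokingEvent.configurationItem;
  const resourceArn = item && item.arn;
  // An empty or missing ARN parameter means "alert on every change of the resource type"
  if (specificArn && specificArn !== resourceArn) return null;
  // Flatten every top-level field of invokingEvent into key/value log contents
  const contents = Object.keys(parsed.invokingEvent).map(function (k) {
    return { key: k, value: JSON.stringify(parsed.invokingEvent[k]) };
  });
  return { logs: [{ time: nowSeconds, contents: contents }], topic: 'special-config-change' };
}

// Constructed sample event: an SLB listener change with the fields the function reads.
// The ARN and account id are placeholders, not real resources.
const SAMPLE_ARN = 'acs:slb:cn-hangzhou:123456789012:instance/lb-example';
const SAMPLE_EVENT = JSON.stringify({
  invokingEvent: {
    configurationItem: { arn: SAMPLE_ARN, resourceType: 'ACS::SLB::LoadBalancer' },
    configurationItemDiff: { Listeners: { before: [], after: [{ port: 443 }] } }
  },
  ruleParameters: { arn: '' }, // expected value left empty, as in the article
  resultToken: 'constructed-token'
});

// Same event, but with the rule's expected value (target ARN) set
function withTargetArn(eventJson, arn) {
  const ev = JSON.parse(eventJson);
  ev.ruleParameters = { arn: arn };
  return JSON.stringify(ev);
}
```

With the expected value empty, or equal to the resource ARN, the change is written to the logstore; with a different ARN it is silently dropped, and a malformed event without invokingEvent is ignored.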

Configure the Log Service alert

Open the newly created logstore in Log Service (SLS), enter the query SELECT COUNT(1) AS C, click Save as Alarm after running the query, and then configure the Log Service alert.

The alert configuration I set is as follows: every 5 minutes, query the log data of the last 5 minutes, and if the query result is > 0, trigger an SMS alert.

Verifying the effect

We add a listener to the SLB load balancer. After a short while, we see that a configuration change has been written to the logstore.

The alarm was sent directly to my phone via text message.

Conclusion

Configuration Audit (CONFIG) triggers custom rules on resource configuration changes, which supports many customer scenarios, such as custom compliance checking logic (refer to the documentation), automated actions and even automatic remediation.

This article combined it with Log Service (SLS) alerting to help customers quickly notice resource changes and be alerted to them.

This article is the original content of Aliyun, shall not be reproduced without permission.