Anti-DDoS Proxy is integrated with the alert monitoring feature of CloudMonitor. You can configure alert rules and real-time dashboards in the CloudMonitor console. After you configure an alert rule, CloudMonitor reports an alert when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. You can also view the monitoring details in real-time dashboards and troubleshoot exceptions. This topic describes how to configure alert rules and real-time dashboards.
Background
CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. For more information, see What is CloudMonitor?
Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) are integrated with the alert monitoring feature of CloudMonitor. You can configure alert notifications and real-time dashboards for the following events in the CloudMonitor console.
Event name | Event type | Description |
IP address traffic alert, Connection alerts, QPS alerts, and Status code alerts | Service metric monitoring and alerting | After you configure an alert rule for a service metric, CloudMonitor reports an alert notification when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. |
Alerts for DDoS blackhole filtering events and Alerts for DDoS mitigation events | Event monitoring and alerting | After you configure an alert rule for an event, CloudMonitor notifies you when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. The event that occurred on your Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance can be a blackhole filtering event, traffic scrubbing event, event of HTTP flood attacks at Layer 4, or event of HTTP flood attacks at Layer 7. |
DDoS monitor dashboard | Real-time dashboard | CloudMonitor provides the dashboard feature. You can customize the monitoring data that is displayed on a dashboard and view the monitoring data on the dashboard. You can aggregate monitoring data of different services and instances that run the same type of workloads by using one dashboard. You can configure a real-time dashboard for Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) in the CloudMonitor console. Then, you can monitor workloads of Anti-DDoS Proxy in a visualized and comprehensive manner. |
The following table lists the metrics that CloudMonitor provides for Anti-DDoS Proxy.
Metric | Dimension | Unit |
Out_Traffic | Instance or IP address | bit/s |
In_Traffic | Instance or IP address | bit/s |
Back_Traffic (traffic that is scrubbed by Anti-DDoS Proxy and is forwarded to the origin server) | Instance or IP address | bit/s |
AttackTraffic | Instance or IP address | bit/s |
Active_connection | Instance or IP address | Count |
Inactive_connection | Instance or IP address | Count |
New_connection | Instance or IP address | Count |
QPS | Domain name | Count/second |
qps_ratio_down | Domain name | % |
qps_ratio_up | Domain name | % |
resp200 | Domain name | Count |
upstream_resp2xx (Note: This metric covers back-to-origin status codes 200 to 299.) | Domain name | Count |
upstream_resp2xx_ratio | Domain name | % |
resp2xx (Note: This metric covers status codes 200 to 299.) | Domain name | Count |
resp2xx_ratio | Domain name | % |
upstream_resp3xx | Domain name | Count |
upstream_resp3xx_ratio | Domain name | % |
resp3xx | Domain name | Count |
resp3xx_ratio | Domain name | % |
upstream_resp403 | Domain name | Count |
resp403 | Domain name | Count |
upstream_resp404 | Domain name | Count |
upstream_resp404_ratio | Domain name | % |
resp404 | Domain name | Count |
resp404_ratio | Domain name | % |
upstream_resp405 | Domain name | Count |
resp405 | Domain name | Count |
resp410 | Domain name | Count |
resp499 | Domain name | Count |
upstream_resp4xx (Note: This metric covers back-to-origin status codes 400 to 499.) | Domain name | Count |
upstream_resp4xx_ratio | Domain name | % |
resp4xx (Note: This metric covers status codes 400 to 499.) | Domain name | Count |
resp4xx_ratio | Domain name | % |
upstream_resp502 | Domain name | Count |
resp502 | Domain name | Count |
upstream_resp503 | Domain name | Count |
resp503 | Domain name | Count |
upstream_resp504 | Domain name | Count |
resp504 | Domain name | Count |
upstream_resp5xx (Note: This metric covers back-to-origin status codes between 500 and 599.) | Domain name | Count |
upstream_resp5xx_ratio | Domain name | % |
resp5xx (Note: This metric covers status codes between 500 and 599.) | Domain name | Count |
resp5xx_ratio | Domain name | % |
Prerequisites
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Procedure
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the CloudMonitor Alerts page, find the event for which you want to configure an alert rule and click CloudMonitor Notification in the Interaction Configuration column.
Event name | Procedure |
Traffic Alerts by IP Address, Connection Alerts, QPS Alerts, and Alerts on Status Codes | In the CloudMonitor console, create a threshold-triggered alert rule for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure service metric monitoring and alerting. |
Alerts on Blackhole Filtering Events and Alerts on Scrubbing Events | In the CloudMonitor console, create an event-triggered alert rule for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure event monitoring and alerting. |
DDoS Dashboard | In the CloudMonitor console, create a real-time dashboard and charts for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure a real-time dashboard. |
Configure service metric monitoring and alerting
In the CloudMonitor console, create an alert contact. If you have created an alert group, skip this step.
In the left-side navigation pane, choose .
On the Alert Contacts tab, click Create Alert Contact.
In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
Create an alert contact group. If you have created an alert group, skip this step.
Note
CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.
In the left-side navigation pane, choose .
On the Alert Contact Group tab, click Create Alert Contact Group.
In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you create from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.
Create one or more threshold-triggered alert rules.
In the left-side navigation pane, choose .
On the Alert Rules page, click Create Alert Rule.
In the Create Alert Rule panel, configure the parameters and click Confirm.
Parameter | Description |
Product Type | Select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). |
Resource Range | The range of the resources to which the alert rule applies. Valid values: All Resources: The alert rule applies to all resources of the specified cloud service; Application Groups: The alert rule applies to all resources in the specified application group of the specified cloud service; Instances: The alert rule applies to the specified resources of the specified cloud service. |
Rule Description | The content of the alert rule. The parameters in this section specify the conditions that trigger an alert. To specify the rule description, perform the following steps: (1) Click Add Rule and select a metric type from the drop-down list. (2) In the Configure Rule Description panel, enter a rule name in the Alert Rule field and configure the Metric Type parameter. Valid values of the Metric Type parameter: Simple Metric: Select a metric and set the threshold and alert level for the metric; Combined Metrics: Select an alert level and specify alert conditions for two or more metrics in the Multi-metric Alert Condition section (Note: If a multi-metric alert rule is configured, the desired resource must have data on each metric. An alert can be triggered only if the related conditions are met. For example, if a multi-metric alert rule includes Internet metrics but the ECS instance is not configured with an elastic IP address (EIP), alerts cannot be triggered.); Expression: Select an alert level and then configure an alert expression; Dynamic Threshold: For more information about dynamic thresholds, see Overview and Create dynamic threshold-triggered alert rules (Note: The dynamic threshold feature is in invitational preview. To use the feature, you must submit a ticket.). (3) Click OK. |
Mute For | The interval at which CloudMonitor resends alert notifications before an alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. If a metric value reaches the threshold, CloudMonitor sends an alert notification. If the metric value reaches the threshold again within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends an alert notification. For example, if the Mute For parameter is set to 12 Hours and the alert is not cleared, CloudMonitor resends an alert notification after 12 hours. |
Effective Period | The period during which the alert rule is effective. CloudMonitor sends alert notifications based on the alert rule only within the effective period. Note: If an alert rule is not effective, no alert notification is sent. However, the alert history is still displayed on the Alert History page. |
Alert Contact Group | Select the alert contact groups to which you want to send alert notifications. |
Tag | The tag of the alert rule. A tag consists of a tag key and a tag value. Note: You can set a maximum of six tags. |
Alert Callback | The callback URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP requests are supported. For more information about how to configure alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts. To test the connectivity of an alert callback URL, perform the following steps: (1) Click Test next to the callback URL. (2) In the Webhook Test panel, check and troubleshoot the connectivity of the alert callback URL based on the returned status code and test result details. (Note: To obtain the details of the test result, configure the Test Template Type and Language parameters and click Test.) (3) Click Close. Note: You can click Advanced Settings to configure this parameter. |
Auto Scaling, Log Service, Simple Message Queue (formerly MNS), and Function Compute | You do not need to specify these parameters. For more information, see Create an alert rule. |
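The Mute For behaviour described in the parameter table above, modelled as an added example (not CloudMonitor code and not part of the original page). The In_Traffic samples, the threshold, and the function names are constructed for illustration, and the model assumes one evaluation per sample.

```python
from datetime import datetime, timedelta

def notification_times(samples, threshold, mute_for):
    """Model of the Mute For rule: return the timestamps of sent notifications.

    samples  -- (timestamp, value) pairs in time order
    mute_for -- timedelta; no resend until this much time has passed
    """
    sent, last_sent = [], None
    for ts, value in samples:
        if value < threshold:
            continue  # metric has not reached the threshold
        # First breach, or the mute period since the last notification ended.
        if last_sent is None or ts - last_sent >= mute_for:
            sent.append(ts)
            last_sent = ts
    return sent

# Constructed In_Traffic samples (bit/s), one every 5 minutes.
START = datetime(2024, 1, 1, 0, 0)
MBITS = [200, 900, 950, 100, 920, 930, 940, 910, 150]
SAMPLES = [(START + timedelta(minutes=5 * i), v * 1_000_000)
           for i, v in enumerate(MBITS)]
THRESHOLD = 800_000_000  # hypothetical alert threshold, bit/s

def minutes_after_start(mute_minutes):
    """Minute offsets of the notifications for a given Mute For value."""
    sent = notification_times(SAMPLES, THRESHOLD, timedelta(minutes=mute_minutes))
    return [int((ts - START).total_seconds() // 60) for ts in sent]

if __name__ == "__main__":
    for mute in (5, 30, 60):
        print(f"Mute For {mute:>2} min -> notified at minutes {minutes_after_start(mute)}")
```

With a 60-minute mute, the second breach at minute 20 produces no notification of its own, which is the trade-off to weigh when choosing a long Mute For value.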
Configure event monitoring and alerting
In the CloudMonitor console, create an alert contact. If you have created an alert group, skip this step.
In the left-side navigation pane, choose .
On the Alert Contacts tab, click Create Alert Contact.
In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
Create an alert contact group. If you have created an alert group, skip this step.
Note
CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.
In the left-side navigation pane, choose .
On the Alert Contact Group tab, click Create Alert Contact Group.
In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you create from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Co
Create one or more event-triggered alert rules.
In the left-side navigation pane, choose .
On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner and then click Create Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
Section | Parameter | Description |
Basic Info | Alert Rule Name | Enter a name for the alert rule. |
Event-triggered Alert Rules | Product Type | Select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). |
Event Type | Select the type of event for which you want to send alert notifications. Valid values: DDoS Blackhole Filtering: blackhole filtering events; DDoS Traffic Scrubbing: traffic scrubbing events; Layer 4 Flood Attack: events of flood attacks at Layer 4; Layer 7 HTTP Flood Attack: events of HTTP flood attacks at Layer 7. |
Event Level | Select the level of event for which you want to send alert notifications. Only CRITICAL is supported for the preceding types of events. |
Event Name | Select the event for which you want to send alert notifications. The valid values of this parameter vary based on the value of the Event Type parameter. The following list describes the events of each event type: Blackhole filtering events: ddosdip_event_blackhole_add or ddoscoo_event_blackhole_add and ddosdip_event_blackhole_end or ddoscoo_event_blackhole_end; Traffic scrubbing events: ddosdip_event_defense_add or ddoscoo_event_defense_add and ddosdip_event_defense_end or ddoscoo_event_defense_end; Events of flood attacks at Layer 4: ddosdip_event_cc4_add or ddoscoo_event_cc4_add and ddosdip_event_cc4_end or ddoscoo_event_cc4_end; Events of HTTP flood attacks at Layer 7: ddosdip_event_cc7_add or ddoscoo_event_cc7_add and ddosdip_event_cc7_end or ddoscoo_event_cc7_end. |
Keyword Filtering | The keywords that are used to filter alert rules. Valid values: Contains any of the keywords: If the alert rule contains any one of the specified keywords, CloudMonitor sends an alert notification; Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, CloudMonitor sends an alert notification. Note: For more information about how to view the content of an event, see View system events. |
SQL Filter | The SQL statements that you want to use for filtering. You can use the and and or operators. For example, if you set this parameter to Warn and i-hp368focau7dp0hw****, CloudMonitor sends alert notifications only when the event content contains the instance i-hp368focau7dp0hw**** and the alert level Warn. |
Resource Range | Select All Resources. |
Notification Method | Alert Contact Group | Select the alert contact groups to which you want to send alert notifications. |
Alert Notification | Specify the severity level and notification method of the event alert. Valid values: |
Simple Message Queue (formerly MNS), Function Compute, URL Callback, and Log Service | You do not need to specify these parameters. For more information, see Manage system event-triggered alert rules (previous version). |
Mute For | Specify the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared. |
Optional. Query the events that recently occurred on Anti-DDoS Proxy in the CloudMonitor console.
On the Event Monitoring tab of the System Event page, select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland), specify the event type and the time range, and then click Search.
In the event list, click Details in the Actions column to view the details of an event.
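The event names in the Event Name row come in _add and _end pairs, so a list of queried events can be correlated to show which mitigations are still active. The following is an added example, not part of the original page or of CloudMonitor: the event tuples, the resource field, and the IP addresses are constructed, and only the event names come from the table above.

```python
import re
from datetime import datetime

# Event names from the Event Name row: <prefix>_event_<kind>_<phase>
EVENT_RE = re.compile(r"(ddosdip|ddoscoo)_event_(blackhole|defense|cc4|cc7)_(add|end)")

def correlate(events):
    """Pair _add events with their _end events.

    events -- (timestamp, event_name, resource) tuples in time order
    Returns (closed, still_open, unmatched):
      closed     -- [(key, start, end, duration_seconds)]
      still_open -- {key: start} for _add events with no _end yet
      unmatched  -- events with an unknown name or an _end without an _add
    """
    closed, still_open, unmatched = [], {}, []
    for ts, name, resource in events:
        m = EVENT_RE.fullmatch(name)
        if m is None:
            unmatched.append((ts, name, resource))
            continue
        prefix, kind, phase = m.groups()
        key = (prefix, kind, resource)
        if phase == "add":
            still_open.setdefault(key, ts)  # keep the earliest start on repeats
        elif key in still_open:
            start = still_open.pop(key)
            closed.append((key, start, ts, (ts - start).total_seconds()))
        else:
            unmatched.append((ts, name, resource))
    return closed, still_open, unmatched

def at(hhmm):
    """Constructed timestamp on a fixed sample day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (resource is a hypothetical protected IP address).
SAMPLE_EVENTS = [
    (at("10:00"), "ddoscoo_event_defense_add", "203.0.113.10"),
    (at("10:02"), "ddoscoo_event_blackhole_add", "203.0.113.10"),
    (at("10:20"), "ddoscoo_event_defense_end", "203.0.113.10"),
    (at("10:25"), "ddosdip_event_cc7_end", "203.0.113.20"),
    (at("10:30"), "ddosdip_event_cc4_add", "203.0.113.20"),
]

if __name__ == "__main__":
    closed, still_open, unmatched = correlate(SAMPLE_EVENTS)
    for key, start in still_open.items():
        print("still active:", key, "since", start)
    for key, start, end, secs in closed:
        print("ended:", key, f"after {secs:.0f} s")
    for ts, name, resource in unmatched:
        print("unmatched:", name, resource)
```

An entry left in still_open for a blackhole event means that no matching _end event has been seen for that resource in the queried time range.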
Configure a real-time dashboard
In the left-side navigation pane of the CloudMonitor console, click Dashboard.
On the Custom Dashboard page, click Add Dashboard.
In the Add Dashboard Group dialog box, specify a dashboard name and click Confirm.
After the dashboard is created, you can view the dashboard on the Custom Dashboard tab.
Click the name of the dashboard and click Add View. In the Add Chart panel, configure a chart.
Select a chart type. The following chart types are supported: Line, Area, Table, Heat Map, and Pie Chart.
Configure one or more metrics. Click the Dashboards tab and select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). Then, configure the Metric Name and Resource parameters.
Metric Name: Select the metrics that you want to monitor.
Resource: Select Apply Group, Cloud product instance, or Monitoring Instance based on your business requirements. Then, select the Anti-DDoS Proxy instance and the IP address of the asset that you want to monitor.
Note
Click Add Metric if you want to add more metrics.
Click OK to create the chart.
You can repeat the preceding steps to add more charts to the dashboard.