automatically release EIPs of ECS instances - - Alibaba Cloud Documentation Center

If you enable the lifecycle hook feature of Auto Scaling for an Elastic Compute Service (ECS) instance, you can perform custom operations on the ECS instance before the ECS instance is stopped. This provides an opportunity for you to release the elastic IP address (EIP) assigned to the ECS instance. If you combine the lifecycle hook feature with a CloudOps Orchestration Service (OOS) template, the process for releasing an EIP of an ECS instance is more simplified and automated.

Prerequisites

A scaling group is created. The scaling group is in the Enabled state. For information about how to create a scaling group, see Manage scaling groups.
EIPs are bound to ECS instances of the scaling group. For information about how to bind an EIP, see Associate or disassociate an EIP.
A RAM role is created for CloudOps Orchestration Service (OOS). The trusted entity of the RAM role must be Alibaba Cloud Service, the trusted service must be CloudOps Orchestration Service, and the RAM role must have the permissions to perform operations on the OOS template. For more information, see Use RAM to grant permissions to OOS.
Note
In this topic, the OOSServiceRole RAM role is used as an example. You can also use other roles.

Procedure

If EIPs are bound to the ECS instances of your scaling group, the EIPs are not automatically released when you delete the ECS instances. If you want the EIPs to be automatically released in this case, you can combine the lifecycle hook feature with an OOS template. In this topic, the ACS-ESS-LifeCycleReleaseEipAddressFromInstance public template is used as an example to implement automatic release of EIPs during a scale-in. You must complete the following steps:

Step 1: Grant a RAM role the permissions on OOS

You must have the permissions to execute OOS templates. In the ACS-ESS-LifeCycleReleaseEipAddressFromInstance OOS template, the following resources are included for O&M purposes: ECS instances, Auto Scaling resources, and EIPs.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
Find OOSServiceRole and click Grant Permission in the Actions column.
Add the required permissions for the OOSServiceRole RAM role that is assumed by OOS to complete the authorization.
In the Grant Permission panel, complete configuration based on your business requirements and click Grant permissions.
The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
Parameter
Description
Resource Range
Set the value to Account.
Policy
Select the following system policies: AliyunECSFullAccess, AliyunESSFullAccess, and AliyunEIPFullAccess.

Step 2: Create a lifecycle hook of the scale-in type and trigger a scale-in

Log on to the Auto Scaling console.
In the left-side navigation pane, click Scaling Groups.
In the top navigation bar, select the region where Auto Scaling is activated.
Find a scaling group and use one of the following methods to go to the scaling group details page:
- Click the ID of the scaling group in the Scaling Group Name/ID column.
- Click Details in the Actions column.

Create a lifecycle hook.

In the upper part of the scaling group details page, click the Lifecycle Hook tab.
Click Create Lifecycle Hook.

Configure parameters based on your business requirements and click OK.

The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.

Parameter	Description
Name	Enter ESSHookForReleaseEip.
Scaling Activity	Select Scale-in Event.
Timeout Period	Configure the Timeout Period parameter based on your business requirements. Unit: seconds. In this example, the Timeout Period parameter is set to 300. Note The timeout period is the period of time during which you can perform custom operations on ECS instances. If the timeout period is shorter than what is required to perform the custom operations, the operations may fail. We recommend that you assess the time required and configure the Timeout Period parameter based on your business requirements.
Default Execution Policy	Select Continue.
Send Notification When Lifecycle Hook Takes Effect	In this example, the following configurations are used: Select OOS Template. Select Public Templates. Select the `ACS-ESS-LifeCycleReleaseEipAddressFromInstance` public template. In the `ACS-ESS-LifeCycleReleaseEipAddressFromInstance` public template, select OOSServiceRole for OOSAssumeRole. In Step 1, the permissions on ECS, Auto Scaling, and EIP are granted to the OOSServiceRole RAM role. OSS obtains these permissions after it assumes the OOSServiceRole RAM role.

Trigger a scale-in.
A scale-in is triggered in this example by manually executing a scaling rule. You can also trigger scale-ins by using scheduled or event-triggered tasks.
Note
If scaling activities are triggered when you manually execute scaling rules, lifecycle hooks take effect. Lifecycle hooks do not take effect when you manually add or remove ECS instances to or from a scaling group.
1. In the upper part of the page that appears, click the Scaling Rules and Event-triggered Tasks tab.
2. On the Scaling Rules tab, click Create Scaling Rule.
3. In the Create Scaling Rule dialog box, configure parameters based on your business requirements and click OK.
  The following table describes the parameters that are used in this example. For parameters that are not described in the table, use the default settings.
  Parameter
  Description
  Rule Name
  Enter Delete1.
  Rule Type
  Select Simple Scaling Rule.
  Operation
  Set the value to Remove 1 Instances.
4. On the Scaling Rules tab, find the Delete1 scaling rule and click Execute in the Actions column.
5. In the Execute Scaling Rule message, click OK.
After the Delete1 scaling rule is executed, one ECS instance is to be removed. Due to the ESSHookForReleaseEip lifecycle hook, the ECS instance enters the Pending state and Auto Scaling notifies OOS to execute the O&M operations defined in the ACS-ESS-LifeCycleReleaseEipAddressFromInstance public template.
Check whether the execution result meets your expectations.
You can go to the Elastic IP Addresses page to check whether the corresponding EIP exists. If the EIP does not exist, the operation is successful.
Note
If the ECS instance is deleted but the EIP is not released, go to the OOS console to check the execution of the O&M task.

(Optional) Step 3: Check the execution of an O&M task

Log on to the OOS console.
In the left-side navigation pane, choose Automated Tasks > Task Execution Management.
Filter the O&M task by start time and click Details in the Actions column.
On the execution details page that appears, view the related information.
For example, you can view the execution ID and execution status in the Basic Information section. You can also click output or Log on the Execution Steps and Results page to view the execution details or logs. For more information, see View the details of an execution.
Important
If the O&M task failed, an error message is displayed on the execution details page.

Common errors and troubleshooting

If you fail to execute an O&M task, troubleshoot the issue based on the error message in the execution result. The following section describes the common error messages and solutions:

Error message: Forbidden.Unauthorized message: A required authorization for the specified action is not supplied.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the OOSServiceRole RAM role. Before OOS can manage the resources that are declared in the OOS template, you must grant the required permissions to the RAM role.
Error message: Forbidden.RAM message: User not authorized to operate on the specified resource, or this API doesn't support RAM.
Solution: Check whether the required permissions, such as the sample permissions in Step 1, are granted to the OOSServiceRole RAM role. Before OOS can manage the resources that are declared in the OOS template, you must grant the required permissions to the RAM role.
Error message: LifecycleHookIdAndLifecycleActionToken.Invalid message: The specified lifecycleActionToken and lifecycleActionId you provided does not match any in process lifecycle action.
Solution: Check whether the timeout period of the lifecycle hook is sufficient for the O&M task specified in the OOS template to complete.

References

If secondary elastic network interfaces (ENIs) that provide EIPs are bound to the ECS instances of your scaling group, the secondary ENIs are released but the EIPs are not when you delete the ECS instances. You can combine the lifecycle hook feature with OOS templates to implement automatic release of secondary ENIs and EIPs. For more information, see Automatically unbind secondary ENIs from ECS instances.
You can also combine the lifecycle hook feature with CloudOps Orchestration Service (OOS) to implement automatic binding of EIPs or ENIs that provide EIPs to ECS instances. For more information, see the following references:
- Automatically associate EIPs with ECS instances
- Automatically bind secondary ENIs to ECS instances

Parameter	Description
Resource Range	Set the value to Account.
Policy	Select the following system policies: `AliyunECSFullAccess`, `AliyunESSFullAccess`, and `AliyunEIPFullAccess`.

Parameter	Description
Rule Name	Enter Delete1.
Rule Type	Select Simple Scaling Rule.
Operation	Set the value to Remove 1 Instances.