You can use the custom authentication provided by Alibaba Cloud Managed Service for Prometheus to aggregate the data of multiple Prometheus instances that are owned by different Alibaba Cloud accounts. This way, you can monitor Prometheus instance metrics, visualize them in Grafana dashboards, and configure alerting for them in a unified manner.
Background information
Generally, creating multiple Alibaba Cloud accounts for an enterprise increases the complexity of O&M. Managed Service for Prometheus provides global aggregation instances to help you centrally manage monitoring data across Alibaba Cloud accounts. This allows you to query and manage alerts, and implement O&M for multiple accounts in a unified manner.
Prerequisites
Two Alibaba Cloud accounts (Account A and Account B) are created. Account A and Account B have been used to activate Managed Service for Prometheus. For more information, see Billing.
Prometheus instances are created with Account A and Account B. For more information, see Use the integration center to integrate data.
Usage notes
This topic uses Account A and Account B as an example to describe how to use a global aggregation instance to aggregate the data of multiple Prometheus instances. This way, you can use Account A to query the monitoring data of both accounts and manage alert rules for them.
Step 1: Create a global aggregation instance
Managed Service for Prometheus allows you to aggregate data by using one of the following methods:
Method 1: Use a resource directory
The multi-account architecture of your enterprise is built by using a resource directory. For more information about resource directories, see Resource Directory overview.
Set a delegated administrator for the trusted service in one of the following ways.
Method 1
- Log on to the Resource Management console by using the management account of your resource directory.
- In the left-side navigation pane, choose .
- On the Trusted Services page, find the trusted service for which you want to add a delegated administrator account, and click Manage in the Actions column.
- In the Delegated Administrator Accounts section, click Add and configure the Alibaba Cloud account with which you want to create a global aggregation instance as a delegated administrator.
Note: In this topic, Account A is configured as a delegated administrator.
- Click OK. Then, you can use the delegated administrator account to access the multi-account management module of the trusted service and perform administrative operations within the resource directory.
Method 2
Use the management account of your resource directory or a RAM role that has administrator permissions to call the RegisterDelegatedAdministrator operation in OpenAPI Explorer to configure the Alibaba Cloud account with which you want to create a global aggregation instance as a delegated administrator. Specify the following parameters.
Region: For the Chinese mainland, select China (Shanghai). For other regions, select Singapore.
AccountId: Enter the ID of the Alibaba Cloud account with which you want to create a global aggregation instance. In this topic, Account A is configured as a delegated administrator.
ServicePrincipal: Enter prometheus.aliyuncs.com.
Click Initiate Call.
Aggregate data.
Use Account A to log on to the Managed Service for Prometheus console.
In the left-side navigation pane, click Instances.
Click Create Prometheus Instance. On the Create Instance page, set the parameters as prompted and click Create.
Instance Type: Select Global Aggregation Instance.
Instance Name: Enter the name of the global aggregation instance.
Resource Group: Select a resource group.
Tags: Each tag is a case-sensitive key-value pair. You can add up to 20 tags.
Endpoint: Select the region where you want to configure alert rules. We recommend that you select the region with the largest number of Prometheus instances. Otherwise, the request duration and system stability may be affected.
Select the instances to be aggregated: Select Other Accounts (Resource Directory). Specify the Resource Directory Member Account parameter and select the Prometheus instance created with Account B.
Note: After you select Account B, Managed Service for Prometheus changes the status of the trusted service in the resource directory to Enabled.
You can select Prometheus instances in a different region to aggregate data across regions. To do so, you must first set the Endpoint parameter to the desired region.
Note: To modify the information of a global aggregation instance, click Edit in the Actions column. We recommend that you do not change the region after you create the global aggregation instance. Otherwise, the alert rules become invalid.
Method 2: Use a RAM role
Use Account B to create a RAM role.
Use Account B to log on to the Resource Access Management (RAM) console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.
In the Configure Role step, set RAM Role Name to AliyunPrometheusQueryRole, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, enter the ID of Account A, and then click OK.
Click the role. On the page that appears, click the Trust Policy tab, and then click Edit Trust Policy. In the editor, modify the trust policy to grant permissions to Account A.
Note: You can enter an array of Alibaba Cloud accounts in the trust policy to grant permissions to them.
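As an added example (not part of the original topic), this is the shape the trust policy of AliyunPrometheusQueryRole should have after the edit; ACCOUNT_A_ID is a placeholder for the ID of Account A, and adding further IDs to the RAM array trusts further accounts, as the note above describes:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "RAM": [
          "acs:ram::<ACCOUNT_A_ID>:root"
        ]
      }
    }
  ]
}
```

Because the principal is the root of Account A, any identity in Account A that holds sts:AssumeRole permission (for example a RAM user with the AliyunSTSAssumeRoleAccess policy granted later in this topic) can assume the role, so keep the array limited to the accounts that actually need to read Account B's data.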
Attach the AliyunRAMReadOnlyAccess and AliyunARMSReadOnlyAccess policies to AliyunPrometheusQueryRole. In the left-side navigation pane, choose Identities > Roles. On the Roles page, find the role and click Add Grant Permission in the Actions column.
In the Policy section of the Grant Permission panel, search for the AliyunRAMReadOnlyAccess and AliyunARMSReadOnlyAccess policies in the search box, add them to the right-side section, and then click Grant permissions.
Optional. Create a RAM user for Account A.
Note: If you want to aggregate Prometheus instance data from Account B into Account A, you need to create a RAM user for Account A.
If you want to aggregate Prometheus instance data from Account B into an existing RAM user of Account A, proceed to the next step.
Use Account A to log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.
OpenAPI Access
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.
Important: An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
Click OK.
Complete security verification as prompted.
Grant permissions to the RAM user.
Click the name of the RAM user. On the page that appears, click the Permissions tab.
Click Grant Permission. In the Policy section of the panel that appears, search for the AliyunSTSAssumeRoleAccess and AliyunARMSFullAccess policies in the search box, add them to the right-side section, and then click Grant permissions.
Aggregate data.
Log on to the Managed Service for Prometheus console as the RAM user.
In the left-side navigation pane, click Instances.
Find the global aggregation instance and click Edit in the Actions column. In the Select the instances to be aggregated section in STEP3, select Other Accounts (Custom Authentication).
In the search box next to Alibaba Cloud Account, enter the ID of Account B and click OK. The system displays all Prometheus instances that belong to Account B. Select the Prometheus instances to aggregate and click Edit Aggregate Instance.
Note: Only a RAM user that has been granted permissions on the other Alibaba Cloud account can modify the aggregated Prometheus instances of that account; the Alibaba Cloud account that owns the RAM user cannot do so directly.
Step 2: Query data of the global aggregation instance
After you create the global aggregation instance, you can view the performance metric data of the global aggregation instance in built-in Grafana dashboards.
On the Instances page, click the name of the global aggregation instance. In the left-side navigation pane, click Dashboards.
Step 3: Create an alert rule for the global aggregation instance
On the Instances page, click the name of the global aggregation instance. In the left-side navigation pane, click Alert rules.
On the Prometheus Alert Rules page, click Create Prometheus Alert Rule and create an alert rule as prompted. For more information, see Create an alert rule for a Prometheus instance.
Note: In the Data Preview section of the Create Prometheus Alert Rule page, the unique_cluster_id and unique_cluster_name of the global aggregation instance are displayed. This feature helps you identify the instances that trigger alerts.
Other operations
Edit the global aggregation instance
On the Instances page, find the global aggregation instance and click Edit in the Actions column. If you change the Endpoint parameter, the alert rules configured in the current region become invalid. Therefore, we recommend that you do not change the Endpoint parameter unless it is necessary.
Uninstall the global aggregation instance
If you no longer use the global aggregation instance, you can uninstall the instance.
On the Instances page, find the global aggregation instance and click Uninstall in the Actions column. In the message that appears, click OK. After the instance is uninstalled, it is no longer displayed on the Instances page.
FAQ
Do global aggregation instances charge fees?
Global aggregation instances are in public preview free of charge.
Do global aggregation instances synchronize data from other Prometheus instances?
Global aggregation instances do not synchronize data from other Prometheus instances. Instead, they provide an entry for data query.