Management Automation — Enterprises’ Inevitable Approach to Cloud Migration

Alibaba Cloud
Nov 4, 2020


By Xuming from Alibaba Cloud Open Platform

Why Do We Need Automation on the Cloud?

While serving customers, we found that foreign customers are more dependent on automation tools than domestic customers. It is widely acknowledged that a technology orientation, high labor costs, and high compliance requirements in management boost foreign companies' demand for IT system automation. Business-oriented domestic companies, which are at a different development stage and have a relatively sufficient workforce, tend to employ more inexpensive staff to do work that should be done by IT systems.

However, as cloud computing continues to mature, it is an inevitable trend for enterprises to migrate their business to the cloud. Under such circumstances, if domestic enterprises keep their old-fashioned ideas, their business operations will be negatively affected. Automating the management of cloud resources can reduce financial costs and increase enterprises’ efficiency and competitiveness by lowering technical thresholds.

Automation Needs of Enterprise Customers

Which dimensions of customers’ management automation on the cloud do we need to focus on? From a customer case, let’s learn the requirements of an enterprise’s cloud migration:

In the picture above, the customer wanted more than just the development of programming automation in the O&M field. The first thing the customer considered was how to manage budgets and staff. After communicating with the customer, we made a list of main requirements for the customer’s cloud migration:

1. Organization Management

Many enterprises have their own account and permission systems, which need to be interconnected with on-cloud systems. On Alibaba Cloud, enterprises can use Resource Access Management (RAM) (including identity management, permission management, and other components), resource management (including resource directories, resource groups, resource sharing, tags, and other components), and other products under the enterprise IT governance product line to interconnect those systems.

2. Orchestration Automation of Infrastructure

Alibaba Cloud has already provided more than 200 cloud services and more than 10,000 OpenAPIs. Resource orchestration tools, such as Terraform and Resource Orchestration Service (ROS), can help customers efficiently manage resources on the cloud and reduce the complexity of management with the concept of IaC.

3. Orchestration Automation of Application Programs

Open-source O&M tools, such as Ansible, Puppet, and Chef can be used for application deployment. Currently, Alibaba Cloud primarily supports Ansible and provides Operation Orchestration Service (OOS). The Open Application Model (OAM) specification was recently released as well, which further simplifies the application deployment process.

4. Security Requirements

Without automation, it is often too late to fix security loopholes manually. Powered by RAM and other security products, Alibaba Cloud’s OpenAPI system provides a high level of security to prevent various security issues.

5. Compliance Requirements

Compliance, on the one hand, requires external compliance, such as compliance of audit data and financial data. On the other hand, it requires compliance of internal data. Alibaba Cloud provides customers with ActionTrail and Config, as well as the compliance capabilities of industry clouds. This topic is described later in this article.

6. Monitoring Requirements

When monitoring the resources on the cloud, customers need to connect the monitoring system with operations of enterprises, including data integration and data visualization. Cloud Monitor is a useful tool for automatic monitoring on Alibaba Cloud. In addition to its visual interface, Cloud Monitor can connect to systems of customers through OpenAPI.

7. Cost Requirements

Cost requirements cover the financial compliance issues mentioned earlier (such as ledger accounts) as well as cost optimization. In this regard, Alibaba Cloud provides methods for tagging resources, such as Tag and resource groups. These tags and resource groups enable a more refined resource allocation for customers.

8. Situation Awareness

Customers can reserve resources in advance and quickly allocate resources based on the current resource usage and historical records, or according to prior planning. This requires cloud computing products to be capable of rapid scaling as well as perceiving resource usage and planning.

For the enterprise scenarios mentioned above, I would like to introduce the sample solution launched by the Alibaba Cloud Open Platform team, which integrates the preceding capabilities. The solution not only defines best practices for migrating enterprises’ IT to the cloud, but it also provides Terraform automation code. You can download the latest code from GitHub. Please visit this website and share your opinions with us.

Upgrade the OpenAPI Automation Capabilities

Beyond functional gaps, what technical problems with automation did customers encounter in the past? Again, let’s take a customer case as an example:

As shown in the picture above, Alibaba Cloud had several long-standing defects in terms of basic automation capabilities:

  • Insufficient coverage of orchestration products, such as Terraform, makes rapid orchestration impossible for some products.
  • Many ambiguous calling strategies at the OpenAPI level make it hard to optimize client efficiency. For example, the throttling threshold is not transparent, and callers run into problems with unknown causes.
  • For important resources, it is difficult for customers to know the quota limit of resources. Therefore, customers can only raise the demand through tickets with limited response speed.
  • Due to some historical reasons, many Alibaba Cloud products need to be manually activated, which becomes a stumbling block on the automation process.
  • Customers must manually authorize the inter-access among Alibaba Cloud products in the console. This stops the progress of automatic connection.

To solve these issues, Alibaba Cloud has made efforts to eliminate barriers that affect user experience and made some achievements.

Supporting Terraform for Products

WeWork is a company that focuses on the joint office community. It has chosen Alibaba Cloud as its partner and has carried out in-depth cooperation with Alibaba Cloud in basic resources, global network, security, IoT, big data, and other aspects. According to Yu Liang, Director of O&M, the infrastructure team of WeWork built a manageable self-service portal based on Terraform with fewer than two people in a few months. This portal can be fully deployed automatically within seconds. It can also support the infrastructure O&M of over 40 business systems with a three-person team, ensuring WeWork’s security and compliance.

WeWork manages Terraform based on GitHub and Atlantis

Currently, the number of products supported by Alibaba Cloud’s Terraform has increased from 40 to 53, and the number of resources has grown to 249. It can meet the needs of most scenarios. Alibaba Cloud will launch some tools in the second half of this year, such as cloud-based Terraform workflows and the ability to visually write Terraform templates. The former can reduce the extra burden of customers in building and managing their own Terraform workflows, and the latter can improve the user experience while lowering usage costs.

Quota Management

Quota management is another major problem in the process of automation. Users often want to know how many quotas they have, how many quotas they have used, how to increase quotas, and how to manage quotas in a more refined manner. To resolve the issue that users cannot quickly obtain and adjust quotas, Alibaba Cloud provides a quota center at this address. The following picture shows the main workflow of the quota center:

The Quota Center Mainly Solves Three Problems:

  • Product Quotas Request: After logging on to the corresponding page, users can check the quota settings and used quotas of 15 cloud products.
  • Self-Service Application for Adjusting Quotas: Users can directly submit an application for adjusting quotas to the corresponding cloud product administrator at the quota center. The administrator will make a quick decision on whether the application should be approved or not according to the real situation of customers.
  • Providing OpenAPI and Alerts for Getting Quotas: The application on the client-side may need to acquire quota information in real-time to determine the next operation process. When the quota is insufficient, the application sends an alert to users to adjust the operation strategies in time.

Hundreds of enterprise customers have applied for quota increases through the quota center since its launch. In the future, more cloud products will be able to solve quota issues in the quota center.

Automation Activation for Cloud Products

Many cloud products must be activated manually in the Alibaba Cloud console, which restricts the customers’ automation process in some cases. To address this difficulty, Alibaba Cloud has upgraded some related products. Among the products that needed to be manually activated in the past, 13 of them have been completely exempted from activation, and 9 of them have been provided with OpenAPI automatic activation. In addition, we will continue to upgrade products that need to be manually activated in the second half of this year to achieve 100% automation in the activation process.

Alibaba Cloud’s Terraform Provider supports the automatic activation of these products. Users only need to add the data source corresponding to the cloud product's activation to the template, set enable = "On", and run terraform apply to activate the product automatically. For example, the code for automatically activating Log Service with Terraform is listed below:

# Data source that activates Log Service when terraform apply runs
data "alicloud_log_service" "open" {
  enable = "On"
}

Cross-Service Access to SLR

In real business scenarios, users may encounter a situation where cloud service A needs to access the resources of cloud service B. For example, when you export images from ECS to OSS, the OSS upload interface of the customer must be called directly from the backend of ECS. These resources belong to the customer, but they are not managed by the same cloud service. Essentially, this process requires obtaining user identities and permissions. In the past, to perform this operation, you had to create a service role and grant permission through RAM on the quick authorization page (console). This process could not be automated.

The flowchart above shows that the Service Linked Role (SLR) mechanism does not require user intervention. A sub-user with product management permission can trigger the SLR creation of the related product. At the same time, the modification and deletion are strictly controlled to avoid misoperations.

Currently, up to 36 products support SLR and more products will be supported in the second half of this year. At that time, automatic cross-service access will no longer be a problem on Alibaba Cloud.

OpenAPI Access Compliance

In the compliance field, operation audit and resource audit are generally performed in common scenarios. However, the industry supervision principle is also an important reference factor. For example, in the finance cloud industry, cross-network calls must be made under controllable and secure conditions. This requires that cloud-based network calls comply with supervision requirements.

To meet such needs, Alibaba Cloud has upgraded its OpenAPI access compliance capability, as shown in the following picture:

In the past, customers accessed OpenAPI over the public network, as shown in the picture. Now, customers who need to access Alibaba Cloud OpenAPI from within a VPC network can change the target endpoint to xxx-vpc.[RegionId] when calling OpenAPI in a public cloud environment. All traffic destined for this target domain name is then forwarded over the internal network of Alibaba Cloud instead of the public network. This enhances security for specific industries.
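As an added example (not from the original article and not Alibaba Cloud's own code), the following Python check audits the OpenAPI endpoints configured in an automation project and reports any that do not use the xxx-vpc.[RegionId] form described above. The region-ID pattern, the product names, and the example.invalid suffix are assumptions or constructed placeholders, because the page does not give the full domain.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of a region ID (e.g. "cn-hangzhou"); the page only writes "[RegionId]".
REGION_ID = re.compile(r"^[a-z]{2}(-[a-z0-9]+)+$")


def endpoint_host(endpoint: str) -> str:
    """Return the lower-cased host of an endpoint given as a URL or a bare host[:port]."""
    if "://" not in endpoint:
        endpoint = "//" + endpoint  # lets urlsplit parse a bare host
    return (urlsplit(endpoint).hostname or "").lower()


def classify(endpoint: str) -> str:
    """'vpc' if the host starts with <product>-vpc.<RegionId>, 'public' if it names a
    region without the -vpc suffix, 'unknown' if no region label is recognised."""
    labels = endpoint_host(endpoint).split(".")
    if len(labels) < 3 or not REGION_ID.match(labels[1]):
        return "unknown"
    product = labels[0]
    # Require the suffix exactly: "ecs-vpc" passes, "ecs-vpc-proxy" does not.
    if product.endswith("-vpc") and len(product) > len("-vpc"):
        return "vpc"
    return "public"


def audit(endpoints: dict) -> dict:
    """Return {service name: verdict} for every endpoint that is not in the VPC form."""
    verdicts = {name: classify(ep) for name, ep in endpoints.items()}
    return {name: v for name, v in verdicts.items() if v != "vpc"}


# Constructed sample configuration; "example.invalid" is a placeholder suffix.
SAMPLE = {
    "ecs": "https://ecs-vpc.cn-hangzhou.example.invalid",
    "rds": "rds.cn-hangzhou.example.invalid:443",
    "slb": "https://slb-vpc-proxy.cn-shanghai.example.invalid/",
    "ram": "https://ram.example.invalid",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict} endpoint, expected the -vpc form")
```

Running such a check in CI before terraform apply or an SDK deployment catches endpoints that would send OpenAPI traffic over the public network; "unknown" results need manual review because they carry no region label.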


The automation capability is an important topic for enterprises’ large-scale migration to the cloud. Even small and medium-sized enterprises can benefit from this capability. On the one hand, enterprises need to choose proper integration tools based on their real situations. On the other hand, they need to make plans and designs related to financial and property laws before cloud migration. Alibaba Cloud will keep improving on-cloud enterprise automation capabilities and help customers achieve business success.
