# Tencent Cloud -- Operations
Deployment patterns, CLI recipes, monitoring, and troubleshooting for day-2 operations on Tencent Cloud.
## Deployment Patterns

### Account Structure
Tencent Cloud Organization (TCO) provides multi-account governance. The recommended approach is to create a management account, then organize member accounts into OUs by lifecycle stage (Core, Production, Non-Prod, Sandbox). SCPs applied at the OU level restrict allowed services and regions.
For IaC-driven provisioning, the tencentcloud Terraform provider covers CVM, VPC, CLB, CDB, TKE, CCN, and most other services.

```hcl
provider "tencentcloud" {
  region     = "ap-guangzhou"
  secret_id  = var.secret_id   # inject via variables or environment; never commit keys to source
  secret_key = var.secret_key
}

resource "tencentcloud_vpc" "main" {
  name       = "prod-vpc"
  cidr_block = "10.0.0.0/16"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.main.id
  name              = "app-subnet"
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-guangzhou-3"
}
```
### Resource Tagging
Tencent Cloud supports resource tags (key-value pairs) across most services. Tags are essential for cost allocation, access control (CAM tag-based policies), and automation.
```bash
# Tag a CVM instance
tccli tag AddResourceTag \
  --cli-unfold-argument \
  --Resource qcs::cvm:ap-guangzhou:uin/100000000001:instance/ins-xxxxxxxx \
  --TagKey env \
  --TagValue production
```

**Mandatory tags via CAM**

Create a CAM policy with a Condition block that denies resource creation when required tags (env, team, cost-center) are missing. Attach this policy to all user groups.
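A deny policy stops new untagged resources, but existing fleets still need auditing. The following script is an added example (not Tencent Cloud's own tooling) that reads the JSON printed by `tccli cvm DescribeInstances` and reports every instance missing one of the mandatory tags; the sample response and instance ids are constructed, and only the `InstanceSet[].InstanceId` and `Tags[].Key/Value` fields are assumed.

```python
"""Flag CVM instances that lack the mandatory tags (env, team, cost-center)."""
import json

REQUIRED_TAGS = ("env", "team", "cost-center")

# Constructed sample of a DescribeInstances response (ids are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "Response": {
        "TotalCount": 3,
        "InstanceSet": [
            {"InstanceId": "ins-aaaa0001", "InstanceName": "web-1",
             "Tags": [{"Key": "env", "Value": "production"},
                      {"Key": "team", "Value": "payments"},
                      {"Key": "cost-center", "Value": "cc-1001"}]},
            {"InstanceId": "ins-aaaa0002", "InstanceName": "batch-1",
             "Tags": [{"Key": "env", "Value": "production"}]},
            {"InstanceId": "ins-aaaa0003", "InstanceName": "adhoc",
             "Tags": []},
        ],
        "RequestId": "00000000-0000-0000-0000-000000000000",
    }
})


def missing_tags(raw_json: str, required=REQUIRED_TAGS) -> dict:
    """Return {instance_id: [missing tag keys]} for every non-compliant instance."""
    instances = json.loads(raw_json)["Response"]["InstanceSet"]
    report = {}
    for inst in instances:
        # Tags can be absent entirely; an empty Value counts as missing too.
        present = {t["Key"] for t in inst.get("Tags") or [] if t.get("Value")}
        missing = [k for k in required if k not in present]
        if missing:
            report[inst["InstanceId"]] = missing
    return report


if __name__ == "__main__":
    # Live use: tccli cvm DescribeInstances --region ap-guangzhou | python3 check_tags.py
    import sys
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for ins_id, keys in missing_tags(data).items():
        print(f"{ins_id}: missing {', '.join(keys)}")
```

Run it per region from the management account and feed the output into the tagging command above, or into an alarm, so drift is caught rather than silently accumulated.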
## CLI & SDK

### Installation

```bash
# Install tccli (Python-based)
pip install tccli

# Configure a profile. Passing keys on the command line leaves them in shell
# history; tccli also reads TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY
# from the environment, which is preferable on shared hosts.
tccli configure \
  --secretId AKIDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
  --secretKey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
  --region ap-guangzhou \
  --output json
```
### CVM (Cloud Virtual Machine)

```bash
# List all CVM instances in ap-guangzhou
tccli cvm DescribeInstances --region ap-guangzhou

# Describe a specific instance
tccli cvm DescribeInstances \
  --cli-unfold-argument \
  --InstanceIds ins-xxxxxxxx

# Start a stopped instance
tccli cvm StartInstances \
  --cli-unfold-argument \
  --InstanceIds ins-xxxxxxxx

# Create a system disk snapshot
tccli cbs CreateSnapshot \
  --cli-unfold-argument \
  --DiskId disk-xxxxxxxx \
  --SnapshotName "pre-deploy-2026-04-17"
```
### VPC & Networking

```bash
# List VPCs
tccli vpc DescribeVpcs --region ap-guangzhou

# List subnets in a VPC
tccli vpc DescribeSubnets \
  --cli-unfold-argument \
  --Filters.0.Name vpc-id \
  --Filters.0.Values vpc-xxxxxxxx

# Describe route table entries
tccli vpc DescribeRouteTables \
  --cli-unfold-argument \
  --RouteTableIds rtb-xxxxxxxx

# Create a security group rule (allow HTTPS inbound).
# 0.0.0.0/0 is appropriate only for a public-facing listener; for internal
# services restrict CidrBlock to the CLB subnet or the VPC range.
tccli vpc CreateSecurityGroupPolicies \
  --cli-unfold-argument \
  --SecurityGroupId sg-xxxxxxxx \
  --SecurityGroupPolicySet.Ingress.0.Protocol TCP \
  --SecurityGroupPolicySet.Ingress.0.Port 443 \
  --SecurityGroupPolicySet.Ingress.0.CidrBlock 0.0.0.0/0 \
  --SecurityGroupPolicySet.Ingress.0.Action ACCEPT
```
### TKE (Tencent Kubernetes Engine)

```bash
# List clusters
tccli tke DescribeClusters --region ap-guangzhou

# Get cluster kubeconfig
tccli tke DescribeClusterKubeconfig \
  --cli-unfold-argument \
  --ClusterId cls-xxxxxxxx

# Describe node pools
tccli tke DescribeClusterNodePools \
  --cli-unfold-argument \
  --ClusterId cls-xxxxxxxx
```
### TDSQL / CDB (Databases)

```bash
# List CDB (TencentDB for MySQL) instances
tccli cdb DescribeDBInstances --region ap-guangzhou

# Create a manual backup for a CDB instance
tccli cdb CreateBackup \
  --cli-unfold-argument \
  --InstanceId cdb-xxxxxxxx \
  --BackupMethod physical

# Initiate a failover (switch to standby)
tccli cdb SwitchForUpgrade \
  --cli-unfold-argument \
  --InstanceId cdb-xxxxxxxx

# List TDSQL instances
tccli dcdb DescribeDCDBInstances --region ap-guangzhou
```
### CCN (Cloud Connect Network)

```bash
# List CCN instances
tccli vpc DescribeCcns

# Describe CCN routes
tccli vpc DescribeCcnRoutes \
  --cli-unfold-argument \
  --CcnId ccn-xxxxxxxx

# Attach a VPC to a CCN instance
tccli vpc AttachCcnInstances \
  --cli-unfold-argument \
  --CcnId ccn-xxxxxxxx \
  --Instances.0.InstanceId vpc-xxxxxxxx \
  --Instances.0.InstanceRegion ap-guangzhou \
  --Instances.0.InstanceType VPC
```
## Monitoring & Alerting

### Cloud Monitor
Cloud Monitor collects host-level and service-level metrics automatically. It supports custom metrics, alarm policies, and event monitoring.
```bash
# List available metrics for CVM
tccli monitor DescribeBaseMetrics \
  --cli-unfold-argument \
  --Namespace QCE/CVM

# Get CPU utilization for a CVM instance (last hour, 5-minute granularity)
tccli monitor GetMonitorData \
  --cli-unfold-argument \
  --Namespace QCE/CVM \
  --MetricName CpuUsage \
  --Period 300 \
  --StartTime "2026-04-17T00:00:00+08:00" \
  --EndTime "2026-04-17T01:00:00+08:00" \
  --Instances.0.Dimensions.0.Name InstanceId \
  --Instances.0.Dimensions.0.Value ins-xxxxxxxx

# Create an alarm policy (CPU > 80% for 3 consecutive periods)
tccli monitor CreateAlarmPolicy \
  --cli-unfold-argument \
  --Module monitor \
  --PolicyName "cpu-high-prod" \
  --Namespace QCE/CVM \
  --MonitorType MT_QCE \
  --Remark "Alert when CPU exceeds 80 percent" \
  --Condition.Rules.0.MetricName CpuUsage \
  --Condition.Rules.0.Period 300 \
  --Condition.Rules.0.Operator gt \
  --Condition.Rules.0.Value 80 \
  --Condition.Rules.0.ContinuePeriod 3
```
### CLS (Cloud Log Service)
CLS is Tencent Cloud's centralized log management service. It supports real-time collection, search, dashboards, and alarming.
```bash
# Create a logset
tccli cls CreateLogset \
  --cli-unfold-argument \
  --LogsetName prod-logs \
  --Period 90

# Create a topic within the logset
tccli cls CreateTopic \
  --cli-unfold-argument \
  --LogsetId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --TopicName app-logs \
  --Period 30 \
  --Partition 2

# Search logs (CLS query syntax)
tccli cls SearchLog \
  --cli-unfold-argument \
  --TopicId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --From 1713340800000 \
  --To 1713344400000 \
  --Query "status:>=500 | SELECT count(*) as error_count, host GROUP BY host"
```

**Centralized logging across accounts**

In a TCO multi-account setup, configure CLS log shipping from each member account to a central COS bucket in the security account. Use CloudAudit tracking sets for API-level audit logs, and CLS for application and infrastructure logs.
## Troubleshooting

### CCN Connectivity Issues
| Symptom | Likely Cause | Resolution |
|---|---|---|
| VPC-to-VPC traffic fails across CCN | CIDR overlap between VPCs | Check the CCN route table for conflicting routes: `tccli vpc DescribeCcnRoutes --CcnId ccn-xxx`. CCN rejects overlapping CIDR routes by default. Reconfigure VPC CIDRs to eliminate the overlap. |
| Cross-region latency exceeds SLA | Insufficient CCN bandwidth tier | Upgrade from Silver to Gold or Platinum tier. Verify the bandwidth limit: `tccli vpc DescribeCcnRegionBandwidthLimits --CcnId ccn-xxx`. |
| CCN routes not propagating | VPC attachment pending acceptance | For cross-account CCN, the peer account must accept the attachment. Check status: `tccli vpc DescribeCcnAttachedInstances --CcnId ccn-xxx`. |
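Because CCN rejects overlapping routes, the cheapest fix is to catch the overlap before `AttachCcnInstances` runs. The script below is an added example (not Tencent Cloud's own tooling) that takes the `VpcSet[].VpcId/CidrBlock` fields from `tccli vpc DescribeVpcs` output for every candidate region, reports every overlapping pair, and answers whether a proposed new VPC CIDR can join safely; the sample VPCs and ids are constructed.

```python
"""Pre-flight check for CCN attachments: find overlapping VPC CIDRs."""
import ipaddress
import itertools
import json

# Constructed DescribeVpcs-style output gathered from several regions (placeholder ids).
SAMPLE_VPCS = json.dumps({"Response": {"VpcSet": [
    {"VpcId": "vpc-gz000001", "VpcName": "prod-gz", "CidrBlock": "10.0.0.0/16"},
    {"VpcId": "vpc-sh000001", "VpcName": "prod-sh", "CidrBlock": "10.1.0.0/16"},
    {"VpcId": "vpc-sh000002", "VpcName": "legacy-sh", "CidrBlock": "10.0.8.0/22"},
    {"VpcId": "vpc-bj000001", "VpcName": "sandbox-bj", "CidrBlock": "172.16.0.0/12"},
]}})


def load_cidrs(raw_json: str) -> dict:
    """Map VpcId -> ip_network from DescribeVpcs JSON output."""
    vpcs = json.loads(raw_json)["Response"]["VpcSet"]
    return {v["VpcId"]: ipaddress.ip_network(v["CidrBlock"], strict=True) for v in vpcs}


def find_overlaps(cidrs: dict) -> list:
    """Return sorted (vpc_a, vpc_b) pairs whose CIDRs overlap; empty means safe to attach."""
    overlaps = []
    for (id_a, net_a), (id_b, net_b) in itertools.combinations(sorted(cidrs.items()), 2):
        if net_a.overlaps(net_b):  # true when either network contains part of the other
            overlaps.append((id_a, id_b))
    return overlaps


def can_attach(candidate_cidr: str, cidrs: dict) -> bool:
    """True if a new VPC using candidate_cidr would not collide with any existing member."""
    new_net = ipaddress.ip_network(candidate_cidr, strict=True)
    return not any(new_net.overlaps(existing) for existing in cidrs.values())


if __name__ == "__main__":
    members = load_cidrs(SAMPLE_VPCS)
    for a, b in find_overlaps(members):
        print(f"overlap: {a} ({members[a]}) <-> {b} ({members[b]})")
    print("10.2.0.0/16 can attach:", can_attach("10.2.0.0/16", members))
```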
### Cross-Region Replication Issues

```bash
# Check DTS synchronization job status
tccli dts DescribeSyncJobs \
  --cli-unfold-argument \
  --JobId sync-xxxxxxxx

# Check COS cross-region replication status
tccli cos GetBucketReplication \
  --cli-unfold-argument \
  --Bucket source-bucket-1250000000 \
  --Region ap-guangzhou
```

**COS CRR requires versioning**

Cross-region replication will fail if versioning is not enabled on both the source and destination buckets. Always enable versioning before configuring CRR rules.
### CLB & CVM Connectivity
| Symptom | Likely Cause | Resolution |
|---|---|---|
| CLB health checks failing | Security group blocking health check probes | CLB probes originate from the CLB VIP range. Ensure the backend CVM security group allows inbound on the health check port from the CLB subnet CIDR. |
| 502 errors from CLB | Backend CVM not listening on the configured port | Verify the application is running and listening: `tccli cvm DescribeInstances --InstanceIds ins-xxx`. SSH into the CVM and check `ss -tlnp`. |
| Cross-region CLB binding not working | CCN not configured or VPC not attached | CLB cross-region binding 2.0 requires the source and target VPCs to be connected via CCN. Verify the CCN attachment status. |
### General Diagnostic Commands

```bash
# Describe CVM network interfaces
tccli vpc DescribeNetworkInterfaces \
  --cli-unfold-argument \
  --Filters.0.Name attachment.instance-id \
  --Filters.0.Values ins-xxxxxxxx

# Check security group rules applied to an instance
tccli vpc DescribeSecurityGroupAssociationStatistics \
  --cli-unfold-argument \
  --SecurityGroupIds sg-xxxxxxxx

# Describe NAT Gateway
tccli vpc DescribeNatGateways \
  --cli-unfold-argument \
  --NatGatewayIds nat-xxxxxxxx

# Check CloudAudit events (last API calls)
tccli cloudaudit LookUpEvents \
  --cli-unfold-argument \
  --MaxResults 10 \
  --LookupAttributes.0.AttributeKey EventName \
  --LookupAttributes.0.AttributeValue TerminateInstances
```
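The `LookUpEvents` query above answers "who terminated what"; during an incident the useful follow-up is to separate expected operator activity from the rest. The script below is an added example (not Tencent Cloud's own tooling) that reads the `Events` array from that command's output and flags the change-making calls seen on this page (TerminateInstances, SwitchForUpgrade, CreateSecurityGroupPolicies) whenever they come from a source address outside a trusted range or from a principal not on the operator list. The trusted range, operator names and sample events are constructed; the `EventName`, `Username`, `SourceIPAddress` and `EventTime` field names are assumed to match the CloudAudit response.

```python
"""Triage CloudAudit LookUpEvents output for change-making API calls from unexpected origins."""
import ipaddress
import json

# API calls worth a second look; all three appear elsewhere on this page.
WATCHED_EVENTS = {"TerminateInstances", "SwitchForUpgrade", "CreateSecurityGroupPolicies"}
# Assumed environment (constructed): operators work from a bastion range and a CI identity.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_USERS = {"ci-deployer", "ops-oncall"}

# Constructed sample of a LookUpEvents response (ids and addresses are placeholders).
SAMPLE_EVENTS = json.dumps({"Response": {"Events": [
    {"EventName": "TerminateInstances", "Username": "ci-deployer",
     "SourceIPAddress": "203.0.113.10", "EventRegion": "ap-guangzhou",
     "EventTime": "2026-04-17T02:10:00Z",
     "Resources": {"ResourceType": "cvm", "ResourceName": "ins-aaaa0002"}},
    {"EventName": "TerminateInstances", "Username": "dev-alice",
     "SourceIPAddress": "198.51.100.77", "EventRegion": "ap-guangzhou",
     "EventTime": "2026-04-17T03:42:00Z",
     "Resources": {"ResourceType": "cvm", "ResourceName": "ins-aaaa0001"}},
    {"EventName": "DescribeInstances", "Username": "dev-alice",
     "SourceIPAddress": "198.51.100.77", "EventRegion": "ap-guangzhou",
     "EventTime": "2026-04-17T03:41:00Z", "Resources": {}},
]}})


def triage(raw_json: str) -> list:
    """Return (event_time, event_name, username, reason) for each event needing review."""
    findings = []
    for ev in json.loads(raw_json)["Response"]["Events"]:
        if ev.get("EventName") not in WATCHED_EVENTS:
            continue  # read-only calls such as DescribeInstances are noise here
        reasons = []
        src_raw = ev.get("SourceIPAddress")
        if not src_raw:
            reasons.append("no source address recorded")
        elif not any(ipaddress.ip_address(src_raw) in net for net in TRUSTED_NETS):
            reasons.append(f"source {src_raw} outside trusted ranges")
        user = ev.get("Username", "<unknown>")
        if user not in TRUSTED_USERS:
            reasons.append(f"principal {user} is not an approved operator")
        if reasons:
            findings.append((ev.get("EventTime"), ev["EventName"], user, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, name, who, why in triage(SAMPLE_EVENTS):
        print(f"{when} {name} by {who}: {why}")
```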