Release candidate deployments for Amazon Managed Rules
This section explains how a temporary release candidate deployment works.
When Amazon has a candidate set of rule changes for a managed rule group, it tests them in a temporary release candidate deployment. Amazon evaluates the candidate rules in count mode against production traffic, and performs final tuning activities, including mitigating false positives. Amazon tests release candidate rules in this way for all customers who use the default version of the rule group. Release candidate deployments don't apply to customers who use a static version of the rule group.
If you use the default version, a release candidate deployment won't alter how your web traffic is managed by the rule group. You might notice the following while the candidate rules are being tested:
- The default version name changes from `Default (using Version_X.Y)` to `Default (using Version_X.Y_PLUS_RC_COUNT)`.
- Additional count metrics appear in Amazon CloudWatch with `RC_COUNT` in their names. These are generated by the release candidate rules.
Amazon tests a release candidate for about a week, then removes it and resets the default version to the current recommended static version.
Amazon performs the following steps for a release candidate deployment:
- Create the release candidate – Amazon adds a release candidate based on the current recommended static version, which is the version that the default is pointing to.
  The name of the release candidate is the static version name appended with `_PLUS_RC_COUNT`. For example, if the current recommended static version is `Version_2.1`, then the release candidate would be named `Version_2.1_PLUS_RC_COUNT`.
  The release candidate contains the following rules:
  - Rules copied exactly from the current recommended static version, with no changes to rule configurations.
  - Candidate new rules with rule action set to Count and with names that end with `_RC_COUNT`. Most candidate rules provide proposed improvements to rules that already exist in the rule group. The name for each of these rules is the existing rule's name appended with `_RC_COUNT`.
- Set the default version to the release candidate and test – Amazon sets the default version to point to the new release candidate, to perform testing against your production traffic. Testing usually takes about a week.
  You'll see the default version's name change from the one that indicates only the static version, such as `Default (using Version_1.4)`, to one that indicates the static version plus the release candidate rules, such as `Default (using Version_1.4_PLUS_RC_COUNT)`. This naming scheme lets you identify which static version you're using to manage your web traffic. The following diagram shows the state of the example rule group versions at this point.
  The release candidate rules are always configured with Count action, so they don't alter how the rule group manages web traffic.
  The release candidate rules generate Amazon CloudWatch count metrics that Amazon uses to verify behavior and to identify false positives. Amazon makes adjustments as needed to tune the behavior of the release candidate count rules.
  The release candidate version isn't a static version, and it's not available for you to choose from the list of static rule group versions. You can only see the name of the release candidate version in the default version specification.
- Return the default version to the recommended static version – After testing the release candidate rules, Amazon sets the default version back to the current recommended static version. The default version name setting drops the `_PLUS_RC_COUNT` ending, and the rule group stops generating CloudWatch count metrics for the release candidate rules. This is a silent change, and is not the same as a deployment of a default version rollback. The following diagram shows the state of the example rule group versions after the testing of the release candidate is complete.
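The naming conventions above (the `_PLUS_RC_COUNT` suffix on the default version name, the `_RC_COUNT` suffix on candidate rule names, and `RC_COUNT` in the CloudWatch metric names) are the only signal you get that a release candidate is being tested, since there is no change-log entry and no second notification. The following Python is an added example, not code from the AWS documentation or from any AWS SDK: it parses those names so that an operator can tell from a version name and a list of rule names whether a release candidate is active, which existing rules each candidate rule proposes to replace, and which metrics to watch for would-be blocks that may indicate false positives. The version names, rule names, actions and metric names in the sample data are constructed for the example; how you obtain the live values (for example from the WAF describe or CloudWatch list APIs) is left to the reader and is not assumed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Suffixes described in the Amazon Managed Rules release candidate documentation.
RC_VERSION_SUFFIX = "_PLUS_RC_COUNT"
RC_RULE_SUFFIX = "_RC_COUNT"

# Default version names have the shape "Default (using <version>)".
_DEFAULT_NAME = re.compile(r"^Default \(using (?P<version>\S+)\)$")


def parse_default_version(default_name: str) -> Tuple[str, bool]:
    """Return (static_version, rc_active) for a default version name.

    'Default (using Version_1.4)'               -> ('Version_1.4', False)
    'Default (using Version_1.4_PLUS_RC_COUNT)' -> ('Version_1.4', True)
    """
    match = _DEFAULT_NAME.match(default_name)
    if not match:
        raise ValueError(f"unrecognised default version name: {default_name!r}")
    version = match.group("version")
    if version.endswith(RC_VERSION_SUFFIX):
        return version[: -len(RC_VERSION_SUFFIX)], True
    return version, False


def classify_rules(rules: List[Tuple[str, str]]) -> Dict[str, object]:
    """Separate release candidate rules from the copied static rules.

    `rules` is a list of (rule_name, action) pairs. The result holds the static
    rule names, a map from each RC rule to the existing rule it proposes to
    improve (None when the candidate is a brand-new rule), and any RC rule whose
    action is not COUNT. The documentation says RC rules are always Count, so a
    non-Count RC rule is an anomaly worth investigating, not something to ignore.
    """
    static = [name for name, _ in rules if not name.endswith(RC_RULE_SUFFIX)]
    static_set = set(static)
    rc_to_base: Dict[str, Optional[str]] = {}
    anomalies: List[str] = []
    for name, action in rules:
        if not name.endswith(RC_RULE_SUFFIX):
            continue
        base = name[: -len(RC_RULE_SUFFIX)]
        rc_to_base[name] = base if base in static_set else None
        if action.upper() != "COUNT":
            anomalies.append(name)
    return {"static": static, "rc_to_base": rc_to_base, "anomalies": anomalies}


def rc_metric_names(metric_names: List[str]) -> List[str]:
    """Pick out the CloudWatch metrics emitted by release candidate rules."""
    return [m for m in metric_names if "RC_COUNT" in m]


def deployment_status(default_name: str, rules: List[Tuple[str, str]]) -> Dict[str, object]:
    """Combine the version name and rule list into one consistency check.

    A release candidate should show up in both places at once: the version name
    carries _PLUS_RC_COUNT exactly when _RC_COUNT rules are present. Either
    signal on its own is reported as inconsistent so a human can look.
    """
    static_version, rc_active = parse_default_version(default_name)
    classified = classify_rules(rules)
    has_rc_rules = bool(classified["rc_to_base"])
    return {
        "static_version": static_version,
        "rc_active": rc_active,
        "rc_rules": classified["rc_to_base"],
        "anomalies": classified["anomalies"],
        "consistent": rc_active == has_rc_rules,
    }


# Constructed sample data for the example (not real rule group contents).
SAMPLE_DEFAULT_NAME = "Default (using Version_1.4_PLUS_RC_COUNT)"
SAMPLE_RULES = [
    ("SampleRuleA", "BLOCK"),
    ("SampleRuleB", "BLOCK"),
    ("SampleRuleA_RC_COUNT", "COUNT"),      # proposed improvement to SampleRuleA
    ("SampleRuleNew_RC_COUNT", "COUNT"),    # brand-new candidate rule
]
SAMPLE_METRICS = ["SampleRuleA", "SampleRuleB", "SampleRuleA_RC_COUNT", "SampleRuleNew_RC_COUNT"]

if __name__ == "__main__":
    status = deployment_status(SAMPLE_DEFAULT_NAME, SAMPLE_RULES)
    print(f"static version in effect : {status['static_version']}")
    print(f"release candidate active : {status['rc_active']} (consistent={status['consistent']})")
    for rc_rule, base in status["rc_rules"].items():
        print(f"  {rc_rule} -> {base or '<new rule>'}")
    print("metrics to watch for would-be matches:", rc_metric_names(SAMPLE_METRICS))
```

The metrics returned by `rc_metric_names` are the ones to chart during the roughly one-week test window: a spike in an `_RC_COUNT` metric for traffic you know is legitimate is the false-positive signal Amazon is tuning for, and it is also your early warning about what the next static version will block once the candidate rules are promoted.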
Timing and notifications
Amazon deploys release candidate versions on an as-needed basis, to test improvements to a rule group.
- SNS – Amazon sends an SNS notification at the start of the deployment. The notification indicates the estimated time that the release candidate will be tested. When testing is complete, Amazon silently returns the default to the static version setting, without a second notification.
- Change log – Amazon doesn't update the change log or other parts of this guide for this type of deployment.