About custom rules in Workload Manager

Workload Manager supports using customized rules that help you validate your workloads against best practices recommended by your organization.

For example, you can create a custom rule to ensure that VMs in your deployment don't use the Compute Engine default service account. Once you create the rule, create and run an evaluation in Workload Manager to validate your workloads against the rule. You can then review the evaluation results and take remediation steps for any violation of these rules. This helps improve the quality, reliability, and performance of your deployments.

How it works

To evaluate workloads using custom rules, do the following:

Identify the best practices relevant to your deployments from Google Cloud Architecture Framework.
Create custom rules using Rego.
Create and schedule evaluations for your workloads.
Optional: Export evaluation results to BigQuery and set up notifications.

The following figure summarizes the process of using custom rules in Workload Manager:

How custom rules work in Workload Manager

Limitations

In Preview, we recommend that you limit the number of rules to 100 rules per evaluation in Workload Manager.
Workload Manager does not support exporting evaluation results to multi-regional BigQuery datasets. You can export evaluation results to regional BigQuery datasets.

Supported data sources

Workload Manager uses data from the following services to scan the resources that you specified for evaluation:

Cloud Asset Inventory: For a complete list of supported resource types in Cloud Asset Inventory, see Supported asset types
Cloud Monitoring metrics. See Supported metrics for Compute Engine.

Supported metrics for Compute Engine

The following table lists the metrics supported for Compute Engine. For more information about these metrics, see Cloud Monitoring metrics.

The "Metric type" strings in this table must be prefixed with compute.googleapis.com. That prefix has been omitted from the entries in the table.

Display name `(Metric type)`	Description Labels	ASSET_TYPE (rule metadata)
CPU utilization `instance/cpu/utilization`	Fractional utilization of allocated CPU on a VM instance. `instance_name`: The name of the VM instance.	`Instance_CPUUtil_Last1H` `Instance_CPUUtil_Last6H` `Instance_CPUUtil_Last12H` `Instance_CPUUtil_Last1D`
Disk average latency `instance/disk/average_io_latency`	Disk's average io latency in the last 60s. `device_name`: The name of the disk device. `storage_type`: Storage type, one of [pd-standard, pd-balanced, pd-ssd, pd-extreme, hyperdisk-extreme, hyperdisk-throughput].	`Instance_DiskIO_Last1H` `Instance_DiskIO_Last6H` `Instance_DiskIO_Last12H` `Instance_DiskIO_Last1D`
VM Memory Used `instance/memory/balloon/ram_used`	Memory currently used in the VM. `instance_name`: The name of the VM instance.	`Instance_MemoryUtil_Last1H` `Instance_MemoryUtil_Last6H` `Instance_MemoryUtil_Last12H` `Instance_MemoryUtil_Last1D`

Pricing

The custom rules in Workload Manager is offered at no charge in the Preview stage.