Evaluation of rules and alerts with self-deployed collection
Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a configuration for rule and alert evaluation
in a Managed Service for Prometheus deployment that usesself-deployed collection.
The following diagram illustrates a deployment that uses multiple clusters
in two Google Cloud projects and uses both rule and alert evaluation:
To set up and use a deployment like the one in the diagram, note the
following:
Rules are installed within each Managed Service for Prometheus collection
server, just as they are when using standard Prometheus. Rule evaluation
executes against the data stored locally on each server. Servers are
configured to retain data long enough to cover the lookback period of all
rules, which is typically no more than 1 hour. Rule results are written
to Monarch after evaluation.
A Prometheus AlertManager instance is manually deployed in every single
cluster. Prometheus servers are configured byediting thealertmanager_configfield of the configuration fileto send
fired alerting rules to their local AlertManager instance. Silences,
acknowledgements, and incident management workflows are typically
handled in a third-party tool such as PagerDuty.
You can centralize alert management across multiple clusters into a
single AlertManager by using a KubernetesEndpoints resource.
One single cluster running inside Google Cloud is designated as the
global rule evaluation cluster for a metrics scope. Thestandalone
rule evaluatoris deployed in that cluster and rules are
installed using the standard Prometheus rule-file format.
The standalone rule evaluator is configured to use scoping_project_A,
which contains Projects 1 and 2. Rules executed against scoping_project_A
automatically fan out to Projects 1 and 2. The underlying service account
must be given theMonitoring Viewerpermissions
for scoping_project_A.
Using a self-deployed global rule evaluator may have unexpected
effects, depending on whether you preserve or aggregate theproject_id,location,cluster, andnamespacelabels in your rules:
If your rules preserve theproject_idlabel (by using
aby(project_id)clause), then rule results are written back to
Monarch using the originalproject_idvalue of the underlying
time series.
In this scenario, you need to ensure the underlying service account
has theMonitoring Metric Writerpermissions for each
monitored project in scoping_project_A. If you add a new
monitored project to scoping_project_A, then you must also manually
add a new permission to the service account.
If your rules do not preserve theproject_idlabel (by not using
aby(project_id)clause), then rule results are written back to
Monarch using theproject_idvalue of the cluster where the
global rule evaluator is running.
In this scenario, you do not need to further modify the underlying
service account.
If your rules preserve thelocationlabel (by using aby(location)clause), then rule results are written back to Monarch
using each original Google Cloud region from which the underlying
time series originated.
If your rules do not preserve thelocationlabel, then data is written
back to the location of the cluster where the global rule evaluator
is running.
We strongly recommend preserving theclusterandnamespacelabels
in rule evaluation results whenever possible. Otherwise, query performance
might decline and you might encounter cardinality limits. Removing both
labels is strongly discouraged.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Evaluation of rules and alerts with self-deployed collection\n\nThis document describes a configuration for rule and alert evaluation\nin a Managed Service for Prometheus deployment that uses\n[self-deployed collection](/stackdriver/docs/managed-prometheus/setup-unmanaged).\n\nThe following diagram illustrates a deployment that uses multiple clusters\nin two Google Cloud projects and uses both rule and alert evaluation:\n\nTo set up and use a deployment like the one in the diagram, note the\nfollowing:\n\n- Rules are installed within each Managed Service for Prometheus collection\n server, just as they are when using standard Prometheus. Rule evaluation\n executes against the data stored locally on each server. Servers are\n configured to retain data long enough to cover the lookback period of all\n rules, which is typically no more than 1 hour. Rule results are written\n to Monarch after evaluation.\n\n- A Prometheus AlertManager instance is manually deployed in every single\n cluster. Prometheus servers are configured by [editing the\n `alertmanager_config` field of the configuration file](/stackdriver/docs/managed-prometheus/rules-unmanaged#eval-rules-unmanaged) to send\n fired alerting rules to their local AlertManager instance. Silences,\n acknowledgements, and incident management workflows are typically\n handled in a third-party tool such as PagerDuty.\n\n You can centralize alert management across multiple clusters into a\n single AlertManager by using a Kubernetes [Endpoints resource](/stackdriver/docs/managed-prometheus/rules-unmanaged#eval-rules-unmanaged).\n- One single cluster running inside Google Cloud is designated as the\n global rule evaluation cluster for a metrics scope. The [standalone\n rule evaluator](/stackdriver/docs/managed-prometheus/rules-unmanaged#eval-rules-unmanaged) is deployed in that cluster and rules are\n installed using the standard Prometheus rule-file format.\n\n The standalone rule evaluator is configured to use scoping_project_A,\n which contains Projects 1 and 2. Rules executed against scoping_project_A\n automatically fan out to Projects 1 and 2. The underlying service account\n must be given the [Monitoring Viewer](/monitoring/access-control#mon_roles_desc) permissions\n for scoping_project_A.\n\n The rule evaluator is configured to send alerts to the local Prometheus\n Alertmanager by using the [`alertmanager_config` field of the configuration\n file](/stackdriver/docs/managed-prometheus/rules-unmanaged#eval-rules-unmanaged).\n\nUsing a self-deployed global rule evaluator may have unexpected\neffects, depending on whether you preserve or aggregate the `project_id`,\n`location`, `cluster`, and `namespace` labels in your rules:\n\n- If your rules preserve the `project_id` label (by using\n a `by(project_id)` clause), then rule results are written back to\n Monarch using the original `project_id` value of the underlying\n time series.\n\n In this scenario, you need to ensure the underlying service account\n has the [Monitoring Metric Writer](/monitoring/access-control#mon_roles_desc) permissions for each\n monitored project in scoping_project_A. If you add a new\n monitored project to scoping_project_A, then you must also manually\n add a new permission to the service account.\n- If your rules do not preserve the `project_id` label (by not using\n a `by(project_id)` clause), then rule results are written back to\n Monarch using the `project_id` value of the cluster where the\n global rule evaluator is running.\n\n In this scenario, you do not need to further modify the underlying\n service account.\n- If your rules preserve the `location` label (by using a `by(location)`\n clause), then rule results are written back to Monarch\n using each original Google Cloud region from which the underlying\n time series originated.\n\n If your rules do not preserve the `location` label, then data is written\n back to the location of the cluster where the global rule evaluator\n is running.\n\nWe strongly recommend preserving the `cluster` and `namespace` labels\nin rule evaluation results whenever possible. Otherwise, query performance\nmight decline and you might encounter cardinality limits. Removing both\nlabels is strongly discouraged."]]
