AWS Site-to-Site VPN monitoring
Dynatrace ingests metrics for multiple preselected namespaces, including AWS Site-to-Site VPN. You can view graphs per service instance, with a set of dimensions, and create custom graphs that you can pin to your dashboards.
Prerequisites
To enable monitoring for this service, you need
- ActiveGate version 1.197+
-
For Dynatrace SaaS deployments, you need an Environment ActiveGate or a Multi-environment ActiveGate.
For role-based access in SaaS deployment, you need an Environment ActiveGate installed on an Amazon EC2 host.
-
Dynatrace version 1.199+
-
An updated AWS monitoring policy to include the additional AWS services.
To update the AWS IAM policy, use the JSON below, containing the monitoring policy (permissions) for all supporting services.
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["acm-pca:ListCertificateAuthorities","apigateway:GET","apprunner:ListServices","appstream:DescribeFleets","appsync:ListGraphqlApis","athena:ListWorkGroups","autoscaling:DescribeAutoScalingGroups","cloudformation:ListStackResources","cloudfront:ListDistributions","cloudhsm:DescribeClusters","cloudsearch:DescribeDomains","cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics","codebuild:ListProjects","datasync:ListTasks","dax:DescribeClusters","directconnect:DescribeConnections","dms:DescribeReplicationInstances","dynamodb:ListTables","dynamodb:ListTagsOfResource","ec2:DescribeAvailabilityZones","ec2:DescribeInstances","ec2:DescribeNatGateways","ec2:DescribeSpotFleetRequests","ec2:DescribeTransitGateways","ec2:DescribeVolumes","ec2:DescribeVpnConnections","ecs:ListClusters","eks:ListClusters","elasticache:DescribeCacheClusters","elasticbeanstalk:DescribeEnvironmentResources","elasticbeanstalk:DescribeEnvironments","elasticfilesystem:DescribeFileSystems","elasticloadbalancing:DescribeInstanceHealth","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeRules","elasticloadbalancing:DescribeTags","elasticloadbalancing:DescribeTargetHealth","elasticmapreduce:ListClusters","elastictranscoder:ListPipelines","es:ListDomainNames","events:ListEventBuses","firehose:ListDeliveryStreams","fsx:DescribeFileSystems","gamelift:ListFleets","glue:GetJobs","inspector:ListAssessmentTemplates","kafka:ListClusters","kinesis:ListStreams","kinesisanalytics:ListApplications","kinesisvideo:ListStreams","lambda:ListFunctions","lambda:ListTags","lex:GetBots","logs:DescribeLogGroups","mediaconnect:ListFlows","mediaconvert:DescribeEndpoints","mediapackage-vod:ListPackagingConfigurations","mediapackage:ListChannels","mediatailor:ListPlaybackConfigurations","opsworks:DescribeStacks","qldb:ListLedgers","rds:DescribeDBClusters","rds:DescribeDBInstances","rds:DescribeEvents","rds:ListTagsForResource","redshift:DescribeClusters","robomaker:ListSimulationJobs","route53:ListHostedZones","route53resolver:ListResolverEndpoints","s3:ListAllMyBuckets","sagemaker:ListEndpoints","sns:ListTopics","sqs:ListQueues","storagegateway:ListGateways","sts:GetCallerIdentity","swf:ListDomains","tag:GetResources","tag:GetTagKeys","transfer:ListServers","workmail:ListOrganizations","workspaces:DescribeWorkspaces"],"Resource": "*"}]}
If you don't want to add permissions to all services, and just select permissions for certain services, consult the table below. The table contains a set of permissions that are required for All AWS cloud services and, for each supporting service, a list of optional permissions specific to that service.
Permissions required for AWS monitoring integration:
"cloudwatch:GetMetricData""cloudwatch:GetMetricStatistics""cloudwatch:ListMetrics""sts:GetCallerIdentity""tag:GetResources""tag:GetTagKeys""ec2:DescribeAvailabilityZones"
Name
Permissions
All monitored Amazon services required
cloudwatch:GetMetricData,cloudwatch:GetMetricStatistics,cloudwatch:ListMetrics,sts:GetCallerIdentity,tag:GetResources,tag:GetTagKeys,ec2:DescribeAvailabilityZonesAWS Certificate Manager Private Certificate Authority
acm-pca:ListCertificateAuthoritiesAmazon MQ
Amazon API Gateway
apigateway:GETAWS App Runner
apprunner:ListServicesAmazon AppStream
appstream:DescribeFleetsAWS AppSync
appsync:ListGraphqlApisAmazon Athena
athena:ListWorkGroupsAmazon Aurora
rds:DescribeDBClustersAmazon EC2 Auto Scaling
autoscaling:DescribeAutoScalingGroupsAmazon EC2 Auto Scaling (built-in)
autoscaling:DescribeAutoScalingGroupsAWS Billing
Amazon Keyspaces
AWS Chatbot
Amazon CloudFront
cloudfront:ListDistributionsAWS CloudHSM
cloudhsm:DescribeClustersAmazon CloudSearch
cloudsearch:DescribeDomainsAWS CodeBuild
codebuild:ListProjectsAmazon Cognito
Amazon Connect
Amazon Elastic Kubernetes Service (EKS)
eks:ListClustersAWS DataSync
datasync:ListTasksAmazon DynamoDB Accelerator (DAX)
dax:DescribeClustersAWS Database Migration Service (AWS DMS)
dms:DescribeReplicationInstancesAmazon DocumentDB
rds:DescribeDBClustersAWS Direct Connect
directconnect:DescribeConnectionsAmazon DynamoDB
dynamodb:ListTablesAmazon DynamoDB (built-in)
dynamodb:ListTables,dynamodb:ListTagsOfResourceAmazon EBS
ec2:DescribeVolumesAmazon EBS (built-in)
ec2:DescribeVolumesAmazon EC2 API
Amazon EC2 (built-in)
ec2:DescribeInstancesAmazon EC2 Spot Fleet
ec2:DescribeSpotFleetRequestsAmazon Elastic Container Service (ECS)
ecs:ListClustersAmazon ECS Container Insights
ecs:ListClustersAmazon ElastiCache (EC)
elasticache:DescribeCacheClustersAWS Elastic Beanstalk
elasticbeanstalk:DescribeEnvironmentsAmazon Elastic File System (EFS)
elasticfilesystem:DescribeFileSystemsAmazon Elastic Inference
Amazon Elastic Map Reduce (EMR)
elasticmapreduce:ListClustersAmazon Elasticsearch Service (ES)
es:ListDomainNamesAmazon Elastic Transcoder
elastictranscoder:ListPipelinesAmazon Elastic Load Balancer (ELB) (built-in)
elasticloadbalancing:DescribeInstanceHealth,elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancers,elasticloadbalancing:DescribeRules,elasticloadbalancing:DescribeTags,elasticloadbalancing:DescribeTargetHealthAmazon EventBridge
events:ListEventBusesAmazon FSx
fsx:DescribeFileSystemsAmazon GameLift
gamelift:ListFleetsAWS Glue
glue:GetJobsAmazon Inspector
inspector:ListAssessmentTemplatesAWS Internet of Things (IoT)
AWS IoT Analytics
Amazon Managed Streaming for Kafka
kafka:ListClustersAmazon Kinesis Data Analytics
kinesisanalytics:ListApplicationsAmazon Data Firehose
firehose:ListDeliveryStreamsAmazon Kinesis Data Streams
kinesis:ListStreamsAmazon Kinesis Video Streams
kinesisvideo:ListStreamsAWS Lambda
lambda:ListFunctionsAWS Lambda (built-in)
lambda:ListFunctions,lambda:ListTagsAmazon Lex
lex:GetBotsAmazon Application and Network Load Balancer (built-in)
elasticloadbalancing:DescribeInstanceHealth,elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancers,elasticloadbalancing:DescribeRules,elasticloadbalancing:DescribeTags,elasticloadbalancing:DescribeTargetHealthAmazon CloudWatch Logs
logs:DescribeLogGroupsAWS Elemental MediaConnect
mediaconnect:ListFlowsAWS Elemental MediaConvert
mediaconvert:DescribeEndpointsAWS Elemental MediaPackage Live
mediapackage:ListChannelsAWS Elemental MediaPackage Video on Demand
mediapackage-vod:ListPackagingConfigurationsAWS Elemental MediaTailor
mediatailor:ListPlaybackConfigurationsAmazon VPC NAT Gateways
ec2:DescribeNatGatewaysAmazon Neptune
rds:DescribeDBClustersAWS OpsWorks
opsworks:DescribeStacksAmazon Polly
Amazon QLDB
qldb:ListLedgersAmazon RDS
rds:DescribeDBInstancesAmazon RDS (built-in)
rds:DescribeDBInstances,rds:DescribeEvents,rds:ListTagsForResourceAmazon Redshift
redshift:DescribeClustersAmazon Rekognition
AWS RoboMaker
robomaker:ListSimulationJobsAmazon Route 53
route53:ListHostedZonesAmazon Route 53 Resolver
route53resolver:ListResolverEndpointsAmazon S3
s3:ListAllMyBucketsAmazon S3 (built-in)
s3:ListAllMyBucketsAmazon SageMaker Batch Transform Jobs
Amazon SageMaker Endpoint Instances
sagemaker:ListEndpointsAmazon SageMaker Endpoints
sagemaker:ListEndpointsAmazon SageMaker Ground Truth
Amazon SageMaker Processing Jobs
Amazon SageMaker Training Jobs
AWS Service Catalog
Amazon Simple Email Service (SES)
Amazon Simple Notification Service (SNS)
sns:ListTopicsAmazon Simple Queue Service (SQS)
sqs:ListQueuesAWS Systems Manager - Run Command
AWS Step Functions
AWS Storage Gateway
storagegateway:ListGatewaysAmazon SWF
swf:ListDomainsAmazon Textract
AWS IoT Things Graph
AWS Transfer Family
transfer:ListServersAWS Transit Gateway
ec2:DescribeTransitGatewaysAmazon Translate
AWS Trusted Advisor
AWS API Usage
AWS Site-to-Site VPN
ec2:DescribeVpnConnectionsAWS WAF Classic
AWS WAF
Amazon WorkMail
workmail:ListOrganizationsAmazon WorkSpaces
workspaces:DescribeWorkspacesExample of JSON policy for one single service.
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["apigateway:GET","cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics","sts:GetCallerIdentity","tag:GetResources","tag:GetTagKeys","ec2:DescribeAvailabilityZones"],"Resource": "*"}]}
In this example, from the complete list of permissions you need to select
"apigateway:GET"for Amazon API Gateway"cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics","sts:GetCallerIdentity","tag:GetResources","tag:GetTagKeys", and"ec2:DescribeAvailabilityZones"for All AWS cloud services.
Endpoint
Service
autoscaling.<REGION>.amazonaws.comAmazon EC2 Auto Scaling (built-in), Amazon EC2 Auto Scaling
lambda.<REGION>.amazonaws.comAWS Lambda (built-in), AWS Lambda
elasticloadbalancing.<REGION>.amazonaws.comAmazon Application and Network Load Balancer (built-in), Amazon Elastic Load Balancer (ELB) (built-in)
dynamodb.<REGION>.amazonaws.comAmazon DynamoDB (built-in), Amazon DynamoDB
ec2.<REGION>.amazonaws.comAmazon EBS (built-in), Amazon EC2 (built-in), Amazon EBS, Amazon EC2 Spot Fleet, Amazon VPC NAT Gateways, AWS Transit Gateway, AWS Site-to-Site VPN
rds.<REGION>.amazonaws.comAmazon RDS (built-in), Amazon Aurora, Amazon DocumentDB, Amazon Neptune, Amazon RDS
s3.<REGION>.amazonaws.comAmazon S3 (built-in)
acm-pca.<REGION>.amazonaws.comAWS Certificate Manager Private Certificate Authority
apigateway.<REGION>.amazonaws.comAmazon API Gateway
apprunner.<REGION>.amazonaws.comAWS App Runner
appstream2.<REGION>.amazonaws.comAmazon AppStream
appsync.<REGION>.amazonaws.comAWS AppSync
athena.<REGION>.amazonaws.comAmazon Athena
cloudfront.amazonaws.comAmazon CloudFront
cloudhsmv2.<REGION>.amazonaws.comAWS CloudHSM
cloudsearch.<REGION>.amazonaws.comAmazon CloudSearch
codebuild.<REGION>.amazonaws.comAWS CodeBuild
datasync.<REGION>.amazonaws.comAWS DataSync
dax.<REGION>.amazonaws.comAmazon DynamoDB Accelerator (DAX)
dms.<REGION>.amazonaws.comAWS Database Migration Service (AWS DMS)
directconnect.<REGION>.amazonaws.comAWS Direct Connect
ecs.<REGION>.amazonaws.comAmazon Elastic Container Service (ECS), Amazon ECS Container Insights
elasticfilesystem.<REGION>.amazonaws.comAmazon Elastic File System (EFS)
eks.<REGION>.amazonaws.comAmazon Elastic Kubernetes Service (EKS)
elasticache.<REGION>.amazonaws.comAmazon ElastiCache (EC)
elasticbeanstalk.<REGION>.amazonaws.comAWS Elastic Beanstalk
elastictranscoder.<REGION>.amazonaws.comAmazon Elastic Transcoder
es.<REGION>.amazonaws.comAmazon Elasticsearch Service (ES)
events.<REGION>.amazonaws.comAmazon EventBridge
fsx.<REGION>.amazonaws.comAmazon FSx
gamelift.<REGION>.amazonaws.comAmazon GameLift
glue.<REGION>.amazonaws.comAWS Glue
inspector.<REGION>.amazonaws.comAmazon Inspector
kafka.<REGION>.amazonaws.comAmazon Managed Streaming for Kafka
models.lex.<REGION>.amazonaws.comAmazon Lex
logs.<REGION>.amazonaws.comAmazon CloudWatch Logs
api.mediatailor.<REGION>.amazonaws.comAWS Elemental MediaTailor
mediaconnect.<REGION>.amazonaws.comAWS Elemental MediaConnect
mediapackage.<REGION>.amazonaws.comAWS Elemental MediaPackage Live
mediapackage-vod.<REGION>.amazonaws.comAWS Elemental MediaPackage Video on Demand
opsworks.<REGION>.amazonaws.comAWS OpsWorks
qldb.<REGION>.amazonaws.comAmazon QLDB
redshift.<REGION>.amazonaws.comAmazon Redshift
robomaker.<REGION>.amazonaws.comAWS RoboMaker
route53.amazonaws.comAmazon Route 53
route53resolver.<REGION>.amazonaws.comAmazon Route 53 Resolver
api.sagemaker.<REGION>.amazonaws.comAmazon SageMaker Endpoints, Amazon SageMaker Endpoint Instances
sns.<REGION>.amazonaws.comAmazon Simple Notification Service (SNS)
sqs.<REGION>.amazonaws.comAmazon Simple Queue Service (SQS)
storagegateway.<REGION>.amazonaws.comAWS Storage Gateway
swf.<REGION>.amazonaws.comAmazon SWF
transfer.<REGION>.amazonaws.comAWS Transfer Family
workmail.<REGION>.amazonaws.comAmazon WorkMail
workspaces.<REGION>.amazonaws.comAmazon WorkSpaces
Enable monitoring
To learn how to enable service monitoring, see Enable service monitoring.
View service metrics
You can view the service metrics in your Dynatrace environment either on the custom device overview page or on your Dashboards page.
View metrics on the custom device overview page
To access the custom device overview page
- Go to Technologies & Processes or Technologies & Processes Classic (latest Dynatrace).
- Filter by service name and select the relevant custom device group.
- Once you select the custom device group, you're on the custom device group overview page.
- The custom device group overview page lists all instances (custom devices) belonging to the group. Select an instance to view the custom device overview page.
View metrics on your dashboard
After you add the service to monitoring, a preset dashboard containing all recommended metrics is automatically listed on your Dashboards page. To look for specific dashboards, filter by Preset and then by Name.
For existing monitored services, you might need to resave your credentials for the preset dashboard to appear on the Dashboards page. To resave your credentials, go to Settings > Cloud and virtualization > AWS, select the desired AWS instance, and then select Save.
You can't make changes on a preset dashboard directly, but you can clone and edit it. To clone a dashboard, open the browse menu (…) and select Clone.
To remove a dashboard from the dashboards page, you can hide it. To hide a dashboard, open the browse menu (…) and select Hide.
Hiding a dashboard doesn't affect other users.
To check the availability of preset dashboards for each AWS service, see the list below.
AWS service
Preset dashboard
Amazon EC2 Auto Scaling (built-in)
AWS Lambda (built-in)
Amazon Application and Network Load Balancer (built-in)
Amazon DynamoDB (built-in)
Amazon EBS (built-in)
Amazon EC2 (built-in)
Amazon Elastic Load Balancer (ELB) (built-in)
Amazon RDS (built-in)
Amazon S3 (built-in)
AWS Certificate Manager Private Certificate Authority
All monitored Amazon services
Amazon API Gateway
AWS App Runner
Amazon AppStream
AWS AppSync
Amazon Athena
Amazon Aurora
Amazon EC2 Auto Scaling
AWS Billing
Amazon Keyspaces
AWS Chatbot
Amazon CloudFront
AWS CloudHSM
Amazon CloudSearch
AWS CodeBuild
Amazon Cognito
Amazon Connect
AWS DataSync
Amazon DynamoDB Accelerator (DAX)
AWS Database Migration Service (AWS DMS)
Amazon DocumentDB
AWS Direct Connect
Amazon DynamoDB
Amazon EBS
Amazon EC2 Spot Fleet
Amazon EC2 API
Amazon Elastic Container Service (ECS)
Amazon ECS Container Insights
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon ElastiCache (EC)
AWS Elastic Beanstalk
Amazon Elastic Inference
Amazon Elastic Transcoder
Amazon Elastic Map Reduce (EMR)
Amazon Elasticsearch Service (ES)
Amazon EventBridge
Amazon FSx
Amazon GameLift
AWS Glue
Amazon Inspector
AWS Internet of Things (IoT)
AWS IoT Things Graph
AWS IoT Analytics
Amazon Managed Streaming for Kafka
Amazon Kinesis Data Analytics
Amazon Data Firehose
Amazon Kinesis Data Streams
Amazon Kinesis Video Streams
AWS Lambda
Amazon Lex
Amazon CloudWatch Logs
AWS Elemental MediaTailor
AWS Elemental MediaConnect
AWS Elemental MediaConvert
AWS Elemental MediaPackage Live
AWS Elemental MediaPackage Video on Demand
Amazon MQ
Amazon VPC NAT Gateways
Amazon Neptune
AWS OpsWorks
Amazon Polly
Amazon QLDB
Amazon RDS
Amazon Redshift
Amazon Rekognition
AWS RoboMaker
Amazon Route 53
Amazon Route 53 Resolver
Amazon S3
Amazon SageMaker Batch Transform Jobs
Amazon SageMaker Endpoints
Amazon SageMaker Endpoint Instances
Amazon SageMaker Ground Truth
Amazon SageMaker Processing Jobs
Amazon SageMaker Training Jobs
AWS Service Catalog
Amazon Simple Email Service (SES)
Amazon Simple Notification Service (SNS)
Amazon Simple Queue Service (SQS)
AWS Systems Manager - Run Command
AWS Step Functions
AWS Storage Gateway
Amazon SWF
Amazon Textract
AWS Transfer Family
AWS Transit Gateway
Amazon Translate
AWS Trusted Advisor
AWS API Usage
AWS Site-to-Site VPN
AWS WAF Classic
AWS WAF
Amazon WorkMail
Amazon WorkSpaces
Available metrics
Name
Description
Unit
Statistics
Dimensions
Recommended
TunnelDataIn
The bytes received through the VPN tunnel
Bytes
Sum
VpnId
TunnelDataIn
Bytes
Sum
Region
TunnelDataIn
Bytes
Sum
Region, TunnelIpAddress
TunnelDataOut
The bytes sent through the VPN tunnel
Bytes
Sum
VpnId
TunnelDataOut
Bytes
Sum
Region
TunnelDataOut
Bytes
Sum
Region, TunnelIpAddress
TunnelState
The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states
Count
Multi
Region
TunnelState
Count
Multi
Region, TunnelIpAddress
TunnelState
Count
Multi
VpnId