You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.
Dynatrace can be deployed with or without Environment ActiveGate. While using the role-based access method, make sure that you meet one of the following deployment requirements:
Follow these basic steps to integrate Dynatrace Managed with Amazon Web Services (AWS):
All cloud services consume Davis data units (DDUs). The amount of DDU consumption per service instance depends on the number of monitored metrics and their dimensions (each metric dimension results in the ingestion of 1 data point; 1 data point consumes 0.001 DDUs).
Dynatrace makes Amazon API requests every five minutes. In addition to CloudWatch API calls, Dynatrace makes API calls to the monitored AWS services to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section.
Here's a rough estimate of AWS monitoring costs:
Amazon will charge about $0.01 per 1,000 metrics requested from the CloudWatch API and include the cost in the bill for the AWS account you use with Dynatrace.
The AWS monitoring policy defines the minimal scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and use it any time when enabling Dynatrace access to your AWS account. If you don't want to grant permissions for all services but only for selected ones, consult the table below. The table contains the set of permissions that are required for all AWS cloud services and, for each cloud service, the optional permissions specific to that service.

Permissions required for all AWS cloud services:

- cloudwatch:GetMetricData
- cloudwatch:GetMetricStatistics
- cloudwatch:ListMetrics
- sts:GetCallerIdentity
- tag:GetResources
- tag:GetTagKeys
- ec2:DescribeAvailabilityZones
Optional permissions, one entry per service:

- acm-pca:ListCertificateAuthorities
- apigateway:GET
- apprunner:ListServices
- appstream:DescribeFleets
- appsync:ListGraphqlApis
- athena:ListWorkGroups
- rds:DescribeDBClusters
- autoscaling:DescribeAutoScalingGroups
- autoscaling:DescribeAutoScalingGroups
- cloudfront:ListDistributions
- cloudhsm:DescribeClusters
- cloudsearch:DescribeDomains
- codebuild:ListProjects
- eks:ListClusters
- datasync:ListTasks
- dax:DescribeClusters
- dms:DescribeReplicationInstances
- rds:DescribeDBClusters
- directconnect:DescribeConnections
- dynamodb:ListTables
- dynamodb:ListTables, dynamodb:ListTagsOfResource
- ec2:DescribeVolumes
- ec2:DescribeVolumes
- ec2:DescribeInstances
- ec2:DescribeSpotFleetRequests
- ecs:ListClusters
- ecs:ListClusters
- elasticache:DescribeCacheClusters
- elasticbeanstalk:DescribeEnvironments
- elasticfilesystem:DescribeFileSystems
- elasticmapreduce:ListClusters
- es:ListDomainNames
- elastictranscoder:ListPipelines
- elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeRules, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeTargetHealth
- events:ListEventBuses
- fsx:DescribeFileSystems
- gamelift:ListFleets
- glue:GetJobs
- inspector:ListAssessmentTemplates
- kafka:ListClusters
- kinesisanalytics:ListApplications
- firehose:ListDeliveryStreams
- kinesis:ListStreams
- kinesisvideo:ListStreams
- lambda:ListFunctions
- lambda:ListFunctions, lambda:ListTags
- lex:GetBots
- elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeRules, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeTargetHealth
- logs:DescribeLogGroups
- mediaconnect:ListFlows
- mediaconvert:DescribeEndpoints
- mediapackage:ListChannels
- mediapackage-vod:ListPackagingConfigurations
- mediatailor:ListPlaybackConfigurations
- ec2:DescribeNatGateways
- rds:DescribeDBClusters
- opsworks:DescribeStacks
- qldb:ListLedgers
- rds:DescribeDBInstances
- rds:DescribeDBInstances, rds:DescribeEvents, rds:ListTagsForResource
- redshift:DescribeClusters
- robomaker:ListSimulationJobs
- route53:ListHostedZones
- route53resolver:ListResolverEndpoints
- s3:ListAllMyBuckets
- s3:ListAllMyBuckets
- sagemaker:ListEndpoints
- sagemaker:ListEndpoints
- sns:ListTopics
- sqs:ListQueues
- storagegateway:ListGateways
- swf:ListDomains
- transfer:ListServers
- ec2:DescribeTransitGateways
- ec2:DescribeVpnConnections
- workmail:ListOrganizations
- workspaces:DescribeWorkspaces
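To put the "required for all services plus optional per-service permissions" rule into practice, here is an added example (not Dynatrace code) that assembles a scoped-down monitoring policy from the required actions and the optional actions of only the services you select, and audits the result so that nothing beyond read-only Describe/List/Get actions slips in. The service keys in OPTIONAL_ACTIONS are this example's own labels; the actions themselves come from the table above.

```python
# The seven actions the page lists as required for all AWS cloud services.
REQUIRED_ACTIONS = [
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
    "sts:GetCallerIdentity", "tag:GetResources", "tag:GetTagKeys",
    "ec2:DescribeAvailabilityZones",
]

# A subset of the per-service optional permissions from the table above, keyed by
# IAM service prefix (the keys are this example's own labels, not the page's).
OPTIONAL_ACTIONS = {
    "dynamodb": ["dynamodb:ListTables", "dynamodb:ListTagsOfResource"],
    "lambda": ["lambda:ListFunctions", "lambda:ListTags"],
    "rds": ["rds:DescribeDBInstances", "rds:DescribeEvents", "rds:ListTagsForResource"],
    "apigateway": ["apigateway:GET"],
}

# Verbs a monitoring-only policy is limited to (compared case-insensitively, so "apigateway:GET" passes).
READ_ONLY_VERBS = ("describe", "list", "get")


def build_policy(selected_services):
    """Least-privilege policy: the required actions plus the optional actions of
    the selected services only, de-duplicated and sorted."""
    unknown = set(selected_services) - set(OPTIONAL_ACTIONS)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    actions = set(REQUIRED_ACTIONS)
    for svc in selected_services:
        actions.update(OPTIONAL_ACTIONS[svc])
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DynatraceMonitoring", "Effect": "Allow",
                           "Action": sorted(actions), "Resource": "*"}]}


def non_read_only_actions(policy):
    """Audit helper: every Allow action whose verb is not Describe/List/Get, so a
    policy that drifted beyond read-only monitoring is caught before it is attached."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        acts = acts if isinstance(acts, list) else [acts]
        for act in acts:
            verb = act.split(":", 1)[1] if ":" in act else act
            if not verb.lower().startswith(READ_ONLY_VERBS):
                bad.append(act)
    return bad
```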
To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.
Make sure that your Environment ActiveGate or Managed Cluster has a working connection to AWS. Configure your proxy for Managed or ActiveGate, or allow access to *.amazonaws.com in your firewall settings.
The instructions below apply whether or not the account hosting your ActiveGate is the same as your monitored account.
In a typical setup, you need to create two CloudFormation stacks using CloudFormation templates:
Dynatrace Managed Server installed on an Amazon EC2 host. It must be able to assume a role within your AWS account that allows it to read the Dynatrace monitoring data.
The ID of the AWS account that hosts the ActiveGate (for example, the account that hosts your Dynatrace components, which in this case is the one hosting Environment ActiveGate or Dynatrace Managed Server).
The Amazon Web Services monitored account ID (the account you want to monitor).
The name of the role with which your Environment ActiveGate or Dynatrace Managed Server was started.
The External ID.
To enable access to your Amazon account using role-based access, follow the steps below.
Create a role for ActiveGate on the account that hosts ActiveGate
Create a monitoring role for Dynatrace on your monitored account
Modify ActiveGate configuration
role_based_access_AG_account_template.yml. For each account you want to monitor, in the Resource section of the template above, add a new item to the !Sub array in the following format: 'arn:aws:iam::<new_monitored_account_id>:role/<new_monitoring_role_name>'. Be sure to replace the placeholders (<new_monitored_account_id> and <new_monitoring_role_name>) with your own values.
Run the command below, making sure to replace the parameter values with your actual values. You need to remove the angle brackets (< and >).

```shell
aws cloudformation create-stack \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name <stack_name> \
  --template-body <file:///home/user/template_file.yaml> \
  --parameters ParameterKey=ActiveGateRoleName,ParameterValue=<role_name> \
               ParameterKey=AssumePolicyName,ParameterValue=<policy_name> \
               ParameterKey=MonitoringRoleName,ParameterValue=<monitoring_role_name> \
               ParameterKey=MonitoredAccountID,ParameterValue=<monitored_account_id>
```
Go to the Amazon EC2 console, right-click an instance hosting your Environment ActiveGate, and select Security > Modify IAM role.
Select the role you created at step 1 (for example, Dynatrace_ActiveGate_role), and select Apply.
After the Dynatrace_ActiveGate_role is created on the account hosting the ActiveGate, create a role for the account to be monitored.
Create a YAML file and paste the content from the GitHub role_based_access_monitored_account_template.yml.
Create the stack in your Amazon Console or using the CLI.
In your Amazon Console, go to CloudFormation.
Go to Stacks and create a new stack with new resources.
Select Template is ready, upload the template you created above, and select Next.
In Parameters, enter:
Optionally, adapt other parameters as needed.
Run the command below, making sure to replace the parameter values with your actual values. You need to remove the angle brackets (< and >).

```shell
aws cloudformation create-stack \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name <stack_name> \
  --template-body <file:///home/user/template_file.yaml> \
  --parameters ParameterKey=ExternalID,ParameterValue=<external_id> \
               ParameterKey=ActiveGateRoleName,ParameterValue=<activegate_role_name> \
               ParameterKey=ActiveGateAccountID,ParameterValue=<activegate_account_id> \
               ParameterKey=RoleName,ParameterValue=<role_name> \
               ParameterKey=PolicyName,ParameterValue=<policy_name>
```
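The stack above creates the monitoring role whose trust relationship lets the ActiveGate role from the ActiveGate account assume it, gated on the External ID. The following added example (not the contents of the GitHub template) shows what that trust policy looks like and includes a small audit that flags a trust policy with a wildcard principal or without the sts:ExternalId condition, the two mistakes that would let an unrelated account assume the role. The account ID, role name and External ID are constructed sample values standing in for the page's <activegate_account_id>, <activegate_role_name> and <external_id> placeholders.

```python
# Constructed sample values (not the page's own); they stand in for the
# <activegate_account_id>, <activegate_role_name> and <external_id> placeholders.
ACTIVEGATE_ACCOUNT_ID = "111111111111"
ACTIVEGATE_ROLE_NAME = "Dynatrace_ActiveGate_role"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(activegate_account_id, activegate_role_name, external_id):
    """Trust policy for the monitoring role in the monitored account: only the
    ActiveGate role in the ActiveGate account may assume it, and only when it
    presents the agreed External ID (the confused-deputy guard)."""
    principal_arn = f"arn:aws:iam::{activegate_account_id}:role/{activegate_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy):
    """Audit helper: list the problems in an AssumeRole trust policy, i.e. a
    wildcard principal or a missing sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # not an assume-role statement; nothing to check here
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*" or principal == "*":
            findings.append(f"statement {i}: wildcard principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```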
Starting with ActiveGate version 1.217, AWS monitoring is enabled by default. For configuration details, see Customize ActiveGate properties. The following configuration settings refer to earlier ActiveGate versions.
Edit the custom.properties configuration file of the ActiveGate that you want to use for AWS monitoring. Set the following properties as below:

```
[aws_monitoring]
use_aws_proxy_role = false
aws_monitoring_enabled = true
```
ActiveGate version 1.183 or earlier:

```
[vertical.topology]
use_aws_proxy_role = false

[aws_monitoring]
aws_monitoring_enabled = true
```
It's enough to use only one ActiveGate dedicated for AWS monitoring. However, some deployment scenarios (for example, for redundancy purposes) might require multiple ActiveGates in your deployment.
Make sure that only properly configured ActiveGates have aws_monitoring_enabled set to true.
Keep in mind that Dynatrace cluster nodes contain embedded ActiveGates. Make sure to set the aws_monitoring_enabled property to false on these ActiveGates if they're not configured fully for AWS monitoring.
If the ActiveGate is dedicated to AWS monitoring, you must also set the MSGrouter property to false:

```
[collector]
MSGrouter = false
```
Remove the aws_proxy_account and aws_proxy_role properties.
Save the file and restart the ActiveGate main service.
Key-based authentication is only allowed for AWS GovCloud and China partitions.
In this scenario, you have to create an AWS monitoring policy and generate a key pair with that policy.
AWS IAM permissions boundaries may prohibit AWS actions required by Dynatrace. If you use an IAM permissions boundary on your AWS account, make sure that the actions from that policy are allowed in all AWS regions within that permissions boundary.
To create the AWS monitoring policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities", "apigateway:GET", "apprunner:ListServices",
        "appstream:DescribeFleets", "appsync:ListGraphqlApis", "athena:ListWorkGroups",
        "autoscaling:DescribeAutoScalingGroups", "cloudformation:ListStackResources",
        "cloudfront:ListDistributions", "cloudhsm:DescribeClusters", "cloudsearch:DescribeDomains",
        "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
        "codebuild:ListProjects", "datasync:ListTasks", "dax:DescribeClusters",
        "directconnect:DescribeConnections", "dms:DescribeReplicationInstances",
        "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances", "ec2:DescribeNatGateways", "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeTransitGateways", "ec2:DescribeVolumes", "ec2:DescribeVpnConnections",
        "ecs:ListClusters", "eks:ListClusters", "elasticache:DescribeCacheClusters",
        "elasticbeanstalk:DescribeEnvironmentResources", "elasticbeanstalk:DescribeEnvironments",
        "elasticfilesystem:DescribeFileSystems", "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetHealth", "elasticmapreduce:ListClusters",
        "elastictranscoder:ListPipelines", "es:ListDomainNames", "events:ListEventBuses",
        "firehose:ListDeliveryStreams", "fsx:DescribeFileSystems", "gamelift:ListFleets",
        "glue:GetJobs", "inspector:ListAssessmentTemplates", "kafka:ListClusters",
        "kinesis:ListStreams", "kinesisanalytics:ListApplications", "kinesisvideo:ListStreams",
        "lambda:ListFunctions", "lambda:ListTags", "lex:GetBots", "logs:DescribeLogGroups",
        "mediaconnect:ListFlows", "mediaconvert:DescribeEndpoints",
        "mediapackage-vod:ListPackagingConfigurations", "mediapackage:ListChannels",
        "mediatailor:ListPlaybackConfigurations", "opsworks:DescribeStacks", "qldb:ListLedgers",
        "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeEvents",
        "rds:ListTagsForResource", "redshift:DescribeClusters", "robomaker:ListSimulationJobs",
        "route53:ListHostedZones", "route53resolver:ListResolverEndpoints", "s3:ListAllMyBuckets",
        "sagemaker:ListEndpoints", "sns:ListTopics", "sqs:ListQueues", "storagegateway:ListGateways",
        "sts:GetCallerIdentity", "swf:ListDomains", "tag:GetResources", "tag:GetTagKeys",
        "transfer:ListServers", "workmail:ListOrganizations", "workspaces:DescribeWorkspaces"
      ],
      "Resource": "*"
    }
  ]
}
```
Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.
Once you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.
In Dynatrace, go to Settings > Cloud and virtualization > AWS and select Connect new instance.
Select the Role-based authentication method.
Dynatrace_monitoring_role). Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page.
You should soon begin to see AWS cloud monitoring data.
If your AWS account is on a different partition than the default aws partition, you can select it and Dynatrace will connect to it instead.
To change your AWS partition
You can alter the scope and content of your monitoring depending on your preferences by using tags and listing services needed.
We recommend that you limit the scope of your AWS monitoring and reduce the number of API calls to Amazon. You can use tagging to limit the AWS resources (AWS service instances) that are monitored by Dynatrace.
To configure metric events for alerting, follow this guide.
Once your credentials are saved, you can decide which services will be monitored. To select your preferred services