Running a canary on a VPC - Amazon CloudWatch

You can run canaries on endpoints on a VPC and public internal endpoints. To run a canary on a VPC, you must have both the DNS Resolution and DNS hostnames options enabled on the VPC. For more information, see Using DNS with Your VPC.

When you run a canary on a VPC endpoint, you must provide a way for it to send its metrics to CloudWatch and its artifacts to Amazon S3. If the VPC is already enabled for internet access, there's nothing more for you to do. The canary executes in your VPC, but can access the internet to upload its metrics and artifacts.

If the VPC is not already enabled for internet access, you have two options:

Troubleshooting a canary on a VPC

If you have issues after creating or updating a canary, one of the following sections might help you troubleshoot the problem.

New canary in error state or canary can't be updated

If you create a canary to run on a VPC and it immediately goes into an error state, or you can't update a canary to run on a VPC, the canary's role might not have the right permissions. To run on a VPC, a canary must have the permissions ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface. These permissions are all contained in the AWSLambdaVPCAccessExecutionRole managed policy. For more information, see Execution Role and User Permissions.

If this issue happened when you created a canary, you must delete the canary and create a new one. If you use the CloudWatch console to create the new canary, under Access Permissions, select Create a new role. A new role that includes all permissions required to run the canary is created.

If this issue happens when you update a canary, you can update the canary again and provide a new role that has the required permissions.

"No test result returned" Error

If a canary displays a "no test result returned" error, one of the following issues might be the cause:

  • If your VPC does not have internet access, you must use VPC endpoints to give the canary access to CloudWatch and Amazon S3. You must enable the DNS resolution and DNS hostnames options in the VPC for these endpoint addresses to resolve correctly. For more information, see Using DNS with Your VPC.

  • Canaries must run in private subnets within a VPC. To check this, open the Subnets page in the VPC console. Check the subnets that you selected when configuring the canary. If they have a path to an internet gateway (igw-), they are not private subnets.
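
The private-subnet check above can also be run against route table data instead of the console. The following is an added example, not part of the AWS documentation: it takes the `RouteTables` array in the shape returned by `aws ec2 describe-route-tables` for a single VPC and reports which of a canary's subnets have an active route to an internet gateway, including subnets with no explicit association, which fall back to the main route table. The sample data, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output for one VPC.
# All IDs are made up; subnet-b has no explicit association.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
  {"RouteTableId": "rtb-private",
   "Associations": [{"Main": false, "SubnetId": "subnet-a"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
  {"RouteTableId": "rtb-stale",
   "Associations": [{"Main": false, "SubnetId": "subnet-c"}],
   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0gone", "State": "blackhole"}]}
]}
""")


def effective_route_table(route_tables, subnet_id):
    """Return the table explicitly associated with the subnet, else the main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def igw_routes(table):
    """Active routes whose target is an internet gateway (igw-); blackhole routes are skipped."""
    return [r for r in table.get("Routes", [])
            if (r.get("GatewayId") or "").startswith("igw-") and r.get("State") == "active"]


def check_canary_subnets(route_tables, subnet_ids):
    """Map each subnet ID to 'private', 'not private via <rtb-id>' or 'unknown'."""
    result = {}
    for subnet_id in subnet_ids:
        table = effective_route_table(route_tables, subnet_id)
        if table is None:
            result[subnet_id] = "unknown"  # no matching or main table in the input
        elif igw_routes(table):
            result[subnet_id] = "not private via " + table["RouteTableId"]
        else:
            result[subnet_id] = "private"
    return result
```

Calling `check_canary_subnets(SAMPLE["RouteTables"], ["subnet-a", "subnet-b", "subnet-c"])` flags only `subnet-b`, which inherits the main table's route to an internet gateway.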

To help you troubleshoot these issues, see the logs for the canary.

To see the log events from a canary

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Log groups.

  3. Choose the name of the canary's log group. The log group name starts with /aws/lambda/cwsyn-canary-name.