Running a canary on a VPC - Amazon CloudWatch

Running a canary on a VPC

You can run canaries on endpoints on a VPC and public internal endpoints. To run a canary on a VPC, you must have both the DNS Resolution and DNS hostnames options enabled on the VPC. For more information, see Using DNS with Your VPC.

When you run a canary on a VPC endpoint, you must provide a way for it to send its metrics to CloudWatch and its artifacts to Amazon S3. If the VPC is already enabled for internet access, there's nothing more for you to do. The canary executes in your VPC, but can access the internet to upload its metrics and artifacts.

If the VPC is not already enabled for internet access, you have two options:

Giving internet access to your canary on a VPC

Follow these steps to give internet access to your VPC canary, or to assign your canary a static IP address

To give internet access to a canary on a VPC
  1. Create a NAT gateway in a public subnet on the VPC. For instructions, see Create a NAT gateway.

  2. Add a new route to the route table in the private subnet where the canary is launched. Specify the following:

    • For Destination, enter

    • For Target, choose NAT Gateway, and then choose the ID of the NAT gateway that you created.

    • Choose Save routes.

    For more information about adding the route to the route table, see Add and remove routes from a route table.


Be sure that the routes to your NAT gateway are in an active status. If the NAT gateway is deleted and you haven't updated the routes, they're in a blackhole status. For more information, see Work with NAT gateways.