Monitoring Route 53 Resolver DNS Firewall rule groups with Amazon CloudWatch
You can use Amazon CloudWatch to monitor the number of DNS queries that are filtered by Route 53 Resolver DNS Firewall rule groups. Amazon CloudWatch collects and processes raw data into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that you can access historical information and gain a better perspective on how your resources are performing. By default, metric data for DNS Firewall rule groups is automatically sent to CloudWatch at five-minute intervals.
For more information about DNS Firewall, see Using DNS Firewall to filter outbound DNS traffic. For more information about CloudWatch, see What is Amazon CloudWatch? in the Amazon CloudWatch User Guide.
Metrics and dimensions for Route 53 Resolver DNS Firewall
When you associate a Route 53 Resolver DNS Firewall rule group with a VPC to filter DNS queries, DNS Firewall starts to send metrics and dimensions once every 5 minutes to CloudWatch about the queries that it filters. For information about the metrics and dimensions for DNS Firewall, see CloudWatch metrics for Route 53 Resolver DNS Firewall.
You can use the following procedures to view the metrics in the CloudWatch console or view them by using the AWS Command Line Interface (AWS CLI).
To view DNS Firewall metrics using the CloudWatch console

1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. On the navigation bar, choose the Region that you want to view.
3. In the navigation pane, choose Metrics.
4. On the All metrics tab, choose Route 53 Resolver.
5. Choose a metric that you're interested in.
To view metrics using the AWS CLI

1. At a command prompt, use the following command:

   aws cloudwatch list-metrics --namespace "AWS/Route53Resolver"
CloudWatch metrics for Route 53 Resolver DNS Firewall
The AWS/Route53Resolver namespace includes metrics for Route 53 Resolver DNS Firewall rule groups.
Metrics for Route 53 Resolver DNS Firewall rule groups
- FirewallRuleGroupQueryVolume
  The number of DNS Firewall queries that match a firewall rule group (specified by FirewallRuleGroupId).
  Dimensions: FirewallRuleGroupId
  Valid statistics: Sum
  Units: Count
Metrics for VPCs
- VpcFirewallQueryVolume
  The number of DNS Firewall queries from a VPC (specified by VpcId).
  Dimensions: VpcId
  Valid statistics: Sum
  Units: Count
Metrics for firewall rule group and VPC association
- FirewallRuleGroupVpcQueryVolume
  The number of DNS Firewall queries from a VPC (specified by VpcId) that match a firewall rule group (specified by FirewallRuleGroupId).
  Dimensions: FirewallRuleGroupId, VpcId
  Valid statistics: Sum
  Units: Count
Metrics for a domain list in a firewall rule group
- FirewallRuleQueryVolume
  The number of DNS Firewall queries that match a firewall domain list (specified by FirewallDomainListId) within a firewall rule group (specified by FirewallRuleGroupId).
  Dimensions: FirewallRuleGroupId, FirewallDomainListId
  Valid statistics: Sum
  Units: Count
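The following Python is an added example, not part of the AWS documentation: it builds CloudWatch GetMetricData queries for the metrics and dimensions listed above (Sum statistic, 300-second period) and flags five-minute periods in which a metric's matched-query count spikes. The rule group and VPC IDs are placeholders, the response data is constructed inline, and the spike rule (more than five times the median of the other periods, with a floor of 50 queries) is an assumed tuning value; no AWS calls are made.

```python
from statistics import median
NAMESPACE = "AWS/Route53Resolver"   # namespace from the page
PERIOD_SECONDS = 300                # DNS Firewall publishes every 5 minutes

def firewall_query(metric_id, metric_name, dimensions):
    """One MetricDataQueries entry for GetMetricData; Sum is the only valid stat."""
    return {
        "Id": metric_id,
        "MetricStat": {
            "Metric": {
                "Namespace": NAMESPACE,
                "MetricName": metric_name,
                "Dimensions": [{"Name": k, "Value": v}
                               for k, v in sorted(dimensions.items())],
            },
            "Period": PERIOD_SECONDS,
            "Stat": "Sum",
        },
    }

def build_queries(rule_group_id, vpc_id):
    # The three metric/dimension combinations documented above.
    return [
        firewall_query("rg", "FirewallRuleGroupQueryVolume",
                       {"FirewallRuleGroupId": rule_group_id}),
        firewall_query("vpc", "VpcFirewallQueryVolume", {"VpcId": vpc_id}),
        firewall_query("rgvpc", "FirewallRuleGroupVpcQueryVolume",
                       {"FirewallRuleGroupId": rule_group_id, "VpcId": vpc_id}),
    ]

def spike_indexes(values, factor=5.0, floor=50):
    """Periods whose Sum >= floor and > factor x the median of the other periods (assumed rule)."""
    flagged = []
    for i, v in enumerate(values):
        others = values[:i] + values[i + 1:]
        baseline = median(others) if others else 0
        if v >= floor and v > factor * baseline:
            flagged.append(i)
    return flagged

def spiking_periods(response):
    """Map query Id -> spiking timestamps; `response` is shaped like GetMetricData output."""
    return {r["Id"]: [r["Timestamps"][i] for i in hits]
            for r in response["MetricDataResults"]
            if (hits := spike_indexes(r["Values"]))}

# Constructed sample: six 5-minute periods for one rule group, one spike.
SAMPLE_RESPONSE = {"MetricDataResults": [{"Id": "rg",
    "Timestamps": [f"2024-01-01T00:{5 * i:02d}:00Z" for i in range(6)],
    "Values": [12.0, 9.0, 14.0, 11.0, 480.0, 10.0]}]}
```

Against a live account, pass `build_queries(...)` as the `MetricDataQueries` argument of boto3's `cloudwatch.get_metric_data` (with `StartTime` and `EndTime`) and feed the response to `spiking_periods`.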