CloudWatch metrics for AWS PrivateLink - Amazon Virtual Private Cloud

AWS PrivateLink publishes data points to Amazon CloudWatch for your interface endpoints, Gateway Load Balancer endpoints, and endpoint services. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time series data, known as metrics. Think of a metric as a variable to monitor, and the data points as the values of that variable over time. Each data point has an associated timestamp and an optional unit of measurement.

You can use metrics to verify that your system is performing as expected. For example, you can create a CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.

Metrics are published for all interface endpoints, Gateway Load Balancer endpoints, and endpoint services. They are not published for gateway endpoints. By default, AWS PrivateLink sends metrics to CloudWatch in one-minute intervals, at no additional cost.

For more information, see the Amazon CloudWatch User Guide.

Endpoint metrics and dimensions

The AWS/PrivateLinkEndpoints namespace includes the following metrics for interface endpoints and Gateway Load Balancer endpoints.

Metric Description
ActiveConnections

The number of concurrent active connections. This includes connections in the SYN_SENT and ESTABLISHED states.

Reporting criteria: The endpoint received traffic during the one-minute period.

Statistics: The most useful statistics are Average, Maximum, and Minimum.

Dimensions
  • Endpoint Type, Service Name, VPC Endpoint Id, VPC Id

  • Endpoint Type, Service Name, Subnet Id, VPC Endpoint Id, VPC Id

BytesProcessed

The number of bytes exchanged between endpoints and endpoint services, aggregated in both directions. This is the number of bytes billed to the owner of the endpoint. The bill displays this value in GB.

Reporting criteria: The endpoint received traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, Maximum, and Minimum.

Dimensions
  • Endpoint Type, Service Name, VPC Endpoint Id, VPC Id

  • Endpoint Type, Service Name, Subnet Id, VPC Endpoint Id, VPC Id

NewConnections

The number of new connections established through the endpoint.

Reporting criteria: The endpoint received traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, Maximum, and Minimum.

Dimensions
  • Endpoint Type, Service Name, VPC Endpoint Id, VPC Id

  • Endpoint Type, Service Name, Subnet Id, VPC Endpoint Id, VPC Id

PacketsDropped

The number of packets dropped by the endpoint. This metric might not capture all packet drops. Increasing values could indicate that the endpoint or endpoint service is unhealthy.

Reporting criteria: The endpoint received traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, and Maximum.

Dimensions
  • Endpoint Type, Service Name, VPC Endpoint Id, VPC Id

  • Endpoint Type, Service Name, Subnet Id, VPC Endpoint Id, VPC Id

RstPacketsReceived

The number of RST packets received by the endpoint. Increasing values could indicate that the endpoint service is unhealthy.

Reporting criteria: The endpoint received traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, and Maximum.

Dimensions
  • Endpoint Type, Service Name, VPC Endpoint Id, VPC Id

  • Endpoint Type, Service Name, Subnet Id, VPC Endpoint Id, VPC Id

To filter these metrics, use the following dimensions.

Dimension         Description
Endpoint Type     Filters the metric data by endpoint type (Interface | GatewayLoadBalancer).
Service Name      Filters the metric data by service name.
Subnet Id         Filters the metric data by subnet.
VPC Endpoint Id   Filters the metric data by VPC endpoint.
VPC Id            Filters the metric data by VPC.
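The two health signals above, PacketsDropped and RstPacketsReceived, are only published for a minute in which the endpoint actually received traffic, which matters when you alarm on them. The following Python is an added example and not code from the AWS documentation: it builds the GetMetricData request for those two metrics of one endpoint (the MetricDataQueries / MetricStat / Dimensions field names are the real CloudWatch request shape, the same JSON that `aws cloudwatch get-metric-data --metric-data-queries` accepts) and then evaluates constructed sample datapoints the way a CloudWatch alarm would. The endpoint, service and VPC identifiers and the datapoint series are constructed sample values, and breaching_periods is a hypothetical helper that mirrors alarm evaluation rather than any CloudWatch API call.

```python
"""Query and evaluate PrivateLink endpoint health metrics.

Added example, not AWS's own code. The MetricDataQueries / MetricStat /
Dimensions structure is the real CloudWatch GetMetricData request shape;
the identifiers and datapoint series below are constructed sample values,
and breaching_periods is a hypothetical helper that mirrors CloudWatch
alarm evaluation rather than any CloudWatch API call.
"""
import json

NAMESPACE = "AWS/PrivateLinkEndpoints"
HEALTH_METRICS = ("PacketsDropped", "RstPacketsReceived")


def endpoint_dimensions(endpoint_type, service_name, vpc_endpoint_id, vpc_id,
                        subnet_id=None):
    """Dimension set for one endpoint. The names contain spaces exactly as
    CloudWatch publishes them, so quote them on a command line. Passing
    subnet_id selects the per-subnet series instead of the per-endpoint one."""
    dims = [
        {"Name": "Endpoint Type", "Value": endpoint_type},
        {"Name": "Service Name", "Value": service_name},
        {"Name": "VPC Endpoint Id", "Value": vpc_endpoint_id},
        {"Name": "VPC Id", "Value": vpc_id},
    ]
    if subnet_id is not None:
        dims.insert(2, {"Name": "Subnet Id", "Value": subnet_id})
    return dims


def health_queries(dims, period=60):
    """One MetricDataQuery per health metric, using Sum over each one-minute
    period (the statistic recommended above for drop and RST counts)."""
    return [
        {
            "Id": name.lower(),  # query ids must start with a lowercase letter
            "MetricStat": {
                "Metric": {"Namespace": NAMESPACE, "MetricName": name,
                           "Dimensions": dims},
                "Period": period,
                "Stat": "Sum",
            },
            "ReturnData": True,
        }
        for name in HEALTH_METRICS
    ]


def metric_data_queries_json(dims):
    """The JSON document to pass as --metric-data-queries to
    `aws cloudwatch get-metric-data`."""
    return json.dumps(health_queries(dims))


def breaching_periods(values, threshold, evaluation_periods, datapoints_to_alarm,
                      treat_missing_as_breaching=False):
    """Alarm-style evaluation: True when at least datapoints_to_alarm of the
    last evaluation_periods values exceed threshold. None marks a period with
    no datapoint; for these metrics that is normal whenever the endpoint
    received no traffic in that minute (the reporting criteria), so treating
    missing data as breaching raises alarms on idle endpoints."""
    window = values[-evaluation_periods:]
    breaching = 0
    for v in window:
        if v is None:
            breaching += 1 if treat_missing_as_breaching else 0
        elif v > threshold:
            breaching += 1
    return breaching >= datapoints_to_alarm


if __name__ == "__main__":
    # Constructed sample: an interface endpoint to a hypothetical service.
    dims = endpoint_dimensions("Interface",
                               "com.amazonaws.vpce.region.vpce-svc-0123456789EXAMPLE",
                               "vpce-0123456789EXAMPLE", "vpc-0123456789EXAMPLE")
    print(metric_data_queries_json(dims))
    # Constructed RstPacketsReceived sums for the last five minutes, oldest first.
    rst = [0, 3, None, 40, 55]
    print("RST alarm:", breaching_periods(rst, 10, 5, 2))
    # An endpoint that carried traffic in only one of five minutes.
    drops = [None, None, None, 2, None]
    print("drops, missing ignored:", breaching_periods(drops, 0, 5, 3))
    print("drops, missing breaching:", breaching_periods(drops, 0, 5, 3, True))
```

The last two calls show the caveat: with the missing minutes ignored the sparse drop series does not alarm, while treating missing data as breaching fires on an endpoint that simply had no traffic. For these metrics, configure the alarm to treat missing data as not breaching (or as "ignore") unless you deliberately want to be paged when an endpoint goes quiet.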

Endpoint service metrics and dimensions

The AWS/PrivateLinkServices namespace includes the following metrics for endpoint services.

Metric Description
ActiveConnections

The maximum number of active connections from clients to targets through the endpoints. Increasing values could indicate the need to add targets to the load balancer.

Reporting criteria: An endpoint connected to the endpoint service sent traffic during the one-minute period.

Statistics: The most useful statistics are Average and Maximum.

Dimensions
  • Service Id

  • Az, Service Id

  • Load Balancer Arn, Service Id

  • Az, Load Balancer Arn, Service Id

  • Service Id, VPC Endpoint Id

BytesProcessed

The number of bytes exchanged between endpoint services and endpoints, in both directions.

Reporting criteria: An endpoint connected to the endpoint service sent traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, and Maximum.

Dimensions
  • Service Id

  • Az, Service Id

  • Load Balancer Arn, Service Id

  • Az, Load Balancer Arn, Service Id

  • Service Id, VPC Endpoint Id

EndpointsCount

The number of endpoints connected to the endpoint service.

Reporting criteria: There is a nonzero value during the five-minute period.

Statistics: The most useful statistics are Average and Maximum.

Dimensions
  • Service Id

NewConnections

The number of new connections established from clients to targets through the endpoints. Increasing values could indicate the need to add targets to the load balancer.

Reporting criteria: An endpoint connected to the endpoint service sent traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, and Maximum.

Dimensions
  • Service Id

  • Az, Service Id

  • Load Balancer Arn, Service Id

  • Az, Load Balancer Arn, Service Id

  • Service Id, VPC Endpoint Id

RstPacketsSent

The number of RST packets sent to endpoints by the endpoint service. Increasing values could indicate that there are unhealthy targets.

Reporting criteria: An endpoint connected to the endpoint service sent traffic during the one-minute period.

Statistics: The most useful statistics are Average, Sum, and Maximum.

Dimensions
  • Service Id

  • Az, Service Id

  • Load Balancer Arn, Service Id

  • Az, Load Balancer Arn, Service Id

  • Service Id, VPC Endpoint Id

To filter these metrics, use the following dimensions.

Dimension          Description
Az                 Filters the metric data by Availability Zone.
Load Balancer Arn  Filters the metric data by load balancer.
Service Id         Filters the metric data by endpoint service.
VPC Endpoint Id    Filters the metric data by VPC endpoint.

You can view these CloudWatch metrics using the Amazon VPC console, the CloudWatch console, or the AWS CLI as follows.

To view metrics using the Amazon VPC console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. To view endpoint metrics, choose Endpoints in the navigation pane, select your endpoint, and then choose the Monitoring tab.

  3. To view endpoint service metrics, choose Endpoint services in the navigation pane, select your endpoint service, and then choose the Monitoring tab.

To view metrics using the CloudWatch console
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Metrics.

  3. To view endpoint metrics, select the AWS/PrivateLinkEndpoints namespace.

  4. To view endpoint service metrics, select the AWS/PrivateLinkServices namespace.

To view metrics using the AWS CLI

Use the following list-metrics command to list the available metrics for interface endpoints and Gateway Load Balancer endpoints:

aws cloudwatch list-metrics --namespace AWS/PrivateLinkEndpoints

Use the following list-metrics command to list the available metrics for endpoint services:

aws cloudwatch list-metrics --namespace AWS/PrivateLinkServices

AWS PrivateLink provides built-in Contributor Insights rules for your endpoint services to help you find which endpoints are the largest contributors to each supported metric. For more information, see Contributor Insights in the Amazon CloudWatch User Guide.

AWS PrivateLink provides the following rules:

  • VpcEndpointService-ActiveConnectionsByEndpointId-v1 – Ranks endpoints by the number of active connections.

  • VpcEndpointService-BytesByEndpointId-v1 – Ranks endpoints by the number of bytes processed.

  • VpcEndpointService-NewConnectionsByEndpointId-v1 – Ranks endpoints by the number of new connections.

  • VpcEndpointService-RstPacketsByEndpointId-v1 – Ranks endpoints by the number of RST packets sent to endpoints.

Before you can use a built-in rule, you must enable it. After you enable a rule, it starts collecting contributor data. For information about the charges for Contributor Insights, see Amazon CloudWatch Pricing.

You must have the following permissions to use Contributor Insights:

  • cloudwatch:DeleteInsightRules – To delete Contributor Insights rules.

  • cloudwatch:DisableInsightRules – To disable Contributor Insights rules.

  • cloudwatch:GetInsightRuleReport – To get the data.

  • cloudwatch:ListManagedInsightRules – To list the available Contributor Insights rules.

  • cloudwatch:PutManagedInsightRules – To enable Contributor Insights rules.

Enable Contributor Insights rules

Use the following procedures to enable the built-in rules for AWS PrivateLink using either the AWS Management Console or the AWS CLI.

To enable the Contributor Insights rules for AWS PrivateLink using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select your endpoint service.

  4. On the Contributor Insights tab, choose Enable.

  5. (Optional) By default, all rules are enabled. To enable only specific rules, select the rules that should not be enabled and then choose Actions, Disable rule. When prompted for confirmation, choose Disable.

To enable the Contributor Insights rules for AWS PrivateLink using the AWS CLI
  1. Use the list-managed-insight-rules command as follows to enumerate the available rules. For the --resource-arn option, specify the ARN of your endpoint service.

    aws cloudwatch list-managed-insight-rules --resource-arn arn:aws:ec2:region:account-id:vpc-endpoint-service/vpc-svc-0123456789EXAMPLE
  2. In the output of the list-managed-insight-rules command, copy the name of the template from the TemplateName field. The following is an example of this field.

    "TemplateName": "VpcEndpointService-NewConnectionsByEndpointId-v1"
  3. Use the put-managed-insight-rules command as follows to enable the rule. You must specify the template name and the ARN of your endpoint service.

    aws cloudwatch put-managed-insight-rules --managed-rules TemplateName=VpcEndpointService-NewConnectionsByEndpointId-v1,ResourceARN=arn:aws:ec2:region:account-id:vpc-endpoint-service/vpc-svc-0123456789EXAMPLE
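The three CLI steps above enable one rule at a time by copying a template name by hand. The following Python is an added example, not code from the AWS documentation, that automates the same procedure for all four built-in PrivateLink rules: it reads the JSON that list-managed-insight-rules prints, works out which rules still need to be created, and produces the exact put-managed-insight-rules argument vector. It assumes the ManagedRules, TemplateName, ResourceARN and RuleState.State fields of the real ListManagedInsightRules response, and assumes that a template with no rule created yet is reported without a RuleState field; the sample output, the rule name inside it and the account/region placeholders in the ARN are constructed values. A rule that exists but is disabled is re-enabled with enable-insight-rules instead of being recreated.

```python
"""Enable every built-in PrivateLink Contributor Insights rule for a service.

Added example, not AWS's own code. Assumes the ManagedRules / TemplateName /
ResourceARN / RuleState.State response fields of list-managed-insight-rules,
and that a template with no rule yet is listed without RuleState (assumption).
SAMPLE_LIST_OUTPUT, including the rule name in it, is constructed sample data.
"""
import json
import shlex

PRIVATELINK_TEMPLATES = (
    "VpcEndpointService-ActiveConnectionsByEndpointId-v1",
    "VpcEndpointService-BytesByEndpointId-v1",
    "VpcEndpointService-NewConnectionsByEndpointId-v1",
    "VpcEndpointService-RstPacketsByEndpointId-v1",
)
SERVICE_ARN = ("arn:aws:ec2:region:account-id:vpc-endpoint-service/"
               "vpc-svc-0123456789EXAMPLE")

# Constructed sample of list-managed-insight-rules output for one service:
# NewConnections already enabled, Bytes created but disabled, the other two
# never created (no RuleState). "example-Bytes-rule" is a made-up rule name.
SAMPLE_LIST_OUTPUT = json.dumps({"ManagedRules": [
    {"TemplateName": PRIVATELINK_TEMPLATES[2], "ResourceARN": SERVICE_ARN,
     "RuleState": {"RuleName": "example-NewConnections-rule", "State": "ENABLED"}},
    {"TemplateName": PRIVATELINK_TEMPLATES[0], "ResourceARN": SERVICE_ARN},
    {"TemplateName": PRIVATELINK_TEMPLATES[1], "ResourceARN": SERVICE_ARN,
     "RuleState": {"RuleName": "example-Bytes-rule", "State": "DISABLED"}},
    {"TemplateName": PRIVATELINK_TEMPLATES[3], "ResourceARN": SERVICE_ARN},
]})


def classify_rules(list_output_json):
    """Split the listed managed rules into:
    - to_create: (TemplateName, ResourceARN) pairs with no rule yet;
    - disabled:  names of existing rules whose State is not ENABLED.
    Templates that are not PrivateLink rules are ignored."""
    data = json.loads(list_output_json)
    to_create, disabled = [], []
    for rule in data.get("ManagedRules", []):
        template = rule["TemplateName"]
        if template not in PRIVATELINK_TEMPLATES:
            continue
        state = rule.get("RuleState")
        if state is None:
            to_create.append((template, rule["ResourceARN"]))
        elif state.get("State") != "ENABLED":
            disabled.append(state["RuleName"])
    return to_create, disabled


def put_managed_rules_command(to_create):
    """argv for put-managed-insight-rules. Each list element is one shorthand
    token "TemplateName=...,ResourceARN=..."; a space after the comma would
    split the token into two arguments and the CLI would reject the call."""
    if not to_create:
        return []
    argv = ["aws", "cloudwatch", "put-managed-insight-rules", "--managed-rules"]
    argv += [f"TemplateName={t},ResourceARN={arn}" for t, arn in to_create]
    return argv


def enable_rules_command(disabled):
    """argv for enable-insight-rules, which resumes an existing disabled rule."""
    if not disabled:
        return []
    return ["aws", "cloudwatch", "enable-insight-rules", "--rule-names", *disabled]


if __name__ == "__main__":
    to_create, disabled = classify_rules(SAMPLE_LIST_OUTPUT)
    for argv in (put_managed_rules_command(to_create), enable_rules_command(disabled)):
        if argv:
            print(shlex.join(argv))
```

In practice the JSON comes from `aws cloudwatch list-managed-insight-rules --resource-arn <service ARN>` rather than the embedded sample, and the printed commands are run by the same principal, which needs cloudwatch:ListManagedInsightRules, cloudwatch:PutManagedInsightRules and, for the re-enable path, cloudwatch:EnableInsightRules.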

Disable Contributor Insights rules

You can disable the built-in rules for AWS PrivateLink at any time. After you disable a rule, it stops collecting contributor data, but existing contributor data is kept until it is 15 days old. After you disable a rule, you can enable it again to resume collecting contributor data.

To disable the Contributor Insights rules for AWS PrivateLink using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select your endpoint service.

  4. On the Contributor Insights tab, choose Disable all to disable all rules. Alternatively, expand the Rules panel, select the rules to disable, and then choose Actions, Disable rule.

  5. When prompted for confirmation, choose Disable.

To disable the Contributor Insights rules for AWS PrivateLink using the AWS CLI

Use the disable-insight-rules command to disable a rule.

Delete Contributor Insights rules

Use the following procedures to delete the built-in rules for AWS PrivateLink using either the AWS Management Console or the AWS CLI. After you delete a rule, it stops collecting contributor data and we delete the existing contributor data.

To delete Contributor Insights rules for AWS PrivateLink using the console
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Insights, Contributor Insights.

  3. Expand the Rules panel and select the rules.

  4. Choose Actions, Delete rule.

  5. When prompted for confirmation, choose Delete.

To delete Contributor Insights rules for AWS PrivateLink using the AWS CLI

Use the delete-insight-rules command to delete a rule.