Monitor VPC interface endpoints with CloudWatch metrics and alarms
Michael Wittig – 29 Aug 2022
Many VPC designs make use of private subnets. To communicate with AWS APIs, you either need a NAT gateway or VPC endpoints. S3 and DynamoDB are special because they support gateway endpoints. All other AWS services support interface endpoints.
A VPC interface endpoint is a finite resource that can be exhausted. That's why you need to add monitoring that alerts you before the interface endpoint becomes a bottleneck.
CloudWatch metrics
Each interface endpoint sends metrics to CloudWatch that we can monitor with CloudWatch alarms. We recommend creating alarms for the following metrics:
PacketsDropped
: The number of packets dropped by the interface endpoint (increasing values could indicate that the endpoint or endpoint service is unhealthy).
RstPacketsReceived
: The number of RST packets received by the interface endpoint (increasing values could indicate that the endpoint service is unhealthy).
Monitoring throughput utilization
Unfortunately, interface endpoints do not report a metric for bandwidth utilization directly. The maximum bandwidth is 100 Gbit/second. Luckily, we can calculate the utilization ourselves using CloudWatch metric math.
To calculate the bandwidth utilization, we use the following metrics:
ID | metric | statistic | period |
---|---|---|---|
bytesProcessed | BytesProcessed | Sum | 60 |
And the following expressions:
ID | expression | comment |
---|---|---|
bandwidth | bytesProcessed/60*8/1000/1000/1000 | Bytes/min to Gbit/s (divide by 60 for bytes/s, multiply by 8 for bit/s, divide by 10^9 for Gbit/s) |
utilization | bandwidth/45*100 | to %; 45 Gbit/s is the hard limit |
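The alarms described in the two sections above (the threshold alarms on PacketsDropped and RstPacketsReceived, and the metric-math alarm built from the two tables), as an added Python example that is not part of the original post or of marbot. The functions return plain dicts shaped as keyword arguments for boto3's `cloudwatch.put_metric_alarm()`; the module makes no AWS calls on its own. The namespace `AWS/PrivateLinkEndpoints`, the dimension name `VPC Endpoint Id`, the endpoint ID and the sample byte counts are assumptions or constructed values, not taken from the page.

```python
"""CloudWatch alarm definitions for a VPC interface endpoint (added example)."""
import json

NAMESPACE = "AWS/PrivateLinkEndpoints"  # assumption: not stated on the page
DIMENSION = "VPC Endpoint Id"           # assumption: not stated on the page
PERIOD_SECONDS = 60                     # period from the metric table
LIMIT_GBIT_S = 45.0                     # hard limit used in the expression table

# Expressions copied verbatim from the expression table; LIMIT_GBIT_S must stay
# consistent with the 45 in the second expression.
BANDWIDTH_EXPR = "bytesProcessed/60*8/1000/1000/1000"
UTILIZATION_EXPR = "bandwidth/45*100"


def gbit_per_s(bytes_per_period, period=PERIOD_SECONDS):
    """Local equivalent of BANDWIDTH_EXPR: Sum of bytes over the period -> Gbit/s."""
    return bytes_per_period / period * 8 / 1000 / 1000 / 1000


def utilization_percent(bytes_per_period, limit_gbit_s=LIMIT_GBIT_S):
    """Local equivalent of UTILIZATION_EXPR: Gbit/s -> percent of the hard limit."""
    return gbit_per_s(bytes_per_period) / limit_gbit_s * 100


def breaching_minutes(byte_sums_per_minute, threshold_percent):
    """Indexes of the sample minutes whose utilization exceeds the threshold."""
    return [i for i, b in enumerate(byte_sums_per_minute)
            if utilization_percent(b) > threshold_percent]


def _dimensions(endpoint_id):
    return [{"Name": DIMENSION, "Value": endpoint_id}]


def build_counter_alarm(endpoint_id, metric_name, threshold=0.0, sns_topic_arn=None):
    """Plain alarm for PacketsDropped / RstPacketsReceived: any count above threshold."""
    alarm = {
        "AlarmName": f"{endpoint_id}-{metric_name}",
        "Namespace": NAMESPACE,
        "MetricName": metric_name,
        "Dimensions": _dimensions(endpoint_id),
        "Statistic": "Sum",
        "Period": PERIOD_SECONDS,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # an idle endpoint emits no datapoints
    }
    if sns_topic_arn:
        alarm["AlarmActions"] = [sns_topic_arn]
    return alarm


def build_utilization_alarm(endpoint_id, threshold_percent=80.0, sns_topic_arn=None):
    """Metric-math alarm: the two tables above, with only the final expression returned."""
    alarm = {
        "AlarmName": f"{endpoint_id}-BandwidthUtilization",
        "Metrics": [
            {
                "Id": "bytesProcessed",
                "MetricStat": {
                    "Metric": {"Namespace": NAMESPACE, "MetricName": "BytesProcessed",
                               "Dimensions": _dimensions(endpoint_id)},
                    "Period": PERIOD_SECONDS,
                    "Stat": "Sum",
                },
                "ReturnData": False,
            },
            {"Id": "bandwidth", "Expression": BANDWIDTH_EXPR,
             "Label": "Gbit/s", "ReturnData": False},
            {"Id": "utilization", "Expression": UTILIZATION_EXPR,
             "Label": "Utilization %", "ReturnData": True},
        ],
        # Three consecutive breaching minutes, so a single burst does not page anyone.
        "EvaluationPeriods": 3,
        "DatapointsToAlarm": 3,
        "Threshold": threshold_percent,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
    }
    if sns_topic_arn:
        alarm["AlarmActions"] = [sns_topic_arn]
    return alarm


if __name__ == "__main__":
    endpoint = "vpce-0123456789abcdef0"  # constructed placeholder ID
    for name in ("PacketsDropped", "RstPacketsReceived"):
        print(json.dumps(build_counter_alarm(endpoint, name), indent=2))
    print(json.dumps(build_utilization_alarm(endpoint), indent=2))
    # Constructed per-minute byte sums: 10 %, 90 % and 100 % of the 45 Gbit/s limit.
    print(breaching_minutes([33_750_000_000, 303_750_000_000, 337_500_000_000], 80.0))
```

To create the alarms, pass each dict to `boto3.client("cloudwatch").put_metric_alarm(**alarm)`; the local helpers exist so you can sanity-check the math against a BytesProcessed datapoint from the console before trusting the alarm threshold.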
Setup instructions
Monitoring Assistant
CloudWatch metric math sounds complicated? We have you covered! Monitor VPC interface endpoints and receive alerts in Slack or Microsoft Teams! It couldn't be easier!
- Add marbot to Slack or Microsoft Teams.
- Invite marbot to a channel.
- Follow the setup wizard.
Take your AWS monitoring to a new level! Chatbot for AWS Monitoring: Configure monitoring, escalate alerts, solve incidents.