Monitor VPC interface endpoints with CloudWatch metrics and alarms
Michael Wittig – 29 Aug 2022
Many VPC designs make use of private subnets. To communicate with AWS APIs, you either need a NAT gateway or VPC endpoints. S3 and DynamoDB are special because they support gateway endpoints. All other AWS services support interface endpoints.
A VPC interface endpoint is a finite resource that can be exhausted. That’s why you need to add monitoring to be alerted if the interface endpoint gets a bottleneck.
Each interface endpoint sends metrics to CloudWatch that we can monitor with CloudWatch alarms. We recommend creating alarms for the following metrics:
PacketsDropped: The number of packets dropped by the interface endpoint (Increasing values could indicate that the endpoint or endpoint service is unhealthy).
RstPacketsReceived: The number of RST packets received by the interface endpoint (Increasing values could indicate that the endpoint service is unhealthy).
Unfortunately, interface endpoints do not report a single metric on the throughput utilization of bandwidth. The maximum bandwidth is 100 Gbit/second. Luckily, we can calculate throughput by using CloudWatch metric math.
To calculate the bandwidth utilization, we use the following metrics:
And the following expressions:
|bandwidth||bytesProcessed/60*8/1000/1000/1000||Bytes/min to Gbit/s|
|utilization||bandwidth/45*100||to %; 45 Gbit/s is the hard limit|
CloudWatch metric math sounds complicated? We have you covered! Monitor VPC interface endpoints and receive alerts in Slack or Microsoft Teams!
Take your AWS monitoring to a new level! Chatbot for AWS Monitoring: Configure monitoring, escalate alerts, solve incidents.