

# AWS Cloud WAN events and metrics

AWS provides the following monitoring tools to watch the resources in your global network, report when something is wrong, and take automatic actions when appropriate.
+ *Amazon CloudWatch* monitors your AWS resources and the applications that you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon EventBridge* delivers a near-real-time stream of system events that describe changes in AWS resources. EventBridge enables automated event-driven computing, as you can write rules that watch for certain events and then trigger automated actions in other AWS services when these events happen. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

You must first onboard CloudWatch Logs Insights before you can view Events on the AWS Cloud WAN dashboards. See [Onboard CloudWatch Logs Insights for AWS Cloud WAN](cloudwan-onboard-events.md) for the onboarding steps. 

**Topics**
+ [CloudWatch metrics](cloudwan-metrics.md)
+ [Onboard CloudWatch Logs Insights](cloudwan-onboard-events.md)
+ [Monitor with Amazon CloudWatch Events](cloudwan-cloudwatch-events.md)
+ [Monitor Cloud WAN with CloudWatch metrics](cloudwan-cloudwatch-metrics.md)

# CloudWatch metrics in AWS Cloud WAN

You can use the following features to monitor your Cloud WAN network, analyze traffic patterns, and troubleshoot issues with your Cloud WAN global network.

## Cloud WAN metrics and dimensions

You can use metrics to verify that your system is performing as expected. For example, you can create a CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.

Amazon VPC measures and sends its metrics to CloudWatch in 60-second intervals.

For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

The `AWS/NetworkManager` namespace includes the following metrics. All metrics are always reported. 


| Metric | Description | 
| --- | --- | 
| BytesDropCountBlackhole |  The number of bytes dropped because they matched a `blackhole` route. **Statistics**: The only meaningful statistic is `Sum`.  | 
| BytesDropCountNoRoute |  The number of bytes dropped because they did not match a route. **Statistics**: The only meaningful statistic is `Sum`.  | 
| BytesIn |  The number of bytes received by the core network. **Statistics**: The only meaningful statistic is `Sum`.  | 
| BytesOut |  The number of bytes sent from the core network. **Statistics**: The only meaningful statistic is `Sum`.  | 
| PacketsIn |  The number of packets received by the core network. **Statistics**: The only meaningful statistic is `Sum`.  | 
| PacketsOut |  The number of packets sent by the core network. **Statistics**: The only meaningful statistic is `Sum`.  | 
| PacketDropCountBlackhole |  The number of packets dropped because they matched a `blackhole` route. **Statistics**: The only meaningful statistic is `Sum`.  | 
| PacketDropCountNoRoute |  The number of packets dropped because they did not match a route. **Statistics**: The only meaningful statistic is `Sum`.  | 
| PacketDropTTLExpired |  The number of packets dropped because the TTL expired. **Statistics**: The only meaningful statistic is `Sum`.  | 

### Cloud WAN metric dimensions

 Filter metric data by a combination of the following Cloud WAN core network metric dimensions.


| Dimension | Description | 
| --- | --- | 
| CoreNetwork, EdgeLocation | Filters the metric data by core network. | 
| Attachment, CoreNetwork | Filters the metric data by core network attachment. | 
| AvailabilityZone, CoreNetwork, EdgeLocation | Filters the metric data by availability zone. This is only applicable for Direct Connect. | 
| Attachment, AvailabilityZone, CoreNetwork | Filters the metric data by both core network attachment and availability zone. | 
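
The following added example (not AWS's code) builds CloudWatch alarm definitions for the packet drop metrics and rejects dimension combinations that are not in the table above, because CloudWatch treats any other combination as a separate metric with no data. It assumes the `CoreNetwork` dimension value is the core network ID; the SNS topic ARN, threshold, and evaluation settings are placeholders.

```python
NAMESPACE = "AWS/NetworkManager"
DROP_METRICS = ("PacketDropCountBlackhole", "PacketDropCountNoRoute", "PacketDropTTLExpired")
# Dimension combinations from the table above. CloudWatch treats any other
# combination as a different metric with no data, so the alarm never fires.
VALID_DIMENSION_SETS = [
    {"CoreNetwork", "EdgeLocation"},
    {"Attachment", "CoreNetwork"},
    {"AvailabilityZone", "CoreNetwork", "EdgeLocation"},
    {"Attachment", "AvailabilityZone", "CoreNetwork"},
]


def drop_alarm(metric, dimensions, threshold, topic_arn):
    """Return put_metric_alarm keyword arguments for one packet drop metric."""
    if metric not in DROP_METRICS:
        raise ValueError(f"{metric} is not a packet drop metric")
    if set(dimensions) not in VALID_DIMENSION_SETS:
        raise ValueError(f"unsupported dimension combination: {sorted(dimensions)}")
    scope = "-".join(dimensions[name] for name in sorted(dimensions))
    return {
        "AlarmName": f"cloudwan-{metric}-{scope}",
        "Namespace": NAMESPACE,
        "MetricName": metric,
        "Dimensions": [{"Name": n, "Value": dimensions[n]} for n in sorted(dimensions)],
        "Statistic": "Sum",       # the only meaningful statistic for these metrics
        "Period": 60,             # matches the 60-second reporting interval
        "EvaluationPeriods": 5,
        "DatapointsToAlarm": 3,   # assumed tuning: 3 of 5 minutes over threshold
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def deploy(alarms, region="us-west-2"):
    """Create the alarms; needs boto3 and AWS credentials, so it is not run here.

    The default Region is US West (Oregon), where this page says the
    AWS/NetworkManager metrics are available outside AWS GovCloud (US).
    """
    import boto3
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    for alarm in alarms:
        cloudwatch.put_metric_alarm(**alarm)


if __name__ == "__main__":
    # Constructed values: the core network ID format follows the ARNs on this page.
    dims = {"CoreNetwork": "core-network-abcdef01234567890", "EdgeLocation": "us-east-2"}
    topic = "arn:aws:sns:us-west-2:111122223333:netops-alerts-EXAMPLE"
    for name in DROP_METRICS:
        print(drop_alarm(name, dims, 1000, topic)["AlarmName"])
```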

## AWS Cloud WAN usage metrics

Cloud WAN usage metrics correspond to AWS service quotas for Cloud WAN. You can configure alarms that alert you when your usage approaches a service quota. For more information about CloudWatch integration with service quotas, see [CloudWatch usage metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Usage-Metrics.html) in the *Amazon CloudWatch User Guide*.

The `AWS/Usage` namespace reports the following metric for Cloud WAN:


| Metric | Description | 
| --- | --- | 
| ResourceCount | The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric. **Statistics**: The only meaningful statistic is `MAXIMUM`. | 

### AWS Cloud WAN metric dimensions

 The following dimensions are used to refine the usage metrics that are published by Cloud WAN.


| Dimension | Description | 
| --- | --- | 
| Service | The name of the AWS service containing the resource. For Cloud WAN usage metrics, the value for this dimension is NetworkManager. | 
| Type | The type of entity that is being reported. Currently, the only valid value for Cloud WAN usage metrics is Resource. | 
| Resource | The type of resource that is running. Currently, valid values for Cloud WAN usage metrics include RoutesPropagated/Inbound and RoutesPropagated/Outbound, which return the number of routes advertised and learnt over Direct Connect attachments. | 
| ResourceID | The unique identifier for the resource, such as a core network attachmentId, and might include a region code prefix for region-specific resources. | 
| Class | This dimension is reserved for future use. | 

# Onboard CloudWatch Logs Insights for AWS Cloud WAN

Before viewing events on the Events dashboard, you must complete a one-time setup that registers your events with CloudWatch Logs Insights. Until you register your events, you'll be unable to view any of your events on the dashboard.

**To onboard CloudWatch Logs Insights**

Before you begin, verify that an AWS Identity and Access Management (IAM) principal (user) in your account has the appropriate permissions to onboard to CloudWatch Logs Insights. Ensure that the IAM policy contains the following permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:DescribeRule",
                "logs:PutResourcePolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeResourcePolicies",
                "events:PutRule",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. In the navigation pane, choose **Core network**.

1. The **Overview** page opens by default. 

1. Choose the **Events** tab.

1. Choose **Onboard to CloudWatch Logs Insights**.

1. When you onboard to CloudWatch Logs Insights, the following occurs:
   + An EventBridge rule with the name `DON_NOT_DELETE_networkmanager_rule` is created in the US West (Oregon) Region.
   + A CloudWatch Logs group with the name `/aws/events/networkmanagerloggroup` is created in the US West (Oregon) Region.
   + An EventBridge rule is configured with the CloudWatch Logs group as a target.
   + A resource policy named `DO_NOT_DELETE_networkmanager_TrustEventsToStoreLogEvents` is created in the US West (Oregon) Region.

     To view this policy, run the following AWS CLI command:

     `aws logs describe-resource-policies --region us-west-2`
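
The following added example (not AWS's code) audits the JSON output of that command to confirm that the onboarding policy still exists and that it trusts only service principals with log-writing actions. The allowed principals, allowed actions, and the `/aws/events/` resource check are assumptions about what such a trust policy should contain, and the sample input is constructed.

```python
import json

POLICY_NAME = "DO_NOT_DELETE_networkmanager_TrustEventsToStoreLogEvents"
# Assumptions for this example, not taken from the page: the service principals
# and actions that a trust policy for EventBridge log delivery should contain.
ALLOWED_SERVICES = {"events.amazonaws.com", "delivery.logs.amazonaws.com"}
ALLOWED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def as_list(value):
    """IAM policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit(cli_output):
    """Return problems found in `aws logs describe-resource-policies` JSON output."""
    policies = {p["policyName"]: p for p in json.loads(cli_output)["resourcePolicies"]}
    if POLICY_NAME not in policies:
        return [f"{POLICY_NAME} not found: onboarding incomplete or policy deleted"]
    # policyDocument is itself a JSON string and needs a second parse.
    document = json.loads(policies[POLICY_NAME]["policyDocument"])
    problems = []
    for stmt in as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append(f"{sid}: principal {principal!r} is not service-only")
        else:
            extra = set(as_list(principal["Service"])) - ALLOWED_SERVICES
            if extra:
                problems.append(f"{sid}: unexpected service principals {sorted(extra)}")
        extra = set(as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            problems.append(f"{sid}: unexpected actions {sorted(extra)}")
        # Assumed scope: the policy should only reach log groups under /aws/events/.
        if not all(":log-group:/aws/events/" in r for r in as_list(stmt.get("Resource", []))):
            problems.append(f"{sid}: resource reaches beyond /aws/events/ log groups")
    return problems


def sample_output(principal, actions):
    """Constructed CLI output with one statement; account ID and Sid are placeholders."""
    document = {"Version": "2012-10-17", "Statement": [{
        "Sid": "ExampleSid", "Effect": "Allow", "Principal": principal, "Action": actions,
        "Resource": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/events/*:*"}]}
    return json.dumps({"resourcePolicies": [
        {"policyName": POLICY_NAME, "policyDocument": json.dumps(document)}]})


if __name__ == "__main__":
    good = sample_output({"Service": ["events.amazonaws.com"]},
                         ["logs:CreateLogStream", "logs:PutLogEvents"])
    loose = sample_output("*", "logs:*")
    print(audit(good), audit(loose), sep="\n")
```

To check a real account, pass the JSON text printed by the CLI command above to `audit()`.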

# Monitor with Amazon CloudWatch Events


You can monitor your core network using Amazon EventBridge, which delivers a near-real-time stream of system events that describe changes in your resources. You set up simple rules, which then can match events and route them to one or more target functions or streams. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

The following events can be sent to EventBridge:
+ [Topology changes](#cloudwan-events-topology)
+ [Route changes](#cloudwan-events-routes)
+ [Status updates](#cloudwan-events-status)
+ [Policy updates](#cloudwan-events-policy)
+ [Segment update events](#cloudwan-events-segments)
+ [Network function group update events](#cloudwan-events-nfg)

## Topology changes


Topology change events occur when there are changes to your core network resources. These changes include the following:
+ An edge location has been added to the Core Network.
+ An edge location has been deleted from the Core Network.
+ A Site-to-Site VPN attachment has been created for a Core Network.
+ A Site-to-Site VPN attachment has been deleted for a Core Network.
+ A VPC attachment has been created for a Core Network.
+ A VPC attachment has been deleted for a Core Network.
+ A Connect attachment has been created for a Core Network.
+ A Connect attachment has been deleted for a Core Network.
+ A Connect peer attachment has been created for a Core Network.
+ A Connect peer attachment has been deleted for a Core Network.
+ A Direct Connect Gateway attachment has been created for a Core Network. 
+ A Direct Connect Gateway attachment has been deleted for a Core Network. 
+ A Direct Connect Gateway attachment has been updated for a Core Network.

 The following example shows a topology update event where a core network VPC attachment has been deleted.

```
{ 
  "version": "0", 
  "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
  "detail-type": "Network Manager Topology Change", 
  "source": "aws.networkmanager", 
  "account": "111122223333", 
  "time": "2021-09-02T12:00:38Z", 
  "region": "us-west-2", 
  "resources": [ 
    "arn:aws:networkmanager::111122223333:global-network/global-network-021345abcdef6789", 
    "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"   
  ], 
  "detail": { 
    "changeType": "VPC-ATTACHMENT-DELETED", 
    "changeDescription": "A VPC attachment has been deleted from a Core Network.", 
    "edgeLocation": "us-east-2", 
    "attachmentArn": "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0",
    "vpcArn": "arn:aws:ec2:us-east-2:212869205455:vpc/vpc-049a3a24f48fcc47d", 
    "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"   
  } 
}
```

## Route changes


Routing events occur when there are changes to your core network routes. These changes include the following:
+ Routes in one or more segments have been installed.
+ Routes in one or more segments have been uninstalled.

 The following example shows a routing update event where a route was installed in one or more segments.

```
{ 
   "version": "0", 
   "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
   "detail-type": "Network Manager Routing Update", 
   "source": "aws.networkmanager", 
   "account": "111122223333", 
   "time": "2021-09-02T12:00:38Z", 
   "region": "us-west-2", 
   "resources": [ 
     "arn:aws:networkmanager::111122223333:global-network/global-network-021345abcdef6789", 
     "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890" 
   ], 
   "detail": { 
     "changeType": "SEGMENT-ROUTES-INSTALLED", 
     "changeDescription": "Routes in one or more Segments have been installed.", 
     "region": "us-east-2", 
     "segments": [ 
       "development" 
     ], 
     "sequenceNumber": 1630585228195, 
     "routes": [ 
       { 
         "destinationCidrBlock": "169.254.137.220/30", 
         "attachments": [ 
           { 
             "attachmentId": "attachment1234567890abcdef0", 
             "attachmentType": "vpn", 
             "vpnOutsideIpAddress": "3.138.83.40" 
           } 
         ],
         "routeType": "route_propagated", 
         "routeState": "active", 
         "propagatedRouteFamily": "bgp", 
         "bgpAttributes": { 
           "med": "0", 
           "asPath": [ "AS_SEQ: [65001]" ] 
         } 
       } 
     ], 
     "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"
   }
 }
```

## Status updates


Status update events occur when there are changes to your core network status. These changes include the following:
+ IPsec for a VPN connection has gone down.
+ IPsec for a VPN connection has come back up.
+ BGP for a VPN connection has gone down.
+ BGP for a VPN connection has come back up.
+ BGP for a Connect peer connection has gone down.
+ BGP for a Connect peer connection has come back up.

 The following example shows a status update event where IPsec for a VPN connection has come up.

```
{ 
   "version": "0", 
   "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
   "detail-type": "Network Manager Status Update", 
   "source": "aws.networkmanager", 
   "account": "111122223333", 
   "time": "2021-09-02T12:00:38Z", 
   "region": "us-west-2", 
   "resources": [ 
     "arn:aws:networkmanager::111122223333:global-network/global-network-021345abcdef6789", 
     "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890" 
   ], 
   "detail": { 
     "changeType": "VPN-CONNECTION-IPSEC-UP", 
     "changeDescription": "IPsec for a VPN connection has come up.", 
     "region": "us-west-2", 
     "attachmentArn": "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0", 
     "outsideIpAddress": "35.161.41.136", 
     "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890" 
   } 
 }
```

## Policy updates


Policy update events occur when there are changes to your core network policies. These changes include the following:
+ A change set is ready to run for a core network policy.
+ A change set was run successfully for a core network policy.

 The following example shows a policy update event where a change set was run successfully.

```
{ 
   "version": "0", 
   "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
   "detail-type": "Network Manager Policy Update", 
   "source": "aws.networkmanager", 
   "account": "111122223333", 
   "time": "2021-09-02T12:00:38Z", 
   "region": "us-west-2", 
   "resources": [ 
     "arn:aws:networkmanager::111122223333:global-network/global-network-1234567890abcdef0", 
     "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890" 
   ], 
   "detail": { 
     "changeType": "CHANGE-SET-EXECUTED", 
     "changeDescription": "A change-set has been sucessfully executed for a Core Network policy.", 
     "policyVersionId":"1",
     "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"
   } 
 }
```

## Segment update events


Segment update events occur when there are changes to your core network segments. These changes include the following:
+ An attachment was associated with a segment.
+ An attachment was mapped to a different segment.
+ An attachment was disassociated from a segment.

 The following example shows a segment update event where an attachment was mapped to a different segment.

```
{ 
   "version": "0", 
   "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
   "detail-type": "Network Manager Segment Update", 
   "source": "aws.networkmanager", 
   "account": "111122223333", 
   "time": "2021-09-02T12:00:38Z", 
   "region": "us-west-2", 
   "resources": [ 
     "arn:aws:networkmanager::111122223333:global-network/global-network-021345abcdef6789", 
     "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890" 
   ], 
   "detail": { 
     "changeType": "ATTACHMENT-ASSOCIATION-MODIFIED", 
     "changeDescription": "An attachment has been mapped to a different Segment.", 
     "attachmentArn": "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0",
     "previousSegmentName": "development",
     "segmentName": "production",
     "edgeLocation": "us-west-2",
     "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"
   } 
 }
```

## Network function group update events


A network function group event occurs when any of the following changes occur:
+ An attachment was associated with a different network function group.
+ An attachment was mapped to a different network function group.
+ An attachment was disassociated from a network function group.

 The following example shows a network function group update event where an attachment is associated with a different network function group.

```
{ 
   "version": "0", 
   "id": "13143a7e-806e-a904-300b-ef874c56eaac", 
   "detail-type": "Network Manager Network Function Group Update", 
   "source": "aws.networkmanager", 
   "account": "111122223333", 
   "time": "2024-06-12T12:00:00Z", 
   "region": "us-west-2", 
   "resources": [ 
     "arn:aws:networkmanager::111122223333:global-network/global-network-021345abcdef6789", 
     "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890",
     "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0"
   ], 
   "detail": { 
     "changeType": "ATTACHMENT_MODIFIED", 
     "changeDescription": "An attachment is disassociated from network function group and associated with a new function group.", 
     "attachmentArn": "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0",
     "previousNetworkFunctionGroupName": "development",
     "newNetworkFunctionGroupName": "production",
     "edgeLocation": "us-west-2",
     "coreNetworkArn": "arn:aws:networkmanager::111122223333:core-network/core-network-abcdef01234567890"
   } 
 }
```
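
The following added example (not AWS's code) shows one way to triage the event types above after EventBridge delivers them: it flags attachments that move into a sensitive segment or network function group, default routes installed in a sensitive segment, executed policy change sets, and deletions. The `PROTECTED` set, the choice of what to flag, and the default-route sample event are assumptions; the other sample inputs are trimmed from the events on this page.

```python
import ipaddress

# Assumption for this example: segment and network function group names
# that should only change through a reviewed policy update.
PROTECTED = {"production"}


def triage(event):
    """Return findings (strings) for one Cloud WAN event delivered by EventBridge."""
    if event.get("source") != "aws.networkmanager":
        return []  # not a Network Manager event
    kind = event.get("detail-type", "")
    d = event.get("detail", {})
    change = d.get("changeType", "UNKNOWN")
    findings = []
    if kind in ("Network Manager Segment Update",
                "Network Manager Network Function Group Update"):
        # The two event types use different field names for old and new group.
        old = d.get("previousSegmentName", d.get("previousNetworkFunctionGroupName"))
        new = d.get("segmentName", d.get("newNetworkFunctionGroupName"))
        if new in PROTECTED and old != new:
            findings.append(f"{change}: {d.get('attachmentArn')} moved {old} -> {new}")
    elif kind == "Network Manager Routing Update":
        if change == "SEGMENT-ROUTES-INSTALLED" and PROTECTED & set(d.get("segments", [])):
            for route in d.get("routes", []):
                net = ipaddress.ip_network(route["destinationCidrBlock"], strict=False)
                if net.prefixlen == 0:  # a default route attracts all unmatched traffic
                    via = [a.get("attachmentId") for a in route.get("attachments", [])]
                    findings.append(f"{change}: default route {net} via {via}")
    elif kind == "Network Manager Policy Update":
        if change == "CHANGE-SET-EXECUTED":
            findings.append(f"{change}: policy version {d.get('policyVersionId')} is live")
    elif kind == "Network Manager Topology Change":
        if change.endswith("-DELETED"):
            findings.append(f"{change}: {d.get('attachmentArn', d.get('edgeLocation'))}")
    elif kind != "Network Manager Status Update":
        # Status updates are left to availability alerting; anything else is new.
        findings.append(f"unrecognized detail-type {kind!r}; review manually")
    return findings


# Constructed inputs, trimmed from the sample events on this page; the
# default-route event and its attachment ID are invented for the example.
ARN = "arn:aws:networkmanager::111122223333:attachment/attachment-1234567890abcdef0"
SAMPLES = [
    {"source": "aws.networkmanager", "detail-type": "Network Manager Segment Update",
     "detail": {"changeType": "ATTACHMENT-ASSOCIATION-MODIFIED", "attachmentArn": ARN,
                "previousSegmentName": "development", "segmentName": "production"}},
    {"source": "aws.networkmanager", "detail-type": "Network Manager Routing Update",
     "detail": {"changeType": "SEGMENT-ROUTES-INSTALLED", "segments": ["development"],
                "routes": [{"destinationCidrBlock": "169.254.137.220/30"}]}},
    {"source": "aws.networkmanager", "detail-type": "Network Manager Routing Update",
     "detail": {"changeType": "SEGMENT-ROUTES-INSTALLED", "segments": ["production"],
                "routes": [{"destinationCidrBlock": "0.0.0.0/0",
                            "attachments": [{"attachmentId": "attachment-EXAMPLE"}]}]}},
    {"source": "aws.networkmanager", "detail-type": "Network Manager Policy Update",
     "detail": {"changeType": "CHANGE-SET-EXECUTED", "policyVersionId": "1"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```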

# Monitor AWS Cloud WAN with Amazon CloudWatch Events metrics

You can monitor your core network and core network attachments using Amazon CloudWatch under the `AWS/NetworkManager` namespace, which collects raw data and processes it into readable, near-real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your network is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

**Note**  
CloudWatch metrics in the `AWS/NetworkManager` namespace are available only in the following Regions:
+ US West (Oregon) for all Regions except AWS GovCloud (US)
+ AWS GovCloud (US-West) for AWS GovCloud (US-West) and AWS GovCloud (US-East)

You can view usage metrics for any of your core network edge locations.

## View usage metrics for an edge location


View usage metrics for a specific core network edge.

**To access usage metrics for a core network edge location**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global Networks**.

1. On the **Global networks** page, choose the global network ID.

1. In the navigation pane, choose **Core networks**, and then choose the **Monitoring** tab.

1. On the **Core network** page, choose the **Show metrics** dropdown list, and then choose **Usage**.

1. From the **Core network edge** dropdown list, choose the edge location that you want to see metrics for.

1. (Optional) Metrics and events use the default time set up in the CloudWatch Events event. To set a custom time frame, choose **Custom** and then choose a **Relative** or **Absolute** time, and then choose if you want to see that date range in **UTC** or the edge location's **Local time zone**.

   Choose **Add to dashboard** to add this metric to your CloudWatch dashboard. For more information about using CloudWatch dashboards, see [Using Amazon CloudWatch Dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html) in the *Amazon CloudWatch User Guide*.

   **Note**  
   The **Add to dashboard** option only works if your registered transit gateway is in the US West (Oregon) Region.

1. The Metrics page displays the usage metrics for the specified edge location during the chosen time frame. For more information about these metrics, see [Cloud WAN metrics and dimensions](cloudwan-metrics.md#cloudwan-metrics-tbl).