- An AWS account
- Amazon VPC with interface endpoints configured
- AWS Identity and Access Management (IAM) role with the correct permissions
- Terraform setup as you will deploy the solution into your AWS account by launching a Terraform template.
- AWS Command Line Interface v2.1.x
- Github client v2.x
- An SNS topic to receive alarm notifications. For instructions, see Creating an SNS topic.
| Parameter | Variable | Default | Description |
| AWS Region | aws_region | sa-east-1 | The AWS Region to be used for deployment. |
| Amazon VPC Id | vpc_id | The ID of the VPC to be monitored. | |
| Alarm Critical Threshold (Bytes) | alarm_critical_threshholdbytes | 76504104960 | The monitoring threshold, in bytes, for critical alarms. |
| Alarm Threshhold (Bytes) | alarm_threshholdbytes | 56371445760 | The monitoring threshold, in bytes, for initial alarms. |
| CloudWatch Log Group | cloudwatch_loggroup | vpcendpointloggroup | The name of the CloudWatch log group name that will capture flow log data. |
| CloudWatch Metric NameSpace | name_space | vpcendpoint | The CloudWatch metric namespace that will collect metrics for all endpoint interfaces. |
| SNS Topic ARN for Alarm notification | sns_topic_arn | The ARN of the SNS topic configured for the CloudWatch alarm. | |
| Log Processing Interval (Min) | timerange_min | 1 | The duration, in minutes, the Lambda function will use to capture log data from the CloudWatch log group. |
$ git clone https://github.com/aws-samples/aws-privatelink-interface-endpoint-monitoring
$ terraform init
#Modify variables.tf input parameters as per environment needs by referring above table
$ terraform plan
$ terraform apply- An IAM role, vpcflowlogcwrole, allows VPC Flow Logs to be written to CloudWatch Logs.
- A VPC flow log where records are stored in this format:
${interface-id} ${bytes} ${subnet-id} ${vpc-id} ${account-id}
| interface-id | The ID of the network interface for which the traffic is recorded. |
| bytes | The number of bytes transferred during the flow. |
| subnet-id | The ID of the subnet that contains the network interface for which the traffic is recorded. |
| vpc-id | The ID of the VPC that contains the network interface for which the traffic is recorded. |
| account-id | The AWS account ID of the owner of the source network interface for which traffic is recorded. |
- A CloudWatch log group, which captures flow log data in an individual log stream for each interface VPC endpoint.
- An EventBridge rule that triggers the Lambda function at scheduled intervals.
- A Lambda function written in Python with environment variables as per user-defined parameters.
- CloudWatch metrics are created as part of the Lambda function run.
- Two CloudWatch alarm definitions with each endpoint interface name. Additionally Critical alarms are suffixed with
Critical.
Now that your data is available in CloudWatch Metrics, you can create an interactive Amazon CloudWatch dashboard using the instructions mentioned here Creating a CloudWatch dashboard.
Figure 2: CloudWatch dashboard
For every interface endpoint, two alarm definitions are created and configured per user-defined threshold limits.
Figure 3: Alarms page in the CloudWatch console
To avoid any additional charges after you test the solution, run the following command to delete the resources:$ terraform destroy
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.