How do I monitor my transit gateway and Site-to-Site VPN on a transit gateway using Network Manager?

Last updated: 2022-08-12

I want to monitor my transit gateway and my Site-to-Site VPN on a transit gateway. How do I do this using AWS Network Manager?

Resolution

Before you can monitor your transit gateway and your Site-to-Site VPN on a transit gateway using AWS Network Manager, you must have already done the following:

  • Created a global network in AWS Network Manager.
  • Registered your transit gateway to the global network.

After the transit gateway is registered to the global network, its metrics appear in the Monitoring tab of the global network. For more information on visualizing and monitoring your transit gateways, see Visualize transit gateways.

To monitor your Site-to-Site VPN on a transit gateway using Network Manager

First, be sure that you have created a Site-to-Site VPN connection on your transit gateway, then do the following:

  1. Create a site to represent the physical location of your network.
  2. Create a link to represent an internet connection from a device for your new site.
  3. Create a device to represent a physical or virtual appliance for your new site.
  4. In the newly created device, choose Overview, and then choose Associate Site to associate the newly created site.
  5. Associate the customer gateway that your Site-to-Site VPN connection uses with your new device.
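
The five console steps above, as an added example written for this page (not code from the article or from AWS): the same site, link, device and customer gateway association created through the boto3 networkmanager client, which is called in US West (Oregon) because that is where the Network Manager API is served. The global network ID, customer gateway ARN, address, vendor and model are placeholders, and the RecordingClient is a stand-in that lets the flow run offline.

```python
"""Onboard a site, link and device for a Site-to-Site VPN in AWS Network Manager.

Added example (not from the article): the console steps above as boto3 calls.
All IDs, ARNs, addresses and vendor names below are placeholders.
"""
import re

NM_REGION = "us-west-2"  # the Network Manager API is served from US West (Oregon)

# The association call needs the ARN of the customer gateway that the Site-to-Site
# VPN on the transit gateway was created with; check the ARN shape before calling.
CGW_ARN_RE = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:customer-gateway/cgw-[0-9a-f]+$")


def onboard_site_for_vpn(nm, global_network_id, customer_gateway_arn, *, site_address,
                         vendor, model, link_mbps=100):
    """Steps 1-5 of the procedure above: site -> link -> device (associated with the
    site) -> customer gateway association. `nm` is a boto3 networkmanager client
    (or any object with the same methods). Returns the IDs created."""
    if not CGW_ARN_RE.match(customer_gateway_arn):
        raise ValueError(f"not a customer gateway ARN: {customer_gateway_arn!r}")

    # 1. Site: the physical location of the on-premises network.
    site = nm.create_site(GlobalNetworkId=global_network_id,
                          Description="On-premises site for the Site-to-Site VPN",
                          Location={"Address": site_address})["Site"]

    # 2. Link: the internet connection the device uses (bandwidth is in Mbps).
    link = nm.create_link(GlobalNetworkId=global_network_id, SiteId=site["SiteId"],
                          Type="Internet", Provider="ISP (placeholder)",
                          Bandwidth={"UploadSpeed": link_mbps, "DownloadSpeed": link_mbps})["Link"]

    # 3 + 4. Device: the physical or virtual appliance, created already associated
    # with the site (the API equivalent of "Associate Site" in the console).
    device = nm.create_device(GlobalNetworkId=global_network_id, SiteId=site["SiteId"],
                              Vendor=vendor, Model=model, Type="router")["Device"]

    # 5. Tie the VPN's customer gateway to the device and its link; the association
    # starts in PENDING and moves to AVAILABLE.
    assoc = nm.associate_customer_gateway(
        CustomerGatewayArn=customer_gateway_arn, GlobalNetworkId=global_network_id,
        DeviceId=device["DeviceId"], LinkId=link["LinkId"])["CustomerGatewayAssociation"]

    return {"site_id": site["SiteId"], "link_id": link["LinkId"],
            "device_id": device["DeviceId"], "association_state": assoc["State"]}


class RecordingClient:
    """Offline stand-in for boto3.client("networkmanager"): records each call and
    returns the minimal shape of the real response, so the flow can be checked
    without an AWS account. Placeholder IDs only."""

    def __init__(self):
        self.calls = []

    def _call(self, name, kwargs, response):
        self.calls.append((name, kwargs))
        return response

    def create_site(self, **kw):
        return self._call("create_site", kw, {"Site": {"SiteId": "site-0123456789abcdef0"}})

    def create_link(self, **kw):
        return self._call("create_link", kw, {"Link": {"LinkId": "link-0123456789abcdef0"}})

    def create_device(self, **kw):
        return self._call("create_device", kw, {"Device": {"DeviceId": "device-0123456789abcdef0"}})

    def associate_customer_gateway(self, **kw):
        return self._call("associate_customer_gateway", kw,
                          {"CustomerGatewayAssociation": {"State": "PENDING", **kw}})


# Placeholder identifiers for the offline run.
GLOBAL_NETWORK_ID = "global-network-0123456789abcdef0"
CUSTOMER_GATEWAY_ARN = "arn:aws:ec2:us-east-1:123456789012:customer-gateway/cgw-0123456789abcdef0"


def build_client():
    """Real client; imported lazily so the offline demo works without boto3."""
    import boto3
    return boto3.client("networkmanager", region_name=NM_REGION)


if __name__ == "__main__":
    import sys
    nm = build_client() if "--live" in sys.argv else RecordingClient()
    print(onboard_site_for_vpn(nm, GLOBAL_NETWORK_ID, CUSTOMER_GATEWAY_ARN,
                               site_address="1 Example Street, Anytown",
                               vendor="ExampleVendor", model="ExampleModel"))
```

Run it without arguments to see the call sequence against the recording client; pass `--live` (with credentials and real IDs substituted) to perform the calls. The ARN check matters because associate_customer_gateway accepts any customer gateway in the account, and associating the wrong one leaves the VPN tab on the device empty.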

Monitoring options

To view the transit gateway VPN status, do the following:

  1. Open the Network Manager console.
  2. In the navigation pane, choose Global networks.
  3. Select your global network ID.
  4. Choose Transit gateways.

There are three VPN statuses, each shown as a percentage of the VPNs on your transit gateways:

  • Down VPN – The percentage of your total transit gateway VPNs that are down.
  • Impaired VPN – The percentage of your total VPNs that are impaired.
  • Up VPN – The percentage of your total VPNs that are up.

To see the status of your tunnels, choose Devices, and then choose the VPNs tab. You can also see Amazon CloudWatch metrics for Bytes in and Bytes out for your VPN and tunnel down count in the Monitoring tab.

To view events for your IPsec VPN tunnels in the global network, first choose the Transit gateways tab. Then, select the transit gateway where you created the VPN. For more information, see Status update events.

You can check the event details in the Amazon CloudWatch console under Logs Insights.

To check the event details, choose the /aws/events/networkmanagerloggroup log group in the US West (Oregon) AWS Region (the Region where Network Manager delivers global network events), and then run the following query:

    fields detail.region as Region, detail.changeDescription as Message, resources.1 as Resource, @timestamp as Timestamp
    | filter resources.0 = "global network ARN" and resources.1 not like 'core-network-'
    and detail.transitGatewayArn = "transit gateway ARN" and detail.changeDescription = "event name"
    | sort @timestamp desc
    | limit 200

Note: Replace global network ARN with the ARN of your global network, transit gateway ARN with the ARN of the transit gateway that has the Site-to-Site VPN, and event name with one of the following Site-to-Site VPN events. Copy the event name exactly as written, because the filter is an exact string match:

  • IPsec for a VPN connection has come up.
  • IPsec for a VPN connection has gone down.
  • BGP for a VPN connection has been established.
  • BGP for a VPN connection has gone down.
  • Routes in one or more Transit Gateway route tables have been installed.
  • Routes in one or more Transit Gateway route tables have been uninstalled.

Note: This query returns results only if you have already onboarded your global network to CloudWatch Logs, which is what creates the log group above. For more information, see Monitoring your global network with CloudWatch Events.
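
The query and the onboarding caveat above, as an added example written for this page (not code from the article or from AWS). It builds the Logs Insights query with the three placeholders filled in, applies the same filter locally to a handful of constructed event records so the effect of each clause is visible, and, when run with `--live`, checks that the log group exists in us-west-2 before starting the real query through boto3. The ARNs and timestamps are placeholders, and the event layout assumes only the fields the query itself references (resources.0, resources.1, detail.region, detail.transitGatewayArn, detail.changeDescription).

```python
"""Query Network Manager Site-to-Site VPN events with CloudWatch Logs Insights.

Added example (not from the article). ARNs and timestamps are placeholders; the
event layout follows the fields used by the query above.
"""
import time
from datetime import datetime

LOG_GROUP = "/aws/events/networkmanagerloggroup"
REGION = "us-west-2"  # Network Manager delivers global network events in US West (Oregon)

# The Site-to-Site VPN status update events listed above (exact strings).
VPN_EVENTS = (
    "IPsec for a VPN connection has come up.",
    "IPsec for a VPN connection has gone down.",
    "BGP for a VPN connection has been established.",
    "BGP for a VPN connection has gone down.",
    "Routes in one or more Transit Gateway route tables have been installed.",
    "Routes in one or more Transit Gateway route tables have been uninstalled.",
)


def build_query(global_network_arn, tgw_arn, event_name):
    """The article's Logs Insights query with the three placeholders filled in."""
    if event_name not in VPN_EVENTS:
        raise ValueError(f"unknown Site-to-Site VPN event: {event_name!r}")
    for value in (global_network_arn, tgw_arn):
        if '"' in value:
            raise ValueError("ARN must not contain double quotes")
    return (
        "fields detail.region as Region, detail.changeDescription as Message, "
        "resources.1 as Resource, @timestamp as Timestamp\n"
        f'| filter resources.0 = "{global_network_arn}" and resources.1 not like \'core-network-\'\n'
        f'    and detail.transitGatewayArn = "{tgw_arn}" and detail.changeDescription = "{event_name}"\n'
        "| sort @timestamp desc\n"
        "| limit 200"
    )


def event_matches(event, global_network_arn, tgw_arn, event_name):
    """Local equivalent of the query's filter clause, applied to one raw event record."""
    res, detail = event["resources"], event["detail"]
    return (len(res) > 1
            and res[0] == global_network_arn
            and "core-network-" not in res[1]          # the not like 'core-network-' clause
            and detail.get("transitGatewayArn") == tgw_arn
            and detail.get("changeDescription") == event_name)


def filter_events(events, global_network_arn, tgw_arn, event_name, limit=200):
    """Same result shape as the query: matching events, newest first, capped at 200."""
    hits = [e for e in events if event_matches(e, global_network_arn, tgw_arn, event_name)]
    hits.sort(key=lambda e: datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"), reverse=True)
    return hits[:limit]


def run_logs_insights_query(global_network_arn, tgw_arn, event_name, hours=24):
    """Run the query against the real log group (needs boto3 and AWS credentials)."""
    import boto3  # lazy import so the offline part of this file runs without it
    logs = boto3.client("logs", region_name=REGION)
    # Caveat from the article: the log group exists only once the global network has
    # been onboarded to CloudWatch Logs, so check before starting a query.
    groups = logs.describe_log_groups(logGroupNamePrefix=LOG_GROUP)["logGroups"]
    if not any(g["logGroupName"] == LOG_GROUP for g in groups):
        raise RuntimeError(f"{LOG_GROUP} not found in {REGION}; onboard to CloudWatch Logs first")
    end = int(time.time())
    query_id = logs.start_query(logGroupName=LOG_GROUP, startTime=end - hours * 3600,
                                endTime=end, queryString=build_query(global_network_arn,
                                                                      tgw_arn, event_name))["queryId"]
    while True:
        result = logs.get_query_results(queryId=query_id)
        if result["status"] in ("Complete", "Failed", "Cancelled", "Timeout"):
            break
        time.sleep(1)
    # Each row is a list of {"field": ..., "value": ...} pairs; flatten to dicts.
    return [{c["field"]: c["value"] for c in row} for row in result["results"]]


# Constructed sample events (placeholder ARNs) shaped like the logged EventBridge events.
GLOBAL_NETWORK_ARN = "arn:aws:networkmanager::123456789012:global-network/global-network-0123456789abcdef0"
TGW_ARN = "arn:aws:ec2:us-east-1:123456789012:transit-gateway/tgw-0123456789abcdef0"
VPN_ARN = "arn:aws:ec2:us-east-1:123456789012:vpn-connection/vpn-0123456789abcdef0"
CORE_NETWORK_ARN = "arn:aws:networkmanager::123456789012:core-network/core-network-0123456789abcdef0"


def _ev(t, resource, desc):
    return {"time": t, "resources": [GLOBAL_NETWORK_ARN, resource],
            "detail": {"region": "us-east-1", "transitGatewayArn": TGW_ARN, "changeDescription": desc}}


SAMPLE_EVENTS = [
    _ev("2022-08-12T10:00:00Z", VPN_ARN, VPN_EVENTS[1]),           # IPsec down
    _ev("2022-08-12T10:05:00Z", VPN_ARN, VPN_EVENTS[0]),           # IPsec up
    _ev("2022-08-12T10:07:00Z", CORE_NETWORK_ARN, VPN_EVENTS[1]),  # dropped by the core-network- clause
    _ev("2022-08-12T09:00:00Z", VPN_ARN, VPN_EVENTS[3]),           # BGP down, different event name
    _ev("2022-08-12T08:30:00Z", VPN_ARN, VPN_EVENTS[1]),           # earlier IPsec down
]

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        rows = run_logs_insights_query(GLOBAL_NETWORK_ARN, TGW_ARN, VPN_EVENTS[1])
    else:
        rows = filter_events(SAMPLE_EVENTS, GLOBAL_NETWORK_ARN, TGW_ARN, VPN_EVENTS[1])
    for row in rows:
        print(row)
```

Without arguments the script prints the two "IPsec for a VPN connection has gone down." sample events, newest first; the core network record and the BGP record are filtered out the same way the query would drop them. The time window for the live query defaults to the last 24 hours, so widen `hours` if the tunnel flap you are looking for is older.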
