Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.5. CloudWatch Network Monitoring Services

💡 First Principle: Reactive network troubleshooting, discovering a problem only when users complain, has too high an MTTR. Proactive monitoring catches network degradation before users notice, giving operations teams time to respond or shift traffic before an outage. CloudWatch provides dedicated network monitoring tools that continuously measure network health from multiple vantage points.

Amazon CloudWatch Internet Monitor:

Monitors the internet path between your AWS-hosted application and its end users. It combines the traffic your resources actually receive with AWS's measurements of internet connectivity worldwide to:

  • Measure performance (latency, availability) from users in different locations to your application
  • Detect when internet issues (ISP outages, routing anomalies) are affecting your users
  • Provide city-level visibility into which user populations (city plus network/ASN, a "city-network") are affected

Internet Monitor is configured by adding resources to a monitor: VPCs, CloudFront distributions, WorkSpaces directories or Network Load Balancers. It doesn't probe your servers; it passively analyzes the traffic those resources already carry, so a resource with no user traffic produces no measurements.

Amazon CloudWatch Network Monitor:

Sends synthetic probes (ICMP or TCP) from a subnet in your VPC to destinations you specify, typically on-premises hosts reached over Direct Connect or a Site-to-Site VPN. Use it to:

  • Continuously measure round-trip time and packet loss on the network paths you define
  • Detect degradation before users report it
  • Monitor VPN and Direct Connect connection health from the AWS side, with a health indicator that shows whether the AWS portion of the path is the cause

Network Monitor Components:

  Component     Description
  Monitor       A monitoring configuration that groups a set of probes and sets the aggregation period (30 or 60 seconds) for their metrics
  Probe         An individual measurement: source subnet → destination, protocol, destination port (TCP) and packet size
  Destination   The IPv4 or IPv6 address being monitored (an IP address, not a hostname)
  Protocol      ICMP (ping) or TCP to a destination port

Probes publish CloudWatch metrics in the AWS/NetworkMonitor namespace (PacketLoss, RTT and HealthIndicator) that you can alarm on. When packet loss or latency to your on-premises DNS server starts rising, an alarm can fire before the VPN connection fully degrades. Size the alarm's period and datapoints-to-alarm to the outage length you need to catch: a 5-minute period that requires several consecutive breaching datapoints will never fire for a 10-minute brownout.
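As an added example (not MindMesh Academy's code or an AWS-provided snippet), the following Python builds the Network Monitor configuration and PacketLoss alarm for the VPN-to-on-premises DNS case described above, then replays CloudWatch's M-of-N alarm rule over a constructed 10-minute brownout to show when a one-minute alarm fires and why a five-minute alarm never does. The subnet ARN, destination address 10.50.0.53 and monitor name are hypothetical; the request dictionaries follow the CreateMonitor and PutMetricAlarm API shapes and the AWS/NetworkMonitor metric dimensions as documented, so confirm field and dimension names against the current boto3 reference before deploying. The block makes no AWS calls.

```python
"""Added example: CloudWatch Network Monitor probes over a Site-to-Site VPN plus a
PacketLoss alarm, with a local replay of the alarm's M-of-N evaluation.

Hypothetical values: SOURCE_SUBNET_ARN, ONPREM_DNS_IP, MONITOR_NAME. Request shapes
are written to the CreateMonitor / PutMetricAlarm APIs and the AWS/NetworkMonitor
metric dimensions; verify them against the current boto3 reference. No AWS calls.
"""
from __future__ import annotations

AGGREGATION_PERIOD = 60  # seconds; Network Monitor supports 30 or 60
MONITOR_NAME = "onprem-dns-vpn"  # hypothetical
SOURCE_SUBNET_ARN = (  # hypothetical subnet routed to the VPN attachment
    "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0123456789abcdef0")
ONPREM_DNS_IP = "10.50.0.53"  # hypothetical on-premises resolver (an IP, not an FQDN)
LOSS_THRESHOLD_PCT = 5.0


def network_monitor_request() -> dict:
    """Body for boto3.client("networkmonitor").create_monitor(**...).
    Two probes to the same host: ICMP for raw path health and TCP/53 so that an
    on-prem firewall that drops ping does not blind the monitor."""
    return {
        "monitorName": MONITOR_NAME,
        "aggregationPeriod": AGGREGATION_PERIOD,
        "probes": [
            {"sourceArn": SOURCE_SUBNET_ARN, "destination": ONPREM_DNS_IP,
             "protocol": "ICMP", "packetSize": 56},
            {"sourceArn": SOURCE_SUBNET_ARN, "destination": ONPREM_DNS_IP,
             "protocol": "TCP", "destinationPort": 53, "packetSize": 56},
        ],
    }


def packet_loss_alarm(probe_id: str, period: int = AGGREGATION_PERIOD,
                      evaluation_periods: int = 5, datapoints_to_alarm: int = 3) -> dict:
    """Body for boto3.client("cloudwatch").put_metric_alarm(**...).
    Period matches the probe aggregation so one datapoint is one window; 3 of 5
    one-minute datapoints fires about three minutes into sustained loss without
    paging on a single lossy minute. Missing data is treated as breaching: a probe
    that stops reporting is itself a failure signal for an availability alarm."""
    return {
        "AlarmName": f"{MONITOR_NAME}-{probe_id}-packet-loss",
        "Namespace": "AWS/NetworkMonitor",
        "MetricName": "PacketLoss",
        "Dimensions": [{"Name": "Monitor", "Value": MONITOR_NAME},
                       {"Name": "Probe", "Value": probe_id}],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": LOSS_THRESHOLD_PCT,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "breaching",
    }


def alarm_states(datapoints: list[float], threshold: float,
                 evaluation_periods: int, datapoints_to_alarm: int) -> list[str]:
    """Replay CloudWatch's M-of-N rule: after each period the alarm is ALARM when at
    least datapoints_to_alarm of the last evaluation_periods values breach. This is
    a local model of the documented rule (INSUFFICIENT_DATA handling omitted)."""
    states = []
    for i in range(len(datapoints)):
        window = datapoints[max(0, i - evaluation_periods + 1): i + 1]
        breaching = sum(1 for v in window if v > threshold)
        states.append("ALARM" if breaching >= datapoints_to_alarm else "OK")
    return states


def first_alarm_index(datapoints, threshold, evaluation_periods, datapoints_to_alarm):
    """Index of the period in which the alarm first fires, or None if it never does."""
    states = alarm_states(datapoints, threshold, evaluation_periods, datapoints_to_alarm)
    return states.index("ALARM") if "ALARM" in states else None


def aggregate(datapoints: list[float], factor: int) -> list[float]:
    """Roll per-minute values into longer periods with the Average statistic, e.g.
    factor=5 yields the datapoints a 300-second alarm period would see."""
    return [sum(datapoints[i:i + factor]) / factor
            for i in range(0, len(datapoints), factor)]


# Constructed sample: 20 one-minute PacketLoss averages (percent). Minutes 0-4 healthy,
# minutes 5-14 a ten-minute VPN brownout, then recovery.
SAMPLE_PACKET_LOSS = [0.0] * 5 + [40.0] + [100.0] * 8 + [60.0] + [0.0] * 5

if __name__ == "__main__":
    # 60 s period, 3 of 5: fires at minute 7, two minutes after the brownout begins.
    print(first_alarm_index(SAMPLE_PACKET_LOSS, LOSS_THRESHOLD_PCT, 5, 3))
    # 300 s period, 3 of 3: the same outage spans only two 5-minute datapoints, never fires.
    five_min = aggregate(SAMPLE_PACKET_LOSS, 5)
    print(five_min, first_alarm_index(five_min, LOSS_THRESHOLD_PCT, 3, 3))
```

To deploy, pass network_monitor_request() to the networkmonitor client's create_monitor, read each probe's ID back from get_monitor, and feed it to packet_loss_alarm for the cloudwatch client's put_metric_alarm. The replay is the part worth keeping around: run it against any outage profile you care about before choosing a period and M-of-N setting, because the arithmetic, not the metric, decides whether a brief outage is caught.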

VPC Network Access Analyzer: Distinct from Reachability Analyzer (which answers whether one specific source can reach one specific destination), Network Access Analyzer evaluates your network configuration (route tables, security groups, network ACLs, gateways, peering) against Network Access Scopes you define and reports the paths that exist but shouldn't (e.g., an instance in a "private" subnet that is actually reachable from the internet due to a misconfigured route table). It analyzes configuration rather than traffic, so it finds exposure before anyone uses it. Use it for security audits of network topology.

āš ļø Exam Trap: Internet Monitor and Network Monitor are different services with different purposes. Internet Monitor measures the experience of your users reaching your application across the internet (requires active traffic). Network Monitor measures connectivity on specific paths you define using synthetic probes. A question about "proactively monitoring VPN connection health" → Network Monitor. A question about "detecting which city-level ISPs are affecting user experience" → Internet Monitor.

Reflection Question: A company's Site-to-Site VPN to their on-premises data center has experienced several brief outages (5–10 minutes) that their monitoring didn't catch until users reported issues. What CloudWatch service and configuration would detect VPN degradation proactively, and what metric would you alarm on?

Written by Alvin Varughese, Founder