Monitoring VPN servers
IBM Cloud® Monitoring collects basic VPN server metrics on IBM Cloud for VPC, such as VPN server health status, VPN server active client count, VPN server authentication failure count, VPN server CRL days until expiration, and VPN server bytes input/output. These metrics are stored in IBM Cloud Monitoring. You can access metrics through the prebuilt dashboard.
Platform metrics overview
You can view platform metrics when you enable IBM Cloud Monitoring on your IBM Cloud platform. An IBM Cloud Monitoring instance must be configured in a region to monitor these metrics. For more information, see Enabling platform metrics.
Before you enable IBM Cloud Monitoring on your platform, keep the following information in mind:
- You can configure only one instance of the IBM Cloud Monitoring service per region to collect platform metrics.
- Metrics are collected automatically and are available for monitoring through the IBM Cloud Monitoring-enabled instance.
- Use the Metrics Router to configure which IBM Cloud Monitoring instance your platform metrics flow to. To learn more about Metrics Router, see IBM Cloud Metrics Routing.
Metrics available by service plan
Metrics available by plan names are as follows:
- VPN server data bytes input
- VPN server data bytes output
- VPN server CRL days until expiration
- VPN server authentication failure count
- VPN server active client count
- VPN server health status
These metrics help track the traffic and status for your VPN servers and can provide insight about peak traffic per minute and overall usage status.
Each metric is composed of the following metadata types:
- Metric name - Name of the collected metric.
- Metric type - Determines whether the metric value is a counter metric or a gauge metric. Each of these metrics is of the gauge type, which represents a single numerical value that can arbitrarily fluctuate over time.
- Value type - A unit of measurement for a specific metric. Examples include bytes or counts. A value type of none means that the metric value represents individual occurrences of that metric type.
- Segment - How you want IBM Cloud Monitoring to divide and display the monitoring metrics.
VPN server metric definitions
The following tables define the basic VPN server metrics on IBM Cloud for VPC.
VPN server data bytes input
Bytes received per minute for a VPN server
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_data_received_bytes |
Metric type | gauge |
Value type | byte |
Segment by | Service instance, Service instance name, VPN server name |
VPN server data bytes output
Bytes sent per minute for a VPN server
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_data_sent_bytes |
Metric type | gauge |
Value type | byte |
Segment by | Service instance, Service instance name, VPN server name |
VPN server CRL days until expiration
Days until the expiration of the Certificate Revocation List (CRL) for a VPN server
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_crl_days_expiry |
Metric type | gauge |
Value type | none |
Segment by | Service instance, Service instance name, VPN server name |
VPN server authentication failure count
Number of authentication failures for a VPN server
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_authentication_failure_count |
Metric type | gauge |
Value type | none |
Segment by | Service instance, Service instance name, VPN server name |
VPN server active client count
Number of active clients for a VPN server
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_active_client_count |
Metric type | gauge |
Value type | none |
Segment by | Service instance, Service instance name, VPN server name |
VPN server health status
Health status for a VPN server (for example, 2=ok, 1=degraded, 0=faulted/inapplicable)
Metadata | Description |
---|---|
Metric name | ibm_is_vpn_server_health_status |
Metric type | gauge |
Value type | none |
Segment by | Service instance, Service instance name, VPN server name |
Metric segmentation
You can split the metrics that IBM Cloud Monitoring presents into various visualizations in the IBM Cloud Monitoring dashboard, allowing views of different metrics based on your preference. For example, if you have multiple VPN servers or accounts with different VPN servers in each account, you might want to focus on a particular VPN server by name.
As an example, you can segment the VPN Server Data Bytes Input by IBM VPN for VPC server name to show how many bytes per minute are received for a VPN server. The dashboard shows different lines in different colors where each line represents received bytes per minute for a VPN server.
Global attributes
The following attributes are available for segmenting all of the VPN server metrics:
Attribute | Attribute name | Attribute description |
---|---|---|
Cloud type | ibm_ctype | A value of public, dedicated, or local. |
Location | ibm_location | The location of the monitored resource - a region, data center, or global. |
Resource | ibm_resource | The resource that is measured by the service - typically an identifying name or GUID. |
Resource type | ibm_resource_type | The type of resource that is measured by the service. |
Resource group | ibm_resource_group_name | The resource group where the service instance was created. |
Scope | ibm_scope | The scope of the account, organization, or space GUID that is associated with this metric. |
Service name | ibm_service_name | The name of the service that generated this metric. |
Additional attributes
The following attributes are available for segmenting one or more attributes as described in the previous reference. See the individual metrics for segmentation options.
Attribute | Attribute name | Attribute description |
---|---|---|
Service instance | ibm_service_instance | Identifies the instance that the metric is associated with. |
Service instance name | ibm_service_instance_name | Provides the user-provided name of the service instance. This name isn't necessarily unique; that depends on the name that is provided. |
VPN server name | ibm_is_vpn_server_name | The IBM VPN for VPC server name. |
The displayed metrics contain a timestamp in UNIX epoch time and the metric value for the time intervals that end at that timestamp. You can specify different scopes, and the time interval over which to report the metrics.
The following time intervals are supported in the IBM Cloud Monitoring dashboard:
- 10 seconds
- 1 minute
- 10 minutes
- 1 hour
- 6 hours
- 2 weeks
- Custom
Enabling metrics monitoring
To receive monitoring metrics, you must set up your IBM Cloud Monitoring instance.
To receive monitoring metrics, use the following steps:
- Navigate to the metrics monitoring portal and click Create a monitoring instance.
- Select a region for your IBM Cloud Monitoring instance.
  If you do not have an existing VPN server, see Creating a VPN server to provision one.
  The region needs to match the location of your existing VPN server.
- Choose your pricing plan. Pricing plan details are explained in the selection window. Select the plan that best meets your requirements.
- Provide a unique service name for your instance. The name can be any name that you want and has no impact on functionality.
  Do not give multiple IBM Cloud Monitoring instances the same name.
- Optionally, select a resource group. A resource group organizes account resources in customizable groupings. Any account resource that is managed by using IBM Cloud Identity and Access Management (IAM) access control belongs to a resource group within your account.
  If you do not have any pre-configured resource groups, or have no reason to share this resource selectively, use the default selection.
  If your account has multiple resource groups, you can choose which group has access to this IBM Cloud Monitoring instance. By using this selective access, metrics can be available to some resource groups and not to others.
- Check the Enable Platform Metrics checkbox. You must select this option to receive metrics from your VPN server.
- Click Create. You are taken back to the monitoring metrics home page.
Within a few minutes, your new IBM Cloud Monitoring instance displays with several configurations. You might have to refresh your browser to see it.
Working with the IBM Cloud Monitoring dashboard
To view and work with your IBM Cloud Monitoring metrics, follow these steps:
- Navigate to the metrics monitoring portal.
- Click Open Dashboard next to the service name of the IBM Cloud Monitoring instance that you want to work with.
  The first time that you access your IBM Cloud Monitoring instance, several windows display as part of the internal setup. Keep the default entries, and click through the pages until you reach the main IBM Cloud Monitoring page.
- Open the IBM VPN for VPC Monitoring Metrics dashboard by selecting Dashboards.
- Click Dashboard Library > IBM > VPC VPN Server. The default dashboard is not editable.
- The dashboard shows six main metrics. These metrics include VPN server health status, VPN server active client count, VPN server authentication failure count, VPN server CRL days until expiration, and VPN server bytes input/output. If you want to modify the parameters and segment your metrics by VPN server name, you must create a custom dashboard.
  You can choose the time window for which you want to see your metrics by using the time selection bar.
Creating a custom metrics dashboard
You can create your own dashboard to customize your monitoring metrics, such as viewing information and traffic about particular VPN servers.
To customize your dashboard, use the following steps:
- Navigate to the metrics monitoring portal.
- Click Open Dashboard next to the service name of the IBM Cloud Monitoring instance you want to work with. You now see the dashboard.
- Select Dashboards and click the + in the panel.
- Select Blank dashboard and select the type of visual representation that you want.
  IBM Cloud Monitoring offers eight different visualizations for your dashboard. Read the description for each visualization and choose the one that best meets your requirements.
  The line View trends over time is the most frequently selected option. The following examples show a line-based visualization.
- Configure your custom dashboard.
  - In the Metrics field, enter ibm_is_vpn_server to display the IBM Cloud Monitoring VPN for VPC server metrics: ibm_is_vpn_server_health_status, ibm_is_vpn_server_active_client_count, ibm_is_vpn_server_authentication_failure_count, ibm_is_vpn_server_crl_days_expiry, ibm_is_vpn_server_data_received_bytes, and ibm_is_vpn_server_data_sent_bytes.
  - You can choose a scope to display in your dashboard by clicking Edit dashboard scope. For example, you can display the metrics for a particular VPN server.
  - You can also set a segment to compare metrics across the scope that you define. For example, you can look at the VPN server health status for a particular VPN server that is segmented by server name.
- Click Save.
By default, the dashboard is named "blank dashboard". You can change the name by selecting Dashboards from the sidebar and clicking the Edit icon next to the name.
To return to the default IBM Cloud Monitoring dashboard at any time, select Dashboards > Default Dashboards > IBM > VPC VPN SERVER.
Working with IBM Cloud Monitoring by using APIs
You can also work with the IBM Cloud Monitoring instance by using metric query APIs. You might want to use APIs if you need raw data points or want to consume your metrics from a command-line interface rather than using the IBM Cloud Monitoring dashboard.
After you create your IBM Cloud Monitoring instance, you must collect the following two pieces of information.
- The Monitor API token
- The endpoint of your IBM Cloud Monitoring instance
To collect this information and work with your IBM Cloud Monitoring instance by using metric query API, follow these steps:
- Access the Monitoring home page.
- Click Open Dashboard next to the instance that you want to work with.
- After you see the IBM Cloud Monitoring dashboard, select your Account Profile icon on the sidebar and select Settings. You now see your account settings.
- Your Monitor API token is an alphanumeric string that is located in the Sysdig Monitor API Token field. Click the Copy button to copy the token to your clipboard.
  Do not share this API token. Anyone who has this API token has full access to your metrics.
- The endpoint of your IBM Cloud Monitoring instance is per region. For example, if your IBM Cloud Monitoring instance exists in us-south, then its endpoint is: https://us-south.monitoring.cloud.ibm.com/api/data/batch
  The first part of the URL (in this example, us-south.monitoring.cloud.ibm.com) is your endpoint. Make note of this URL.
- After you have both the API token and the endpoint, you can format your POST request. The following POST request is an example, with all the parameters that you can modify. The following are parameters:
  - The Monitor API token.
  - The endpoint of your IBM Cloud Monitoring instance.
  - The value for ibm_is_vpn_server_name (the VPN server name that you want to see metrics for).
    If you want to see this metric for all of your VPN servers, do not enter a value for the scope attribute. For example, use "scope" : "".
  - The metric type that you want to see the results for. This example uses ibm_is_vpn_server_health_status.
  - The from and to attributes define the timeframe to focus the scan, set in epoch time, and in microseconds.
  - The sampling and value attributes set the granularity of the data that is returned in the POST request.
  Because a large volume of data is stored in IBM Cloud Monitoring, choosing the specific level of granularity is important. IBM Cloud Monitoring can return only 600 data points at a time per request. As a result, the sampling and value attributes are important. Leaving these two lines out of your request returns an aggregate sum over that time period instead.
  If the time range that is specified by from and to is large (for example, 4 days), but you define a sampling and value of 10 seconds, it means that you receive 4 days worth of data that is split into 10-second chunks. This sample is not useful because of the large amount of data that is returned. Specifying a larger chunk is recommended (for example, 1 hour instead of 10 seconds).
curl \
  -H 'Authorization: Bearer <API_TOKEN>' \
  -H 'Content-Type: application/json' \
  https://us-south.monitoring.cloud.ibm.com/api/data/batch \
  -d '{
  "requests": [
    {
      "format": {
        "type": "data"
      },
      "scope": "ibm_is_vpn_server_name = \"test-001\"",
      "metrics": {
        "k0": "timestamp",
        "v1": "ibm_is_vpn_server_health_status"
      },
      "time": {
        "from": 1624849800000000,
        "to": 1624850400000000,
        "sampling": 60000000
      },
      "group": {
        "by": [
          {
            "metric": "k0",
            "value": 60000000
          }
        ],
        "aggregations": {
          "v1": "avg"
        },
        "groupAggregations": {
          "v1": "avg"
        }
      }
    }
  ]
}'
Accessing and viewing metrics
To access metrics for a specific VPN server, follow these steps:
- Navigate to the VPNs for VPC page and click the Client-to-site servers tab.
- Click the name of the VPN server to display its details.
- Click the Monitoring tab to view the VPN server metrics.
- Configure the history, dates, and time zone to generate the output you are looking for.
You can download the metrics or launch monitoring from your VPN dashboard by selecting Launch monitoring.