Monitoring VPN servers

IBM Cloud® Monitoring collects basic VPN server metrics on IBM Cloud for VPC, such as VPN server health status, VPN server active client count, VPN server authentication failure count, VPN server CRL days until expiration, and VPN server bytes input/output. These metrics are stored in IBM Cloud Monitoring. You can access metrics through the prebuilt dashboard.

Platform metrics overview

You can view platform metrics when you enable IBM Cloud Monitoring on your IBM Cloud platform. An IBM Cloud Monitoring instance must be configured in a region to monitor these metrics. For more information, see Enabling platform metrics.

Before you enable IBM Cloud Monitoring on your platform, keep the following information in mind:

You can configure only one instance of the IBM Cloud Monitoring service per region to collect platform metrics.
Metrics are collected automatically and are available for monitoring through the IBM Cloud Monitoring-enabled instance.
Use the Metrics Router to allow customers to configure which IBM Cloud Monitoring instance their platform metrics flows to. To learn more about Metrics Router, see IBM Cloud Metrics Routing.

Metrics available by service plan

Metrics available by plan names are as follows:

VPN server data bytes input
VPN server data bytes output
VPN server CRL days until expiration
VPN server authentication failure count
VPN server active client count
VPN server health status

These metrics help track the traffic and status for your VPN servers and can provide insight about peak traffic per minute and overall usage status.

Each metric is composed of the following metadata types:

Metric name - Name of the collected metric.
Metric type - Determines whether the metric value is a counter metric or a gauge metric. Each of these metrics is of the gauge type, which represents a single numerical value that can arbitrarily fluctuate over time.
Value type - A unit of measurement for a specific metric. Examples include bytes or counts. A value type of none means that the metric value represents individual occurrences of that metric type.
Segment - How you want IBM Cloud Monitoring to divide and display the monitoring metrics.

VPN server metric definitions

The following tables define the basic VPN server metrics on IBM Cloud for VPC.

VPN server data bytes input

Bytes received per minute for a VPN server

Table 1: VPN server data bytes input
Metadata	Description
`Metric name`	`ibm_is_vpn_server_data_received_bytes`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, Service instance name, VPN server name`

VPN server data bytes output

Bytes sent per minute for a VPN server

Table 2: VPN server data bytes output
Metadata	Description
`Metric name`	`ibm_is_vpn_server_data_sent_bytes`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, Service instance name, VPN server name`

VPN server CRL days until expiration

Days until the expiration of the Certificate Revocation List (CRL) for a VPN server

Table 3: VPN server CRL days until expiration
Metadata	Description
`Metric name`	`ibm_is_vpn_server_crl_days_expiry`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN server name`

VPN server authentication failure count

Number of authentication failures for a VPN server

Table 4: VPN server authentication failure count
Metadata	Description
`Metric name`	`ibm_is_vpn_server_authentication_failure_count`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN server name`

VPN server active client count

Number of active clients for a VPN server

Table 5: VPN server active client count
Metadata	Description
`Metric name`	`ibm_is_vpn_server_active_client_count`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN server name`

VPN server health status

Health status for a VPN server (for example, 2=ok, 1=degraded, 0=faulted/inapplicable)

Table 6: VPN server health status
Metadata	Description
`Metric name`	`ibm_is_vpn_server_health_status`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN server name`

Metric segmentation

You can split the metrics that IBM Cloud Monitoring presents into various visualizations in the IBM Cloud Monitoring dashboard, allowing views of different metrics based on your preference. For example, if you have multiple VPN servers or accounts with different VPN servers in each account, you might want to focus on a particular VPN server by name.

As an example, you can segment the VPN Server Data Bytes Input by IBM VPN for VPC server name to show how many bytes per minute are received for a VPN server. The dashboard shows different lines in different colors where each line represents received bytes per minute for a VPN server.

Global attributes

The following attributes are available for segmenting all of the VPN server metrics:

Table 7: VPN server metric attributes
Attribute	Attribute name	Attribute description
`Cloud type`	`ibm_ctype`	A value of public, dedicated, or local.
`Location`	`ibm_location`	The location of the monitored resource - a region, data center, or global.
`Resource`	`ibm_resource`	The resource that is measured by the service - typically an identifying name or GUID.
`Resource type`	`ibm_resource_type`	The type of resource that is measured by the service.
`Resource group`	`ibm_resource_group_name`	The resource group where the service instance was created.
`Scope`	`ibm_scope`	The scope of the account, organization, or space GUID that is associated with this metric.
`Service name`	`ibm_service_name`	The name of the service that generated this metric.

Additional attributes

The following attributes are available for segmenting one or more attributes as described in the previous reference. See the individual metrics for segmentation options.

Table 8: VPN server segmentation metric attributes
Attribute	Attribute name	Attribute description
`Service instance`	`ibm_service_instance`	Identifies the instance that the metric is associated with.
`Service instance name`	`ibm_service_instance_name`	Provides the user provided name of the service instance. This name isn't necessarily a unique value that depends on the name that is provided.
`VPN server name`	`ibm_is_vpn_server_name`	The IBM VPN for VPC server name.

The displayed metrics contain a timestamp in UNIX epoch time and the metric value for the time intervals that end at that timestamp. You can specify different scopes, and the time interval over which to report the metrics.

The following time intervals are supported in the IBM Cloud Monitoring dashboard:

10 seconds
1 minute
10 minutes
1 hour
6 hours
2 weeks
Custom

Enabling metrics monitoring

To receive monitoring metrics, you must set up your IBM Cloud Monitoring instance.

To receive monitoring metrics, use the following steps:

Navigate to the metrics monitoring portal and click Create a monitoring instance.
Select a region for your IBM Cloud Monitoring instance.

If you do not have an existing VPN server, see Creating a VPN server to provision one.

The region needs to match the location of your existing VPN server.
Choose your pricing plan. Pricing plan details are explained in the selection window. Select the plan that best meets your requirements.
Provide a unique service name for your instance. The name can be any name that you want and has no impact on functionality.

Do not give multiple IBM Cloud Monitoring instances the same name.
Optionally, select a resource group. A resource group organizes account resources in customizable groupings. Any account resource that is managed by using IBM Cloud Identity and Access Management (IAM) access control belongs to a resource group within your account.

If you do not have any pre-configured resource groups, or have no reason to share this resource selectively, use the default selection.

If your account has multiple resource groups, you can choose which group has access to this IBM Cloud Monitoring instance. By using this selective access, metrics can be available to some resource groups and not to others.
Check the Enable Platform Metrics checkbox. You must select this option to receive metrics from your VPN server.
Click Create. You are taken back to the monitoring metrics home page.

Within a few minutes, your new IBM Cloud Monitoring instance displays with several configurations. You might have to refresh your browser to see it.

Working with the IBM Cloud Monitoring dashboard

To view and work with your IBM Cloud Monitoring metrics, follow these steps:

Navigate to the metrics monitoring portal.
Click Open Dashboard next to the service name of the IBM Cloud Monitoring instance that you want to work with.

The first time that you access your IBM Cloud Monitoring instance, several windows display as part of the internal setup. Keep the default entries, and click through the pages until you reach the main IBM Cloud Monitoring page.
Open the IBM VPN for VPC Monitoring Metrics dashboard by selecting Dashboards.
Click Dashboard Library > IBM > VPC VPN Server. The default dashboard is not editable.
The dashboard shows six main metrics. These metrics include VPN server health status, VPN server active client count, VPN server authentication failure count, VPN server CRL days until expiration, and VPN server bytes input/output. If you want to modify the parameters and segment your metrics by VPN server name, you must create a custom dashboard.

You can choose what time window that you'd like to see your metrics by using the time selection bar.

Creating a custom metrics dashboard

You can create your own dashboard to customize your monitoring metrics, such as viewing information and traffic about particular VPN servers.

To customize your dashboard, use the following steps:

Navigate to the metrics monitoring portal.
Click Open Dashboard next to the service name of the IBM Cloud Monitoring instance you want to work with. You now see the dashboard.
Select Dashboards and click the + in the panel.
Select Blank dashboard and select the type of visual representation that you want.

IBM Cloud Monitoring offers eight different visualizations for your dashboard. Read the description for each visualization and choose the one that best meets your requirements.

The line View trends over time is the most frequently selected option. The following examples show a line-based visualization.
Configure your custom dashboard.
- In the Metrics field, enter ibm_is_vpn_server to display the IBM Cloud Monitoring VPN for VPC server metrics: ibm_is_vpn_server_health_status, ibm_is_vpn_server_active_client_count, ibm_is_vpn_server_authentication_failure_count, ibm_is_vpn_server_crl_days_expiry, ibm_is_vpn_server_data_received_bytes, and ibm_is_vpn_server_data_sent_bytes.
- You can choose a scope to display in your dashboard by clicking Edit dashboard scope. For example, you can display the metrics for a particular VPN server.
- You can also set a segment to compare metrics across the scope that you define. For example, you can look at the VPN server health status for a particular VPN server that is segmented by server name.
Click Save.

By default, the dashboard is named "blank dashboard". You can change the name by selecting Dashboards from the sidebar and clicking the pencil icon next to the name.

To return to the default IBM Cloud Monitoring dashboard at any time, select Dashboards > Default Dashboards > IBM > VPC VPN SERVER.

Working with IBM Cloud Monitoring by using APIs

You can also work with the IBM Cloud Monitoring instance by using metric query APIs. You might want to use APIs if you need raw data points or want to consume your metrics from a command-line interface rather than using the IBM Cloud Monitoring dashboard.

After you create your IBM Cloud Monitoring instance, you must collect the following two pieces of information.

The Monitor API token
The endpoint of your IBM Cloud Monitoring instance

To collect this information and work with your IBM Cloud Monitoring instance by using metric query API, follow these steps:

Access the Monitoring home page.
Click Open Dashboard next to the instance that you want to work with.
After you see the IBM Cloud Monitoring dashboard, select your Account Profile icon on the sidebar and select Settings. You now see your account settings.
Your Monitor API token is an alphanumeric string that is located in the Sysdig Monitor API Token field. Click the Copy button to copy the token to your clipboard.

Do not share this API token. Anyone who has this API token has full access to your metrics.
The endpoint of your IBM Cloud Monitoring instance is per region. For example, if your IBM Cloud Monitoring instance exists in us-south, then its endpoint is:
```
https://us-south.monitoring.cloud.ibm.com/api/data/batch
```
The first part of the URL (in this example, us-south.monitoring.cloud.ibm.com) is your endpoint. Make note of this URL.
After you have both the API token and the endpoint, you can format your POST request. The following POST request is an example, with all the parameters that you can modify. The following are parameters:
- The Monitor API token.
- The endpoint of your IBM Cloud Monitoring instance.
- The value for ibm_is_vpn_server_name (the VPN server name that you want to see metrics for).
If you want to see this metric for all of your VPN servers, do not enter a value for the scope attribute. For example, use "scope" : "".
- The metric type that you want to see the results for. This example uses ibm_is_vpn_server_health_status.
- The from and to attributes define the timeframe to focus the scan, set in epoch time, and in microseconds.
- The sampling and value attributes set the granularity of the data that is returned in the POST request.

Because a large volume of data is stored in IBM Cloud Monitoring, choosing the specific level of granularity is important. IBM Cloud Monitoring can return only 600 data points at a time per request. As a result, the sampling and value attributes are important. Leaving these two lines out of your request returns an aggregate sum over that time period instead.

If the time range that is specified by from and to is large (for example, 4 days), but you define a sampling and value of 10 seconds, it means that you receive 4 days worth of data that is split into 10-second chunks. This sample is not useful because of the large amount of data that is returned. Specifying a larger chunk is recommended (for example, 1 hour instead of 10 seconds).

   curl \
   -H 'Authorization: Bearer <API_TOKEN>’ \
   -H 'Content-Type: application/json' \
   https://us-south.monitoring.cloud.ibm.com/api/data/batch  \
   -d '{
     "requests": [
         {
             "format": {
                 "type": "data"
             },
             "scope": "ibm_is_vpn_server_name = \"test-001\"",
             "metrics": {
                 "k0": "timestamp",
                 "v1": "ibm_is_vpn_server_health_status"
             },
             "time": {
                 "from": 1624849800000000,
                 "to": 1624850400000000,
                 "sampling": 60000000
             },
             "group": {
                 "by": [
                     {
                        "metric": "k0",
                         "value" : 60000000
                     }
                 ],
                 "aggregations": {
                     "v1": "avg"
                 },
                 "groupAggregations": {
                     "v1": "avg"
                 }
             }
         }
     ]
 }'

Accessing and viewing metrics

To access metrics for a specific VPN server, follow these steps:

Navigate to the VPNs for VPC page and click the Client-to-site servers tab.
Click the name of the VPN server to display its details.
Click the Monitoring tab to view the VPN server metrics.
Configure the history, dates, and time zone to generate the output you are looking for.

You can download the metrics or launch monitoring from your VPN dashboard by selecting Launch monitoring.