Monitoring VPN gateway for VPC metrics

IBM Cloud® Monitoring collects basic VPN metrics on IBM Cloud for VPC, such as VPN gateway status, VPN gateway packets input/output, and VPN connection bytes input/output. These metrics are stored in IBM Cloud Monitoring. You can access metrics through the prebuilt dashboard.

Platform metrics overview

You can view platform metrics when you enable IBM Cloud Monitoring on your IBM Cloud platform. An IBM Cloud Monitoring instance must be configured in a region to monitor these metrics. For more information, see Enabling platform metrics.

Before you enable IBM Cloud Monitoring on your platform, keep the following information in mind:

You can configure only one instance of the IBM Cloud Monitoring service per region to collect platform metrics.
Metrics are collected automatically and are available for monitoring through the IBM Cloud Monitoring-enabled instance.
Use the Metrics Router to allow customers to configure which IBM Cloud Monitoring instance their platform metrics flows to. To learn more about Metrics Router, see IBM Cloud Metrics Routing.

Metrics available by service plan

Metrics available by plan names are as follows:

VPN gateway total bytes input
VPN gateway total bytes output
VPN gateway total packets input
VPN gateway total packets output
VPN gateway status
VPN connection bytes input
VPN connection bytes output
VPN connection packets input
VPN connection packets output
VPN connection status

These metrics help track the traffic and status for your VPN gateways and can provide insight about peak traffic per minute and overall usage status.

Each metric is composed of the following metadata types:

Metric name - Name of the collected metric.
Metric type - Determines whether the metric value is a counter metric or a gauge metric. Each of these metrics is gauge type, which represents a single numerical value that can arbitrarily fluctuate over time.
Value type - A unit of measurement for a specific metric. Examples include bytes or counts. A value type of none means that the metric value represents individual occurrences of that metric type.
Segment - How you want IBM Cloud Monitoring to divide and display the monitoring metrics.

VPN metric definitions

The following tables define the basic VPN metrics on IBM Cloud for VPC.

VPN gateway total bytes input

Bytes per minute received for a VPN gateway

Table 1: VPN gateway total bytes input
Metadata	Description
`Metric name`	`ibm_is_vpn_gateway_bytes_in`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, Service instance name, VPN name, IBM IS`

VPN gateway total bytes output

Bytes sent per minute for a VPN gateway

Table 2: VPN gateway total bytes output
Metadata	Description
`Metric name`	`ibm_is_vpn_gateway_bytes_out`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, Service instance name, VPN name, IBM IS`

VPN gateway total packets input

Packets received per minute for a VPN gateway

Table 3: VPN gateway total packets input
Metadata	Description
`Metric name`	`ibm_is_vpn_gateway_packets_in`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN name, IBM IS`

VPN gateway total packets output

Packets sent per minute for a VPN gateway

Table 4: VPN gateway total packets output
Metadata	Description
`Metric name`	`ibm_is_vpn_gateway_packets_out`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN name, IBM IS`

VPN gateway status

Status for a VPN gateway (for example, 1=available, 0=unavailable)

Table 5: VPN gateway status
Metadata	Description
`Metric name`	`ibm_is_vpn_gateway_status`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, Service instance name, VPN name, IBM IS`

VPN connection bytes input

Bytes received per minute for a VPN gateway's connection

Table 6: VPN connection bytes input
Metadata	Description
`Metric name`	`ibm_is_vpn_connection_bytes_in`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, VPN name, Connection name, Connection ID, IBM IS`

VPN connection bytes output

Bytes sent per minute for a VPN gateway connection

Table 7: VPN connection bytes output
Metadata	Description
`Metric name`	`ibm_is_vpn_connection_bytes_out`
`Metric type`	`gauge`
`Value type`	`byte`
`Segment by`	`Service instance, VPN name, Connection name, Connection ID, IBM IS`

VPN connection packets input

Packets received per minute for a VPN gateway connection

Table 8: VPN connection packets input
Metadata	Description
`Metric name`	`ibm_is_vpn_connection_packets_in`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, VPN Name, Connection Name, Connection ID, IBM IS`

VPN connection packets output

Packets sent per minute for a VPN gateway connection

Table 9: VPN connection packets output
Metadata	Description
`Metric name`	`ibm_is_vpn_connection_packets_out`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, VPN name, Connection name, Connection ID, IBM IS`

VPN connection status

Status of a VPN gateway connection (for example, 1=up, 0=down)

Table 10: VPN connection status
Metadata	Description
`Metric name`	`ibm_is_vpn_connection_status`
`Metric type`	`gauge`
`Value type`	`none`
`Segment by`	`Service instance, VPN name, Connection name, Connection ID, IBM IS`

Metric segmentation

You can split the metrics that IBM Cloud Monitoring presents into various visualizations in the IBM Cloud Monitoring dashboard, allowing views of different metrics based on your preference. For example, if you have multiple VPN gateways or accounts with different VPN gateways in each account, you might want to focus on a particular gateway by name.

As an example, you can segment the VPN Gateway Total Bytes Input by IBM VPN for VPC gateway name to show how many bytes per minute are received for a VPN gateway. The dashboard shows different lines in different colors where each line represents received bytes per minute for a VPN gateway.

Global attributes

The following attributes are available for segmenting all of the VPN metrics:

Table 11: VPN metric attributes
Attribute	Attribute name	Attribute description
`Cloud type`	`ibm_ctype`	A value of public, dedicated, or local
`Location`	`ibm_location`	The location of the monitored resource - a region, data center, or global
`Resource`	`ibm_resource`	The resource that is measured by the service - typically an identifying name or GUID
`Resource type`	`ibm_resource_type`	The type of resource that is measured by the service
`Resource group`	`ibm_resource_group_name`	The resource group where the service instance was created
`Scope`	`ibm_scope`	The scope of the account, organization, or space GUID that is associated with this metric
`Service name`	`ibm_service_name`	Name of the service that generated this metric

Additional attributes

The following attributes are available for segmenting one or more attributes as described in the previous reference. See the individual metrics for segmentation options.

Table 12: VPN segmentation metric attributes
Attribute	Attribute name	Attribute description
`Connection ID`	`ibm_is_vpn_connection_id`	IBM VPN for VPC gateway connection ID
`Connection name`	`ibm_is_vpn_connection_name`	IBM VPN for VPC gateway connection name
`IBM IS`	`ibm_is_generation`	IBM IS; for example, 2
`Service instance`	`ibm_service_instance`	Identifies the instance that the metric is associated with
`Service instance name`	`ibm_service_instance_name`	Provides the user-provided name of the service instance. This name isn't necessarily a unique value that depends on the name that is provided.
`VPN gateway name`	`ibm_is_vpn_gateway_name`	IBM VPN for VPC gateway name

The displayed metrics contain a timestamp in UNIX epoch time and the metric value for the time intervals that end at that timestamp. You can specify different scopes, and the time interval over which to report the metrics.

You can also specify the time interval over which to report your metrics. The following time intervals that are supported in the IBM Cloud Monitoring dashboard:

10 seconds
1 minute
10 minutes
1 hour
6 hours
2 weeks
Custom

Enabling metrics monitoring

To receive monitoring metrics, you must set up your IBM Cloud Monitoring instance.

To receive monitoring metrics, use the following steps:

Navigate to the metrics monitoring portal and click Options > Create.
Select a region for your IBM Cloud Monitoring instance.

If you do not have an existing VPN gateway, see Creating a VPN gateway to provision one.

The region needs to match the location of your existing VPN gateway.
Choose your pricing plan.

Pricing plan details are explained in the selection window. Select the plan that best meets your requirements.
Provide a unique service name for your instance. The name can be any name that you want. The name has no impact on functionality.

Do not give multiple IBM Cloud Monitoring instances the same name.
Optionally, select a resource group. A resource group organizes account resources in customizable groupings. Any account resource that is managed by using IBM Cloud Identity and Access Management (IAM) access control belongs to a resource group within your account.

If you do not have any pre-configured resource groups, or have no reason to share this resource selectively, use the default selection.

If your account has multiple resource groups, you can choose which group has access to this IBM Cloud Monitoring instance. By using this selective access, metrics can be available to some resource groups and not to others.
Select the Enable checkbox. You must select this option to receive metrics from your VPN gateway.
Click Create. You are taken back to the monitoring metrics home page.

Within a few minutes, your new IBM Cloud Monitoring instance displays with several configurations. You might have to refresh your browser to see it.

Working with the IBM Cloud Monitoring dashboard

To view and work with your IBM Cloud Monitoring metrics, follow these steps:

Navigate to the metrics monitoring portal.
Click Open dashboard next to the service name of the IBM Cloud Monitoring instance that you want to work with.

The first time that you access your IBM Cloud Monitoring instance, several windows display as part of the internal setup. Keep the default entries, and click through the pages until you reach the main IBM Cloud Monitoring page.
Open the IBM VPN for VPC Monitoring Metrics dashboard by selecting Dashboards.
Click Dashboard Library > IBM > VPC VPN. The default dashboard is not editable.
Ten main metrics in the dashboard are shown. These metrics include Gateway/Connection status, Gateway/Connection bytes input/output, and Gateway/Connection packets input/output. If you want to modify parameters and segment your metrics by VPN gateway name and VPN connection name, you must create a custom dashboard.

You can choose what time window that you'd like to see your metrics by using the time selection bar.

Creating a custom metrics dashboard

You can create your own dashboard to customize your monitoring metrics, such as viewing information about particular VPN gateways, or seeing traffic that comes through only a VPN connection.

To customize your dashboard, use the following steps:

Navigate to the metrics monitoring portal.
Click Open dashboard next to the service name of the IBM Cloud Monitoring instance you want to work with. You now see the dashboard.
Select Dashboards and click the + in the panel.
Select Blank dashboard and select the type of visual representation that you want.

IBM Cloud Monitoring offers eight different visualizations for your dashboard. Read the description for each visualization and choose the one that best meets your requirements.

The line View trends over time is the most frequently selected option. The following examples show a line-based visualization.
Configure your custom dashboard.
- In the Metrics field, enter ibm_is to display the ten IBM Cloud VPN for VPC metrics: ibm_is_vpn_gateway_status, ibm_is_vpn_connection_status, ibm_is_vpn_gateway_bytes_in, ibm_is_vpn_gateway_bytes_out, ibm_is_vpn_gateway_packets_in, ibm_is_vpn_gateway_packets_out, ibm_is_vpn_connection_bytes_in, ibm_is_vpn_connection_bytes_out, ibm_is_vpn_connection_packets_in, and ibm_is_vpn_connection_packets_out.
- You can choose a scope to display in your dashboard by clicking Override Dashboard Scope. For example, you can display the metrics for a particular VPN gateway.
- You can also set a segment to compare metrics across the scope that you define. For example, you can look at the connection status for a particular VPN gateway that is segmented by gateway name and connection name.
Click Save.

By default, the dashboard is named "blank dashboard". You can change the name by selecting Dashboards from the sidebar and clicking the Pencil icon next to the name.

To return to the default IBM Cloud Monitoring dashboard at any time, select Dashboards > Default Dashboards > IBM > VPC VPN.

Working with IBM Cloud Monitoring by using APIs

You can also work with the IBM Cloud Monitoring instance by using metric query APIs. You might want to use APIs if you need raw data points or want to consume your metrics from a command-line interface rather than using the IBM Cloud Monitoring dashboard.

After you create your IBM Cloud Monitoring instance, you must collect the following two pieces of information.

The Monitor API token
The endpoint of your IBM Cloud Monitoring instance

To collect this information and work with your IBM Cloud Monitoring instance by using metric query API, follow these steps:

Access the Monitoring home page.
Click Open Dashboard next to the instance that you want to work with.
After the IBM Cloud Monitoring dashboard is displayed, select your Account Profile icon on the sidebar and select Settings. You now see your account settings.
Your Monitor API token is an alphanumeric string that is located in the Sysdig Monitor API Token field. Click the Copy button to copy the token to your clipboard.

Do not share this API token. Anyone who has this API token has full access to your metrics.
The endpoint of your IBM Cloud Monitoring instance is per region. For example, if your IBM Cloud Monitoring instance exists in us-south, then its endpoint is:
```
https://us-south.monitoring.cloud.ibm.com/api/data/batch
```
After you have both the API token and the endpoint, you can format your POST request. The following POST request is an example, with all the parameters that you can modify. The following are parameters:
- The Monitor API token.
- The endpoint of your IBM Cloud Monitoring instance.
- The value for ibm_is_vpn_gateway_name (the VPN gateway name that you want to see metrics for).
If you want to see this metric for all of your VPN gateways, do not enter a value for the scope attribute. For example, use "scope" : "".
- The metric type that you want to see the results for. This example uses ibm_is_vpn_gateway_status.
- The from and to attributes define the timeframe to focus the scan, set in epoch time, and in microseconds.
- The sampling and value attributes set the granularity of the data that is returned in the POST request.
Because a large volume of data is stored in IBM Cloud Monitoring, choosing the specific level of granularity is important. IBM Cloud Monitoring can return only 600 data points at a time per request. As a result, the sampling and value attributes are important. Leaving these two lines out of your request returns an aggregate sum over that time period instead.

If the time range that is specified by from and to is large (for example, 4 days), but you define a sampling and value of 10 seconds, it means that you receive 4 days worth of data that is split into 10-second chunks. This sample is not useful because of the large amount of data that is returned. Specifying a larger chunk is recommended (for example, 1 hour instead of 10 seconds).
```
   curl \
   -H 'Authorization: Bearer <API_TOKEN>’ \
   -H 'Content-Type: application/json' \
   https://us-south.monitoring.cloud.ibm.com/api/data/batch  \
   -d '{
     "requests": [
         {
             "format": {
                 "type": "data"
             },
             "scope": "ibm_is_vpn_gateway_name = \"test-001\"",
             "metrics": {
                 "k0": "timestamp",
                 "v1": "ibm_is_vpn_gateway_status"
             },
             "time": {
                 "from": 1589877054000000,
                 "to": 1589877114000000,
                 "sampling": 60000000
             },
             "group": {
                 "by": [
                     {
                        "metric": "k0",
                         "value" : 60000000
                     }
                 ],
                 "aggregations": {
                     "v1": "avg"
                 },
                 "groupAggregations": {
                     "v1": "avg"
                 }
             }
         }
     ]
 }'
```

Working with IBM Cloud Monitoring by using VPN for VPC UI

You can view individual VPN gateway metrics and launch the IBM Cloud Monitoring dashboard from the VPN UI.

Navigate to the VPN UI.
Click a VPN gateway name whose IBM Cloud Monitoring metrics that you want to view and go to its Overview page.

The Monitoring preview panel displays the sum of every metric over the last hour.

You can click Launch monitoring to launch the VPN gateway's default IBM Cloud Monitoring dashboard.
Open the VPN gateway's Monitoring page. The page displays a VPN gateway's throughput and packets in a time range.

Similarly, you can also launch the VPN gateway's default IBM Cloud Monitoring dashboard by clicking Launch monitoring.