How can I monitor packet loss and latency from AWS to an on-premises network over an internet gateway or NAT gateway?


I want to monitor packet loss and latency from AWS to an on-premises network over an internet gateway or NAT gateway.


Amazon CloudWatch Internet Monitor

Amazon CloudWatch Internet Monitor provides observability of internet measurements such as availability and performance. Use Internet Monitor to get insights into average internet performance metrics over time, and about events by location and internet service provider (ISP). Internet Monitor also identifies which events are impacting end user experience for your applications.

For more information, see Using Amazon CloudWatch Internet Monitor.

AWS Systems Manager automation document

The AWSSupport-SetupIPMonitoringFromVPC automation document continuously runs ping, MTR, traceroute, and tracetcp tests to any IPv4 or IPv6 target IP address. An Amazon Elastic Compute Cloud (Amazon EC2) instance created in a VPC subnet that you specify runs the tests automatically. For more information, see Debugging tool for network connectivity from Amazon VPC.

The results of the tests are stored in Amazon CloudWatch Logs. Metric filters are added to a CloudWatch dashboard, so you can review latency and packet loss metrics.

To configure the AWSSupport-SetupIPMonitoringFromVPC automation document:

  1. Open the AWS Systems Manager console.
  2. Choose the AWS Region that you want to monitor your on-premises targets from.
  3. Choose Documents from the left navigation pane.
  4. Search for AWSSupport-SetupIPMonitoringFromVPC.
  5. Choose the document title to view details.
  6. Choose Execute Automation, and then choose Simple execution.
  7. In the Input parameters view, enter the following:
    - SubnetId: Enter a VPC subnet ID to run the tests from. This is a required field. Make sure that the subnet that you're specifying has a route to the internet gateway.
    - TargetIPs: Enter a comma-separated list (no spaces) of IPv4 or IPv6 addresses that you want to monitor. This is a required field. The maximum size is 255 characters. If the IP address isn't valid, then the automation fails and rolls back the test setup.
  8. Choose Execute. It can take up to 15 minutes for the test to complete.

Wait until the Execution status changes from In Progress to Success. Then, expand Outputs and open the CloudWatch dashboard link in a new browser tab. Refer to CloudWatch Logs to see the test results.

To view the output of individual steps, under Executed Steps, choose the Step ID. You can also view the CloudWatch dashboard to check the packet loss and the latency metrics.

Note: You can also use this automation document to verify the performance metrics for your targets that are connected over the AWS VPN or AWS Direct Connect.

The SubnetId specified in the Input parameters must have a route toward the target that points to the virtual private gateway. Network access control list (network ACL) rules must allow the traffic to and from the target.

To modify the automation, terminate the current automation using AWSSupport-TerminateIPMonitoringFromVPC. Then, launch a new automation using the AWSSupport-SetupIPMonitoringFromVPC document.
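The same launch can be scripted instead of clicked through the console. The added example below (not part of the original article or of the runbook itself) pre-checks the SubnetId and TargetIPs values against the constraints listed in the steps above, so a typo is caught before the automation launches an instance and then fails and rolls back, and then starts the AWSSupport-SetupIPMonitoringFromVPC document through the SSM StartAutomationExecution API. The subnet ID and target addresses are placeholders; boto3 is assumed to be installed and credentials configured.

```python
import ipaddress
import re

DOCUMENT_NAME = "AWSSupport-SetupIPMonitoringFromVPC"
MAX_TARGET_IPS_LEN = 255  # limit stated for the TargetIPs input parameter


def validate_target_ips(target_ips: str) -> list[str]:
    """Check TargetIPs the way the runbook expects it: required, at most 255
    characters, comma-separated with no spaces, every entry a valid IPv4 or
    IPv6 address. Returns the parsed addresses or raises ValueError."""
    if not target_ips:
        raise ValueError("TargetIPs is required")
    if len(target_ips) > MAX_TARGET_IPS_LEN:
        raise ValueError(f"TargetIPs exceeds {MAX_TARGET_IPS_LEN} characters")
    if " " in target_ips:
        raise ValueError("TargetIPs must be comma-separated with no spaces")
    addresses = target_ips.split(",")
    for addr in addresses:
        try:
            ipaddress.ip_address(addr)  # accepts IPv4/IPv6, rejects CIDRs and hostnames
        except ValueError:
            raise ValueError(f"invalid IP address in TargetIPs: {addr!r}") from None
    return addresses


def build_parameters(subnet_id: str, target_ips: str) -> dict[str, list[str]]:
    """Build the Parameters map that StartAutomationExecution expects
    (each value is a list of strings, even for single-valued inputs)."""
    if not re.fullmatch(r"subnet-[0-9a-f]{8,17}", subnet_id):
        raise ValueError(f"not a VPC subnet ID: {subnet_id!r}")
    validate_target_ips(target_ips)
    return {"SubnetId": [subnet_id], "TargetIPs": [target_ips]}


def start_monitoring(subnet_id: str, target_ips: str, region: str) -> str:
    """Launch the runbook and return the automation execution ID, which can be
    looked up in the Systems Manager console to reach the Outputs section."""
    import boto3  # imported here so the validators above work without the SDK

    ssm = boto3.client("ssm", region_name=region)
    resp = ssm.start_automation_execution(
        DocumentName=DOCUMENT_NAME,
        Parameters=build_parameters(subnet_id, target_ips),
    )
    return resp["AutomationExecutionId"]


if __name__ == "__main__":
    # Placeholder subnet and constructed (documentation-range) target addresses.
    print(start_monitoring("subnet-0123456789abcdef0", "203.0.113.10,2001:db8::10", "us-east-1"))
```

Once the execution finishes, the CloudWatch dashboard link is still found under Outputs in the console, exactly as in the manual steps.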

Related information

Systems Manager Automation runbook reference

Debugging tool for network connectivity from Amazon VPC

Monitor network infrastructure performance