How to configure CloudWatch Agent to use EC2 service VPC Endpoint for EC2 Metric Dimensions

We are setting up CW Agent on EC2 to send EC2 metrics to CloudWatch. A VPCE has been set up for the CloudWatch services endpoint, and an endpoint_override has been added to the metrics section of the agent configuration file.

Similar to this override, or to using the aws ec2 command line with --endpoint-url https://vpce-xxxxxxxxxx.ec2.us-gov-west-1.vpce.amazonaws.com, is there a way to set the VPCE URL for the EC2 services endpoint so that it overrides the public endpoint when using append_dimensions and aggregate_dimensions in the agent configuration file?

When these 2 fields are added to the configuration file, we receive a timeout for the public EC2 service endpoint because we don't set a proxy to the endpoint.

asked a year ago · 1404 views
1 Answer
When you invoke an AWS Service, under the covers it's via an AWS Query API call to the service's domain name. This is a public domain name that normally resolves to a public IP address, but a Private Hosted Zone (PHZ) for the Endpoint is used to override the domain name so it resolves to the private IP address of the Endpoint instead. Assuming you're accessing the VPCE from the same VPC as it's in, you need to set PrivateDnsEnabled=true for the VPC Endpoint when you create it, which sets up an AWS-managed PHZ associated with the VPC. If on the other hand you're going cross-VPC then set PrivateDnsEnabled=false and create a self-managed PHZ that can be shared across VPCs & Accounts, and ensure network connectivity is in place. See https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ for more info.

EXPERT
answered a year ago
  • Both VPCEs (the CloudWatch monitoring and the EC2 services) are set to PrivateDnsEnabled=true. The issue comes in when the CW agent configuration has the optional append_dimensions and aggregation_dimensions settings in the metrics section of the JSON file. Those 2 use ec2tagger / EC2 metadata: "Unable to describe ec2 tags for initial retrieval: RequestError: send request failed caused by: Post "https://ec2.us-gov-west-1.amazonaws.com/": dial tcp xx.xx.xxx.xx:443: i/o timeout" (it uses the public service endpoint, not the VPC endpoint that I set up for EC2 services). I was wondering if there was an additional setting that can be used in the CW agent config that points this query to the VPCE. But maybe something is missing in the setup of the EC2 metadata (IMDSv1).
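The thread turns on two points: endpoint_override only redirects the CloudWatch (monitoring) calls, while the ec2tagger enabled by the dimension settings uses the regional EC2 API name and so depends on the endpoint's Private Hosted Zone to reach the VPCE; and the answer's advice only works if that name actually resolves to the endpoint's private address from the instance. The following script is an added example (not code from the question, the answer, or the CloudWatch agent project). It reads an agent config, lists the API hostnames the metrics section will make the agent contact, and classifies what each one resolves to. It assumes service hostnames follow the usual <service>.<region>.amazonaws.com pattern; the vpce-xxxxxxxxxx hostname, the sample config and the FAKE_DNS answers are constructed placeholders in the shape shown in the question.

```python
"""
Added example: audit which AWS API hostnames a CloudWatch agent metrics
section will contact and whether each resolves to a VPC-private address,
which is what an interface endpoint's Private Hosted Zone should produce.
Assumptions: standard <service>.<region>.amazonaws.com names; the
vpce-xxxxxxxxxx hostname and DNS answers below are constructed placeholders.
"""
import ipaddress
import json
import socket
from urllib.parse import urlparse

REGION = "us-gov-west-1"

# Constructed sample config: endpoint_override covers the CloudWatch
# (monitoring) endpoint, while append_dimensions turns on the ec2tagger that,
# per the thread, calls the EC2 API (DescribeTags) and IMDS.
SAMPLE_CONFIG = json.loads("""
{
  "metrics": {
    "endpoint_override": "https://vpce-xxxxxxxxxx.monitoring.us-gov-west-1.vpce.amazonaws.com",
    "append_dimensions": {"InstanceId": "${aws:InstanceId}"},
    "aggregation_dimensions": [["InstanceId"]],
    "metrics_collected": {"mem": {"measurement": ["mem_used_percent"]}}
  }
}
""")

# Address ranges a VPC can carry; an endpoint ENI always lives in one of them.
VPC_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def required_endpoints(config, region):
    """Map each API the metrics section needs to the hostname the agent will use."""
    metrics = config.get("metrics", {})
    needed = {}
    override = metrics.get("endpoint_override")
    # endpoint_override only redirects PutMetricData to the CloudWatch VPCE.
    needed["cloudwatch:PutMetricData"] = (
        urlparse(override).hostname if override else f"monitoring.{region}.amazonaws.com")
    # No key in the metrics section redirects the ec2tagger, so it uses the
    # regional EC2 name and depends on DNS (a PHZ) to reach the EC2 VPCE.
    if "append_dimensions" in metrics or "aggregation_dimensions" in metrics:
        needed["ec2:DescribeTags (ec2tagger)"] = f"ec2.{region}.amazonaws.com"
    return needed


def classify(addresses):
    """'private' if every address is in a VPC range, 'public' if none is,
    'mixed' otherwise, 'unresolved' for an empty answer."""
    if not addresses:
        return "unresolved"
    flags = [any(ipaddress.ip_address(a) in net for net in VPC_NETS) for a in addresses]
    if all(flags):
        return "private"
    return "public" if not any(flags) else "mixed"


def resolve(hostname):
    """Resolve through the instance's configured resolver (the VPC resolver on EC2)."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def audit(config, region, resolver=resolve):
    """Return {api: (hostname, classification, addresses)} for the config."""
    report = {}
    for api, host in required_endpoints(config, region).items():
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
        report[api] = (host, classify(addrs), addrs)
    return report


# Constructed DNS answers reproducing the thread's symptom: the CloudWatch
# VPCE name resolves privately, the EC2 name still resolves to a public address
# (203.0.113.5 is a TEST-NET documentation address, not a real AWS IP).
FAKE_DNS = {
    "vpce-xxxxxxxxxx.monitoring.us-gov-west-1.vpce.amazonaws.com": ["10.0.1.25", "10.0.2.40"],
    "ec2.us-gov-west-1.amazonaws.com": ["203.0.113.5"],
}


if __name__ == "__main__":
    # On the instance, drop resolver= to query real DNS; here the fake answers are used.
    report = audit(SAMPLE_CONFIG, REGION, resolver=lambda h: FAKE_DNS.get(h, []))
    for api, (host, verdict, addrs) in report.items():
        print(f"{api:30} {host:62} {verdict:10} {', '.join(addrs)}")
```

Run on the instance with the real resolver, a "public" verdict for ec2.us-gov-west-1.amazonaws.com while the EC2 VPCE exists with PrivateDnsEnabled=true means the endpoint's managed PHZ is not taking effect for that VPC (or the instance is not using the VPC resolver), which is the condition the answer describes; a "private" verdict means DNS is fine and the timeout must come from elsewhere, such as a security group on the endpoint ENI or the endpoint policy.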
