
VPN Gateway: Monitoring and logging

Last Updated: Apr 28, 2024

Monitoring and logging can help you ensure the availability, performance, and health of your services. You can enable monitoring to collect metrics. Alibaba Cloud provides a wide variety of monitoring and auditing services, such as Network Intelligence Service (NIS), CloudMonitor, and Cloud Config. These services can monitor resource usage and service performance in real time, generate alerts, and notify you of anomalies.

NIS

NIS is an intelligent, self-service platform that helps you design, deploy, and maintain websites. It improves your work efficiency. NIS provides statistics that can help you design your network and troubleshoot network issues.

VPN Gateway is integrated with NIS, which can diagnose VPN gateways and analyze traffic transmission paths to help you maintain service availability.

Instance diagnostics

The instance diagnostic feature can diagnose VPN gateways, including configurations and health status, and provide troubleshooting solutions. For more information, see Diagnose a VPN gateway.

Reachability analyzer

If you use VPN gateways to connect networks, you can use the reachability analyzer to test the connectivity between network resources. This feature helps you improve service availability. For more information, see Work with the reachability analyzer.

Troubleshooting

The troubleshooting feature can be used to analyze VPN gateways in invalid states and request errors. This feature allows you to keep track of the status of your VPN gateways and informs you of anomalies at the earliest opportunity.

Alibaba Cloud resource healthiness updates

We recommend that you keep track of the health status of your Alibaba Cloud resources so that you can handle exceptions at the earliest opportunity. For more information, visit Alibaba Cloud Resource Healthiness Updates.

On the Alibaba Cloud Resource Healthiness Updates page, you can check the health status of every service in each region, and find the methods to subscribe to Really Simple Syndication (RSS) feeds about service exceptions.


Basic monitoring

VPN Gateway is integrated with CloudMonitor, which is free of charge. CloudMonitor can monitor system events of VPN gateways and collect VPN Gateway metrics in real time. You can determine whether workloads are running as expected based on the system events and metrics that are collected by CloudMonitor. In addition, you can create alert rules for system events and monitoring metrics so that you can be notified of anomalies at the earliest opportunity.

System event monitoring

CloudMonitor supports system event monitoring, which can automatically record service errors and O&M events. It also supports queries and auditing of service-related system events that indicate the service status. After you classify resources into different application groups, service-related system events are automatically associated with the resources in application groups. This helps you check various monitoring information in one place and efficiently analyze and troubleshoot issues if business exceptions occur.

CloudMonitor also supports event alerting. You can create alert rules with different event priorities, enable CloudMonitor to send you notifications through emails and DingTalk messages, or configure callback URLs. These automatic O&M measures ensure that you are notified of high-severity events.

For more information about the VPN gateway system events supported by CloudMonitor and how to create alert rules for VPN gateway system events, see Monitor system events of a VPN gateway.

Metric monitoring

CloudMonitor can automatically collect the metrics of cloud resources within your Alibaba Cloud account. You can view the monitoring charts of each cloud service. You can also create alert rules to monitor resources. If an alert is triggered based on the alert rules, CloudMonitor sends an alert notification to you. This way, you are notified of the status of your resources at the earliest opportunity.

VPN Gateway provides metrics of different resources. For more information about the VPN Gateway metrics and how to create alert rules, see the following topics:

References

Note

By default, Alibaba Cloud accounts have full permissions on resources, and Resource Access Management (RAM) users do not have permissions on resources. If a RAM user needs to view monitoring data, the Alibaba Cloud account must grant the required permissions to the RAM user. For more information about CloudMonitor permissions, see Grant permissions to a RAM user.

Cloud resource configuration auditing

Cloud Config is an auditing service that can trace and audit resource configurations. It monitors the compliance status of cloud resources to make sure that your infrastructure complies with laws and regulations.

VPN Gateway is integrated with Cloud Config, which is free of charge. Cloud Config supports only some Alibaba Cloud services. Some of your resources may not be on the resource list. For more information about the VPN Gateway resources supported by Cloud Config, see Supported Cloud Services.

Cloud Config can audit the operations performed by your Alibaba Cloud account and all RAM users created by your Alibaba Cloud account. By default, configuration changes are recorded every 10 minutes.

You can view operations performed on VPN gateways in the Cloud Config console. For more information, see View the resource list.

Cloud Config can deliver resource configuration changes and compliance violation events to specified Logstores of Log Service, in which you can query and analyze log data. This applies to VPN gateway configuration changes and compliance violation events, which you can deliver to Log Service for data query and analysis. This ensures that VPN Gateway complies with laws and regulations. For more information, see Deliver resource data to a Logstore in Simple Log Service.

VPN gateway logging

VPN Gateway supports logging for IPsec-VPN connections and SSL-VPN connections. The log data records the establishment processes of IPsec-VPN connections and SSL-VPN connections. You can troubleshoot errors based on the log data.

IPsec-VPN logging

The logs of IPsec-VPN connections record details about IPsec negotiations, dead peer detection (DPD) negotiations, and NAT traversal negotiations. You can gain insights into the establishment of IPsec-VPN connections based on the log data.

  • After you establish an IPsec-VPN connection, logging of the connection automatically starts. You can view log data of IPsec-VPN connections from the last 180 days. The maximum time range that you can query is 10 minutes. For more information, see View the logs of an IPsec-VPN connection.

  • After you deploy an IPsec server, logging for IPsec connections automatically starts. You can view log data of the IPsec server from the last month. The maximum time range that you can query is 10 minutes. For more information, see Query IPsec-VPN server logs.

For more information about how to troubleshoot errors based on IPsec-VPN logs, see Troubleshoot IPsec-VPN connection issues.

SSL-VPN logging

The logs of SSL-VPN connections record details about SSL negotiations and client connections. You can gain insights into the establishment of SSL-VPN connections based on the log data.

After you deploy an SSL server, logging of SSL-VPN connections automatically starts. You can view log data of the SSL server from the last 180 days. The maximum time range that you can query is 10 minutes. For more information, see Query the logs of an SSL server.

For more information about how to troubleshoot errors based on SSL-VPN logs, see Troubleshoot SSL-VPN connection issues.
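
Because a single log query covers at most 10 minutes, reconstructing a longer incident from the IPsec-VPN or SSL-VPN logs described above means splitting the investigation window into consecutive slices and checking it against the retention period. The following planner is an added example, not Alibaba Cloud code; the function name, the log type keys, and the reading of "the last month" as 30 days are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

# Limits stated on this page.
MAX_QUERY_SPAN = timedelta(minutes=10)
RETENTION = {
    "ipsec_connection": timedelta(days=180),
    "ssl_server": timedelta(days=180),
    # The page says "the last month"; 30 days is an assumption.
    "ipsec_server": timedelta(days=30),
}


def plan_log_queries(log_type, start, end, now):
    """Split [start, end) into query windows of at most 10 minutes.

    Returns (windows, lost). windows is a list of (from, to) pairs that are
    still inside the retention period. lost is the (from, to) part of the
    request that has already aged out, or None if nothing was lost.
    """
    if start >= end:
        raise ValueError("start must be before end")
    end = min(end, now)                    # no log data exists in the future
    oldest = now - RETENTION[log_type]     # earliest timestamp still kept
    lost = None
    if start < oldest:
        lost = (start, min(end, oldest))   # evidence that can no longer be read
        start = oldest
    windows = []
    cursor = start
    while cursor < end:
        upper = min(cursor + MAX_QUERY_SPAN, end)
        windows.append((cursor, upper))
        cursor = upper
    return windows, lost


if __name__ == "__main__":
    # Constructed sample: a 35-minute tunnel outage investigated the next day.
    now = datetime(2024, 4, 28, 0, 0, tzinfo=timezone.utc)
    begin = datetime(2024, 4, 27, 8, 55, tzinfo=timezone.utc)
    finish = datetime(2024, 4, 27, 9, 30, tzinfo=timezone.utc)
    windows, lost = plan_log_queries("ipsec_connection", begin, finish, now)
    for lo, hi in windows:
        print(lo.isoformat(), "->", hi.isoformat())
    print("aged out:", lost)
```

A non-empty `lost` range tells the investigator that part of the requested period is past retention, which is the case for delivering data to longer-term storage before an incident occurs.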