Skip to main content

Amazon CloudWatch

Amazon CloudWatch is a monitoring and observability service and a repository that aggregates data from more than 70 AWS data sources. CloudWatch also allows users to publish custom metrics from their services. Creating SLOs using this data is a powerful tool to monitor large portfolios of products.

Nobl9 integration with CloudWatch supports CloudWatch Metrics Insights. Leveraging Metrics Insights, Nobl9 users can retrieve metrics even faster and gain added flexibility in querying raw service level indicator (SLI) data to use for their SLOs.

Using CloudWatch as a Source in Nobl9, users can configure their SLOs by leveraging data in CloudWatch-specific groupings – i.e., by region, namespaces, and dimensions.

Scope of Support

The following CloudWatch metric features are not supported:

Authentication

Applications that are integrated with AWS must sign their API requests with AWS Access Keys that are used to sign programmatic requests that users make to AWS. Access keys consist of:

  • AWS Access Key ID

  • AWS Secret Access Key

Both AWS Access Key ID and AWS Secret Access Key are created as a pair. Your Access Key ID and Secret Access Key are encrypted before being stored on the Nobl9 server. You will also need Cloudwatch GetMetricData API permissions to make programmatic requests to AWS API.

You can create your AWS Access Key ID and AWS Secret Access Key by using the AWS Management Console. For more details, go to Getting Started with the AWS SDK for Go.

caution

If you're using AWS Free Tier, you won't be able to use the GetMetricData API to collect CloudWatch metrics.

Adding Amazon CloudWatch as a Data Source in the UI

To add CloudWatch as a data source in Nobl9 using the Agent or Direct connection method, follow these steps:

  1. Navigate to Integrations > Sources.

  2. Click the plus button button.

  3. Click the Amazon CloudWatch icon.

  4. Choose Direct or Agent, then configure the source as described below.

CloudWatch Direct

Direct Configuration in the UI

Direct connection to CloudWatch requires users to enter their credentials which Nobl9 stores safely. To set up this type of connection:

  1. Add Access Key ID and Secret Access Key.
    For details, see the Authentication section above.

  2. Select a Project (mandatory).
    Specifying a Project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, a default value appears.

  3. Enter a Display name (optional).
    You can enter a friendly name with spaces in this field.

  4. Enter a Name (mandatory).
    The name is mandatory and can only contain lowercase, alphanumeric characters and dashes (for example, my-project-name). This field is populated automatically when you enter a display name, but you can edit the result.

  5. Enter a Description (optional).
    Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.

  6. Click the Add Data Source button.

CloudWatch Agent

Agent Configuration in the UI

Follow the instructions below to create your CloudWatch agent connection. Refer to the section above for the description of the fields.

  1. Enter a Project (mandatory).

  2. Enter a Display name (optional).

  3. Enter a Name (mandatory).

  4. Enter a Description (optional).

  5. Click the Add Data Source button.

Deploying CloudWatch Agent

When you add the data source, Nobl9 automatically generates a Kubernetes configuration and a Docker command line for you to use to deploy the Agent. Both of these are available in the web UI, under the Agent Configuration section. Be sure to swap in your credentials (e.g., if you are using AWS Access Key ID and Secret Access Key, replace AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in the following deployment descriptions).

caution

Ensure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables are set appropriately if you are using Access/Secret Keys. If these variables are not set, a Default Credential Provider Chain will be used.

If you use Kubernetes, you can apply the supplied YAML config file to a Kubernetes cluster to deploy the Agent. It will look something like this:

# DISCLAIMER: This deployment description contains only the fields necessary for the purpose of this demo.
# It is not a ready-to-apply k8s deployment description, and the client_id and client_secret are only exemplary values.

apiVersion: v1
kind: Secret
metadata:
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
namespace: default
type: Opaque
stringData:
aws_access_key_id: <AWS_ACCESS_KEY_ID>
aws_secret__access_key: <AWS_SECRET_ACCESS_KEY>
client_id: "unique_user_id"
client_secret: "unique_client_secret"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
namespace: default
spec:
replicas: 1
selector:
matchLabels:
nobl9-agent-name: cloudwatch
nobl9-agent-project: cloudwatch
nobl9-agent-organization: nobl9-dev
template:
metadata:
labels:
nobl9-agent-name: cloudwatch
nobl9-agent-project: cloudwatch
nobl9-agent-organization: nobl9-dev
spec:
containers:
- name: agent-container
image: nobl9/agent:0.31.0
resources:
requests:
memory: "350Mi"
cpu: "0.1"
env:
- name: N9_CLIENT_ID
valueFrom:
secretKeyRef:
key: client_id
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
- name: N9_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client_secret
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: aws_access_key_id
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: aws_secret_access_key
name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch

Creating SLOs with CloudWatch

Using Amazon CloudWatch, users can create their SLOs by:

  • Entering standard Threshold and Ratio metrics.

  • Entering an SQL query.

  • Entering multiple queries through JSON.

All three methods are available both in the UI and through applying YAML (see the Creating CloudWatch SLOs - YAML section).

Creating SLOs in the UI

Follow the instructions below to create your SLOs with CloudWatch in the UI:

  1. Navigate to Service Level Objectives.

  2. Click the plus button button.

  3. In step 1 of the SLO wizard, select the Service the SLO will be associated with.

  4. In step 2, select Amazon CloudWatch as the Data Source for your SLO, then specify the Metric. You can choose either a Threshold Metric, where a single time series is evaluated against a threshold, or a Ratio Metric, which allows you to enter two time series to compare (for example, a count of good requests and total requests).

    1. A Threshold Metric is a single time series evaluated against a threshold.

    2. A Ratio Metric allows you to enter two-time series to compare (for example, a count of good requests and total requests).

  5. In step 3, define a Time Window for the SLO.

  6. In step 4, specify the Error Budget Calculation Method and your Objective(s).

  7. In step 5, add a Name, Description, and other details about your SLO. You can also select Alert Policies and Labels on this screen.

  8. When you’re done, click Create SLO.

Entering CloudWatch Query

Both, Ratio and Threshold metrics for a standard CloudWatch metric use the same parameters. In the case of the Ratio metric, define these parameters separately for Good Metric and Total metric:

  1. Add a Region.
  2. It is a region code in AWS. Use one of the regional codes that are listed here.

  3. Add a Namespace (mandatory, max. number of characters 255).
  4. A namespace can contain alphanumeric characters, period, a hyphen, underscore, forward slash, hash, or colon. A Namespace is a container for CloudWatch metrics. For further details, see CloudWatch Concepts | Amazon CloudWatch Documentation.

  5. Add a Metric Name (mandatory, max. number of characters 255).
  6. Add Statistic function.
  7. Statistic functions are aggregations of metric data over specified periods. For example, you can use Maximum, Minimum, Sum, Average. To see all statistics are supported by CloudWatch for metrics, go to Statistics Definition | Amazon CloudWatch Documentation.

  8. Add Dimensions (optional, list).
  9. A dimension is a name/value pair that is part of the identity of a metric. Users can assign a max. of 10 dimensions to a metric.

    • Add a Name (mandatory, max. number of characters 255, don't trim whitespaces). The name of the dimension. Dimension names must contain only ASCII characters and must include at least one non-whitespace character.
    • Add a Value required (max. number of characters 255). It is the value of the dimension. Dimension values must contain only ASCII characters and must include at least one non-whitespace character.

  10. In step 3, define a Time Window for the SLO.
  11. In step 4, specify the Error Budget Calculation Method and your Objective(s) .
  12. In step 5, add a Name, Description, and other details about your SLO. You can also select Alert Policies and Labels on this screen.
  13. When you’ve finished, click Create SLO.

SLO using CloudWatch - YAML samples

SLO using CloudWatch - Standard Configuration

Here’s an example of CloudWatch using a rawMetric (Threshold Metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
name: cloudwatch-occurrences-threshold
project: cloudwatch
spec:
budgetingMethod: Occurrences
description: ""
indicator:
metricSource:
name: cloudwatch
service: cloudwatch-service
objectives:
- target: 0.8
op: lte
rawMetric:
query:
cloudwatch:
region: eu-central-1
namespace: AWS/RDS
metricName: ReadLatency
stat: Average
dimensions:
- name: DBInstanceIdentifier
value: <identifier_of_your_db_instance> # replace with value that corresponds to your DBInstanceIdentifier
value: 0.0004
timeWindows:
- calendar:
startTime: "2020-11-14 12:30:00"
timeZone: Etc/UTC
count: 1
isRolling: false
unit: Day
---
apiVersion: n9/v1alpha
kind: SLO
metadata:
name: cloudwatch-timeslices-threshold
project: cloudwatch
spec:
budgetingMethod: Timeslices
description: ""
indicator:
metricSource:
name: cloudwatch
service: cloudwatch-service
objectives:
- target: 0.8
op: lte
rawMetric:
query:
cloudwatch:
region: eu-central-1
namespace: AWS/RDS
metricName: ReadLatency
stat: Average
dimensions:
- name: DBInstanceIdentifier
value: <identifier_of_your_db_instance> # replace with value that corresponds to your DBInstanceIdentifier
value: 0.0004
timeSliceTarget: 0.5
timeWindows:
- calendar:
startTime: "2020-11-14 12:30:00"
timeZone: Etc/UTC
count: 1
isRolling: false
unit: Day

Important Notes:

Both, Ratio and Threshold metrics for CloudWatch use the same parameters (in the case of the Ratio metric, define these parameters separately for the Good Metric and Total metric).

  • region is required. It is a region code in AWS. Use one of the regional codes listed here.

  • namespace is required (string, max. number of characters 255). It can contain alphanumeric characters, period ., hyphen -, underscore _, forward slash /, hash #, or colon :. A namespace is a container for CloudWatch metrics. For further details, see CloudWatch Concepts | Amazon CloudWatch Documentation. Example: AWS/ApplicationELB.

  • metricName is required (string, max. number of characters 255).

  • stat is required. stats are aggregations of metric data over specified periods of time. To see what statistics are supported by CloudWatch for metrics, go to Statistics Definitions | Amazon CloudWatch Documentation. Examples: SampleCount, Average, p95, TC(0.005:0.030).

  • dimensions field is optional (list). A dimension is a name/value pair that is part of the identity of a metric. Users can assign a max. of 10 dimensions to a metric.

    • name is required (string, max. number of characters 255). Dimension names must contain only ASCII characters and must include at least one non-whitespace character.

    • value is required (string, max. number of characters 255). Dimension values must contain only ASCII characters and must include at least one non-whitespace character.

SLO using CloudWatch SQL query

Here’s an example of CloudWatch SQL query using rawMetric (Threshold metric**):

apiVersion: n9/v1alpha
kind: SLO
metadata:
name: cloudwatch-occurrences-threshold-via-sql
project: cloudwatch
spec:
budgetingMethod: Occurrences
description: ""
indicator:
metricSource:
name: cloudwatch
service: cloudwatch-service
objectives:
- target: 0.8
op: lte
rawMetric:
query:
cloudwatch:
region: us-east-1
sql: 'SELECT AVG(CPUUtilization)FROM "AWS/EC2"'
value: 0.0004
timeWindows:
- calendar:
startTime: "2021-10-01 12:30:00"
timeZone: Etc/UTC
count: 1
isRolling: false
unit: Day

Important notes: When using SQL Query only these fields are required:

  • region is mandatory. It is a regional code in AWS. Use one of the regional codes listed here. Note: CloudWatch SQL query is available in all AWS Regions, except China.

  • sql is mandatory. It is an SQL query that enables you to compare, aggregate, and group your metrics by labels to gain real-time operational insights.

CloudWatch SLOs using multiple metrics (JSON)

CloudWatch integration enables you to query multiple CloudWatch Metrics Insights and use math expressions to create new time series based on these metrics. You can do this by entering Multiple JSON Queries.

Here’s an example of CloudWatch JSON query using rawMetric (**Threshold metric)):

apiVersion: n9/v1alpha
kind: SLO
metadata:
name: cloudwatch-rawmetric-via-json
project: cloudwatch
spec:
budgetingMethod: Occurrences
description: ""
indicator:
metricSource:
kind: Agent
name: cloudwatch
project: cloudwatch
objectives:
- displayName: ""
op: lte
rawMetric:
query:
cloudWatch:
json: |-
[
{
"Id": "e1",
"Expression": "m1 / m2",
"Period": 60
},
{
"Id": "m1",
"MetricStat": {
"Metric": {
"Namespace": "AWS/ApplicationELB",
"MetricName": "HTTPCode_Target_2XX_Count",
"Dimensions": [
{
"Name": "LoadBalancer",
"Value": "app/main-default-appingress-350b/904311bedb964754"
}
]
},
"Period": 60,
"Stat": "SampleCount"
},
"ReturnData": false
},
{
"Id": "m2",
"MetricStat": {
"Metric": {
"Namespace": "AWS/ApplicationELB",
"MetricName": "RequestCount",
"Dimensions": [
{
"Name": "LoadBalancer",
"Value": "app/main-default-appingress-350b/904311bedb964754"
}
]
},
"Period": 60,
"Stat": "SampleCount"
},
"ReturnData": false
}
]
region: eu-central-1
target: 0.8
value: 0.9
service: cloudwatch-service
timeWindows:
- count: 1
isRolling: true
period:
begin: "2021-11-10T14:49:37Z"
end: "2021-11-10T15:49:37Z"
unit: Hour

Important Notes:

When using Multiple Queries (JSON) it is important to remember about:

  • region field is mandatory. It is a regional code in AWS. Use one of the regional codes listed here.

  • json field is mandatory. It is a JSON query that enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics.

The following JSON validation applies:

  • The JSON query must be valid.

  • The JSON query should be an array of metrics.

  • Only one ReturnData field can be set to true (when it is not set, by default it is true), and the rest of the ReturnData fields in other metrics has to be set explicitly to false.

  • The Period field in MetricStat is required and it has to be equal to 60, if MetricStat' does not exist, the Period field should be set in the base object to 60.

For further details on CloudWatch metric math functions, go to Using Metric Math | Amazon ClodWatch Documentation.

Querying the CloudWatch Server

Once the SLO is set up, Nobl9 queries the CloudWatch server every 60 seconds.

CloudWatch API Rate Limits

For GetMetricData API, CloudWatch has limit of 50TPS per Region set by default. This is the maximum number of operation requests you can make per second. For more information, refer to the CloudWatch service quotas | CloudWatch Documentation.

CloudWatch has minimum query and store period - 1 second. By default, CloudWatch stores data with a 1-minute period.

CloudWatch retains metric data differently for various store period. For more information, refer to the GetMetricData | CloudWatch Documentation.

Known Limitations

CloudWatch SQL query is available in all AWS Regions, except China.

Put Metric Data | Amazon ClodWatch Documentation

Get Metric Data | Amazon ClodWatch Documentation

Amazon CloudWatch Concepts | Amazon ClodWatch Documentation

CloudWatch Statistics Definitions | Amazon ClodWatch Documentation

AWS Regional Endpoints | Amazon ClodWatch Documentation

CloudWatch Metrics Insights | Amazon ClodWatch Documentation

CloudWatch service quotas | CloudWatch Documentation