Amazon CloudWatch

Reading time: 0 minute(s) (0 words)

Amazon CloudWatch is a monitoring and observability service and a repository that aggregates data from more than 70 AWS data sources. CloudWatch also allows users to publish custom metrics from their services. Creating SLOs using this data is a powerful tool to monitor large portfolios of products.

Nobl9 integration with CloudWatch supports CloudWatch Metrics Insights. Leveraging Metrics Insights, Nobl9 users can retrieve metrics even faster and gain added flexibility in querying raw service level indicator (SLI) data to use for their SLOs.

Using CloudWatch as a Source in Nobl9, users can configure their SLOs by leveraging data in CloudWatch-specific groupings – i.e., by region, namespaces, and dimensions.

Scope of Support

The following CloudWatch metric features are not supported:

• High-resolution metrics (for details, see Put Metric Data | Amazon CloudWatch Documentation)

• Metrics that use more than one Unit.

Authentication

new authentication method for direct connections

On September 14, 2023, we launched the Cross-Account authentication for the AWS integrations. The authentication method utilizing the pair of AWS Access Key ID and AWS Secret Access Key will remain functional until October 15, 2023.

Ensure you review and update all your existing CloudWatch direct data sources with the new authentication method, Cross Account IAM Roles. Refer to the section below for detailed instructions on how to make this transition.

AWS Access Key ID and AWS Secret Access Key

deprecated

Click to see details

Applications integrated with AWS must sign their API requests with AWS Access Keys to sign programmatic requests that users make to AWS. Access keys consist of:

• AWS Access Key ID

• AWS Secret Access Key

AWS Access Key ID and AWS Secret Access Key are created as a pair. Your Access Key ID and Secret Access Key are encrypted before being stored on the Nobl9 server.

You can create your AWS Access Key ID and AWS Secret Access Key by using the AWS Management Console. For more details, go to Getting Started with the AWS SDK for Go.

You also need Cloudwatch GetMetricData API permissions to make programmatic requests to AWS API.

caution

If you're using AWS Free Tier, you won't be able to use the GetMetricData API to collect CloudWatch metrics, and you won't be able to use Cloudwatch as a data source.

Cross-Account IAM Roles

new

You can activate cross-account access in AWS using the External ID and Nobl9 AWS Account ID. Copy these values in the Data Source wizard. You need them to create an IAM role ARN with cross-account access.

Image 1: Configuring IAM Role ARN in the Data Source Wizard

IAM Role ARN Creation

note

Check Cross Account Resource Access in IAM | AWS Documentation to learn more.

Sign in to the AWS Management Console. Open the IAM console.

1. Choose Roles on the navigation pane.

The Roles section opens.

2. Click Create Role:

   

To create the access role, you select a trusted entity first.

3. Choose AWS account role.

   

4. Choose Another AWS account. Paste the Nobl9 Account ID you copied in the Nobl9 Data Source Wizard.
   This is the account you're granting access to your resources.

5. Select Require External ID. Paste the Nobl9 External ID you copied in the Nobl9 Data Source Wizard.
   This option automatically adds a condition to the trust policy, allowing users to assume the role only if the request includes the correct sts:ExternalID.
   

   

6. Click Next.

7. Attach the CloudWatchReadOnlyAccess permission for your account:

   

8. Click Next and save the role. Then, copy its IAM Role ARN to the Data Source Wizard in Nobl9 UI.

Adding Amazon CloudWatch as a Data Source in the UI

To add CloudWatch as a data source in Nobl9 using the Agent or Direct connection method, follow these steps:

1. Navigate to Integrations > Sources.
2. Click the button.
3. Click the relevant Source icon.
4. Choose a relevant connection method (Agent or Direct), then configure the source as described below.

CloudWatch Direct

Direct Configuration in the UI

Direct connection to CloudWatch requires users to enter their credentials which Nobl9 stores safely. To set up this type of connection:

1. Select one of the following Release Channels:

   • The stable channel is fully tested by the Nobl9 team. It represents the final product; however, this channel does not contain all the new features of a beta release. Use it to avoid crashes and other limitations.
   • The beta channel is under active development. Here, you can check out new features and improvements without the risk of affecting any viable SLOs. Remember that features in this channel may be subject to change.

2. Enter the IAM Role ARN.
   Check the instructions above for more details.

3. Select a Project.
   Specifying a Project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank then object is assigned to project default.
4. Enter a Display Name.
   You can enter a friendly name with spaces in this field.
5. Enter a Name.
   The name is mandatory and can only contain lowercase, alphanumeric characters and dashes (for example, my-project-name). This field is populated automatically when you enter a display name, but you can edit the result.
6. Enter a Description.
   Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.
7. Customize the Query delay to set a customized delay for queries when pulling the data from the data source.

   • The default value in Amazon Cloudwatch integration for Query delay is 1 minute.

   info

   Changing the Query delay may affect your SLI data. For more details, check the Query delay documentation.
8. Enter a Maximum Period for Historical Data Retrieval.

   • This value defines how far back in the past your data will be retrieved.
   • The value for the Maximum period of data retrieval depends on the Source. Check the Replay documentation for details.
   • Entering a more extended Period might slow down the loading time when creating an SLO.
   • The value must be a positive integer.
9. Enter a Default Period for Historical Data Retrieval.

   • It is the Period that will be used by the SLO connected to this data source.
   • The value must be a positive integer or 0.
   • By default, this value is set to 0. If you set it to >0, you will create an SLO with Replay.
10. Click the Add Data Source button.

note

The value for the Maximum Period for Data Retrieval for CloudWatch Configurations queries is 15 days.

caution

Replay for CloudWatch does not support SQL and JSON queries.

If you set the Default Value Historical Data Retrieval value to >0, you won’t be able to use JSON and SQL queries.

Direct using CLI - YAML

The YAML for setting up a Direct connection to CloudWatch looks like this:

apiVersion: n9/v1alpha
kind: Direct
metadata:
  name: cloudwatch-direct
  displayName: CloudWatch direct
  project: cloudwatch-direct
spec:
  description: Direct integration with CloudWatch
  sourceOf:
    - Metrics
  releaseChannel: beta # string, one of: beta || stable
  queryDelay:
      unit: Minute # string, one of: Second || Minute
      value: 720 # numeric, must be a number less than 1440 minutes (24 hours)
  cloudWatch:
    roleARN: "" # secret
  logCollectionEnabled: false # boolean, defaults to 'false'. Set to true if you'd like your source to collect logs. It's a beta functionality available only through direct release channel. Reach out to support@nobl9.com to activate it.
  historicalDataRetrieval:
      maxDuration:
        value: 15 # integer greater than or equal to 0
        unit: Day # accepted values: Minute, Hour, Day
      defaultDuration: # value must be less than or equal to value of maxDuration
        value: 0 # integer greater than or equal to 0, default 0
        unit: Day # accepted values: Minute, Hour, Day

Important Notes:

• spec[n].historicalDataRetrieval - refer to Replay | Nobl9 Documentation for more details.
  • defaultDuration.value - If you set the value for the Default Value Historical Data Retrieval to >0, you won’t be able to use JSON and SQL queries. Refer to the replay documentation for more details.

CloudWatch Agent

Agent Configuration in the UI

Follow the instructions below to create your CloudWatch agent connection. Refer to the section above for the description of the fields.

1. Enter a Project.
2. Enter a Name.
3. Create a Description.
4. In the Advanced Settings you can:
1. Enter a Maximum Period for Historical Data Retrieval.
2. Enter a Default Period for Historical Data Retrieval.
5. Click the Add Data Source button.

note

See notes above for the Maximum Period for Data Retrieval for CloudWatch.

Agent Using CLI - YAML

The YAML for setting up an Agent connection to CloudWatch looks like this:

apiVersion: n9/v1alpha
kind: Agent
metadata:
  name: cloudwatch
  displayName: AWS CloudWatch # optional
  project: cloudwatch
spec:
  description: Integration with CloudWatch # optional
  sourceOf:
    - Metrics
  releaseChannel: beta # string, one of: beta || stable
  queryDelay:
      unit: Minute # string, one of: Second || Minute
      value: 720 # numeric, must be a number less than 1440 minutes (24 hours)
  cloudWatch: {}
  historicalDataRetrieval:
      maxDuration:
        value: 15 # integer greater than or equal to 0
        unit: Day # accepted values: Minute, Hour, Day
      defaultDuration: # value must be less than or equal to value of maxDuration
        value: 0 # integer greater than or equal to 0, default 0
        unit: Day # accepted values: Minute, Hour, Day

Notes:

• spec[n].historicalDataRetrieval - refer to Replay | Nobl9 Documentation for more details.
  • defaultDuration.value - If you set value for the Default Value Historical Data Retrieval to >0, you won’t be able to use JSON and SQL queries. Refer to documentation for more details.

warning

You can deploy only one Agent in one YAML file by using the sloctl apply command.

Deploying CloudWatch Agent

When you add the data source, Nobl9 automatically generates a Kubernetes configuration and a Docker command line for you to use to deploy the Agent. Both of these are available in the web UI, under the Agent Configuration section. Be sure to swap in your credentials (e.g., if you are using AWS Access Key ID and Secret Access Key, replace AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in the following deployment descriptions).

caution

Ensure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables are set appropriately if you are using Access/Secret Keys. If these variables are not set, a Default Credential Provider Chain will be used.

Kubernetes

If you use Kubernetes, you can apply the supplied YAML config file to a Kubernetes cluster to deploy the Agent. It will look something like this:

# DISCLAIMER: This deployment description contains only the fields necessary for the purpose of this demo.
# It is not a ready-to-apply k8s deployment description, and the client_id and client_secret are only exemplary values.

apiVersion: v1
kind: Secret
metadata:
  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
  namespace: default
type: Opaque
stringData:
  aws_access_key_id: <AWS_ACCESS_KEY_ID>
  aws_secret__access_key: <AWS_SECRET_ACCESS_KEY>
  client_id: "unique_user_id"
  client_secret: "unique_client_secret"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      nobl9-agent-name: cloudwatch
      nobl9-agent-project: cloudwatch
      nobl9-agent-organization: nobl9-dev
  template:
    metadata:
      labels:
        nobl9-agent-name: cloudwatch
        nobl9-agent-project: cloudwatch
        nobl9-agent-organization: nobl9-dev
    spec:
      containers:
        - name: agent-container
          image: nobl9/agent:latest
          resources:
            requests:
              memory: "350Mi"
              cpu: "0.1"
          env:
            - name: N9_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client_id
                  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
            - name: N9_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client_secret
                  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: aws_access_key_id
                  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: aws_secret_access_key
                  name: nobl9-agent-nobl9-dev-cloudwatch-cloudwatch
            # The N9_METRICS_PORT is a variable specifying the port to which the /metrics and /health endpoints are exposed.
            # The 9090 is the default value and can be changed.
            # If you don’t want the metrics to be exposed, comment out or delete the N9_METRICS_PORT variable.
            - name: N9_METRICS_PORT
              value: "9090"

Docker

If you use Docker, you can run the Docker command to deploy the Agent. It will look something like this:

# DISCLAIMER: This docker command description is containing only the necessary fields for the purpose of this demo.
# It is not a ready-to-apply docker command.

docker run -d --restart on-failure \
--name nobl9-agent-nobl9-dev-cloudwatch-cloudwatch \
-e N9_CLIENT_ID="unique_client_id" \
-e N9_CLIENT_SECRET="unique_client_secret" \
# The N9_METRICS_PORT is a variable specifying the port to which the /metrics and /health endpoints are exposed.
# The 9090 is the default value and can be changed.
# If you don’t want the metrics to be exposed, comment out or delete the N9_METRICS_PORT variable.
-e N9_METRICS_PORT=9090 \
-e AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>" \
-e AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>" \
nobl9/agent:latest

Creating SLOs with CloudWatch

Using Amazon CloudWatch, you can create SLOs by:

• Entering standard Threshold and Ratio metrics

• Entering an SQL query

• Entering multiple queries through JSON

All three methods are available both in the UI and through applying YAML (see the Creating CloudWatch SLOs - YAML section).

Creating SLOs in the UI

Follow the instructions below to create your SLOs with CloudWatch in the UI:

1. Navigate to Service Level Objectives.

2. Click the button.
   The SLO Wizard opens.

3. In step 1, select the Service the SLO will be associated with.

4. In step 2, select Amazon CloudWatch as the Data Source for your SLO.

5. Specify the Metric. You can choose either:

   1. A Threshold Metric where a single time series is evaluated against a threshold.

   2. A Ratio Metric that allows you to enter two-time series for comparison. You can choose one of the following metric type:

      • Good Metric, meaning a ratio of good requests and total requests.
      • Bad Metric where good requests for evaluation are calculated as a result of total - bad calculation.
   note

   For the Ratio Metric, you can choose the Data Count Method:

   • For the Non-incremental method, we expect it to be the components of the sum
   • For the Incremental method, we expect the value of a metric to be the current sum of some numerator
     
     

   For more information, refer to the SLO Calculations Guide.

6. Configure the metric.
   CloudWatch allows you to create your query in the following ways:

   • Enter standard Threshold and Ratio metrics (click Configurations)
   • Enter an SQL query
   • Enter a multiple query through JSON

   Read Entering CloudWatch Query for detailed instructions.

7. In step 3, define a Time Window for the SLO.

8. In step 4, specify the Error Budget Calculation Method and your Objective(s).

9. In step 5, add a Name, Description, and other details about your SLO. You can also select Alert Policies and Labels on this screen.

10. When you’re done, click Create SLO.

Entering CloudWatch Query

Both, Ratio and Threshold metrics for a standard CloudWatch metric use the same parameters. For the Ratio Metric, choose one of the following metric type:

• Good Metric, meaning a ratio of good requests and total requests
• Bad Metric where good requests for evaluation are calculated as a result of total - bad calculation
  and define the parameters separately.
  

Standard Configuration

1. Add a Region.
It is a region code in AWS. Use one of the regional codes that are listed here.
2. Add a Namespace (mandatory, max. number of characters 255).
A namespace can contain alphanumeric characters, period, a hyphen, underscore, forward slash, hash, or colon. A Namespace is a container for CloudWatch metrics. For further details, see CloudWatch Concepts | Amazon CloudWatch Documentation.
3. Add a Metric Name (mandatory, max. number of characters 255).
4. Add Statistic function.
Statistic functions are aggregations of metric data over specified periods. For example, you can use Maximum, Minimum, Sum, Average. To see all statistics are supported by CloudWatch for metrics, go to Statistics Definition | Amazon CloudWatch Documentation.
5. Add Dimensions (optional, list).
A dimension is a name/value pair that is part of the identity of a metric. Users can assign a max. of 10 dimensions to a metric.

• Add a Name (mandatory, max. number of characters 255, don't trim whitespaces). The name of the dimension. Dimension names must contain only ASCII characters and must include at least one non-whitespace character.
• Add a Value required (max. number of characters 255). It is the value of the dimension. Dimension values must contain only ASCII characters and must include at least one non-whitespace character.

SQL Query

1. Select SQL in the feature toggle.
2. Select a Region.
3. Select a type of Metric, and enter a Query.
Sample SQL queries for CloudWatch:

• SQL Threshold metric for Cloudwatch: Query: SELECT AVG(CPUUtilization) FROM "AWS/EC2”
• SQL Ratio metric for CloudWatch:
• Good Query: SELECT AVG(CPUUtilization) FROM "AWS/EC2"
• Total Query: SELECT MAX(CPUUtilization) FROM "AWS/EC2"

JSON

CloudWatch integration enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can do this by entering Multiple JSON Queries:

1. Choose JSON in the feature toggle.
2. Choose a Region.
3. Select a type of Metric, and enter a Query.
4. Enter your JSON query.
• For samples of Multiple JSON Queries refer to the Amazon CloudWatch JSON Queries section in the Nobl9 Documentation.
• For further details on CloudWatch metric math functions, go to Using Metric Math | Amazon CloudWatch Documentation.

Your query must be a valid JSON query. It must contain arrays of metrics. Refer to the CloudWatch Metrics Insights Queries | Amazon CloudWatch Documentation for more detailed information.

SLO using CloudWatch - YAML samples

SLO using CloudWatch - Standard Configuration

rawMetric

Here’s an example of CloudWatch using a rawMetric (Threshold Metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-occurrences-threshold
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service: cloudwatch-service
  objectives:
  - target: 0.8
    op: lte
    rawMetric:
      query:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/RDS
          metricName: ReadLatency
          stat: Average
          dimensions:
            - name: DBInstanceIdentifier
              value: <identifier_of_your_db_instance> # replace with value that corresponds to your DBInstanceIdentifier
    value: 0.0004
  timeWindows:
    - calendar:
        startTime: "2020-11-14 12:30:00"
        timeZone: Etc/UTC
      count: 1
      isRolling: false
      unit: Day
---
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-timeslices-threshold
  project: cloudwatch
spec:
  budgetingMethod: Timeslices
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
    - target: 0.8
      op: lte
      rawMetric:
        query:
          cloudwatch:
            region: eu-central-1
            namespace: AWS/RDS
            metricName: ReadLatency
            stat: Average
            dimensions:
              - name: DBInstanceIdentifier
                value: <identifier_of_your_db_instance> # replace with value that corresponds to your DBInstanceIdentifier
      value: 0.0004
      timeSliceTarget: 0.5
  timeWindows:
    - calendar:
        startTime: "2020-11-14 12:30:00"
        timeZone: Etc/UTC
      count: 1
      isRolling: false
      unit: Day

countMetric

Here’s an example of CloudWatch using a countMetric (Ratio metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-calendar-occurrences-ratio
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
  - target: 0.9
    countMetrics:
      good:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: HTTPCode_Target_2XX_Count
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/prod-default-appingress
      incremental: false
      total:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: RequestCount
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/prod-default-appingress
    displayName: ""
    value: 1
  timeWindows:
  - calendar:
      startTime: "2020-11-14 12:30:00"
      timeZone: Etc/UTC
    count: 1
    isRolling: false
    unit: Day
---
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-rolling-occurrences-ratio
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
  - target: 0.7
    countMetrics:
      good:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: HTTPCode_Target_2XX_Count
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/prod-default-appingress
      incremental: false
      total:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: RequestCount
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/prod-default-appingress
    displayName: ""
    value: 1
  timeWindows:
  - count: 1
    isRolling: true
    unit: Hour
---
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-calendar-timeslices-ratio
  project: cloudwatch
spec:
  budgetingMethod: Timeslices
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
  - target: 0.5
    countMetrics:
      good:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: HTTPCode_Target_2XX_Count
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/main-default-appingress
      incremental: false
      total:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: RequestCount
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/main-default-appingress
    displayName: ""
    timeSliceTarget: 0.5
    value: 1
  timeWindows:
  - calendar:
      startTime: "2020-11-14 12:30:00"
      timeZone: Etc/UTC
    count: 1
    isRolling: false
    unit: Day
---
apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-rolling-timeslices-ratio
  project: cloudwatch
spec:
  budgetingMethod: Timeslices
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
  - target: 0.5
    countMetrics:
      good:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: HTTPCode_Target_2XX_Count
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/main-default-appingress
      incremental: false
      total:
        cloudwatch:
          region: eu-central-1
          namespace: AWS/ApplicationELB
          metricName: RequestCount
          stat: SampleCount
          dimensions:
            - name: LoadBalancer
              value: app/main-default-appingress
    timeSliceTarget: 0.5
    value: 1
  timeWindows:
  - count: 1
    isRolling: true
    unit: Hour

Important Notes:

Both, Ratio and Threshold metrics for CloudWatch use the same parameters.
For Ratio metric, define these parameters separately for the Good/Bad Metric and Total Metric.

• region is required. It is a region code in AWS. Use one of the regional codes listed here.

• namespace is required (string, max. number of characters 255). It can contain alphanumeric characters, period ., hyphen -, underscore _, forward slash /, hash #, or colon :. A namespace is a container for CloudWatch metrics. For further details, see CloudWatch Concepts | Amazon CloudWatch Documentation. Example: AWS/ApplicationELB.

• metricName is required (string, max. number of characters 255).

• stat is required. stats are aggregations of metric data over specified periods of time. To see what statistics are supported by CloudWatch for metrics, go to Statistics Definitions | Amazon CloudWatch Documentation. Examples: SampleCount, Average, p95, TC(0.005:0.030).

• dimensions field is optional (list). A dimension is a name/value pair that is part of the identity of a metric. Users can assign a max. of 10 dimensions to a metric.

  • name is required (string, max. number of characters 255). Dimension names must contain only ASCII characters and must include at least one non-whitespace character.

  • value is required (string, max. number of characters 255). Dimension values must contain only ASCII characters and must include at least one non-whitespace character.

SLO using CloudWatch SQL query

rawMetric

Here’s an example of CloudWatch SQL query using rawMetric (Threshold metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-occurrences-threshold-via-sql
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service: cloudwatch-service
  objectives:
    - target: 0.8
      op: lte
      rawMetric:
        query:
          cloudwatch:
            region: us-east-1
            sql: 'SELECT AVG(CPUUtilization)FROM "AWS/EC2"'
      value: 0.0004
  timeWindows:
    - calendar:
        startTime: "2021-10-01 12:30:00"
        timeZone: Etc/UTC
      count: 1
      isRolling: false
      unit: Day

countMetric-good

Here’s an example of CloudWatch SQL query using countMetric (Good Ratio metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-calendar-occurrences-ratio-sql
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  service:  cloudwatch-service
  objectives:
  - target: 0.9
    countMetrics:
      good:
        cloudwatch:
          region: eu-central-1
          sql: 'SELECT AVG(CPUUtilization) FROM "AWS/EC2"'
      incremental: false
      total:
        cloudwatch:
          region: eu-central-1
          sql: 'SELECT MAX(CPUUtilization) FROM "AWS/EC2"'
    displayName: ""
    value: 1
  timeWindows:
  - calendar:
      startTime: "2020-11-14 12:30:00"
      timeZone: Etc/UTC
    count: 1
    isRolling: false
    unit: Day

countMetric-bad

Here’s an example of CloudWatch using a countMetric (Bad Ratio metric):

- apiVersion: n9/v1alpha
  kind: SLO
  metadata:
    name: cloudwatch-sql-bad-over-total
    project: cloudwatch-direct
  spec:
    alertPolicies: []
    budgetingMethod: Occurrences
    description: ""
    indicator:
      metricSource:
        kind: Direct
        name: cloudwatch-direct
        project: cloudwatch-direct
    objectives:
      - countMetrics:
          bad:
            cloudWatch:
              region: us-east-1
              sql: SELECT COUNT(HTTPCode_Target_4XX_Count) FROM "AWS/EC2"
          incremental: false
          total:
            cloudWatch:
              region: us-east-1
              sql: SELECT COUNT(RequestCount) FROM "AWS/EC2"
        displayName: ""
        name: bad
        target: 0.1
        value: 0.9
      - countMetrics:
          good:
            cloudWatch:
              region: us-east-1
              sql: SELECT COUNT(HTTPCode_Target_2XX_Count) FROM "AWS/EC2"
          incremental: false
          total:
            cloudWatch:
              region: us-east-1
              sql: SELECT COUNT(RequestCount) FROM "AWS/EC2"
        displayName: ""
        name: good
        target: 0.1
        value: 1
    service: cloudwatch-direct-service
    timeWindows:
      - count: 28
        isRolling: true
        period:
          begin: "2023-08-01T06:00:16Z"
          end: "2023-08-29T06:00:16Z"
        unit: Day

Important notes:

Both, Ratio and Threshold metrics for CloudWatch use the same parameters.
For Ratio metric, define these parameters separately for the Good/Bad Metric and Total Metric.

When using SQL Query only these fields are required:

• region is mandatory. It is a regional code in AWS. Use one of the regional codes listed here. Note: CloudWatch SQL query is available in all AWS Regions, except China.

• sql is mandatory. It is an SQL query that enables you to compare, aggregate, and group your metrics by labels to gain real-time operational insights.

CloudWatch SLOs using multiple metrics (JSON)

rawMetric

Here’s an example of CloudWatch JSON query using rawMetric (Threshold metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-rawmetric-via-json
  project: cloudwatch
spec:
  budgetingMethod: Occurrences
  description: ""
  indicator:
    metricSource:
      kind: Agent
      name: cloudwatch
      project: cloudwatch
  objectives:
  - displayName: ""
    op: lte
    rawMetric:
      query:
        cloudWatch:
          json: |-
            [
                {
                    "Id": "e1",
                    "Expression": "m1 / m2",
                    "Period": 60
                },
                {
                    "Id": "m1",
                    "MetricStat": {
                        "Metric": {
                            "Namespace": "AWS/ApplicationELB",
                            "MetricName": "HTTPCode_Target_2XX_Count",
                            "Dimensions": [
                                {
                                    "Name": "LoadBalancer",
                                    "Value": "app/main-default-appingress-350b/904311bedb964754"
                                }
                            ]
                        },
                        "Period": 60,
                        "Stat": "SampleCount"
                    },
                    "ReturnData": false
                },
                {
                    "Id": "m2",
                    "MetricStat": {
                        "Metric": {
                            "Namespace": "AWS/ApplicationELB",
                            "MetricName": "RequestCount",
                            "Dimensions": [
                                {
                                    "Name": "LoadBalancer",
                                    "Value": "app/main-default-appingress-350b/904311bedb964754"
                                }
                            ]
                        },
                        "Period": 60,
                        "Stat": "SampleCount"
                    },
                    "ReturnData": false
                }
            ]
          region: eu-central-1
    target: 0.8
    value: 0.9
  service: cloudwatch-service
  timeWindows:
    - count: 1
      isRolling: true
      period:
        begin: "2021-11-10T14:49:37Z"
        end: "2021-11-10T15:49:37Z"
      unit: Hour

countMetric

Here’s an example of CloudWatch JSON query using countMetric (Ratio metric):

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: cloudwatch-timeslices-json
  project: cloudwatch
spec:
  budgetingMethod: Timeslices
  description: ""
  indicator:
    metricSource:
      name: cloudwatch
  objectives:
  - countMetrics:
      good:
        cloudWatch:
          json: |
            [
              {
                "Id": "e1",
                "MetricStat": {
                  "Metric": {
                    "Namespace": "AWS/ApplicationELB",
                    "MetricName": "HTTPCode_Target_2XX_Count",
                    "Dimensions": [
                      {
                        "Name": "LoadBalancer",
                        "Value": "app/main-default-appingress-350b/123456789"
                      }
                    ]
                  },
                  "Period": 60,
                  "Stat": "SampleCount"
                }
              }
            ]
          region: eu-central-1
      incremental: false
      total:
        cloudWatch:
          json: |
            [
              {
                "Id": "e2",
                "MetricStat": {
                  "Metric": {
                    "Namespace": "AWS/ApplicationELB",
                    "MetricName": "RequestCount",
                    "Dimensions": [
                      {
                        "Name": "LoadBalancer",
                        "Value": "app/main-default-appingress-350b/123456789"
                      }
                    ]
                  },
                  "Period": 60,
                  "Stat": "SampleCount"
                }
              }
            ]
          region: eu-central-1
    displayName: ""
    target: 0.5
    timeSliceTarget: 0.5
    value: 1
  service: cloudwatch-service
  timeWindows:
  - count: 1
    isRolling: true
    period:
      begin: "2021-11-10T12:19:58Z"
      end: "2021-11-10T13:19:58Z"
    unit: Hour

Important Notes:

Both, Ratio and Threshold metrics for CloudWatch use the same parameters.
For Ratio metric, define these parameters separately for the Good/Bad Metric and Total Metric.

When using Multiple Queries (JSON) it is important to remember about:

• region field is mandatory. It is a regional code in AWS. Use one of the regional codes listed here.

• json field is mandatory. It is a JSON query that enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics.

The following JSON validation applies:

• The JSON query must be valid.

• The JSON query should be an array of metrics.

• Only one ReturnData field can be set to true (when it is not set, by default it is true), and the rest of the ReturnData fields in other metrics has to be set explicitly to false.

• The Period field in MetricStat is required and it has to be equal to 60, if MetricStat' does not exist, the Period field should be set in the base object to 60.

For further details on CloudWatch metric math functions, go to Using Metric Math | Amazon CloudWatch Documentation.

Querying the CloudWatch Server

Once the SLO is set up, Nobl9 queries the CloudWatch server every 60 seconds.

CloudWatch API Rate Limits

For GetMetricData API, CloudWatch has limit of 50TPS per Region set by default. This is the maximum number of operation requests you can make per second. For more information, refer to the CloudWatch service quotas | CloudWatch Documentation.

CloudWatch has minimum query and store period - 1 second. By default, CloudWatch stores data with a 1-minute period.

CloudWatch retains metric data differently for various store period. For more information, refer to the GetMetricData | CloudWatch Documentation.

Known Limitations

CloudWatch SQL query is available in all AWS Regions, except China.

Useful Links

Put Metric Data | Amazon CloudWatch Documentation

Get Metric Data | Amazon CloudWatch Documentation

Amazon CloudWatch Concepts | Amazon CloudWatch Documentation

CloudWatch Statistics Definitions | Amazon CloudWatch Documentation

AWS Regional Endpoints | Amazon CloudWatch Documentation

CloudWatch Metrics Insights | Amazon CloudWatch Documentation

CloudWatch Service Quotas | CloudWatch Documentation

Agent Metrics | Nobl9 Documentation

Creating SLOs via Terraform | Nobl9 Terraform Documentation

Creating Agents via Terraform | Nobl9 Terraform Documentation