Set up Dynatrace Managed for AWS monitoring
You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.
Dynatrace can be deployed with or without Environment ActiveGate. If you use the role-based access method, make sure that you meet one of the following deployment requirements.
- For deployments with Environment ActiveGate, the Environment ActiveGate must be hosted in AWS.
- For deployments without Environment ActiveGate, a Dynatrace Managed Server must be hosted in AWS.
Overview
Follow these basic steps to integrate Dynatrace Managed with Amazon Web Services (AWS):
-
Choose an access method:
All cloud services consume Davis data units (DDUs). The amount of DDU consumption per service instance depends on the number of monitored metrics and their dimensions (each metric dimension results in the ingestion of 1 data point; 1 data point consumes 0.001 DDUs).
AWS costs
Dynatrace makes Amazon API requests every five minutes. In addition to CloudWatch API calls, Dynatrace makes API calls to the monitored AWS services to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section.
Here's a rough estimate of AWS monitoring costs:
AWS service | Number of metrics | Daily cost per instance (USD) |
---|---|---|
Elastic Compute Cloud (EC2) | 7 | $0.02016 |
Elastic Block Store (EBS) | 8 | $0.02304 |
Elastic Load Balancer (ELB) | 11 | $0.03168 |
Relational Database Service (RDS) | 11 | $0.03168 |
DynamoDB | 15 | $0.06912 |
Lambda | 4 | $0.01152 |
Amazon will charge about $0.01 per 1,000 metrics requested from the CloudWatch API and include the cost in the bill for the AWS account you use with Dynatrace.
AWS monitoring policy
The AWS monitoring policy defines the minimal scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and use it any time when enabling Dynatrace access to your AWS account.
AWS IAM permissions boundaries may prohibit AWS actions required by Dynatrace. If you use an IAM permissions boundary on your AWS account, make sure that the actions from that policy are allowed in all AWS regions within that permissions boundary.
-
Go to Identity and Access Management (IAM) in your Amazon Console.
-
Go to Policies and select Create policy.
-
Select the JSON tab, and paste the following predefined policy.
-
In the Name field, give the policy a name (for example,
Dynatrace_monitoring_policy
). -
Select Create policy.
Access methods
To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.
You can enable Dynatrace access to your AWS metrics by either using a private access key (key-based access) or defining a special role for Dynatrace (role-based access). In all cases, make sure that your Environment ActiveGate or Managed Cluster has a working connection to AWS. Configure your proxy for Managed or ActiveGate, or allow access to *.amazonaws.com
in your firewall settings.
As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys.
Key-based access
If you decide to use key-based authentication, remember to rotate the keys periodically. Keep in mind that you need to perform this procedure each time you change the key.
- Rights to create a new AWS user
- Your AWS account ID
- Your Amazon Access key ID and Secret access key
Enabling access to your Amazon account using key-based access
Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.
-
In your Amazon Console, go to Users and select Add User.
-
Enter a name for the key you want to create (for example,
Dynatrace_monitoring_user
). In Select AWS access type, select Programmatic access, and select Next:Permissions. -
Select Attach existing policies directly and choose the monitoring policy you defined (for example,
Dynatrace_monitoring_policy
). Select Next: Review. -
Review the user details and select Create user.
-
Store the Access Key ID name (AKID) and Secret access key values.
You can either download the user credentials or copy the credentials displayed online (select Show).
Connecting your Amazon account to Dynatrace using key-based access
Once you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.
-
In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS and select Connect new instance.
-
Select the Key-based authentication method.
- Create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
- In the Access key ID field, paste the identifier of the key you created in Amazon for Dynatrace access.
- In the Secret access key field, paste the value of the key you created in Amazon for Dynatrace access.
- Select Connect to verify and save the connection.
-
Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.
Role-based access with Environment ActiveGate or Dynatrace Managed Server
The instructions below apply whether or not the account hosting your ActiveGate is the same as your monitored account.
In a typical setup, you need to create two CloudFormation stacks using CloudFormation templates:
- A CloudFormation stack from the account hosting your ActiveGate, containing the following resources:
- A role for your Environment ActiveGate or Dynatrace Managed Server hosted in your AWS infrastructure, on an Amazon EC2 host.
- Its attached policy, which defines the monitored account permissions.
- A CloudFormation stack from the monitored account, containing the following resources:
- A dedicated monitoring role for Dynatrace in your AWS account.
- Its attached policy, which defines the Dynatrace authentication permissions to your AWS environment.
Note: To monitor multiple accounts, add all resources to the Resource array in the template in Step 1 and repeat Step 2 to create a stack for each monitored account.
Prerequisites for role-based access, with Environment ActiveGate or Dynatrace Managed Server
-
Dynatrace Managed Server installed on an Amazon EC2 host. It must be able to assume a role within your AWS account that allows it to read the Dynatrace monitoring data.
-
The ID of the AWS account that hosts the ActiveGate (for example, the account that hosts your Dynatrace components, which in this case is the one hosting Environment ActiveGate or Dynatrace Managed Server).
-
The Amazon Web Services monitored account ID (the account you want to monitor).
-
The name of the role with which your Environment ActiveGate or Dynatrace Managed Server was started.
-
The External ID.
To enable access to your Amazon account using role-based access, follow the steps below.
Create a role for ActiveGate on the account that hosts ActiveGate
Create a monitoring role for Dynatrace on your monitored account
Modify ActiveGate configuration
Create a role for ActiveGate on the account that hosts ActiveGate
- Create a YAML file and paste the contents of github
role_based_access_AG_account_template.yml
.
For each account you want to monitor, in the Resource section of the template above, add a new item to the !Sub
array in the following format: 'arn:aws:iam::<new_monitored_account_id>:role/<new_monitoring_role_name>'
.
Note: Be sure to replace the placeholders (<new_monitored_account_id>
and <new_monitoring_role_name>
) with your own values.
- Create the stack in your Amazon Console or using the CLI.
-
Go to the Amazon EC2 console, right-click an instance hosting your Environment ActiveGate, and select Security > Modify IAM role.
-
Select the role you created at step 1 (for example, Dynatrace_ActiveGate_role), and select Apply.
Create a monitoring role for Dynatrace on your monitored account
After the Dynatrace_ActiveGate_role
is created on the account hosting the ActiveGate, create a role for the account to be monitored.
-
Create a YAML file and paste the content from the github
role_based_access_monitored_account_template.yml
. -
Create the stack in your Amazon Console or using the CLI.
Modify ActiveGate configuration
Starting with ActiveGate version 1.217, AWS monitoring is enabled by default. For configuration details, see Customize ActiveGate properties. The following configuration settings refer to earlier ActiveGate versions.
-
Edit the
custom.properties
configuration file of the ActiveGate that you want to use for AWS monitoring. -
Set the following properties as below:
[aws_monitoring] use_aws_proxy_role = false aws_monitoring_enabled = true
ActiveGate version 1.183 or earlier
[vertical.topology] use_aws_proxy_role = false
[aws_monitoring] aws_monitoring_enabled = true
Multiple ActiveGatesIt's enough to use only one ActiveGate dedicated for AWS monitoring. However, some deployment scenarios (for example, for redundancy purposes) might require multiple ActiveGates in your deployment.
Make sure that only properly configured ActiveGates have
aws_monitoring_enabled
set totrue
.- They need network access to AWS endpoints.
- For role-based monitoring, they must have proper roles attached.
Keep in mind that Dynatrace cluster nodes contain embedded ActiveGates. Make sure to set the
aws_monitoring_enabled
property tofalse
on these ActiveGates if they're not configured fully for AWS monitoring.If the ActiveGate is dedicated to AWS monitoring, you must also set the
MSGrouter
property tofalse
:[collector] MSGrouter = false
Remove
aws_proxy_account
andaws_proxy_role
properties. -
Save the file and restart the ActiveGate main service.
Connect your Amazon account to Dynatrace using role-based access
Once you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.
-
In Dynatrace, go to Settings > Cloud and virtualization > AWS and select Connect new instance.
-
Select the Role-based authentication method.
- Create a name for this connection. If you leave this field empty, the name Role will be used on Dynatrace pages to define this connection.
- In the Role field, type the name of the role you created in Amazon for Dynatrace (for example,
Dynatrace_monitoring_role
). - Type your Account ID (the account you want us to pull metrics from).
- Select Connect to verify and save the connection.
-
Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page.
You should soon begin to see AWS cloud monitoring data.
Select your AWS partition
If your AWS account is on a different partition than the default aws
partition, you can select it and Dynatrace will connect to it instead.
To change your AWS partition
- In the Dynatrace menu, go to Settings and select Cloud and virtualization > AWS.
- Find the instance where you want to change the partition and select
to edit the instance.
- In the AWS partition list, select your partition.
- Select Save.
Adjust monitoring to your needs
You can alter the scope and content of your monitoring depending on your preferences by using tags and listing services needed.
Limit monitored resources using tags
We recommend that you limit the scope of your AWS monitoring and reduce the number API calls to Amazon. You can use tagging to limit the AWS resources (AWS service instances) that are monitored by Dynatrace.
Set up metric events for alerting
To configure metric events for alerting
- In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS.
- Under Metric events for alerting, select Manage alerting rules.
- On the Metric events for alerting page, you can create, enable/disable, and configure recommended alerting rules.
For an overview of all recommended alerting rules for all supporting services, see the list below.
The number of recommended alerting rules depends on the number of your monitored supporting services.
To add recommended alerting rules for a new supporting service, you first need to add the new service to monitoring.
Note that not all supporting services have their own predefined alerting rules.
-
Create and enable alerting rules.
To enable recommended alerting rules, you first need to create them. You can create alerting rules and automatically enable them, or (if you clear Automatically enable created rules) create them and manually enable them after possible configuration changes.
For example, you can create and automatically enable a first batch of alerts. When you start monitoring new services, you can create alerts for these new services without automatically enabling them (because you want to configure them first).
-
Configure alerting rules. How you edit rules depends on whether you chose to automatically enable alerts.
-
If you chose to automatically enable alerts when creating them, go to Adjust recommended alerting rules, expand Enabled recommended alerting rules, and select any rule. This takes you to Edit custom event for alerting, where you can change the configuration rules for that specific service.
-
If you didn't choose to automatically enable alerts when creating them, go to Enable recommended alerting rules, expand Disabled recommended alerting rules, and select any of the disabled rules. This takes you to the same Edit custom event for alerting page.
-
-
Disable alerting rules.
-
You can disable all alerting rules, or disable or delete them selectively.
- To disable all alerting rules, go to Adjust recommended alerting rules and select Disable all enabled recommended alerting rules.
- To disable or delete alerting rules selectively, go to Adjust recommended alerting rules and select Metric events. On the Metric events page, you can disable an alert by turning it off in the On/Off column, or you can delete it by selecting
x
in the Delete column.
Note: If you disable any or all of the alerting rules, you can always re-enable them.
Choose Cloud services to be monitored
Once your credentials are saved, you can decide which services will be monitored. To select your preferred services
- In the Dynatrace menu, go to Settings and select Cloud and virtualization > AWS.
- Find the instance where you want to perform your monitoring and select
to edit the instance.
- In the Services section, select Manage services.
- The following services are added by default: Amazon EC2, Amazon Lambda, Amazon RDS, Amazon DynamoDB, Amazon ALB, Amazon ELB, Amazon S3, and Amazon EBS. You can extend this list by choosing services from the dropdown menu. The full list of services is also available at Amazon Web Services.
- Select Add service and Save changes.