Set up Dynatrace SaaS for AWS monitoring
You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.
Dynatrace can be deployed with or without an Environment ActiveGate. Configuring role-based access differs for Dynatrace deployments that use an Environment ActiveGate.
Overview
Follow these basic steps to integrate Dynatrace SaaS with Amazon Web Services (AWS):
-
Choose an access method:
- Key-based access.
- Role-based access.
If you choose role-based access, use the appropriate procedure for your deployment scenario:
You must install and configure an Environment ActiveGate if you want to monitor either or both of the following:
- More than 2,000 AWS resources (AWS service instances)
- AWS Supporting Services
As of 2021, all cloud services consume Davis data units (DDUs). The amount of DDU consumption per service instance depends on the number of monitored metrics and their dimensions (each metric dimension results in the ingestion of 1 data point; 1 data point consumes 0.001 DDUs).
AWS costs
Dynatrace makes Amazon API requests every 5 minutes. In addition to CloudWatch API calls, Dynatrace makes API calls to the monitored AWS services in order to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section. Here's a rough estimate of AWS monitoring costs:
| AWS service | Number of metrics | Daily cost per instance (USD) |
|---|---|---|
| Elastic Compute Cloud (EC2) | 7 | $0.02016 |
| Elastic Block Store (EBS) | 10 | $0.02304 |
| Elastic Load Balancer (ELB) | 11 | $0.03168 |
| Relational Database Service (RDS) | 11 | $0.03168 |
| DynamoDB | 15 | $0.06912 |
| Lambda | 4 | $0.01152 |
Amazon will charge about $0.01 per 1,000 metrics requested from the CloudWatch API and include the cost in the bill for the AWS account you use with Dynatrace.
AWS monitoring policy
The AWS monitoring policy defines the minimum scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and use anytime when enabling Dynatrace access to your AWS account.
AWS IAM permission boundaries may prohibit AWS actions required by Dynatrace. If you use IAM permission boundary on your AWS account, make sure that actions from policy are allowed in all AWS regions within permission boundary.
-
Go to Identity and Access Management (IAM) in your Amazon Console.
-
Go to Policies and click Create policy.
-
Select the JSON tab, and paste the predefined policy from the box below.
-
Give the policy a name. For example
Dynatrace_monitoring_policy. Type it in the Name field. -
Click Create policy.
Access methods
To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.
You can enable Dynatrace access to your AWS metrics by either using a private access key (key-based access) or defining a special role for Dynatrace (role-based access). In all the cases, make sure that your Environment ActiveGate has a working connection to AWS. Configure your proxy for ActiveGate, or allow access to *.amazonaws.com in your firewall settings.
As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys.
Key-based access
If you decide to use the key-based authentication, remember to rotate the keys periodically. Keep in mind that you need to perform this procedure each time you change the key.
- Rights to create a new AWS user
- Your AWS account ID
- Your Amazon Access key ID and Secret access key
Enabling access to your Amazon account using key-based access
Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.
-
In your Amazon Console, go to Users and click Add User.
-
Enter a name for the key you want to create (for example,
Dynatrace_monitoring_user). In Select AWS access type, select Programmatic access, and click Next:Permissions. -
Click Attach existing policies directly and choose the monitoring policy you defined, for example
Dynatrace_monitoring_policy. Click Next: Review. -
Review the user details and click Create user.
-
Store the Access Key ID name (AKID) and Secret access key values.
You can either download the user credentials or copy the credentials displayed online (click Show).
Connecting your Amazon account to Dynatrace using key-based access
Once you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.
-
In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS and select Connect new instance.
-
Select Key-based authentication method.
- Create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
- In the Access key ID field, paste the identifier of the key you created in Amazon for Dynatrace access.
- In the Secret access key field, paste the value of the key you created in Amazon for Dynatrace access.
- Click Connect to verify and save the connection.
-
Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.
Role-based access
Dynatrace SaaS deployments might vary. Integrating Dynatrace SaaS with AWS is different when deployment includes an Environment ActiveGate. Select the appropriate set up procedure for your Dynatrace SaaS deployment scenario.
Role-based access for SaaS deployments with Environment ActiveGate
In typical setup, you'll create and attach two roles, one for Dynatrace and one for your Environment ActiveGate hosted in your AWS infrastructure.
- Environment ActiveGate installed on an AWS EC2 host. They must be able to assume a role within your AWS account that allows it to read the Dynatrace monitoring data.
- Dynatrace AWS account ID: 509560245411
- The ID of the AWS account that hosts the ActiveGate (i.e., the account that hosts your Dynatrace components, in this case, the one hosting Environment ActiveGate).
- The Amazon Web Services monitored account ID, that is the account you want to monitor.
- The name of the role with which your Environment ActiveGate was started.
- The External Id copied from Settings > Cloud and virtualization > AWS.
Enabling access to your Amazon account using role-based access
The steps described below apply both when the source and monitored accounts are the same and when they're different. If you want to monitor multiple accounts, repeat Step 1 for each account and add them all to the Statement.Resource array in the policy in Step 2.4
Step 1. Create a monitoring role for Dynatrace on your monitored account
-
In your browser, open a new tab and sign in to Dynatrace to get the External ID. Go to Settings > Cloud and virtualization > AWS, select Connect new instance, select Role-based authentication from the Authentication method list, and then select Copy next to the Token field.
-
Go to Identity and Access Management (IAM) in your Amazon Console.
-
Go to Roles and click Create role
-
Select the Another AWS account tile and establish trust with the Dynatrace account.
-
Paste the 12-digit account ID (hosting the ActiveGate) that is used to access the monitored account.
-
Select Require external ID option.
-
Paste the External ID you copied in the first step. Click Next: Permissions.
-
In the Attach permissions policies section, choose the monitoring policy you created, for example
Dynatrace_monitoring_policy. Click Next: Review. -
On the Review page, provide the role name, for example
Dynatrace_monitoring_role. Remember it, you'll need it later to connect your Amazon account to Dynatrace. Click Create Role.
Step 2. Create a role for the ActiveGate host on the account that hosts the ActiveGate
Once the Dynatrace_monitoring_role is created on the monitored account, create a role for Environment ActiveGate that will be responsible for AWS monitoring.
-
In your Amazon Console, go to Roles, click Create role. Select AWS service and EC2 as the service that will use the role. Click Next: Permissions and skip to the Review page.
-
On the Review page, provide the role a name, for example
Dynatrace_ActiveGate_roleand click Create role. -
Select
Dynatrace_ActiveGate_roleand click Add inline policy -
Select the JSON and paste the predefined policy from below. Edit it and add:
- The 12-digit monitored account number,
- The role name created in previous steps, (for example
Dynatrace_monitoring_role), that is used to assume a monitoring role.
Don't include the < and > characters.
If you want to monitor multiple target accounts, add monitoring roles Amazon Resource Names (ARNs) of all monitoring accounts to
"Resource"array.When done, click Review policy.
-
Name the inline policy you've just created, for example
Dynatrace_assume_policyand click Create policy. -
Go back to the
Dynatrace_monitoring_roleyou created earlier, select Trust relationships on the role summary page, and click Edit Trust Relationships. -
Paste the JSON sample below into a text editor. Edit it and add:
- The 12-digit AWS number of the account hosting the ActiveGate
- The role with which your Environment ActiveGate was started and the external ID you copied in previous steps
Don't include the < and > characters.
Paste the modified text and click Update Trust Policy.
-
Go to the EC2 console, right-click an instance hosting your Environment ActiveGate, and select Security > Modify IAM role.
-
Select the role created earlier,
Dynatrace_ActiveGate_role, and click Apply.
Step 3. Modify ActiveGate configuration
Starting with ActiveGate version 1.217, AWS monitoring is enabled by default. For configuration details, see Customize ActiveGate properties. The following configuration settings refer to earlier ActiveGate versions.
-
Edit the
custom.propertiesfile of your Environment ActiveGate. -
Set the following properties as below:
ActiveGate version 1.183 or earlier[aws_monitoring] use_aws_proxy_role = false aws_monitoring_enabled = true[vertical.topology] use_aws_proxy_role = false[aws_monitoring] aws_monitoring_enabled = trueIf the ActiveGate is dedicated to AWS monitoring, you must also set the
MSGrouterproperty tofalse:[collector] MSGrouter = falseRemove
aws_proxy_accountandaws_proxy_roleproperties. -
Save the file and restart ActiveGate.
Role-based access for SaaS deployments without Environment ActiveGate
To give Dynatrace SaaS the role-based monitoring access to your AWS account, you need to create a dedicated monitoring role for Dynatrace in your AWS account. Dynatrace will use this role to authenticate in your AWS environment with the scope of permissions as defined by the monitoring policy. For multiple accounts, you must repeat the following steps for every account that you wish to monitor.
Note: You won't be able to monitor the AWS Supporting Services without an AWS-hosted Environment ActiveGate.
- Your Amazon Web Services account ID
- Dynatrace AWS account ID: 509560245411
- Rights to assign role-based access to your AWS account
- The External ID copied from Settings > Cloud and virtualization > AWS
-
In your browser, open a new tab and sign in to Dynatrace to get the External Id. Go to Settings > Cloud and virtualization > AWS, click Connect new instance, select Role-based authentication method and click Copy next to the Token field.
-
Go to Identity and Access Management (IAM) in your Amazon Console.
-
Go to Roles and create a new role for Dynatrace.
-
Select the Another AWS account tile and establish trust with the Dynatrace account.
Paste the External ID you copied in the first step. Type 509560245411 as the Account ID that can access your account. Click Next: Permissions. -
In the Attach permissions policies section, choose the monitoring policy you created, for example
Dynatrace_monitoring_policy. Click Next: Review. -
On the Review page, provide the role name, for example
Dynatrace_monitoring_role. Remember it, you'll need it later to connect your Amazon account to Dynatrace. Click Create Role.
Connecting your Amazon account to Dynatrace using role-based access
After you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.
-
In Dynatrace, go to Settings > Cloud and virtualization > AWS and click Connect new instance.
-
Enter a name for this connection. If you leave it empty, the name Role will be used on Dynatrace pages to define this connection.
-
Select Role based authentication and enter configuration details:
- Enter the name of the role you created in Amazon for Dynatrace (for example,
Dynatrace_monitoring_role). - Enter your Amazon account ID (the account you want Dynatrace to pull metrics from).
- Click Connect to verify and save the connection.
- Enter the name of the role you created in Amazon for Dynatrace (for example,
-
After the connection is verified and saved, your AWS account is listed on the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.
Define AWS resource tagging
We recommend to limit the scope of your AWS monitoring and reduce the number API calls to Amazon. You can use the tagging to limit the AWS resources that are monitored by Dynatrace. For details see How do I tag AWS resources?
Set up metric events for alerting
To configure metric events for alerting
- In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS.
- Under Metric events for alerting, select Manage alerting rules.
- On the Metric events for alerting page, you can create, enable/disable, and configure recommended alerting rules.
For an overview of all recommended alerting rules for all supporting services, see the list below.
The number of recommended alerting rules depends on the number of your monitored supporting services.
To add recommended alerting rules for a new supporting service, you first need to add the new service to monitoring.
- In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS.
- On the AWS overview page, select the edit button (pencil icon) for the AWS instance you want to edit.
- Select Manage services and Add service, choose the service name from the list, and select Add service.
- Select Save changes.
Note that not all supporting services have their own predefined alerting rules.
-
Create and enable alerting rules.
To enable recommended alerting rules, you first need to create them. You can create alerting rules and automatically enable them, or (if you clear Automatically enable created rules) create them and manually enable them after possible configuration changes.
For example, you can create and automatically enable a first batch of alerts. When you start monitoring new services, you can create alerts for these new services without automatically enabling them (because you want to configure them first).
-
Configure alerting rules. How you edit rules depends on whether you chose to automatically enable alerts.
-
If you chose to automatically enable alerts when creating them, go to Adjust recommended alerting rules, expand Enabled recommended alerting rules, and select any rule. This takes you to Edit custom event for alerting, where you can change the configuration rules for that specific service.
-
If you didn't choose to automatically enable alerts when creating them, go to Enable recommended alerting rules, expand Disabled recommended alerting rules, and select any of the disabled rules. This takes you to the same Edit custom event for alerting page.
-
-
Disable alerting rules.
-
You can disable all alerting rules, or disable or delete them selectively.
- To disable all alerting rules, go to Adjust recommended alerting rules and select Disable all enabled recommended alerting rules.
- To disable or delete alerting rules selectively, go to Adjust recommended alerting rules and select Custom events for alerting. On the Custom events for alerting page, you can disable an alert by turning it off in the On/Off column, or you can delete it by selecting
xin the Delete column.
Note: If you disable any or all of the alerting rules, you can always re-enable them.
