Amazon Virtual Private Cloud
User Guide
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon AWS.

Monitoring NAT gateways with Amazon CloudWatch

You can monitor your NAT gateway using CloudWatch, which collects information from the NAT gateway and creates readable, near-real-time metrics. You can use this information to monitor and troubleshoot the NAT gateway. NAT gateway metric data is provided at 1-minute intervals, and statistics are recorded for a period of 15 months.

For more information about Amazon CloudWatch, see the Amazon CloudWatch User Guide. For pricing information, see Amazon CloudWatch Pricing.

NAT gateway metrics and dimensions

NAT gateway metrics are sent to CloudWatch at 1-minute intervals. You can use the following procedures to view the metrics for your NAT gateway.

Currently, you can view NAT gateway metrics only using the CloudWatch console or command line tools.

To view metrics using the CloudWatch console

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace.

  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/

  2. In the navigation pane, choose Metrics.

  3. Under All metrics, choose the NAT gateway metric namespace.

  4. To view the metrics, select the metric dimension.

To view metrics using the AWS CLI

  • At a command prompt, use the following command to list the metrics that are available for the NAT gateway service:

    aws cloudwatch list-metrics --namespace "AWS/NATGateway"

The following metrics are available from the NAT gateway service. Each entry gives the metric name, its description, and its unit.

PacketsOutToDestination

The number of packets sent out through the NAT gateway to the destination.

A value greater than zero indicates that there is traffic going to the internet from clients that are behind the NAT gateway. If the value for PacketsOutToDestination is less than the value for PacketsInFromSource, there may be data loss during NAT gateway processing.

Unit: Count

PacketsOutToSource

The number of packets sent through the NAT gateway to the clients in your VPC.

A value greater than zero indicates that there is traffic coming from the internet to clients that are behind the NAT gateway. If the value for PacketsOutToSource is less than the value for PacketsInFromDestination, there may be data loss during NAT gateway processing, or traffic being actively blocked by the NAT gateway.

Unit: Count

PacketsInFromSource

The number of packets received by the NAT gateway from clients in your VPC.

If the value for PacketsOutToDestination is less than the value for PacketsInFromSource, there may be data loss during NAT gateway processing.

Unit: Count

PacketsInFromDestination

The number of packets received by the NAT gateway from the destination.

If the value for PacketsOutToSource is less than the value for PacketsInFromDestination, there may be data loss during NAT gateway processing, or traffic being actively blocked by the NAT gateway.

Unit: Count

BytesOutToDestination

The number of bytes sent out through the NAT gateway to the destination.

A value greater than zero indicates that there is traffic going to the internet from clients that are behind the NAT gateway. If the value for BytesOutToDestination is less than the value for BytesInFromSource, there may be data loss during NAT gateway processing.

Unit: Bytes

BytesOutToSource

The number of bytes sent through the NAT gateway to the clients in your VPC.

A value greater than zero indicates that there is traffic coming from the internet to clients that are behind the NAT gateway. If the value for BytesOutToSource is less than the value for BytesInFromDestination, there may be data loss during NAT gateway processing, or traffic being actively blocked by the NAT gateway.

Unit: Bytes

BytesInFromSource

The number of bytes received by the NAT gateway from clients in your VPC.

If the value for BytesOutToDestination is less than the value for BytesInFromSource, there may be data loss during NAT gateway processing.

Unit: Bytes

BytesInFromDestination

The number of bytes received by the NAT gateway from the destination.

If the value for BytesOutToSource is less than the value for BytesInFromDestination, there may be data loss during NAT gateway processing, or traffic being actively blocked by the NAT gateway.

Unit: Bytes

ErrorPortAllocation

The number of times the NAT gateway could not allocate a source port.

A value greater than zero indicates that too many concurrent connections are open through the NAT gateway.

Unit: Count

ActiveConnectionCount

The total number of concurrent active TCP connections through the NAT gateway.

A value of zero indicates that there are no active connections through the NAT gateway.

Unit: Count

ConnectionAttemptCount

The number of connection attempts made through the NAT gateway.

If the value for ConnectionEstablishedCount is less than the value for ConnectionAttemptCount, this indicates that clients behind the NAT gateway attempted to establish new connections for which there was no response.

Unit: Count

ConnectionEstablishedCount

The number of connections established through the NAT gateway.

If the value for ConnectionEstablishedCount is less than the value for ConnectionAttemptCount, this indicates that clients behind the NAT gateway attempted to establish new connections for which there was no response.

Unit: Count

IdleTimeoutCount

The number of connections that transitioned from the active state to the idle state. An active connection transitions to idle if it was not closed gracefully and there was no activity for the last 350 seconds.

A value greater than zero indicates that there are connections that have been moved to an idle state. If the value for IdleTimeoutCount increases, it may indicate that clients behind the NAT gateway are re-using stale connections.

Unit: Count

PacketsDropCount

The number of packets dropped by the NAT gateway.

A value greater than zero may indicate an ongoing transient issue with the NAT gateway. If this value is high, see the AWS service health dashboard.

Unit: Count

You can filter the NAT gateway data using the following dimensions.

Dimension: NatGatewayId

Filters the data by the NAT gateway ID.
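The interpretation rules in the metric table above (fewer packets or bytes out than in on each path, any port allocation error, attempts that never became established connections, a rising idle-timeout count, dropped packets) are easy to apply by hand for one period and tedious for a day's worth of datapoints. The following Python, added here as an example and not part of the AWS documentation or AWS code, encodes those rules as one function over a period's values. The datapoint values are constructed for illustration; the metric names are the real AWS/NATGateway names from the table, and the query that would fetch real values (for example `aws cloudwatch get-metric-statistics`) is not shown.

```python
"""Consistency checks over NAT gateway CloudWatch datapoints.

Added example; it is not part of the AWS documentation and not AWS code. It
turns the interpretation rules from the metric table into code that a
practitioner can run over per-period values returned by CloudWatch (that
query is not shown here; the datapoints below are constructed by hand).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: Sum values for one NAT gateway over one 1-minute period.
# The numbers are invented; the keys are the real AWS/NATGateway metric names.
SAMPLE_PERIOD: Dict[str, int] = {
    "PacketsInFromSource": 12000,
    "PacketsOutToDestination": 11990,
    "PacketsInFromDestination": 9000,
    "PacketsOutToSource": 9000,
    "BytesInFromSource": 1_500_000,
    "BytesOutToDestination": 1_500_000,
    "BytesInFromDestination": 4_000_000,
    "BytesOutToSource": 3_600_000,
    "ErrorPortAllocation": 7,
    "ConnectionAttemptCount": 400,
    "ConnectionEstablishedCount": 350,
    "IdleTimeoutCount": 30,
    "PacketsDropCount": 10,
}

Finding = Tuple[str, str]  # (short code, human-readable detail)


def check_nat_gateway(
    dp: Dict[str, int], previous_idle_timeout: Optional[int] = None
) -> List[Finding]:
    """Apply the table's interpretation rules to one period of datapoints.

    dp maps metric name -> value for the period. previous_idle_timeout is the
    IdleTimeoutCount of the preceding period; the table flags an *increasing*
    count, which a single period cannot decide on its own.
    """
    findings: List[Finding] = []

    # Outbound path: what came in from VPC clients should go out to the
    # destination. Fewer out than in means possible loss during processing.
    for unit in ("Packets", "Bytes"):
        came_in = dp.get(f"{unit}InFromSource", 0)
        went_out = dp.get(f"{unit}OutToDestination", 0)
        if went_out < came_in:
            findings.append((
                "outbound_loss",
                f"{unit}OutToDestination={went_out} < {unit}InFromSource={came_in}: "
                "possible data loss during NAT gateway processing",
            ))

    # Return path: what came in from the destination should reach VPC clients.
    # Fewer out than in means loss, or traffic the NAT gateway actively blocks.
    for unit in ("Packets", "Bytes"):
        came_in = dp.get(f"{unit}InFromDestination", 0)
        went_out = dp.get(f"{unit}OutToSource", 0)
        if went_out < came_in:
            findings.append((
                "inbound_loss_or_blocked",
                f"{unit}OutToSource={went_out} < {unit}InFromDestination={came_in}: "
                "data loss or traffic actively blocked by the NAT gateway",
            ))

    # Any failed source-port allocation means too many concurrent connections.
    if dp.get("ErrorPortAllocation", 0) > 0:
        findings.append((
            "port_exhaustion",
            f"ErrorPortAllocation={dp['ErrorPortAllocation']}: too many concurrent "
            "connections open through the NAT gateway",
        ))

    # Attempts that never became established connections got no response.
    attempts = dp.get("ConnectionAttemptCount", 0)
    established = dp.get("ConnectionEstablishedCount", 0)
    if established < attempts:
        findings.append((
            "unanswered_connections",
            f"ConnectionEstablishedCount={established} < ConnectionAttemptCount={attempts}: "
            "clients attempted new connections that got no response",
        ))

    # A rising idle-timeout count suggests clients re-using stale connections.
    idle = dp.get("IdleTimeoutCount", 0)
    if previous_idle_timeout is not None and idle > previous_idle_timeout:
        findings.append((
            "stale_connection_reuse",
            f"IdleTimeoutCount rose from {previous_idle_timeout} to {idle}: clients may "
            "be re-using stale connections",
        ))

    # Dropped packets point at a transient issue on the NAT gateway itself.
    if dp.get("PacketsDropCount", 0) > 0:
        findings.append((
            "packet_drops",
            f"PacketsDropCount={dp['PacketsDropCount']}: possible transient issue; "
            "check the AWS service health dashboard if this stays high",
        ))
    return findings


if __name__ == "__main__":
    for code, detail in check_nat_gateway(SAMPLE_PERIOD, previous_idle_timeout=12):
        print(f"[{code}] {detail}")
```

Run over consecutive periods, feeding each period's IdleTimeoutCount as `previous_idle_timeout` for the next, the function yields one finding per rule per period; a single period of `outbound_loss` is not unusual, so in practice you would alert on findings that persist, which is what the consecutive-period alarms in the next section do.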

Creating CloudWatch alarms to monitor a NAT gateway

You can create a CloudWatch alarm that sends an Amazon SNS message when the alarm changes state. An alarm watches a single metric over a time period that you specify, and sends a notification to an Amazon SNS topic based on the value of the metric relative to a given threshold over a number of time periods.

For example, you can create an alarm that monitors the amount of traffic coming in to or leaving the NAT gateway. The following alarm monitors the amount of outbound traffic from clients in your VPC through the NAT gateway to the internet. It sends a notification when the number of bytes reaches a threshold of 5,000,000 during a 15-minute period.

To create an alarm for outbound traffic through the NAT gateway

  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/

  2. In the navigation pane, choose Alarms, Create Alarm.

  3. Choose NAT gateway.

  4. Select the NAT gateway and the BytesOutToDestination metric, and then choose Next.

  5. Configure the alarm as follows, and choose Create Alarm when you're done:

    • Under Alarm Threshold, enter a name and description for your alarm. For Whenever, choose >= and enter 5000000. Enter 1 for the consecutive periods.

    • Under Actions, select an existing notification list or choose New list to create a new one.

    • Under Alarm Preview, select a period of 15 minutes and a statistic of Sum.

You can create an alarm that monitors the ErrorPortAllocation metric and sends a notification when the value is greater than zero (0) for three consecutive 5-minute periods.

To create an alarm to monitor port allocation errors

  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/

  2. In the navigation pane, choose Alarms, Create Alarm.

  3. Choose NAT Gateway.

  4. Select the NAT gateway and the ErrorPortAllocation metric, and then choose Next.

  5. Configure the alarm as follows, and choose Create Alarm when you're done:

    • Under Alarm Threshold, enter a name and description for your alarm. For Whenever, choose > and enter 0. Enter 3 for the consecutive periods.

    • Under Actions, select an existing notification list or choose New list to create a new one.

    • Under Alarm Preview, select a period of 5 minutes and a statistic of Maximum.
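The two console procedures above define the same alarms that the CloudWatch PutMetricAlarm API accepts as parameters (Statistic, Period, EvaluationPeriods, ComparisonOperator, Threshold). The following Python, added here as an example and not AWS code, writes both alarms in that parameter form and evaluates them offline against constructed 1-minute datapoints, so you can see why a single burst of port allocation errors does not trigger the three-consecutive-period alarm while a sustained run does. The NAT gateway ID is a placeholder, and the evaluator deliberately simplifies CloudWatch: it does not model missing-data handling or the "datapoints to alarm" setting.

```python
"""Offline model of the two NAT gateway alarms described above.

Added example, not AWS code. It reproduces CloudWatch's "consecutive periods"
rule locally: 1-minute datapoints are grouped into the alarm's period, each
group is reduced with the alarm's statistic and compared with the threshold,
and the state is ALARM only when the last EvaluationPeriods groups all
breach. The alarm definitions use the parameter names of the CloudWatch
PutMetricAlarm API so they could be passed to boto3's put_metric_alarm; the
NAT gateway ID is a placeholder and the datapoints are constructed.
Missing-data handling and the "datapoints to alarm" setting are not modelled.
"""
import operator
from typing import Dict, List, Tuple

NAT_GATEWAY_ID = "nat-0123456789abcdef0"  # placeholder, not a real gateway

# Alarm 1 from the page: BytesOutToDestination, Sum over 15 minutes >= 5,000,000,
# for 1 consecutive period.
OUTBOUND_TRAFFIC_ALARM: Dict = {
    "AlarmName": "nat-outbound-bytes-high",
    "Namespace": "AWS/NATGateway",
    "MetricName": "BytesOutToDestination",
    "Dimensions": [{"Name": "NatGatewayId", "Value": NAT_GATEWAY_ID}],
    "Statistic": "Sum",
    "Period": 900,
    "EvaluationPeriods": 1,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "Threshold": 5_000_000,
}

# Alarm 2 from the page: ErrorPortAllocation, Maximum over 5 minutes > 0,
# for 3 consecutive periods.
PORT_ALLOCATION_ALARM: Dict = {
    "AlarmName": "nat-port-allocation-errors",
    "Namespace": "AWS/NATGateway",
    "MetricName": "ErrorPortAllocation",
    "Dimensions": [{"Name": "NatGatewayId", "Value": NAT_GATEWAY_ID}],
    "Statistic": "Maximum",
    "Period": 300,
    "EvaluationPeriods": 3,
    "ComparisonOperator": "GreaterThanThreshold",
    "Threshold": 0,
}

COMPARISONS = {
    "GreaterThanOrEqualToThreshold": operator.ge,
    "GreaterThanThreshold": operator.gt,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}
STATISTICS = {
    "Sum": sum,
    "Maximum": max,
    "Minimum": min,
    "Average": lambda xs: sum(xs) / len(xs),
    "SampleCount": len,
}


def evaluate_alarm(alarm: Dict, samples: List[float]) -> Tuple[str, List[float]]:
    """Return (state, aggregated value per period) for 1-minute samples, oldest first."""
    per_period = alarm["Period"] // 60
    needed = per_period * alarm["EvaluationPeriods"]
    if len(samples) < needed:
        return "INSUFFICIENT_DATA", []
    window = samples[-needed:]  # only the most recent evaluation window counts
    aggregate = STATISTICS[alarm["Statistic"]]
    compare = COMPARISONS[alarm["ComparisonOperator"]]
    aggregated = [aggregate(window[i:i + per_period]) for i in range(0, needed, per_period)]
    breaching = [compare(value, alarm["Threshold"]) for value in aggregated]
    return ("ALARM" if all(breaching) else "OK"), aggregated


# Constructed 1-minute samples, 15 minutes each.
BYTES_OUT_SAMPLES = [300_000] * 10 + [400_000] * 5  # sums to exactly 5,000,000
PORT_ERRORS_TRANSIENT = [0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 1, 0, 0, 0, 3]  # first 5-min period clean
PORT_ERRORS_SUSTAINED = [0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 1]  # an error in every period

if __name__ == "__main__":
    for alarm, samples in (
        (OUTBOUND_TRAFFIC_ALARM, BYTES_OUT_SAMPLES),
        (PORT_ALLOCATION_ALARM, PORT_ERRORS_TRANSIENT),
        (PORT_ALLOCATION_ALARM, PORT_ERRORS_SUSTAINED),
    ):
        state, values = evaluate_alarm(alarm, samples)
        print(f"{alarm['AlarmName']}: {state} {values}")
```

The Maximum statistic matters for the port allocation alarm: with Sum or Average the same sustained trickle of errors would still breach, but Maximum makes a single error in a period enough, which matches the page's intent of catching any period with errors rather than a volume of them.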

For more examples of creating alarms, see Creating Amazon CloudWatch Alarms in the Amazon CloudWatch User Guide.