Monitoring Route 53 Resolver DNS Firewall rule groups with Amazon CloudWatch - Amazon Route 53
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Monitoring Route 53 Resolver DNS Firewall rule groups with Amazon CloudWatch

You can use Amazon CloudWatch to monitor the number of DNS queries that Route 53 Resolver DNS Firewall rule groups process. CloudWatch collects and processes raw data into readable, near real-time metrics and retains these statistics (for at least two weeks; see the CloudWatch documentation for the current retention periods), so that you can access historical information and gain a better perspective on how your resources are performing. By default, metric data for DNS Firewall rule groups is automatically sent to CloudWatch at five-minute intervals.

For more information about DNS Firewall, see Route 53 Resolver DNS Firewall. For more information about CloudWatch, see What is Amazon CloudWatch? in the Amazon CloudWatch User Guide.

Metrics and dimensions for Route 53 Resolver DNS Firewall

When you associate a Route 53 Resolver DNS Firewall rule group with a VPC to filter DNS queries, DNS Firewall starts sending metrics about the queries that it filters to CloudWatch once every 5 minutes. These metrics are query counts only: the rule action (ALLOW, BLOCK, or ALERT) is not a dimension, so to see what happened to an individual query you need Resolver query logging rather than these metrics. For information about the metrics and dimensions for DNS Firewall, see CloudWatch metrics for Route 53 Resolver DNS Firewall.

You can use the following procedures to view the metrics in the CloudWatch console or view them by using the Amazon Command Line Interface (Amazon CLI).

To view DNS Firewall metrics using the CloudWatch console
  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. On the navigation bar, choose the Region that you want to view.

  3. In the navigation pane, choose Metrics.

  4. On the All metrics tab, choose Route 53 Resolver.

  5. Choose a metric that you're interested in.

To view metrics using the Amazon CLI
  • At a command prompt, use the following command (metrics are Regional, so your default Region, or the --region option, must point at the Region of the VPC):

    aws cloudwatch list-metrics --namespace "AWS/Route53Resolver"

CloudWatch metrics for Route 53 Resolver DNS Firewall

The AWS/Route53Resolver namespace includes metrics for Route 53 Resolver DNS Firewall rule groups.

Metrics for Route 53 Resolver DNS Firewall rule groups

FirewallRuleGroupQueryVolume

The number of DNS Firewall queries that match a firewall rule group (specified by FirewallRuleGroupId).

Dimensions: FirewallRuleGroupId

Valid statistics: Sum

Units: Count

Metrics for VPCs

VpcFirewallQueryVolume

The number of DNS Firewall queries from a VPC (specified by VpcId).

Dimensions: VpcId

Valid statistics: Sum

Units: Count

Metrics for firewall rule group and VPC association

FirewallRuleGroupVpcQueryVolume

The number of DNS Firewall queries from a VPC (specified by VpcId) that match a firewall rule group (specified by FirewallRuleGroupId).

Dimensions: FirewallRuleGroupId, VpcId

Valid statistics: Sum

Units: Count

Metrics for a domain list in a firewall rule group

FirewallRuleQueryVolume

The number of DNS Firewall queries that match a firewall domain list (specified by FirewallDomainListId) within a firewall rule group (specified by FirewallRuleGroupId).

Dimensions: FirewallRuleGroupId, FirewallDomainListId

Valid statistics: Sum

Units: Count
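The CLI procedure above only lists the metric names; retrieving values and alarming on them means supplying the exact dimensions shown in this section. The following is an added example, not code from the Route 53 documentation: it builds GetMetricData queries for the four metrics with their required dimensions, totals a constructed GetMetricData response offline, computes what share of a VPC's firewall-evaluated queries matched a rule group, and builds the arguments for a PutMetricAlarm call on FirewallRuleGroupQueryVolume. The rule group, VPC, domain list and SNS topic identifiers are made-up placeholders, and the treatment of missing datapoints as zero is an assumption stated in the code.

```python
"""Added example: query and alarm on Route 53 Resolver DNS Firewall metrics.
Not part of the AWS documentation; all identifiers below are placeholders."""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/Route53Resolver"
PERIOD = 300  # DNS Firewall publishes one datapoint per 5 minutes

# Constructed identifiers for illustration only (not real resources).
RULE_GROUP_ID = "rslvr-frg-0123456789abcdef0"
VPC_ID = "vpc-0123456789abcdef0"
DOMAIN_LIST_ID = "rslvr-fdl-0123456789abcdef0"


def metric_query(query_id, metric_name, dimensions, stat="Sum"):
    """One MetricDataQueries entry. Every DNS Firewall metric is a Count whose
    only valid statistic is Sum, so Sum over 300 s is the raw match count."""
    return {
        "Id": query_id,
        "MetricStat": {
            "Metric": {
                "Namespace": NAMESPACE,
                "MetricName": metric_name,
                "Dimensions": [{"Name": k, "Value": v} for k, v in dimensions.items()],
            },
            "Period": PERIOD,
            "Stat": stat,
        },
        "ReturnData": True,
    }


def firewall_queries(rule_group_id, vpc_id, domain_list_id):
    """The four metrics from this page, each with exactly the dimensions it requires."""
    return [
        metric_query("rg", "FirewallRuleGroupQueryVolume",
                     {"FirewallRuleGroupId": rule_group_id}),
        metric_query("vpc", "VpcFirewallQueryVolume", {"VpcId": vpc_id}),
        metric_query("assoc", "FirewallRuleGroupVpcQueryVolume",
                     {"FirewallRuleGroupId": rule_group_id, "VpcId": vpc_id}),
        metric_query("rule", "FirewallRuleQueryVolume",
                     {"FirewallRuleGroupId": rule_group_id,
                      "FirewallDomainListId": domain_list_id}),
    ]


def summarise(response):
    """Total each query's datapoints. A query with no datapoints totals 0;
    this assumes (not stated on the page) that an interval with no matching
    queries produces no datapoint rather than an explicit 0."""
    return {r["Id"]: sum(r.get("Values", [])) for r in response["MetricDataResults"]}


def rule_group_share(totals):
    """Percentage of the VPC's firewall-evaluated queries that matched the rule
    group (assoc / vpc); 0.0 when the VPC had no evaluated queries at all."""
    vpc_total = totals.get("vpc", 0)
    if vpc_total == 0:
        return 0.0
    return 100.0 * totals.get("assoc", 0) / vpc_total


def spike_alarm(rule_group_id, threshold, sns_topic_arn):
    """Keyword arguments for CloudWatch PutMetricAlarm: notify when the rule
    group matches more than `threshold` queries in one 5-minute interval."""
    return {
        "AlarmName": f"dns-firewall-{rule_group_id}-match-spike",
        "Namespace": NAMESPACE,
        "MetricName": "FirewallRuleGroupQueryVolume",
        "Dimensions": [{"Name": "FirewallRuleGroupId", "Value": rule_group_id}],
        "Statistic": "Sum",
        "Period": PERIOD,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        # Design choice: a missing datapoint means nothing matched, so stay OK.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def fetch(client, queries, minutes=60):
    """Run the queries with a boto3 CloudWatch client (requires credentials;
    not exercised offline)."""
    end = datetime.now(timezone.utc)
    return client.get_metric_data(MetricDataQueries=queries,
                                  StartTime=end - timedelta(minutes=minutes),
                                  EndTime=end)


# Constructed GetMetricData response (not real account data) so the summary
# logic can be run without AWS access. Two 5-minute datapoints per query.
STAMPS = ["2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z"]
SAMPLE_RESPONSE = {
    "MetricDataResults": [
        {"Id": "rg", "StatusCode": "Complete", "Timestamps": STAMPS, "Values": [12.0, 30.0]},
        {"Id": "vpc", "StatusCode": "Complete", "Timestamps": STAMPS, "Values": [400.0, 350.0]},
        {"Id": "assoc", "StatusCode": "Complete", "Timestamps": STAMPS, "Values": [12.0, 30.0]},
        {"Id": "rule", "StatusCode": "Complete", "Timestamps": [], "Values": []},
    ],
    "Messages": [],
}

if __name__ == "__main__":
    totals = summarise(SAMPLE_RESPONSE)
    print(totals)
    print(f"{rule_group_share(totals):.1f}% of VPC queries matched the rule group")
```

To run against a real account, pass `boto3.client("cloudwatch", region_name=...)` to `fetch` with the output of `firewall_queries`, and pass the `spike_alarm` dictionary to `client.put_metric_alarm(**...)`. Sizing the threshold from a week of `FirewallRuleGroupQueryVolume` history for a block-list rule group is the usual starting point; a sudden rise in matches on such a group is the signal that hosts in the VPC are resolving names on your block list.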