Panopta offers native integration with AWS CloudWatch, enabling Panopta to ingest your CloudWatch monitoring data. As well, Panopta can perform automatic discovery and monitoring of instances within your AWS account. This is configurable by service type and region, and can also be fully customized using your AWS tags.

CloudWatch data should be used as an augmentation of, not a replacement for, the data obtained by the Panopta server agent and external monitoring. The server agent can provide more detailed and accurate data across any OS distribution or application you may be running on your compute instance. As well, our external monitoring ensures you're getting the full picture of your current operating environment as well as a view into what your customers are experiencing.

Connecting Panopta & CloudWatch

To grant Panopta access your CloudWatch data, you'll need to create an external account role within your AWS account that is tied to Panopta's External AWS Account.

  1. Click the + Add button in the global navigation bar at the top of your screen. From the Catalog Modal that appears, select AWS
  2. On the Cloud Monitoring splash page, select AWS
  3. Follow the on-page instructions to create an AWS Policy and Role for the external Panopta account.
  4. Once you've obtained your ARN, select Verify.
  5. Once your ARN has been validated, you can configure your monitoring settings
    • Service Filtering: select the AWS services you'd like to monitor. It's better to only select the ones you're using, otherwise it uses vital API calls
    • Instance Filtering: you can choose to only import instances that match the AWS tag filters you define
    • Regions: only select the regions you operate in, otherwise it uses vital API calls
    • Options - Tag Import: enabling tag import will pull in your AWS tags with your AWS instances
    • Options - Routine Scan: every 20 minutes, we'll look for new instances in your account and will begin monitoring them assuming they meet your filter criteria. EC2 instances using the Panopta agent can be monitored immediately if you install the agent on boot.
    • Options - Destination Group: any time instances are imported, they'll be placed in this group in the control panel. This is great for setting default values which are inherited from their parent group as well as apply default templates
    • Options - Template: apply a template to every instance that's imported
  6. Click Import. We'll start pulling in your instances which meet your filter criteria and begin monitoring them.

API Limits & Throttling

By default, each AWS account gets 1M CloudWatch API calls per month for free. When Panopta makes CloudWatch calls to obtain metrics (every 10 minutes), it utilizes your API calls quota. Due to the highly decoupled design of the CloudWatch API, calls have to be made on a per-instance-per-metric basis - this means API calls add up fast. We encourage you utilize the Panopta agent on EC2 instances, not only for the cost savings, but also the increased functionality and granularity. You can read more about it here.

Once you exceed 1M CloudWatch calls for the month, AWS will charge your account $10 per 1M calls. You can read more about their pricing here.

In certain large-scale scenarios, AWS could begin throttling API calls. We will begin backing-off at that time. If you expect to utilize close to or the full 1M calls per month, we recommend reaching out to AWS to ask for a limit increase. If you'd like Panopta to collect CloudWatch metrics more often than every 10 minutes, please email support@panopta.com. As well, you can override this at the metric level by editing the metric. Check out templates to do this in bulk.

Existing Monitoring

If you're running the agent (Linux version > 2017.40, Windows version > 18.34), EC2 metrics will be automatically added to your existing agent-based instances.

Example: if you have a Linux Virtual Machine instance you're already monitoring with the agent, and the agent version is > 2017.40, we won't create a second "EC2" instance with the CloudWatch connection - the new CloudWatch metrics will be added to your existing instance

EC2 Incident Confirmation

If you're monitoring an EC2 instance with external checks - such as HTTP, HTTPS, or Ping - and we identify an incident, we'll first confirm with AWS that the instance is still around. If it was gracefully removed, we will not alert. If the instance was not removed gracefully, we will alert as normal.