Cloud VPN gateways send logging information to Cloud Logging, and Cloud VPN tunnels send monitoring metrics to Cloud Monitoring. This page describes logs and metrics and how to view them.
To monitor VPN tunnel utilization, you can define alerts for VPN tunnel bandwidth. This monitoring method is recommended for production workloads.
View logs
Cloud VPN gateways send certain logs to Cloud Logging. Cloud VPN log entries contain useful information for monitoring and debugging your VPN tunnels, such as the following:
- General information shown in most Google Cloud logs, such as severity, project ID, project number, and timestamp.
- Other information that varies depending on the log entry.
For a list of useful logs, see VPN logs.
Console
To view logs for Cloud VPN, follow these steps:
In the Google Cloud console, go to the Logs Explorer page.
VPN logs are indexed by the VPN gateway that created them:
- To view all VPN logs, in the first drop-down menu, select Cloud VPN gateway, and then click All gateway_id.
- To view logs for only one gateway, select a single gateway name from the menu.
Log fields of type boolean typically only appear if they have a value of
true
. If a boolean field has a value offalse
, that field is omitted from the log.UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.
Route logs
You can configure the routing of logs-based metrics for Cloud VPN resource logs.
Cloud Logging stores Cloud VPN logs for only 30 days. If you want to keep your logs for a longer period, you must route them. You can route Cloud VPN logs to Pub/Sub or BigQuery for analysis.
View metrics
To view metrics and create alerts related to your VPN tunnels, use Cloud Monitoring.
In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alerts, and query the metrics by using the Monitoring API or the Google Cloud console.
View Monitoring dashboards
The following sections describe the different ways that you can view Monitoring dashboards for Cloud VPN.
View metrics in the Monitoring VPN resource
Console
To use the Monitoring VPN resource to view the metrics for a monitored resource, follow these steps:
In the Google Cloud console, go to the Monitoring page.
If the Monitoring navigation pane displays Resources, then select Resources and VPN. To view the dashboard for a specific gateway, locate it in the list, and then click its name.
Otherwise, select Dashboards, and then select the dashboard named VPN. The Inventory card contains a list of VPNs. To view the dashboard for a specific gateway, locate it in the list, and then click its name.
View metrics in Metrics Explorer
Console
To view the metrics for a monitored resource by using the Metrics Explorer, do the following:
-
In the Google Cloud console, go to the leaderboard Metrics explorer page:
If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- In the Metric element, expand the Select a metric menu,
enter
Cloud VPN
in the filter bar, and then use the submenus to select a specific resource type and metric:- In the Active resources menu, select Cloud VPN. This resource type is valid for either Classic VPN gateways or HA VPN gateways.
- To select a metric, use the Active metric categories and Active metrics menus. For a full list of metrics, see Cloud VPN metrics list.
- Click Apply.
To remove time series from the display, use the Filter element.
To combine time series, use the menus on the Aggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone.
All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.
- For quota and other metrics that report one sample per day, do the following:
- In the Display pane, set the Widget type to Stacked bar chart.
- Set the time period to at least one week.
View metrics from within a VPN tunnel
You can also view metrics in the Google Cloud console by clicking the Monitoring tab for a tunnel. This tab shows various time series graphs.
Define Monitoring alerts
Console
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
-
In the Google Cloud console, go to the notifications Alerting page:
If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
- To limit the menu to relevant entries, enter
Cloud VPN gateway
into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle. - For the Resource type, select Cloud VPN gateway.
- Select a Metric category and a Metric, and then select Apply.
- To limit the menu to relevant entries, enter
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
Define alerts for VPN tunnel bandwidth
To create alerting policies for the bytes per second (bps) and packets per second (pps) limits described in Network bandwidth, use Monitoring Query Language (MQL).
When entering your queries, follow the instructions in Creating MQL alerting policies (console) and see the following examples.
For active/active tunnel configurations, which are the default, Google recommends setting a 50% usage threshold on your VPN tunnels. Setting 50% alerting policies on your VPN tunnel bandwidth usage ensures that you have sufficient capacity in the event of tunnel failover.
Query for bps: This example query notifies you when the sum of
sent_bytes_count
andreceived_bytes_count
exceeds 50% of the 3-Gbps (375 MBps) limit for a given VPN tunnel."MBy"
specifies megabytes as the unit of measurement. The value of187.5 "MBy"
is automatically scaled to compare toval()
, which has the unit"Bytes"
. The align rate should be scaled appropriately to capture the necessary data. It can be set to as low as one second (1s), and scaled higher if more data sampling points over a longer period of days are needed.fetch vpn_gateway | { metric vpn.googleapis.com/network/sent_bytes_count ; metric vpn.googleapis.com/network/received_bytes_count } | align rate (1m) | filter (metric.tunnel_name == 'TUNNEL_NAME') | outer_join 0,0 | value val(0) + val(1) | condition val() > 187.5 "MBy/s"
Query for pps: This example query notifies you when the sum of
sent_packets_count
andreceived_packets_count
exceeds 50% of the maximum recommended packet rate of 250,000 pps for a given VPN tunnel.fetch vpn_gateway | { metric vpn.googleapis.com/network/sent_packets_count ; metric vpn.googleapis.com/network/received_packets_count } | align rate (1m) | filter (metric.tunnel_name == 'TUNNEL_NAME') | outer_join 0,0 | value val(0) + val(1) | condition val() > 125000 "{packets}/s"
For more information about MQL, see Introduction to Monitoring Query Language.
Define Monitoring custom dashboards
Console
To create custom Monitoring dashboards over Cloud VPN metrics, follow these steps:
In the Google Cloud console, go to the Monitoring page.
In the Monitoring navigation pane, click Dashboards, and then click Create dashboard.
Ensure that the Edit toggle is in the on position.
Click the widget in the Chart library that you want to add to the dashboard. You can also drag the widget from the library to the graph area.
Configure the widget by using the widget's configuration pane, which is displayed when the dashboard is editable and the widget is selected.
In the dashboard toolbar, to activate the Chart library, click Add chart. Repeat the previous steps for each widget that you want to add to the dashboard.
Select metrics and filters. For metrics, the resource type is Cloud VPN gateway.
For more information about configuring the widget, see Add dashboard widget.
For more information about setting up custom dashboards, see Manage custom dashboards.
View Monitoring metrics for Cloud VPN
The following metrics for Cloud VPN are reported into Monitoring. Metrics that are not individual events are for the time interval.
The "metric type" strings in this table must be prefixed
with vpn.googleapis.com/
. That prefix has been
omitted from the entries in the table.
When querying a label, use the metric.labels.
prefix; for
example, metric.labels.LABEL="VALUE"
.
Metric type Launch stage (Resource hierarchy levels) Display name |
|
---|---|
Kind, Type, Unit Monitored resources |
Description Labels |
gateway/connections
GA
(project)
Number of connections |
|
GAUGE , INT64 , 1
vpn_gateway |
Indicates the number of HA connections per VPN gateway. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
configured_for_sla :
(BOOL)
Whether the HA connection is fully configured for SLA.
gcp_service_health :
(BOOL)
Whether the Google Cloud side of the HA connection is fully functional.
end_to_end_health :
(BOOL)
Whether the HA connection is functional end-to-end.
|
network/dropped_received_packets_count
GA
(project)
Incoming packets dropped |
|
DELTA , INT64 , 1
vpn_gateway |
Ingress (received from peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
tunnel_name :
The name of the tunnel.
gateway_name :
The name of the gateway managing the tunnel.
|
network/dropped_sent_packets_count
GA
(project)
Outgoing packets dropped |
|
DELTA , INT64 , 1
vpn_gateway |
Egress (directed to peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
tunnel_name :
The name of the tunnel.
gateway_name :
The name of the gateway managing the tunnel.
|
network/received_bytes_count
GA
(project)
Received bytes |
|
DELTA , INT64 , By
vpn_gateway |
Ingress (received from peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
tunnel_name :
The name of the tunnel.
gateway_name :
The name of the gateway managing the tunnel.
|
network/received_packets_count
GA
(project)
Received packets |
|
DELTA , INT64 , {packets}
vpn_gateway |
Ingress (received from peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
status :
Delivery status, for example, [successful, exceeds_mtu, throttled].
tunnel_name :
The name of the tunnel.
|
network/sent_bytes_count
GA
(project)
Sent bytes |
|
DELTA , INT64 , By
vpn_gateway |
Egress (directed to peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
tunnel_name :
The name of the tunnel.
gateway_name :
The name of the gateway managing the tunnel.
|
network/sent_packets_count
GA
(project)
Sent packets |
|
DELTA , INT64 , {packets}
vpn_gateway |
Egress (directed to peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
status :
Delivery status, for example, [successful, exceeds_mtu, throttled].
tunnel_name :
The name of the tunnel.
|
tunnel_established
GA
(project)
Tunnel established |
|
GAUGE , DOUBLE , 1
vpn_gateway |
Indicates successful tunnel establishment if > 0. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
tunnel_name :
The name of the tunnel.
gateway_name :
The name of the gateway managing the tunnel.
|
vpn_tunnel/gateway_ip_version
GA
(project)
Gateway IP version |
|
GAUGE , BOOL ,
vpn_tunnel |
The IP version of the HA VPN gateway. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
gateway_ip_version :
The IP version of the HA VPN gateway.
|
Table generated at 2024-12-17 17:50:10 UTC.
View HA connection health metrics
The following metrics indicate if the connection for an HA VPN gateway is healthy and if its configuration meets the 99.99% SLA.
When creating a chart, if you specify the resource type and metric as Cloud VPN gateway and Number of connections, you can find these labels in the Filter field. For more information, see Metrics, filters, and aggregation.
Status | Description |
---|---|
configured_for_sla |
Indicates if the HA connection has been fully configured, meaning that the connection contains the necessary number of tunnels and is properly connected to a Cloud Router. |
gcp_service_health |
Indicates if the HA connection is functioning properly on the Google Cloud side. For example, the tunnel is allocated. |
end_to_end_health |
Indicates if packets are being successfully sent and received inside the HA connection. |
View metrics in Network Topology
You can use Network Topology to audit your networking configuration and troubleshoot networking issues.
Network Topology overlays throughput values on each connection. This feature lets you quickly see the amount of traffic moving between entities, such as the traffic traversing the VPN tunnels between Google Cloud and the on-premises network.
For information about the supported metrics for each connection, see the Metrics reference.
Metric values are based on the final five minutes of the selected hour. You can also view historical metrics for six weeks by clicking any of the edges.
For more information, see Data collection and freshness.
Console
- In the Google Cloud console, go to the Network Topology page.
In the entities selection pane, select a metric from the Edge metric drop-down menu.
Navigate to a specific entity hierarchy to view traffic that is related to that entity.
For example, if you want to view traffic bandwidth traversing the VPN tunnel between Google Cloud and the on-premises network, expand the entities until you see that VPN tunnel connection.
Click the entity to highlight all its traffic paths.
Network Topology displays metric values for each connection that supports the selected metric.
View reasons for drops
When a Cloud VPN gateway drops a packet, the gateway provides a reason for the drop.
Reason | Description | Source of traffic |
---|---|---|
dont_fragment_icmp |
The dropped packet was an ICMP packet of a size greater than the MTU
with the do not fragment bit set. Such packets are used for
path-mtu-discovery .
|
Google Cloud VM |
exceeds_mtu |
The first fragment of a UDP or ESP egress packet is greater than the MTU
and has the do not fragment bit set. |
Google Cloud VM |
dont_fragment_nonfirst_fragment |
A fragment of a UDP or ESP egress packet that is not the first fragment,
and which is greater than the MTU and has the
do not fragment bit set. |
Google Cloud VM |
Sent packets::invalid |
Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header. | Google Cloud VM |
Sent packets::throttled |
Packet dropped due to excessive load on the Cloud VPN gateway. | Google Cloud VM |
fragment_received |
Received a fragmented packet from the peer. | Peer VPN gateway |
sequence_number_lost |
A packet has arrived at the gateway with a sequence number greater than the expected sequence number, indicating that a packet with an earlier sequence number might have been dropped. | Peer VPN gateway |
suspected_replay |
ESP packet received with a sequence number that had already been received. | Peer VPN gateway |
Received packets::invalid |
Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header. | Peer VPN gateway |
Received packets::throttled |
Packet dropped due to excessive load on the Cloud VPN gateway. | Peer VPN gateway |
sa_expired |
Received a packet with unknown Security Association (SA). Could be as a result of using an SA that is already expired or one that was never negotiated. | Peer VPN gateway |
unknown |
Packet was dropped for a reason that the gateway could not or did not know how to categorize. | Either |
What's next
- To find more information about monitoring, see Cloud Monitoring.
- To find more information about collecting logs and configuring sinks for Cloud VPN, see Cloud Logging.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.