View logs and metrics


Cloud VPN gateways send logging information to Cloud Logging, and Cloud VPN tunnels send monitoring metrics to Cloud Monitoring. This page describes logs and metrics and how to view them.

To monitor VPN tunnel utilization, you can define alerts for VPN tunnel bandwidth. This monitoring method is recommended for production workloads. For non-production workloads, you can try the VPN tunnel utilization recommender (Preview).

View logs

Cloud VPN gateways send certain logs to Cloud Logging. Cloud VPN log entries contain useful information for monitoring and debugging your VPN tunnels, such as the following:

  • General information shown in most Google Cloud logs, such as severity, project ID, project number, and timestamp.
  • Other information that varies depending on the log entry.

For a list of useful logs, see VPN logs.

Console

To view logs for Cloud VPN, follow these steps:

  • In the Google Cloud console, go to the Logs Explorer page.

    VPN logs are indexed by the VPN gateway that created them:

    • To view all VPN logs, in the first drop-down menu, select Cloud VPN gateway, and then click All gateway_id.
    • To view logs for only one gateway, select a single gateway name from the menu.

Note the following about Cloud VPN log fields:

  • Log fields of type boolean typically appear only if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.
  • UTF-8 encoding is enforced for log fields. Characters that are not valid UTF-8 are replaced with question marks.

Route logs

You can configure the routing of logs-based metrics for Cloud VPN resource logs.

Cloud Logging stores Cloud VPN logs for only 30 days. If you want to keep your logs for a longer period, you must route them. You can route Cloud VPN logs to Pub/Sub or BigQuery for analysis.

View metrics

To view metrics and create alerts related to your VPN tunnels, use Cloud Monitoring.

In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alerts, and query the metrics by using the Monitoring API or the Google Cloud console.

View Monitoring dashboards

The following sections describe the different ways that you can view Monitoring dashboards for Cloud VPN.

View metrics in the Monitoring VPN resource

Console

To use the Monitoring VPN resource to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud console, go to the Monitoring page.


  2. If the Monitoring navigation pane displays Resources, then select Resources and VPN. To view the dashboard for a specific gateway, locate it in the list, and then click its name.

  3. Otherwise, select Dashboards, and then select the dashboard named VPN. The Inventory card contains a list of VPNs. To view the dashboard for a specific gateway, locate it in the list, and then click its name.

View metrics in Metrics Explorer

Console

To use Metrics Explorer to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud console, go to the Metrics Explorer page within Monitoring.
  2. In the toolbar, select the Explorer tab.
  3. Select the Configuration tab.
  4. Expand the Select a metric menu, enter Cloud VPN in the filter bar, and then use the submenus to select a specific resource type and metric:
    1. In the Active resources menu, select Cloud VPN. This resource type is valid for either Classic VPN gateways or HA VPN gateways.
    2. To select a metric, use the Active metric categories and Active metrics menus. For a full list of metrics, see Cloud VPN metrics list.
    3. Click Apply.
  5. Optional: To configure how the data is viewed, add filters and use the Group By, Aggregator, and chart-type menus. For example, you can group by resource or metric labels. For more information, see Select metrics when using Metrics Explorer.
  6. Optional: Change the graph settings:
    • For quota and other metrics that report one sample per day, set the time frame to at least one week and set the plot type to Stacked bar chart.
    • For distribution-valued metrics, set the plot type to Heatmap chart.

View metrics from within a VPN tunnel

You can also view metrics in the Google Cloud console by clicking the Monitoring tab for a tunnel. This tab shows various time-series graphs.

Define Monitoring alerts

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Monitoring page.


  2. In the Monitoring navigation pane, select Alerting.
  3. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  4. From the Alerting page, select Create policy.
  5. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter Cloud VPN gateway into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Cloud VPN gateway.
    3. Select a Metric category and a Metric, and then select Apply.
  6. Click Next.
  7. The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Condition trigger.
  8. Click Next.
  9. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  10. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  11. Optional: Click Documentation, and then add any information that you want included in a notification message.
  12. Click Alert name and enter a name for the alerting policy.
  13. Click Create Policy.

For more information, see Alerting policies.

Define alerts for VPN tunnel bandwidth

To create alerting policies for the bytes per second (bps) and packets per second (pps) limits described in Network bandwidth, use Monitoring Query Language (MQL).

When entering your queries, follow the instructions in Creating MQL alerting policies (console) and see the following examples.

For active/active tunnel configurations, which are the default, Google recommends setting a 50% usage threshold on your VPN tunnels. Setting 50% alerting policies on your VPN tunnel bandwidth usage ensures that you have sufficient capacity in the event of tunnel failover.

  • Query for bps: This example query notifies you when the sum of sent_bytes_count and received_bytes_count exceeds 50% of the 3-Gbps (375 MBps) limit for a given VPN tunnel. "MBy" specifies megabytes as the unit of measurement; the value 187.5 "MBy" is automatically scaled for comparison with val(), which has the unit "Bytes". Choose the align rate window to capture the data you need: it can be set as low as one second (1s) and increased when you need sampling points that span a longer period of days.

    fetch vpn_gateway
    | { metric vpn.googleapis.com/network/sent_bytes_count
    ; metric vpn.googleapis.com/network/received_bytes_count }
    | align rate (1m)
    | filter (metric.tunnel_name == 'TUNNEL_NAME')
    | outer_join 0,0
    | value val(0) + val(1)
    | condition val() > 187.5 "MBy/s"
    
  • Query for pps: This example query notifies you when the sum of sent_packets_count and received_packets_count exceeds 50% of the maximum recommended packet rate of 250,000 pps for a given VPN tunnel.

    fetch vpn_gateway
    | { metric vpn.googleapis.com/network/sent_packets_count
    ; metric vpn.googleapis.com/network/received_packets_count }
    # convert the DELTA packet counts to a per-second rate before comparing to pps
    | align rate (1m)
    | filter (metric.tunnel_name == 'TUNNEL_NAME')
    | outer_join 0,0
    | value val(0) + val(1)
    | condition val() > 125000
    

For more information about MQL, see Introduction to Monitoring Query Language.

Define Monitoring custom dashboards

Console

To create custom Monitoring dashboards over Cloud VPN metrics, follow these steps:

  1. In the Google Cloud console, go to the Monitoring page.


  2. In the Monitoring navigation pane, click Dashboards, and then click Create dashboard.

  3. Ensure that the Edit toggle is in the on position.

  4. Click the widget in the Chart library that you want to add to the dashboard. You can also drag the widget from the library to the graph area.

  5. Configure the widget by using the widget's configuration pane, which is displayed when the dashboard is editable and the widget is selected.

  6. In the dashboard toolbar, to activate the Chart library, click Add chart. Repeat the previous steps for each widget that you want to add to the dashboard.

  7. Select metrics and filters. For metrics, the resource type is Cloud VPN gateway.

For more information about configuring the widget, see Add dashboard widget.

For more information about setting up custom dashboards, see Manage custom dashboards.

View Monitoring metrics for Cloud VPN

The following metrics for Cloud VPN are reported into Monitoring. Metrics that are not individual events are for the time interval.

The "metric type" strings in this table must be prefixed with vpn.googleapis.com/. That prefix has been omitted from the entries in the table.

Each entry lists the metric type and launch stage, display name, kind/type/unit, monitored resource, description, and labels.

Metric type: gateway/connections (GA)
Display name: Number of connections
Kind, Type, Unit: GAUGE, INT64, 1
Monitored resources: vpn_gateway
Description: Indicates the number of HA connections per VPN gateway. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
Labels:
  configured_for_sla: (BOOL) Whether the HA connection is fully configured for SLA.
  gcp_service_health: (BOOL) Whether the Google Cloud side of the HA connection is fully functional.
  end_to_end_health: (BOOL) Whether the HA connection is functional end-to-end.

Metric type: network/dropped_received_packets_count (GA)
Display name: Incoming packets dropped
Kind, Type, Unit: DELTA, INT64, 1
Monitored resources: vpn_gateway
Description: Ingress (received from peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
Labels:
  tunnel_name: The name of the tunnel.
  gateway_name: The name of the gateway managing the tunnel.

Metric type: network/dropped_sent_packets_count (GA)
Display name: Outgoing packets dropped
Kind, Type, Unit: DELTA, INT64, 1
Monitored resources: vpn_gateway
Description: Egress (directed to peer VPN) packets dropped for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
Labels:
  tunnel_name: The name of the tunnel.
  gateway_name: The name of the gateway managing the tunnel.

Metric type: network/received_bytes_count (GA)
Display name: Received bytes
Kind, Type, Unit: DELTA, INT64, By
Monitored resources: vpn_gateway
Description: Ingress (received from peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
Labels:
  tunnel_name: The name of the tunnel.
  gateway_name: The name of the gateway managing the tunnel.

Metric type: network/received_packets_count (GA)
Display name: Received packets
Kind, Type, Unit: DELTA, INT64, {packets}
Monitored resources: vpn_gateway
Description: Ingress (received from peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
Labels:
  status: Delivery status, for example, [successful, exceeds_mtu, throttled].
  tunnel_name: The name of the tunnel.

Metric type: network/sent_bytes_count (GA)
Display name: Sent bytes
Kind, Type, Unit: DELTA, INT64, By
Monitored resources: vpn_gateway
Description: Egress (directed to peer VPN) bytes for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
Labels:
  tunnel_name: The name of the tunnel.
  gateway_name: The name of the gateway managing the tunnel.

Metric type: network/sent_packets_count (GA)
Display name: Sent packets
Kind, Type, Unit: DELTA, INT64, {packets}
Monitored resources: vpn_gateway
Description: Egress (directed to peer VPN) packets for tunnel. Sampled every 60 seconds. After sampling, data is not visible for up to 60 seconds.
Labels:
  status: Delivery status, for example, [successful, exceeds_mtu, throttled].
  tunnel_name: The name of the tunnel.

Metric type: tunnel_established (GA)
Display name: Tunnel established
Kind, Type, Unit: GAUGE, DOUBLE, 1
Monitored resources: vpn_gateway
Description: Indicates successful tunnel establishment if > 0. Sampled every 60 seconds. After sampling, data is not visible for up to 180 seconds.
Labels:
  tunnel_name: The name of the tunnel.
  gateway_name: The name of the gateway managing the tunnel.

Table generated at 2023-01-27 01:53:03 UTC.

View HA connection health metrics

The following metrics indicate if the connection for an HA VPN gateway is healthy and if its configuration meets the 99.99% SLA.

When creating a chart, if you specify the resource type and metric as Cloud VPN gateway and Number of connections, you can find these labels in the Filter field. For more information, see Metrics, filters, and aggregation.

Status and description:

  • configured_for_sla: Indicates if the HA connection has been fully configured, meaning that the connection contains the necessary number of tunnels and is properly connected to a Cloud Router.
  • gcp_service_health: Indicates if the HA connection is functioning properly on the Google Cloud side. For example, the tunnel is allocated.
  • end_to_end_health: Indicates if packets are being successfully sent and received inside the HA connection.

View metrics in Network Topology

You can use Network Topology to audit your networking configuration and troubleshoot networking issues.

Network Topology overlays throughput values on each connection. This feature lets you quickly see the amount of traffic moving between entities, such as the traffic traversing the VPN tunnels between Google Cloud and the on-premises network.

For information about the supported metrics for each connection, see the Metrics reference.

Metric values are based on the final five minutes of the currently selected hour. You can also view historical metrics for six weeks by clicking on any of the edges.

For more information, see Data collection and freshness.

Console

  1. In the Google Cloud console, go to the Network Topology page.


  2. In the entities selection pane, select a metric from the Edge metric drop-down menu.

  3. Navigate to a specific entity hierarchy to view traffic that is related to that entity.

    For example, if you want to view traffic bandwidth traversing the VPN tunnel between Google Cloud and the on-premises network, expand the entities until you see that VPN tunnel connection.

  4. Click the entity to highlight all its traffic paths.

    Network Topology displays metric values for each connection that supports the currently selected metric.

View reasons for drops

When a Cloud VPN gateway drops a packet, the gateway provides a reason for the drop.

Each entry lists the drop reason, its description, and the source of the dropped traffic.

dont_fragment_icmp
  Description: The dropped packet was an ICMP packet of a size greater than the MTU with the do-not-fragment bit set. Such packets are used for path MTU discovery.
  Source of traffic: Google Cloud VM

exceeds_mtu
  Description: The first fragment of a UDP or ESP egress packet is greater than the MTU and has the do-not-fragment bit set.
  Source of traffic: Google Cloud VM

dont_fragment_nonfirst_fragment
  Description: A fragment of a UDP or ESP egress packet that is not the first fragment, and which is greater than the MTU and has the do-not-fragment bit set.
  Source of traffic: Google Cloud VM

Sent packets::invalid
  Description: Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header.
  Source of traffic: Google Cloud VM

Sent packets::throttled
  Description: Packet dropped due to excessive load on the Cloud VPN gateway.
  Source of traffic: Google Cloud VM

fragment_received
  Description: Received a fragmented packet from the peer.
  Source of traffic: Peer VPN gateway

sequence_number_lost
  Description: A packet has arrived at the gateway with a sequence number greater than the expected sequence number, indicating that a packet with an earlier sequence number might have been dropped.
  Source of traffic: Peer VPN gateway

suspected_replay
  Description: ESP packet received with a sequence number that had already been received.
  Source of traffic: Peer VPN gateway

Received packets::invalid
  Description: Packet was invalid or corrupt in some way. For example, the packet might have had an invalid IP header.
  Source of traffic: Peer VPN gateway

Received packets::throttled
  Description: Packet dropped due to excessive load on the Cloud VPN gateway.
  Source of traffic: Peer VPN gateway

sa_expired
  Description: Received a packet with an unknown Security Association (SA). This could be the result of using an SA that has already expired or one that was never negotiated.
  Source of traffic: Peer VPN gateway

unknown
  Description: Packet was dropped for a reason that the gateway could not or did not know how to categorize.
  Source of traffic: Either (Google Cloud VM or peer VPN gateway)

Check for VPN tunnel overutilization

This section describes how to check for VPN tunnel overutilization.

You can use the VPN tunnel utilization recommender to check for VPN tunnel overutilization. A recommender is a service in Google Cloud that provides usage recommendations for cloud resources. For more information, see the Recommender overview.

VPN tunnels have limits of 3 Gbps for bandwidth and 250,000 packets per second (pps) for the packet rate. The VPN tunnel utilization recommender generates recommendations when utilization is at 80% of these limits so that you can add a new VPN tunnel before a limit is reached. For more information, see the Limits section of the VPN quotas page.

As your amount of workloads or user traffic increases, you might reach the VPN tunnel limits without knowing. Reaching these limits can cause packet loss and degradation of application performance. Adding a VPN tunnel early can help you avoid extended periods of impact caused by an overutilized VPN tunnel.

This recommender can help with the following scenarios:

  • Identifying and linking application issues to VPN limits requires troubleshooting, which can take a considerable amount of time.
  • Setting up an additional VPN tunnel is often a lengthy process. It requires configuration and capacity on both sides of the connection. In on-premises environments, setting up another tunnel typically involves multiple teams and sometimes hardware procurement.
  • There might not be a quick workaround for an overutilized VPN tunnel because it might be infeasible to remove business critical traffic from the connection.

How it works

The VPN tunnel utilization recommender analyzes VPN tunnel utilization over the past seven days. When a VPN tunnel is overutilized, it generates the recommendations and insights described in the following table.

Insight: Total sent and received bytes per second is higher than 300 MBps*
Insight subtype: HIGH_BYTES_THROUGHPUT
Recommendation: Add a new VPN tunnel.

Insight: Total sent and received packets per second is higher than 200,000 pps
Insight subtype: HIGH_PACKETS_THROUGHPUT
Recommendation: Add a new VPN tunnel.

*300 MBps is 80% of the 3-Gbps limit. 200,000 pps is 80% of the 250,000-pps limit. For more information, see Network bandwidth.
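The following added example (not Google's code or part of this page) applies the thresholds from both the MQL alerting queries (50%: 187.5 MB/s and 125,000 pps) and the recommender insights above (80%: 300 MB/s and 200,000 pps) to constructed 60-second DELTA samples, so you can see offline which tunnels would alert and which would produce a HIGH_BYTES_THROUGHPUT or HIGH_PACKETS_THROUGHPUT insight. The DeltaSample shape and the sample values are assumptions, not real Cloud Monitoring output.

```python
"""Offline check of Cloud VPN tunnel utilization against the page's thresholds.
Added example; the sample data is constructed, not real Cloud Monitoring output."""
from dataclasses import dataclass

SAMPLE_PERIOD_S = 60            # DELTA metrics on this page are sampled every 60 seconds
BYTES_PER_S_LIMIT = 3e9 / 8     # 3 Gbps tunnel limit expressed in bytes/s (375,000,000)
PPS_LIMIT = 250_000             # packets-per-second tunnel limit
ALERT_FRACTION = 0.50           # alerting threshold recommended for active/active tunnels
RECOMMEND_FRACTION = 0.80       # VPN tunnel utilization recommender threshold


@dataclass(frozen=True)
class DeltaSample:
    """One 60-second DELTA sample for a tunnel (hypothetical shape, constructed)."""
    tunnel_name: str
    sent_bytes: int
    received_bytes: int
    sent_packets: int
    received_packets: int


def tunnel_rates(sample: DeltaSample) -> tuple[float, float]:
    """Sum of sent + received, converted to per-second rates.
    Mirrors `align rate (1m)` followed by `value val(0) + val(1)` in the MQL queries."""
    bytes_per_s = (sample.sent_bytes + sample.received_bytes) / SAMPLE_PERIOD_S
    pps = (sample.sent_packets + sample.received_packets) / SAMPLE_PERIOD_S
    return bytes_per_s, pps


def evaluate_window(samples: list[DeltaSample]) -> dict[str, dict]:
    """Evaluate every tunnel over an observation window.

    alert_bytes / alert_packets: True if any single sample crossed the 50% threshold.
    insights: recommender insight subtypes whose 80% threshold the peak rate crossed.
    """
    report: dict[str, dict] = {}
    for s in samples:
        bps, pps = tunnel_rates(s)
        entry = report.setdefault(s.tunnel_name, {
            "peak_bytes_per_s": 0.0, "peak_pps": 0.0,
            "alert_bytes": False, "alert_packets": False, "insights": [],
        })
        entry["peak_bytes_per_s"] = max(entry["peak_bytes_per_s"], bps)
        entry["peak_pps"] = max(entry["peak_pps"], pps)
        entry["alert_bytes"] |= bps > ALERT_FRACTION * BYTES_PER_S_LIMIT
        entry["alert_packets"] |= pps > ALERT_FRACTION * PPS_LIMIT
    for entry in report.values():
        if entry["peak_bytes_per_s"] > RECOMMEND_FRACTION * BYTES_PER_S_LIMIT:
            entry["insights"].append("HIGH_BYTES_THROUGHPUT")
        if entry["peak_pps"] > RECOMMEND_FRACTION * PPS_LIMIT:
            entry["insights"].append("HIGH_PACKETS_THROUGHPUT")
    return report


# Constructed samples: tunnel-a spikes to 200 MB/s (alerts, but stays under 300 MB/s),
# tunnel-b runs at 225,000 pps (alerts and triggers an insight), tunnel-c is nearly idle.
SAMPLES = [
    DeltaSample("tunnel-a", 1_000_000_000, 1_000_000_000, 600_000, 600_000),
    DeltaSample("tunnel-a", 6_000_000_000, 6_000_000_000, 3_000_000, 3_000_000),
    DeltaSample("tunnel-b", 500_000_000, 500_000_000, 7_500_000, 6_000_000),
    DeltaSample("tunnel-c", 60_000_000, 60_000_000, 60_000, 60_000),
]

if __name__ == "__main__":
    for name, r in evaluate_window(SAMPLES).items():
        print(f"{name}: peak {r['peak_bytes_per_s'] / 1e6:.1f} MB/s, "
              f"peak {r['peak_pps']:.0f} pps, alert_bytes={r['alert_bytes']}, "
              f"alert_packets={r['alert_packets']}, insights={r['insights'] or 'none'}")
```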

For more information about the metrics used to generate these insights, see View Monitoring metrics for Cloud VPN.

For general information, see Recommendations and Insights in the Recommender documentation.

To check for new recommendations and insights, see View recommendations and insights.

Pricing

For pricing information, see the Recommender pricing page. There are no additional costs for the VPN tunnel utilization feature.

Before you begin

Before you can view recommendations and insights, you must do the following:

  • If you have not already, enable the Recommender API.
  • Make sure that you have one of the required roles for viewing VPN utilization recommendations:

    • Cloud VPN Recommender Admin (roles/recommender.vpnAdmin)
    • Cloud VPN Recommender Viewer (roles/recommender.vpnViewer)

    For more information about roles, see Understanding roles.

View recommendations and insights

This section describes how to check for VPN overutilization by using the Google Cloud console, the Google Cloud CLI, or the API to view recommendations and insights.

For more information about using the Google Cloud console, see Getting started with Recommendation Hub.

For more information about using the gcloud CLI or the API, see Using the API - Recommendations and Using the API - Insights.

Console

  1. In the Google Cloud console, go to the Recommendation Hub.


  2. Check the Recommendation Hub dashboard for the Optimize Cloud VPN configuration recommendation.

    • If you do not see the recommendation, then there are no VPN tunnels approaching overutilization, and the rest of this procedure does not apply.
    • If you see the recommendation, click View all at the bottom of the recommendation to open the recommendations list. Each recommendation in the list corresponds to an overutilized VPN tunnel.
  3. Click a recommendation from the list to open the recommendation details page. The details page includes the following sections:

    • Insight: Displays the insights that caused the recommendation. Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.
    • Recommendation: Provides a link to the VPN page of the Google Cloud console, where you can create an additional VPN tunnel to share the load of the overutilized tunnel.
  4. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Add a VPN tunnel.

gcloud

  1. To list all VPN tunnel recommendations, run the following command:

    gcloud recommender recommendations list \
        --project=PROJECT_ID \
        --location=LOCATION \
        --recommender=google.compute.vpnTunnel.Recommender
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    If the command does not return any recommendations, then currently there are no VPN tunnels approaching overutilization, and there are no insights.

  2. To list all VPN tunnel insights, run the following command:

    gcloud recommender insights list \
        --project=PROJECT_ID \
        --location=LOCATION \
        --insight-type=google.compute.vpnTunnel.UtilizationInsight
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.

  3. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Add a VPN tunnel.

API

  1. Call the recommendations.list method:

    GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.compute.vpnTunnel.Recommender/recommendations
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    If the API call does not return any recommendations, then currently there are no VPN tunnels approaching overutilization, and there are no insights.

  2. Call the insights.list method:

    GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.compute.vpnTunnel.UtilizationInsight/insights
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.

  3. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Add a VPN tunnel.

What's next

  • To find more information about monitoring, see Cloud Monitoring.
  • To find more information about collecting logs and configuring sinks for Cloud VPN, see Cloud Logging.
  • To calculate network throughput within Google Cloud and to your on-premises or third-party cloud locations, see Calculate network throughput.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.