Learn About Network Monitoring, Observability, and Management
Use the OCI Command Center and the available tools to monitor and observe your network. Set up notifications and alarms so that you can act proactively when issues occur.
Use the OCI Network Command Center Tools
The OCI Network Command Center offers the following observability tools to support various operations use cases:
- Network Visualizer: Offers intuitive topology visualization to understand connections and relationships between your virtual network resources, inspect the configuration from one place, and visually troubleshoot any configuration issues.
- Network Path Analyzer: Allows you to troubleshoot complex virtual network configurations when you have reachability problems. It provides automated configuration analysis to determine the network path the traffic takes, identify routing and security configuration issues, and provide configuration information along the path.
- Inter-Region Latency: Provides real-time and historical latency information between OCI regions.
- VCN Flow Logs: Offers network traffic telemetry critical to support your security and network operations use cases. You can gain extensive insights on the network traffic, stream the flow logs to your chosen tool using standard protocols such as Kafka, and archive the flow logs in OCI Object Storage for compliance purposes.
- Virtual Test Access Point (VTAP): Offers traffic mirroring capabilities that enable full packet capture for security analysis, troubleshooting applications, or network performance issues. VTAP is also useful for troubleshooting complex network problems by analyzing the packet contents and headers.
Oracle recommends the following:
- Review the OCI documentation and the videos linked in the Explore More section to become familiar with the Network Command Center tools and their capabilities and limitations.
- Try out the Network Visualizer, Network Path Analyzer, Inter-Region Latency, and VCN Flow Logs as they are non-intrusive tools.
- For VTAP, read through the documentation and blogs to learn how to use VTAP and try it out in your environment.
Tip:
Pin the Network Command Center and relevant tools to your OCI Console Home page for quick and easy access.
Set Up Notifications for Key Network Changes
The following are examples of key or critical OCI network components that you may want to set up notifications on:
- Security List or Network Security Groups
- Dynamic Routing Gateway (DRG)
- Network Firewall
- Route Table
- Virtual Cloud Network (VCN) or Subnet
More components are available with the Events service. You can set up notifications anytime these resources are created, deleted, or updated.
Oracle recommends the following:
- Identify the key and critical network resources that you want to be proactively notified about when changes are made. For example, a specific security list applied to a particular public subnet is important and you want to know when someone adds, updates, or deletes a rule in that security list. Another example could be identifying network components in a production compartment.
- Review the OCI documentation and blogs to understand how the OCI Audit, Events, and Notification services work.
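A local check for the security-list example above, as an added example that is not from Oracle's documentation: it builds an Events rule condition for changes to one security list and runs it against constructed event envelopes to confirm which ones would trigger a notification. The OCID is a placeholder, and `matches` is a simplified model of rule filtering (exact match, a list means any-of, no wildcards), not the Events service's implementation.

```python
import json

# Event types emitted by OCI Networking for security list changes.
# Adding, editing or removing a rule is an update of the security list.
SECLIST_EVENTS = [
    "com.oraclecloud.virtualnetwork.updatesecuritylist",
    "com.oraclecloud.virtualnetwork.deletesecuritylist",
    "com.oraclecloud.virtualnetwork.changesecuritylistcompartment",
]
# Placeholder OCID (constructed); substitute the security list you care about.
WATCHED_SECLIST = "ocid1.securitylist.oc1..exampleuniqueID"

def build_condition(event_types, resource_id):
    """Return the rule condition as the JSON string an Events rule stores."""
    return json.dumps({"eventType": event_types, "data": {"resourceId": resource_id}})

def matches(condition, event):
    """Simplified local model: every key in the condition must match the event;
    a list means 'any of'; nested dicts are matched recursively."""
    for key, want in condition.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif isinstance(want, list):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def alerts(condition_json, events):
    """Return the eventIDs the condition would forward to a notification topic."""
    cond = json.loads(condition_json)
    return [e["eventID"] for e in events if matches(cond, e)]

# Constructed sample envelopes (not captured from a tenancy).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
     "data": {"compartmentName": "prod", "resourceId": WATCHED_SECLIST}},
    {"eventID": "e2", "eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
     "data": {"compartmentName": "dev", "resourceId": "ocid1.securitylist.oc1..otherID"}},
    {"eventID": "e3", "eventType": "com.oraclecloud.virtualnetwork.createvcn",
     "data": {"compartmentName": "prod", "resourceId": "ocid1.vcn.oc1..exampleVcn"}},
    {"eventID": "e4", "eventType": "com.oraclecloud.virtualnetwork.deletesecuritylist",
     "data": {"compartmentName": "prod", "resourceId": WATCHED_SECLIST}},
]

if __name__ == "__main__":
    print(alerts(build_condition(SECLIST_EVENTS, WATCHED_SECLIST), SAMPLE_EVENTS))
```

Dropping the `data.resourceId` filter and matching on `data.compartmentName` instead covers the page's second case, all network components in a production compartment.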
Set Up Alarms for Key Network Metric Threshold Breaches
The following are some examples of notifications you can receive:
- When the state of a FastConnect or Site-to-Site Virtual Private Network (VPN) goes from up to down
- When FastConnect or Site-to-Site VPN traffic goes above or below a set threshold
- When the Border Gateway Protocol (BGP) state on FastConnect or Site-to-Site VPN goes from up to down
- When the number of unhealthy backends in a Flexible Load Balancer backend set reaches a set threshold
Tip:
You can create an alarm on any metric that you see inside the OCI Console. On the metric graph, just click the options drop-down list and select Create an alarm on this query.
Oracle recommends the following:
- Identify the key or critical metrics and associated thresholds that you want to be notified on
- Familiarize yourself with the OCI documentation for the relevant OCI services such as OCI Monitoring and Notifications.
Enable VCN Flow Logs for Each Subnet
VCN flow logs show details about traffic that is sourced from or destined for your VCN. VCN flow logs are not enabled by default when a subnet is created.
Enabling VCN flow logs on all subnets will help you later with auditing traffic and troubleshooting your VCN and security lists.
Oracle recommends the following:
- Enable VCN flow logs for each subnet after you create the subnet
- Consider creating a separate log group just for VCN flow logs
- VCN flow logs should be one piece of an overall OCI logging architecture and design
Tip:
There is a cost for OCI logging storage above a certain threshold. Make sure you understand your OCI logging needs and budget. If you want to limit usage, consider enabling VCN Flow Logs only on a temporary, as-needed basis for troubleshooting.