AWS for SAP

End-to-End Observability for SAP on AWS: Part-3 Amazon CloudWatch Internet Monitor for SAP

Amazon CloudWatch Internet Monitor for SAP applications provides real-time insights into internet connectivity, helping enterprises troubleshoot issues and optimize network performance.

Introduction

This is part 3 of a blog series for End-to-End SAP Observability on AWS.
Earlier blog posts in this series have explored the importance of observability for SAP systems hosted on AWS.

Part 1 introduced SAP’s three-tier architecture and showed how AWS services like Amazon CloudWatch Application Insights, CloudWatch RUM, and AWS Network Manager support proactive monitoring, faster troubleshooting, and capacity planning.

Part 2 focused on SAP network latency monitoring, highlighting tools such as AWS Network Manager and NIPING, along with solutions like Global Accelerator and CloudFront for global connectivity.

Building on these foundations, this blog focuses on ensuring reliable Internet connectivity for SAP applications accessed remotely, addressing challenges introduced by hybrid work environments. It highlights strategies to monitor and optimize network performance to maintain the reliability and efficiency of SAP systems on AWS.

Historically, SAP applications were accessed over corporate networks. However, 58% of enterprises now enable users to access SAP applications like Fiori via the Internet from remote offices, mobile devices, and hybrid work environments, shifting away from corporate network-only access. This shift introduces new challenges in ensuring reliable network connectivity. Network connectivity directly affects the performance and reliability of SAP applications, requiring continuous monitoring and optimization.

AWS addresses these challenges with Amazon CloudWatch Internet Monitor. For SAP applications, monitoring and managing network connectivity is important for maintaining system availability and ensuring responsive user experiences. As illustrated in Figure 1 below, major internet outages and their effects on SAP client locations can be visualized with the Internet Monitor dashboard.

Figure 1: Internet Weather Map – This map displays major internet outages and their impact on client locations.

Understanding Amazon CloudWatch Internet Monitor

Amazon CloudWatch Internet Monitor is an extension of the existing Amazon CloudWatch service, which is used for monitoring AWS resources and applications. CloudWatch Internet Monitor focuses specifically on monitoring the internet connectivity of AWS resources and helps users visualize network performance between their AWS environment and the internet. It enables businesses to measure network latency and packet loss, helping them identify any issues impacting the accessibility and responsiveness of their applications and services.

The primary components of Amazon CloudWatch Internet Monitor include:

Monitor: A monitor comprises the resources for a single application, letting you view internet performance and receive health alerts for it. It includes defined locations (cities) and monitored resources such as Amazon Virtual Private Clouds (VPCs), Network Load Balancers, Amazon WorkSpaces directories, and Amazon CloudFront distributions. These resources establish the scope for monitoring and publishing internet performance measurements.

Figure 2: CloudWatch Internet Monitor Overview – An overview of the Amazon CloudWatch Internet Monitor interface showing health events, metrics, and configuration options.

Metrics: Amazon CloudWatch Internet Monitor generates aggregated metrics for CloudWatch, including performance, availability, round-trip time, and throughput. These metrics, visible in CloudWatch Metrics under custom namespace “AWS/InternetMonitor”, cover global traffic to your application and each AWS Region.

Internet measurements: Amazon CloudWatch Internet Monitor publishes measurements into CloudWatch Logs every five minutes. The measurements cover the top 500 city-networks in your account and include performance score, availability score, bytes transferred, and round-trip time for specific VPCs, Load Balancers, CloudFront distributions, or WorkSpaces directories. Optionally, data can be stored on Amazon S3. An example of these measurements is shown in Figure 3.

Figure 3: Internet Measurements Graph – A graph illustrating internet performance metrics such as latency, packet loss, and throughput over a specified period.

Health event: Amazon CloudWatch Internet Monitor generates health events to alert you to problems affecting your application, such as increased network latency worldwide. Using historical data across AWS’s global infrastructure, it calculates impacts and creates events based on preset thresholds. Health events detail impacted city-networks and can be viewed in CloudWatch or via AWS SDK/CLI.

Performance and availability scores: Performance and availability scores in Amazon CloudWatch Internet Monitor represent the estimated percentage of traffic unaffected by performance or availability drops. These scores are calculated based on analyzed data compared to estimated baselines. For instance, a performance score of 99% indicates that only 1% of traffic is experiencing a performance drop. Availability scores similarly reflect uninterrupted service for the specified traffic. An example of this is shown in Figure 2.

Round-trip time (RTT): RTT measures the time it takes for a client request to receive a response. Aggregated across client locations, it is weighted by the traffic volume from each location. An example of this is shown in Figure 4.

Figure 4: Round-Trip Time (RTT) Graph – A graph showing the round-trip time for client requests across different percentiles (P95, P90, P50) over time.

Why Does Amazon CloudWatch Internet Monitor Matter for SAP?

SAP applications are mission-critical and depend on reliable network connectivity. CloudWatch Internet Monitor enables SAP teams to detect, troubleshoot, and improve connectivity, minimizing downtime for end users.

Amazon CloudWatch Internet Monitor offers the following key features and benefits:

  1. Visibility: Real-time monitoring of internet connectivity to promptly identify and address network issues, reducing SAP system downtime.
  2. Troubleshooting: Access to detailed flow logs accelerates root cause analysis for network performance problems affecting SAP workloads.
  3. Geographic Insights: Monitor connectivity from multiple regions, enabling proactive response to user-specific or location-based issues.
  4. Performance Optimization: Actionable metrics for latency, packet loss, and jitter allow manual adjustments to improve SAP application performance.
  5. Security: Detect suspicious traffic and unauthorized access to enhance SAP environment security.
  6. Scalability: Easily scale monitoring as SAP workloads grow, keeping performance consistent.
  7. AWS Integration: Seamlessly connect with CloudWatch Alarms and AWS Lambda for automated notifications and remediation.

Best Practices for Leveraging Amazon CloudWatch Internet Monitor for SAP

To maximize the benefits of Amazon CloudWatch Internet Monitor for your SAP environment, consider implementing these best practices:

  • Enable VPC Flow Logs: Capture detailed network traffic for all SAP interfaces (e.g., between SAP Fiori front-end and HANA back end). Use logs to identify congestion, misconfigurations, or unauthorized access, then fine-tune routing or security as needed.
  • Define Relevant Metrics: Set up CloudWatch metrics for key KPIs (latency, packet loss, throughput, availability). For example, monitor end-user to SAP system latency and set actionable thresholds to trigger alerts and rapid troubleshooting.
  • Set Up Alarms and Alerts: Create custom alarms for critical SAP traffic (such as packet loss >1% or latency >100ms). These alarms help teams quickly detect and resolve disruptions affecting SAP processes.
  • Utilize Dashboards: Build dashboards to visualize SAP network health and combine metrics like latency, packet loss, and throughput across your SAP components. Act quickly when spikes or outages are detected.
  • Regularly Review Logs: Periodically analyze CloudWatch Internet Monitor logs for trends and bottlenecks (e.g., regular latency spikes during peak SAP activity). Use findings to optimize bandwidth and load balancing.
  • Optimize Network Routes: Act on insights from logs and metrics by refining routes and bandwidth allocation. Consider solutions like AWS Direct Connect or Global Accelerator for persistent or global connectivity issues impacting SAP workloads.
  • Integrate with AWS Health Events: Link CloudWatch Internet Monitor with AWS Health to get proactive notifications on relevant AWS incidents or planned maintenance—allowing rerouting or safeguarding of SAP workloads ahead of time.

Getting Started with SAP monitoring

To leverage the capabilities of CloudWatch Internet Monitor, follow these steps to monitor your SAP application’s internet connectivity:

Step 1: SAP System running on AWS with internet connectivity

As a first step, ensure your SAP system on AWS has a public-facing endpoint for internet accessibility. Use the SAP Web Dispatcher as the entry point to route requests to application servers. Place the Web Dispatcher behind an Application Load Balancer (ALB) to distribute traffic for better performance and availability. Configure AWS Web Application Firewall (WAF) in front of the ALB to protect against common web exploits, such as SQL injection and XSS.

Step 2: Navigate to CloudWatch

Once you have logged in to the AWS account, navigate to the AWS Management Console. Search for “CloudWatch” in the AWS services search bar or find it under “Management & Governance” in the services menu.

Figure 5: AWS Management Console search results showing the CloudWatch service for monitoring resources and applications.

Step 3: Enable CloudWatch Internet Monitor

CloudWatch Internet Monitor is a feature of Amazon CloudWatch, and it is enabled by default in all AWS regions. You don’t need to take any specific action to enable it. However, to make the most of the Internet Monitor, you should have VPC Flow Logs enabled for the VPCs you want to monitor.

Step 4: Enable VPC Flow Logs (Optional but Recommended)

To get detailed insights into internet traffic between your AWS resources and the internet, enable VPC Flow Logs. These logs capture information about the IP traffic going to and from network interfaces in your VPC. This data is crucial for monitoring and analyzing internet traffic patterns.

To enable VPC Flow Logs:

  • Go to the AWS Management Console and navigate to the “VPC” service.
  • Select “Your VPCs” from the left navigation pane.
  • Choose the VPC you want to monitor and click on the “Actions” button.
  • Select “Create Flow Log” from the dropdown menu.

Figure 6: AWS VPC dashboard showing the process to create a flow log for a selected VPC using the Actions menu.

  • Configure the Flow Log settings, including the log destination (CloudWatch Logs), IAM role, and filter if needed. Make sure to choose the appropriate traffic types you want to log.

Figure 7: AWS VPC console displaying existing flow logs and the option to create a new flow log for the selected VPC.

Here are some common traffic types you should consider logging for a typical SAP environment:

  • SAP Application Traffic: Log traffic between Fiori/GUI clients and backend SAP servers to monitor latency, packet loss, and user disruptions.
  • Database Traffic: Log between SAP app servers and HANA or other databases to catch issues affecting real-time transactions.
  • Integration Traffic: Monitor flows between SAP PI/PO and external or third-party systems to troubleshoot failed integrations.
  • External Access: Log incoming connections to SAP over the internet (Fiori, VPN) to spot performance, security, or unauthorized access issues.
  • Security Group Traffic: Log between SAP web/database servers to detect misconfigurations or unauthorized access.
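The check behind the External Access and Security Group Traffic items above, as an added example that is not part of the original post: it parses flow log records in the default version 2 format and reports sources outside the VPC that were repeatedly rejected on SAP backend ports, or accepted to them. The port map (instance number 00), the VPC CIDR 10.0.0.0/16, the reject threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Default VPC Flow Logs record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: SAP instance number 00; adjust the ports to your landscape.
BACKEND_PORTS = {3200: "SAP dispatcher", 3300: "SAP gateway",
                 30013: "HANA SQL (system DB)", 30015: "HANA SQL"}

# Constructed sample records using documentation IP ranges, not real traffic.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 50112 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.20 41000 30015 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.20 41001 30015 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.21 41002 3200 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.2.20 52000 30015 6 40 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 33000 30015 6 90 50000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def findings(text, vpc_cidr="10.0.0.0/16", reject_threshold=2):
    """Return (sources with repeated rejects, accepted flows from outside the VPC)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects, exposed = Counter(), set()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or int(rec["dstport"]) not in BACKEND_PORTS:
            continue  # only flows aimed at SAP backend ports are of interest
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue  # expected traffic between SAP tiers inside the VPC
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1  # blocked attempt from outside
        elif rec["action"] == "ACCEPT":
            # A backend port reachable from outside points at a security group gap.
            exposed.add((rec["srcaddr"], rec["dstaddr"], int(rec["dstport"])))
    probing = {ip: n for ip, n in rejects.items() if n >= reject_threshold}
    return probing, sorted(exposed)

if __name__ == "__main__":
    probing, exposed = findings(SAMPLE)
    print("repeated rejects on backend ports:", probing)
    print("accepted from outside the VPC:", exposed)
```

Accepted flows from outside the VPC to a database or dispatcher port are the ones to review first, since they indicate a security group or routing rule wider than intended.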

Step 5: Access CloudWatch Internet Monitor

To access CloudWatch Internet Monitor, follow these steps:

  • In the AWS Management Console, click on “CloudWatch” in the “Management & Governance” section.
  • In the CloudWatch dashboard, navigate to the “Network Monitoring” section in the left pane.
  • Click on “Internet Monitors.”

Figure 8: CloudWatch Dashboard – A screenshot of the Amazon CloudWatch dashboard highlighting the Internet Monitor section with other metrics and alarms.

Step 6: Explore Internet Monitor Metrics

In the Internet Monitor dashboard, you will find metrics related to your AWS resources’ internet connectivity and performance. These metrics can include data related to internet gateways, VPC endpoints, NAT gateways, and more.

Step 7: Create CloudWatch Internet Monitor Dashboards

Once you are in the CloudWatch console, you can create custom dashboards to visualize your SAP application’s internet connectivity and performance metrics.

To create a custom dashboard:

  • Click on “Dashboards” in the CloudWatch navigation pane.
  • Choose “Create Dashboard.”
  • Give your dashboard a name and click “Create Dashboard.”
  • Add widgets to your dashboard to display relevant metrics. You can include metrics related to VPC Flow Logs, internet gateways, endpoints, and other network-related parameters.

Figure 9: Create Custom Dashboard – Steps to create a custom dashboard in Amazon CloudWatch to visualize specific metrics and data points for SAP applications.

Example Dashboards:

  • Fiori App Performance: Monitor latency and packet loss affecting Fiori apps. Example: Visualize latency between Fiori servers and backends to detect slowdowns.
  • SAP HANA Database Servers Connectivity: Monitor internet connectivity to SAP HANA Database Servers. Example: Track packet loss between application servers and HANA for performance issues.
  • External Integrations: Monitor SAP PI/PO connectivity. Example: Visualize traffic between SAP and external systems (CRM) to ensure smooth integration.

Step 8: Set Up Alarms and Alerting

Configure CloudWatch alarms to quickly detect and address SAP performance issues. Set thresholds for key metrics such as network latency (200ms), packet loss (1%), integration availability (99%), TCP connection time (500ms), backend throughput (50 Mbps), HTTP response time (3 seconds), and backend errors (over 5 per minute). When thresholds are breached, CloudWatch can send notifications or trigger automated responses.

To create an alarm:

  • In CloudWatch, select “Alarms,” then “Create Alarm.”
  • Choose a metric, set conditions, and define actions.
  • Activate the alarm to begin monitoring.

Figure 10: Set Up Alarms and Alerting – Instructions for setting up custom alarms and alert thresholds based on specific SAP application requirements in Amazon CloudWatch.

Example Alarms:

  • Network Latency: Alert if latency exceeds a threshold (e.g., 200ms). Example: Notify if Fiori app latency goes above 200ms.
  • SAP HANA Database Servers Packet Loss: Alarm if packet loss exceeds a set percentage. Example: Trigger an alert if packet loss > 1% between SAP servers and HANA.
  • Integration Failures: Alert for disruptions in SAP PI/PO. Example: Notify if integration traffic drops, signaling sync issues.

Step 9: Monitor and Optimize

To ensure the long-term performance and availability of SAP applications, teams should incorporate the dashboards and alerts generated by Internet Monitor into their organization’s overall operational health review processes. This includes:

  • Embedding Dashboards in Operational Reviews
  • Defining Ownership and SLAs
  • Trend Analysis for Continuous Improvement
  • Automation and Escalation
  • Simulating and Testing Responses

By operationalizing CloudWatch Internet Monitor insights, organizations can shift from reactive troubleshooting to proactive network governance, reducing downtime and supporting SAP workloads more effectively.

Pricing for SAP Monitoring

CloudWatch Internet Monitor offers a cost-effective, pay-as-you-go pricing model, allowing you to monitor your SAP infrastructure based on actual usage. The pricing is split into two main components:

  1. Monitored SAP Resources
    This is based on the number of SAP resources such as application servers, databases, and other key components. You incur a charge per hour for each resource.
  2. Per City-Network Fee
    The per city-network fee depends on the number of city-networks monitored. The first 100 city-networks are included in the base price, with additional city-networks billed separately.
  3. CloudWatch Logs and Metrics Charges
    As part of the monitoring service, diagnostic logs are published to CloudWatch Logs for your top city-networks by traffic volume (up to 500 city-networks). You will incur CloudWatch Logs charges for these logs, based on your usage.

For more details about CloudWatch Internet Monitor pricing, refer to:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.pricing.html

What’s Next:

Users interested in learning more about utilizing Internet Monitor for SAP applications and related scenarios can explore the following resources:

Conclusion:

Amazon CloudWatch Internet Monitor equips SAP teams with near real-time visibility into internet connectivity and performance, allowing organizations to proactively resolve network issues and maintain optimal operation of SAP workloads on AWS.