AWS Cloud Operations Blog

Cross-Region AWS PrivateLink monitoring with Amazon CloudWatch Network Synthetic Monitor

Introduction

Global, distributed AWS architectures are the backbone for customers seeking high availability, resilience, and regulatory compliance. Workloads are commonly deployed across multiple AWS Regions and Availability Zones (AZs), often using AWS PrivateLink to connect services securely and privately across Amazon Virtual Private Cloud (Amazon VPC) networks. This approach enhances security and separation while requiring additional monitoring capabilities to maintain comprehensive observability.

To detect subtle, path-specific “grey failures” in your distributed architecture, you need Amazon CloudWatch Network Synthetic Monitor, which runs end-to-end probes against your actual VPC paths, PrivateLink endpoints, and service ports. You may need this level of targeted monitoring to detect packet loss or latency on a critical path.

To complement Network Synthetic Monitor’s path-specific testing, AWS Network Manager Infrastructure Performance publishes latency and availability measurements across Regions, AZs, and AWS Direct Connect edges. This backbone-level telemetry is valuable for understanding broader AWS network conditions, such as elevated latency between two Regions. In addition, you can monitor AWS Health events for notifications about service availability and account-specific impacts that may affect your resources.

Network Synthetic Monitor deploys AWS-managed probe infrastructure directly within your VPC subnets, enabling it to monitor any network reachable using a Private IP address, including PrivateLink endpoints, cross-VPC links, and multi-AZ or multi-Region paths. Network Synthetic Monitor itself leverages PrivateLink internally to securely connect monitoring infrastructure without traversing the internet. This native integration helps Network Synthetic Monitor deliver accurate, real-time metrics on network latency, packet loss, and health across distributed AWS architectures.

With Network Synthetic Monitor, customers gain enhanced network observability for both hybrid and internal AWS workload connectivity scenarios to help detect and diagnose network degradations affecting their critical workloads, with network-level health indicators such as packet loss and round-trip time (RTT) combined with dashboards and minimal maintenance overhead.

Solution overview

Figure 1 – Cross-Region PrivateLink-enabled service with Network Synthetic Monitor

The solution architecture diagram illustrates the end-to-end monitoring approach for PrivateLink-enabled cross-Region network paths using Network Synthetic Monitor. A service provider in the us-east-1 Region exposes services through PrivateLink behind a Network Load Balancer. The service consumer in the us-west-2 Region connects via a VPC Endpoint with a private IP address. Network Synthetic Monitor probes deployed in the consumer VPC target this endpoint IP. These probes traverse the AWS backbone infrastructure between Regions, delivering RTT and packet loss metrics for the exact path your application uses.

Network Synthetic Monitor probes must be configured with TCP because PrivateLink endpoints do not forward ICMP (ping) traffic; an ICMP probe against an endpoint would report loss regardless of the service's real health. The probes travel through the AWS backbone infrastructure, inter-AZ or inter-Region as required, giving you RTT and packet loss data relevant to your application path.

Prerequisites

Before getting started, you’ll need:

An active AWS account with the IAM permissions needed to create and manage the services used in this walkthrough (Amazon VPC, PrivateLink, a Network Load Balancer, and CloudWatch Network Synthetic Monitor)

At least two VPCs (ideally in different AWS Regions) where you can deploy the provider and consumer resources

Basic familiarity with AWS networking concepts, particularly VPC and PrivateLink.

For detailed permission requirements, see the CloudWatch Network Synthetic Monitor documentation.

Monitoring PrivateLink endpoint across Regions

1. Set up your PrivateLink connection

Figure 2 – VPC Endpoint service in us-east-1 with Network Load Balancer

  • In the service consumer VPC (e.g., in us-west-2), configure a VPC Interface Endpoint targeting the provider’s endpoint service.
  • Confirm the endpoint’s ENI(s) are provisioned in your desired subnet(s).

Figure 3 – VPC Interface Endpoint in us-west-2 connected to VPC Endpoint service in us-east-1

2. Locate the PrivateLink endpoint IP address

  • Find the interface endpoint ENI in your consumer VPC/subnet. Note the private IP. It will be the monitoring target.

3. Create a Network Synthetic Monitor

  • In the CloudWatch console, go to Network Synthetic Monitor and select Create monitor. Enter a name for your monitor.
  • Under Advanced Settings, choose your probe interval.

Figure 4 – Create Network Synthetic Monitor

  • Choose the source subnets from which you want probes to run. For cross-Region monitoring, choose subnets in the desired observer Region (the consumer VPC in this example).
  • Set the destination to the PrivateLink endpoint IP noted in step 2.
  • Protocol: select TCP.
  • Port: Set this to the port exposed by your service via the NLB/PrivateLink (e.g., 443 for HTTPS, 80 for HTTP, or your custom port).

Figure 5 – Create Network Synthetic Monitor, probe configuration

  • Choose your packet size.
  • Review settings and create your monitor.

4. Visualize and Alert

Figure 6 – Network Synthetic Monitor dashboard
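The console steps in 3 and 4 above can be reproduced programmatically, and doing so lets you reject a probe definition that the console would accept but that can never produce useful data (for example an ICMP probe against a PrivateLink endpoint, or a destination that is not the endpoint ENI's private IP inside the consumer VPC). The following is an added example, not code from the blog post or from AWS. It builds the request dictionaries for the networkmonitor `create_monitor` call and a CloudWatch `put_metric_alarm` on packet loss; the parameter names, the `AWS/NetworkMonitor` namespace, the `PacketLoss` metric name and the packet-size bounds are the author's assumptions about those APIs and should be checked against the boto3 documentation. The subnet ARN, VPC CIDR and endpoint IP are constructed sample values. No AWS call is made, so it runs offline.

```python
"""Pre-flight checks and request builders for a Network Synthetic Monitor probe
that targets a PrivateLink interface endpoint (added example, not AWS code).

API parameter names, metric namespace/name and packet-size limits below are
assumptions about the networkmonitor and CloudWatch APIs; verify before use.
"""
import ipaddress

# Packet-size bounds accepted by the service (assumption; check the docs).
MIN_PACKET_SIZE, MAX_PACKET_SIZE = 56, 8500


def check_probe(destination_ip, consumer_vpc_cidr, protocol, port, packet_size):
    """Return a list of problems with a probe definition (empty list = OK).

    The decisive check is the protocol: PrivateLink interface endpoints do not
    forward ICMP, so an ICMP probe against an endpoint ENI reports loss no
    matter how healthy the service is. The destination must also be a private
    address inside the consumer VPC, i.e. the endpoint ENI's IP, not the
    provider-side NLB address, which is unreachable from the consumer.
    """
    problems = []
    dest = ipaddress.ip_address(destination_ip)
    vpc = ipaddress.ip_network(consumer_vpc_cidr, strict=True)
    if protocol.upper() != "TCP":
        problems.append(f"protocol {protocol!r}: PrivateLink endpoints do not forward ICMP; use TCP")
    if not dest.is_private or dest not in vpc:
        problems.append(f"destination {destination_ip} is not an endpoint ENI address inside {consumer_vpc_cidr}")
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is out of range")
    if not MIN_PACKET_SIZE <= packet_size <= MAX_PACKET_SIZE:
        problems.append(f"packet size {packet_size} outside {MIN_PACKET_SIZE}-{MAX_PACKET_SIZE}")
    return problems


def build_create_monitor_request(monitor_name, source_subnet_arns, destination_ip,
                                 consumer_vpc_cidr, port, protocol="TCP",
                                 packet_size=56, aggregation_period=30):
    """Return kwargs for networkmonitor.create_monitor, one probe per source subnet."""
    problems = check_probe(destination_ip, consumer_vpc_cidr, protocol, port, packet_size)
    if problems:
        raise ValueError("; ".join(problems))
    probes = [
        {"sourceArn": arn, "destination": destination_ip, "destinationPort": port,
         "protocol": protocol.upper(), "packetSize": packet_size}
        for arn in source_subnet_arns
    ]
    return {"monitorName": monitor_name, "probes": probes,
            "aggregationPeriod": aggregation_period}


def build_packet_loss_alarm(monitor_name, threshold_percent=5.0, evaluation_periods=3):
    """Return kwargs for cloudwatch.put_metric_alarm on the monitor's packet loss.

    TreatMissingData is set to 'breaching' on purpose: if the probe stops
    reporting, that is itself a signal about the path (or the monitor) and
    should page rather than silently clear the alarm.
    """
    return {
        "AlarmName": f"{monitor_name}-packet-loss",
        "Namespace": "AWS/NetworkMonitor",        # assumption: verify namespace
        "MetricName": "PacketLoss",               # assumption: verify metric name
        "Dimensions": [{"Name": "Monitor", "Value": monitor_name}],
        "Statistic": "Average",
        "Period": 60,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": threshold_percent,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "breaching",
    }


if __name__ == "__main__":
    # Constructed sample values: a consumer subnet in us-west-2 and the
    # interface endpoint ENI's private IP inside the consumer VPC CIDR.
    subnet_arn = "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-0123456789abcdef0"
    req = build_create_monitor_request("privatelink-us-east-1-service", [subnet_arn],
                                       "10.20.1.45", "10.20.0.0/16", port=443)
    print(req)
    print(build_packet_loss_alarm(req["monitorName"]))
    # Misconfigured variant: ICMP against the endpoint is rejected up front.
    print(check_probe("10.20.1.45", "10.20.0.0/16", "ICMP", 443, 56))
```

Run it as-is to see the two request bodies and the rejection message for the ICMP variant; to actually create the monitor, pass the first dictionary to `boto3.client("networkmonitor").create_monitor(**req)` after confirming the parameter names in your boto3 version.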

Additional services for network monitoring

  • AWS Health: Provides visibility into account-specific and public events affecting AWS services.
  • Network Manager Infrastructure Performance: Provides backbone-level AWS-collected latency and availability data across Regions, Availability Zones, and Direct Connect locations.
  • Amazon CloudWatch Synthetics Canaries: Useful at the application layer to measure application (HTTP/API) availability and latency, not raw network metrics.
  • VPC Flow Logs: Retrospective log-based network forensic analysis, but not proactive for latency or loss.
  • Amazon VPC Network Flow Monitor: Provides near real-time visibility into network traffic patterns for active traffic. It does not proactively test connectivity or performance when there’s no active traffic.
  • Reachability Analyzer: Provides on-demand path and security check only, not continuous probing.

Clean up

To avoid charges, delete the Network Synthetic Monitor from the CloudWatch console. Delete the VPC Interface Endpoint in the consumer VPC and the VPC Endpoint Service in the provider VPC. Delete the Network Load Balancer and remove any CloudWatch Alarms you created for the monitor.

Conclusion

CloudWatch Network Synthetic Monitor enables customers to detect and troubleshoot cross-Region, cross-AZ, and PrivateLink path degradations within minutes of occurrence through continuous synthetic testing.

By using private, managed, agentless probes that directly observe your network conditions, you can automate response and monitoring, integrate with CloudWatch dashboards and alerts, and enhance visibility into your network paths.

Nilo Bustani

Nilo Bustani is a Senior Solutions Architect at AWS with 20+ years in application development, cloud architecture and engineering leadership. She specializes in helping customers build robust observability strategies and governance practices across hybrid and multi-cloud environments. She is dedicated to empowering organizations with the tools and practices needed to succeed in their cloud and AI transformation journey.

Luis Rodolfo Moreno Concha

Luis Rodolfo Moreno Concha is a Technical Account Manager at AWS, helping customers across diverse industry verticals in their cloud journey. Luis focuses on delivering tailored solutions that drive business outcomes while maintaining security and compliance standards. With an engineering background, he is passionate about emerging technologies and building long-term customer partnerships to accelerate innovation.

Rahul Popat

Rahul Popat is a Senior Solutions Architect at Amazon Web Services. He works with customers to help them leverage AWS to build scalable, fault-tolerant, high-performing, and cost-effective applications. He is passionate about serverless technologies and has a strong application development and architecture background.