Integrate Amazon CloudWatch with Tiger Cloud

Amazon CloudWatch is a monitoring and observability service designed to help collect, analyze, and act on data from applications, infrastructure, and services running in AWS and on-premises environments.

You can export telemetry data from your Tiger Cloud services with the time-series and analytics capability enabled to CloudWatch. See Exported metrics for the full list of default and additional metrics you can export.

This pages explains how to export telemetry data from your Tiger Cloud service into CloudWatch by creating a Tiger Cloud data exporter, then attaching it to the service. This integration is available for Scale and Enterprise pricing tiers.

Prerequisites

To follow the steps on this page:

• Create a target Tiger Cloud service with the Real-time analytics capability.

  You need your connection details.

• Sign up for Amazon CloudWatch.

Note

This feature is currently not supported for Tiger Cloud on Microsoft Azure.

Create a data exporter

A Tiger Cloud data exporter sends telemetry data from a Tiger Cloud service to a third-party monitoring tool. You create an exporter on the project level, in the same AWS region as your service:

1. In Tiger Console, open Exporters
2. Click New exporter
3. Select the data type and specify AWS CloudWatch for provider

   
4. Provide your AWS CloudWatch configuration

   • The AWS region must be the same for your Tiger Cloud exporter and AWS CloudWatch Log group.
   • The exporter name appears in Tiger Console, best practice is to make this name easily understandable.
   • For CloudWatch credentials, either use an existing CloudWatch Log group or create a new one. If you’re uncertain, use the default values. For more information, see Working with log groups and log streams.
5. Choose the authentication method to use for the exporter

   

   IAM role

   1. In AWS, navigate to IAM > Identity providers, then click Add provider.
   2. Update the new identity provider with your details:

      Set Provider URL to the region where you are creating your exporter.

      
   3. Click Add provider.
   4. In AWS, navigate to IAM > Roles, then click Create role.
   5. Add your identity provider as a Web identity role and click Next.

      
   6. Set the following permission and trust policies:

      • Permission policy:

        {
          "Version": "2012-10-17",
          "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "logs:PutLogEvents",
                     "logs:CreateLogGroup",
                     "logs:CreateLogStream",
                     "logs:DescribeLogStreams",
                     "logs:DescribeLogGroups",
                     "logs:PutRetentionPolicy",
                     "xray:PutTraceSegments",
                     "xray:PutTelemetryRecords",
                     "xray:GetSamplingRules",
                     "xray:GetSamplingTargets",
                     "xray:GetSamplingStatisticSummaries",
                     "ssm:GetParameters"
                 ],
                 "Resource": "*"
             }
         ]
        }

      • Role with a Trust Policy:

        {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "arn:aws:iam::12345678910:oidc-provider/irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com:aud": "sts.amazonaws.com"
                      }
                  }
              },
              {
                  "Sid": "Statement1",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::12345678910:role/my-exporter-role"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
        }

      1. Click Add role.

   CloudWatch credentials

   When you use CloudWatch credentials, you link an Identity and Access Management (IAM) user with access to CloudWatch only with your Tiger Cloud service:

   1. Retrieve the user information from IAM > Users in AWS console.

      If you do not have an AWS user with access restricted to CloudWatch only, create one. For more information, see Creating IAM users (console).

   2. Enter the credentials for the AWS IAM user.

      AWS keys give access to your AWS services. To keep your AWS account secure, restrict users to the minimum required permissions. Always store your keys in a safe location. To avoid this issue, use the IAM role authentication method.

6. Select the AWS Region your CloudWatch services run in
7. Optionally tick PostgreSQL metrics to export additional metrics, then click Create exporter

   See Exported metrics for the full list.

Manage a data exporter

This section shows you how to attach, edit, and delete a data exporter.

Attach a data exporter to a Tiger Cloud service

To send telemetry data to an external monitoring tool, you attach a data exporter to your Tiger Cloud service. You can attach only one exporter to a service.

To attach an exporter:

1. In Tiger Console, choose the service
2. Click Operations > Exporters
3. Select the exporter, then click Attach exporter
4. If you are attaching a first Logs data type exporter, restart the service

You can now monitor your service metrics.

Edit a data exporter

To update a data exporter:

1. In Tiger Console, open Exporters
2. Next to the exporter you want to edit, click the menu > Edit
3. Edit the exporter fields and save your changes

Delete a data exporter

To remove a data exporter that you no longer need:

1. Disconnect the data exporter from your Tiger Cloud service

   1. In Tiger Console, choose the service.
   2. Click Operations > Exporters.
   3. Click the trash can icon next to the exporter.
   4. Repeat for every service attached to the exporter you want to remove.

   The data exporter is now unattached from all services. However, it still exists in your project.

2. Delete the exporter on the project level

   1. In Tiger Console, open Exporters
   2. Next to the exporter you want to edit, click menu > Delete
   3. Confirm that you want to delete the data exporter.

Reference

When you create the IAM OIDC provider, the URL must match the region you create the exporter in. It must be one of the following:

Region	Zone	Location	URL
ap-southeast-1	Asia Pacific	Singapore	irsa-oidc-discovery-prod-ap-southeast-1.s3.ap-southeast-1.amazonaws.com
ap-southeast-2	Asia Pacific	Sydney	irsa-oidc-discovery-prod-ap-southeast-2.s3.ap-southeast-2.amazonaws.com
ap-northeast-1	Asia Pacific	Tokyo	irsa-oidc-discovery-prod-ap-northeast-1.s3.ap-northeast-1.amazonaws.com
ca-central-1	Canada	Central	irsa-oidc-discovery-prod-ca-central-1.s3.ca-central-1.amazonaws.com
eu-central-1	Europe	Frankfurt	irsa-oidc-discovery-prod-eu-central-1.s3.eu-central-1.amazonaws.com
eu-west-1	Europe	Ireland	irsa-oidc-discovery-prod-eu-west-1.s3.eu-west-1.amazonaws.com
eu-west-2	Europe	London	irsa-oidc-discovery-prod-eu-west-2.s3.eu-west-2.amazonaws.com
sa-east-1	South America	São Paulo	irsa-oidc-discovery-prod-sa-east-1.s3.sa-east-1.amazonaws.com
us-east-1	United States	North Virginia	irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com
us-east-2	United States	Ohio	irsa-oidc-discovery-prod-us-east-2.s3.us-east-2.amazonaws.com
us-west-2	United States	Oregon	irsa-oidc-discovery-prod-us-west-2.s3.us-west-2.amazonaws.com