The EC2 instances are accessible via bastion hosts. Been thinking about the options possible to monitor these non agent based clients.
Wonder how people monitor them using Icinga2?
Thanks
First, I have next to zero experience with any AWS service, but would generalize your question to “how to monitor a node which needs a jump/hop/bastion host to connect to”.
If the amount of hosts to be monitored is small, I would just create a VPN connection between those hosts and a monitoring node, e.g., with WireGuard. Afterwards, you have an authenticated encrypted overlay network to use any monitoring agent you like, may it be Icinga 2 or by_ssh or whatever.
This only scales to a certain degree. If you have a multitude of servers in one EC2 zone, you might create one distinct monitoring host there, connect this one to your main monitoring host via a VPN and use it to monitor the other nodes. Therefore all your EC2 hosts must be reachable from the EC2 monitoring host, maybe by putting them in a dedicated VLAN or however AWS brands this service.
For the future, it might be an option to patch ssh -J into check_by_ssh.
1 Like