Monitoring AWS EC2 instances

The EC2 instances are accessible via bastion hosts. I have been thinking about the possible options for monitoring these non-agent-based clients.

I wonder how people monitor them using Icinga 2?


First, I have next to zero experience with any AWS service, but I would generalize your question to “how to monitor a node which needs a jump/hop/bastion host to connect to”.

If the number of hosts to be monitored is small, I would just create a VPN connection between those hosts and a monitoring node, e.g., with WireGuard. Afterwards, you have an authenticated, encrypted overlay network on which you can use any monitoring agent you like, be it Icinga 2, by_ssh or whatever.

This only scales to a certain degree. If you have a multitude of servers in one EC2 zone, you might create one distinct monitoring host there, connect it to your main monitoring host via a VPN and use it to monitor the other nodes. For this, all your EC2 hosts must be reachable from the EC2 monitoring host, maybe by putting them in a dedicated VLAN or however AWS brands this service.

For the future, it might be an option to patch ssh -J into check_by_ssh.

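As an added example (not part of the reply above and not taken from Icinga's documentation), this is what the by_ssh route looks like in the Icinga 2 DSL when every check has to hop through a bastion. The ITL `by_ssh` CheckCommand hands each entry of `by_ssh_options` to ssh as `-o OPTION`, so a `ProxyJump` option routes check_by_ssh through the jump host without patching the plugin. All host names, addresses, the `icinga` login, the key path and the plugin paths are assumptions.

```icinga2
/* Added example, not from the thread: monitor EC2 instances behind a bastion
 * with the ITL "by_ssh" CheckCommand. Every name and address here is assumed. */

object Host "bastion.example.com" {
  import "generic-host"
  address = "203.0.113.10"      // public address of the jump host (assumed)
}

object Host "ec2-web-1" {
  import "generic-host"
  address = "10.0.1.21"         // private VPC address, only reachable via the bastion (assumed)
  vars.bastion = "bastion.example.com"

  // Commands to run on the instance; plugin paths are assumptions.
  vars.by_ssh_checks["disk"] = {
    command = "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /"
  }
  vars.by_ssh_checks["load"] = {
    command = "/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6"
  }
}

// One Service per entry in by_ssh_checks, e.g. "ssh-disk" and "ssh-load".
apply Service "ssh-" for (name => cfg in host.vars.by_ssh_checks) {
  import "generic-service"
  check_command = "by_ssh"

  vars.by_ssh_address  = host.address
  vars.by_ssh_logname  = "icinga"                                // unprivileged account on the instance (assumed)
  vars.by_ssh_identity = "/var/lib/icinga2/.ssh/id_ed25519"      // key of the icinga user on the monitoring node (assumed)
  vars.by_ssh_command  = cfg.command
  vars.by_ssh_timeout  = 30

  // check_by_ssh passes each element as "-o OPTION" to ssh. ProxyJump makes ssh
  // connect through the bastion first. StrictHostKeyChecking=yes stops the check
  // from silently accepting an unknown host key on either hop, so both the bastion
  // and the instance must already be in the icinga user's known_hosts.
  vars.by_ssh_options = [
    "ProxyJump=icinga@" + host.vars.bastion,
    "StrictHostKeyChecking=yes",
    "BatchMode=yes"
  ]

  assign where host.vars.bastion && host.vars.by_ssh_checks
}
```

The bastion only has to permit TCP forwarding for the `icinga` login, since ProxyJump uses a forwarded stdio channel rather than a shell on the jump host; the instance itself needs nothing beyond sshd, the `icinga` account and the plugins. Like the VPN approach, one ssh session per check and per instance stops scaling at some point, which is where the per-zone monitoring host from the reply above comes in.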