Monitoring script for VNS3 VPN tunnels
This repository contains the script vpn_monitor.py for monitoring VPN tunnels and store information about available tunnels status in DataDog. The script uses the API of the Cohesive Networks VNS3 VPN controller, as well as the Datadog API to send a custom metric to Datadog to create an alert if any VPN tunnel goes down.
To deploy, simply grab the latest release, upload the zip to Lambda and configure the environment variables, as described below.
- Navigate to Lambda in the same region as the VPN controller you are monitoring and create a function called
- Upload the zip file and configure the function inside the VPC and proper subnets
- Add a security group (no incoming rules are needed; outgoing should be open, which is the default) and a role
- Navigate to the security group of the VNS3 and allow incoming traffic over port 8000 from the Lambda function's security group (a nested security group)
- The function should trigger every minute
- HANDLER should be
DD_API_KEY: This variable is the Datadog API key, which is generated in in the Integrations section of Datadog. This links the Datadog metric to our customers’ Datadog accounts. You will find these keys in the
APIs section of your Datadog account.
DD_APP_KEY: The Datadog app key is required for custom metrics.
VPNENV: This variable is a Datadog tag applied to all tunnels being monitored by this Lambda function (whether that be on one controller or multiple controllers). For example, if the VPN controller is in pre-production, then
VPNENV can be equal to
preproduction. A second Lambda function should then be launched to monitor the production VPN controller. In this scenario,
VPNENV would be equal to
production. These tags will be used when configuring the Datadog monitors.
VPN_CONTROLLER1: This variable has some additional logic and parsing behind it. It defines the VPN controller(s) to monitor and must be entered with these three parameters, separated by single spaces:
VNS3_HOST=<privateIPAddress> VNS3_API_USER=api VNS3_API_PASSWD=<APIPassword>. In the variable,
CONTROLLER1 is a placeholder for any string. Remember that we are using the private IP here because the Lambda function is being launched within the VPC.
VPN_CONTROLLER2 (optional): The function can monitor multiple VPN controllers within a single VPC. For example, maybe you want to maintain separate VPN controllers for connecting to different customer/vendor networks. All you need to do is add a second (or third, fourth, etc.) variable to configure monitoring on your second VPN controller. You can replace
CONTROLLER2 with any string. Note that if you want to monitor both a production and pre-production controller, you should not use this variable; instead, create two separate Lambda functions and change the VPNENV accordingly. Remember that the value of each
VPN_ config environment variables is a space separated set of variables. THIS MUST BE PERFECT. No extra spaces or commas or anything. For example, the variable
VPN_1 will equal
VNS3_HOST=22.214.171.124 VNS3_API_USER=api VNS3_API_PASSWD=S0m3P4ssW0rd and a new variable,
VPN_2 can equal
VNS3_HOST=126.96.36.199 VNS3_API_USER=api99 VNS3_API_PASSWD=S0m3P4ssW0rd99
Once the configurations are complete, run a test to make sure there are no errors.
Navigate to your Datadog account and create a new monitor with the following configurations. You should create a separate monitor for each Lambda function where the
VPNENV variable is different:
- Define metric
Getshoud be set to
fromshould be set to
variableConfiguredAbovewill likely equal either preproduction or production, depending on the VPN controller you want to monitor)
- Configure a
Multi Alertwould create a ticket for each individual tunnel that goes down. This may be desirable depending on your use case. For the majority of use cases, if one tunnel goes down, all tunnels will be down. Thus, a single alert makes more sense)
Alert Conditions section will vary based on the your use case and organization's monitoring policies
Say What's Happening section will vary based on your use case and organization's monitoring policies
Building From Source
To install all requirements (before building a zip):
- Initialize venv:
pip install -t vendored -r requirements.txt