Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS Services Monitoring with Dynatrace


Hi, I am sure this question must have been asked before but I still have some doubts with my deployment scenario.

So we are using Dynatrace managed and it's deployed within our Corp Data centre with one Cluster Active gate, and 2 Environment Active gates. The requirement is to monitor AWS services.

From the documentation ( and other online resources I have drawn one architecture diagram but I am not sure if that is correct and if it is then how will it work.

Questions -

  1. I believe It will require a new Environment Active gate set up in AWS, but where exactly in AWS that will need to be deployed/installed?
  2. The documentation says it will fetch the required metrics from cloudwatch API and other resources but how? What is the configuration? What ports needs to be open from Environment AG to AWS resources?
  3. How will that data flow into my Dynatrace clusters? Will it be via Cluster AG? Should that Cluster AG needs to be internet exposed?
  4. We already have 2 Environment Active Gates available in our managed deployment. Is it not possible to use them to connect to AWS and fetch the data? Is it mandatory that the Env Active Gate needs to be installed on AWS?

Please if someone can have a look into the attached diagram and guide me in the right direction that will be really useful.


Best Regards,



Not applicable

For AWS you have two options, it depends on how you Auth to AWS.

* If you use it via Role. You need an additional AG in AWS since it use IAM Roles.

* If you do it via secret the AG needs to have an internet connection. it doesn't need to be publicly exposed, connecting via proxy is fine.

For your questions:

1) Only if you use a Role connection model you need to deploy it to AWS.

2) it needs to reach * I think is 80/443. This is on the AWS side. You can even use a Proxy for AWS:

3) only for Role-based AG monitoring.

4) The idea of having a Cluster AG is having it at the DMZ and handle external traffic coming to the cluster.

Read this like External traffic that is not initiated by any local network component of dynatrace. Ex: External Users data from RUM applications. External OneAgents... so this covers when the connection is reaching the Cluster and starts from outside the local network. Inside the local network, it reaches the Cluster/EnvAG.

The connection model is AG make the request to aws endpoint, pulls data from AWS. You don't need to open ports from your side. AG does a request and downloads the data to the cluster.


Hi @Dante P. thank you for your detailed response. That explains a lot and clear lot of my confusions. I have one more query So the Clusters AG's are not designed to make a connection/integration to AWS. We need to have environment Active Gate right?

So as i mentioned before my current architecture consist of x1 CAG and x2 EAG. And we are building a new CAG which will be exposed to internet for RUM. I've attached another diagram for better view.

Is it possible to one of the existing EAG for AWS integration? We can certainly use Proxy to connect to it. In that case how will be the flow?

Will it be like EAG will pull the metrics from AWS and send it to CAG or will it send directly to the managed clusters

Not applicable

The Cluster AG can do the connection to AWS, in fact in CAG the AWS module is enabled by default:

Environment ActiveGate: false;
Cluster ActiveGate: true

Remember that CAG is assumed that is a public endpoint. To be honest i had never use it, in fact i think the last time i worked with a managed installation i disable the AWS integration in the cluster AG and use only the Env. AG. for better control


And you can connect via proxy in a Enviroment AG (I did never tested a proxy conf with a CAG)

Yes, EnvAG1/2 can connect via proxy. They will pull the info and send it to the cluster using the index priority:

Index 1—Embedded ActiveGates

Index 2—Cluster ActiveGates

Additionally, I have never tested with 2 Cluster AG one in the local network and one external/dmz with public endpoint... I would talk to support about that really.

Also I would recommend checking it shows managed deployment scenarios supported/recommended by Dynatrace.

Hi @Dante P. Again thank you for the detailed explanation. I think you have cleared so many doubts.

So i had a chat with Dynatrace people as well and they are like Cluster AG's are not designed to do the integrations so you have to use Environment AG's

So I've decided to use one of my existing Environment AG's for the start to monitor AWS. Will configure proxy sometime next week and then give it a go to see how it works.

I believe the flow will be AWS Cloudwatch <----- Env AG -----> Cluster AG -----> Managed Clusters.

And they also said having multiple Cluster CAG's are fine and we have no other option because the existing CAG is designed internally so we won't be able to use RUM unless we set up another one public facing.

Thank you again for all the help. I will let you know if i face any issues and I am sure you will be glad to help. 🙂

I've also attached a new design which I am going to follow. hopefully it works.

Not applicable


As I said before docs said that the AWS integration is True by default in Cluster AG, but I never really try to use it and change it to false just to be safe and set control of the enviroment, so awesome if support said that 🙂 hope it goes well. And ask away, no problem!

Featured Posts