How do I troubleshoot Network Manager registration and events monitoring issues?

4 minute read

I am unable to register my transit gateway to the global network and monitor the global network with Amazon CloudWatch Events. How do I troubleshoot this?

Resolution

To troubleshoot AWS Network Manager registration and events monitoring issues, do the following:

Check your global network configuration and transit gateway registration

First, be sure you already created a global network. To create a global network as an AWS Identity and Access Management (IAM) user, you must have the service-linked role (SLR) named AWSServiceRoleForNetworkManager. For more information, see AWS Network Manager service-linked roles. For instructions on creating service-linked role, see Using service-linked roles.

Then, confirm that you registered the transit gateway with your global network using the Network Manager console or the AWS Command Line Interface (AWS CLI). If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Note: You must specify the US West (Oregon) Region if you're using AWS CLI or AWS SDK.

If the transit gateway isn't located in the same AWS account as the global account, then confirm the following:

The transit gateway and global accounts are part of the same AWS Organization. For more information, see Manage multiple accounts in Network Manager with AWS Organizations.
Trusted access is turned on to deploy the required SLRs and custom IAM roles to the transit gateway account. Trusted access is required for the management account or delegated administrator account to assume these roles.
Multi-account access is turned on. It's a best practice to turn on multi-account access using the Network Manager console. The Network Manager console automatically creates all required roles and permissions for trusted access and allows for registering delegated administrators.

Check your Amazon CloudWatch Log Insights configuration

Confirm that you have onboarded with CloudWatch Logs Insights. To confirm that you have onboarded with CloudWatch Logs Insights, run the following command:

aws logs describe-resource-policies --region us-west-2

Then, verify a CloudWatch resource policy with the name DO_NOT_DELETE_networkmanager_TrustEventsToStoreLogEvents is created in the US West (Oregon) Region. The following resources must also be present:

A CloudWatch Event rule with the name DO_NOT_DELETE_networkmanager_rule in the US West (Oregon) Region.
A CloudWatch Logs log group with the name /aws/events/networkmanagerloggroup in the US West (Oregon) Region
The CloudWatch Event rule is configured with the CloudWatch Logs log group as a target.

If you're unable to onboard to CloudWatch Logs Insights, check that the IAM user or role has the following permissions to perform this action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:DescribeRule",
                "logs:PutResourcePolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeResourcePolicies",
                "events:PutRule",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        }
    ]
}

Note: You must specify the US West (Oregon) Region if you're using AWS CLI or AWS SDK.

For adding or modifying role permissions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).

Check your CloudWatch Events monitoring configuration

First, be sure that you have created a global network and onboarded with CloudWatch Logs Insights.

Note: Monitoring events are captured only after registering the transit gateway in the global network. Any changes made to the transit gateway before registration won't show up under events monitoring.

If you're still unable to monitor events, then confirm the following:

The CloudWatch Event rule with the name DO_NOT_DELETE_networkmanager_rule was invoked for each captured event. This action must be performed in the US West (Oregon) Region.
The FailedInvocations graph for event rule DO_NOT_DELETE_networkmanager_rule is 0. Locate the FailedInvocations graph by accessing the event rule with the name DO_NOT_DELETE_networkmanager_rule, and then choose the Monitoring tab.
If there are successful rule invocations matching captured events, then confirm that these events are present in the CloudWatch Logs log group with the name /aws/events/networkmanagerloggroup in the US West (Oregon) Region.

Topics

Networking & Content Delivery

Relevant content

How monitor AWS managed service
AWS-User-7334924
asked 2 years ago
Monitoring MSK events visually
Accepted Answer
Sary Al-Assad
asked 7 months ago
Issue with SSO user registration
AWS-User-4815031
asked 2 years ago
Can we trigger events based on AWS Systems Manager Instance Registration?
liamab
asked a year ago
Dead letter queues, SQS events and network issues
Accepted Answer
CharlesNelsonReilly
asked 4 months ago
How do I troubleshoot Systems Manager Run Command timeout issues?
AWS OFFICIALUpdated 10 months ago
How do I perform route analysis and monitor my transit gateway Connect attachment using Network Manager?
AWS OFFICIALUpdated 2 years ago
How do I monitor IAM events and set up event notifications with AWS CloudFormation?
AWS OFFICIALUpdated 2 years ago
How do I monitor my transit gateway and Site-to-Site VPN on a transit gateway using Network Manager?
AWS OFFICIALUpdated 2 years ago
Network Load Balancer (NLB) troubleshooting guide
EXPERT
Alok Srivastava
published 6 months ago