Observability isn't just about knowing your system is running; it's about understanding how it's running, identifying issues before they become problems, and having the data you need when troubleshooting. For UDP-based systems, where the connectionless nature of the protocol means you don't get the built-in visibility of connection-oriented protocols, observability becomes even more critical.
Proxylity UDP Gateway integrates deeply with AWS CloudWatch to provide comprehensive observability at the destination level, where your infrastructure meets our platform. This article explores how to leverage CloudWatch Metrics and Logs to build production-ready, observable UDP infrastructure.
UDP Gateway's observability model operates at three levels:
At the destination level, where UDP Gateway delivers packets to your AWS resources, you have direct control over observability through two properties in your destination configuration:
MetricsEnabled - Track packet and byte volumes, both ingress and egress, plus error counts
LogGroupName - Capture detailed error and warning messages for troubleshooting
These operate at the destination level because that's where your IAM role grants UDP Gateway permission to write to your CloudWatch resources. This design ensures you maintain complete control over what gets logged and where costs are incurred.
Your destination resources (Lambda functions, SQS queues, DynamoDB tables, etc.) come with their own built-in AWS observability tools. Lambda CloudWatch Logs show function executions, SQS metrics track queue depth, DynamoDB metrics monitor consumed capacity. These complement UDP Gateway's metrics to give you end-to-end visibility.
The UDP Gateway console provides account-level usage metrics for billing and capacity planning purposes. This gives you a high-level view across all your listeners and destinations without requiring CloudWatch integration.
Enabling CloudWatch Metrics is straightforward: just set MetricsEnabled: true in your destination configuration. Once enabled, UDP Gateway publishes metrics to your AWS account for that specific destination.
The following metrics are published per destination:
These metrics enable powerful use cases:
Track traffic patterns over time to understand usage trends, identify peak periods, and plan capacity. Create CloudWatch dashboards that combine UDP Gateway metrics with your destination resource metrics for a complete picture of your data pipeline.
CloudWatch Anomaly Detection can automatically establish baseline traffic patterns and alert you to unusual behavior. A sudden drop in ingress packets might indicate a client connectivity issue. An unexpected spike could signal a misconfiguration or an attack.
Since UDP Gateway pricing includes a per-packet component, tracking packet volumes helps you understand and attribute costs. For multi-tenant systems, you can create separate destinations per tenant and track their individual usage patterns.
{
  "Type": "AWS::CloudWatch::Alarm",
  "Properties": {
    "AlarmName": "udp-gateway-high-error-rate",
    "MetricName": "ErrorCount",
    "Namespace": "Proxylity/UdpGateway",
    "Statistic": "Sum",
    "Period": 300,
    "EvaluationPeriods": 2,
    "Threshold": 1,
    "ComparisonOperator": "GreaterThanThreshold",
    "AlarmDescription": "Alert when UDP Gateway encounters repeated delivery errors",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:ops-alerts"]
  }
}
While metrics tell you what is happening, logs tell you why. Setting
LogGroupName on your destination configuration instructs UDP Gateway to send detailed error and
warning messages to the specified CloudWatch Logs log group.
UDP Gateway logs destination-level issues that require attention:
To prevent log flooding during widespread issues, UDP Gateway deduplicates log messages within short time
windows. Instead of writing the same error message hundreds of times, you'll see a single message with an
occurrence count like [x127], indicating that error occurred 127 times in the deduplication
window.
This approach keeps your logs actionable and your CloudWatch Logs costs reasonable, even during incidents.
The most common issue in new deployments is incomplete IAM permissions. You might see a log message like:
User: arn:aws:sts::123456789012:assumed-role/ProxylityDestinationRole/session is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:packet-handler [x12]
This tells you exactly which permission is missing and how many times the error occurred. Update your IAM role policy, and the errors resolve immediately.
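Because one deduplicated line can stand for many failures, counting log lines understates an incident. The Python below is an added example, not Proxylity code: it reads the [xN] marker and totals occurrences per missing permission. It assumes the marker is the last token of the message, as in the sample above; every sample line other than the access-denied text is constructed.

```python
import re
from collections import Counter

# Assumption: the occurrence marker is the last token of the message, as in "[x12]".
DEDUP_SUFFIX = re.compile(r"\s*\[x(\d+)\]\s*$")
# Wording of the AWS access-denied message quoted in the article.
ACCESS_DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)

def split_occurrences(message):
    """Return (text without the [xN] marker, N); unmarked lines count once."""
    m = DEDUP_SUFFIX.search(message)
    if m is None:
        return message.strip(), 1
    return message[:m.start()].strip(), int(m.group(1))

def summarize(messages):
    """Total occurrences per distinct message and per missing IAM permission."""
    totals, missing = Counter(), Counter()
    for raw in messages:
        text, count = split_occurrences(raw)
        totals[text] += count
        denied = ACCESS_DENIED.search(text)
        if denied:
            key = (denied["principal"], denied["action"], denied["resource"])
            missing[key] += count
    return totals, missing

# The access-denied text is the article's sample; the other lines are constructed.
DENIED = ("User: arn:aws:sts::123456789012:assumed-role/ProxylityDestinationRole/session "
          "is not authorized to perform: lambda:InvokeFunction on resource: "
          "arn:aws:lambda:us-east-1:123456789012:function:packet-handler")
SAMPLE = [
    DENIED + " [x12]",
    DENIED + " [x30]",  # same error again in the next deduplication window
    "Rate exceeded (constructed throttling message) [x127]",
    "Destination resource not found (constructed message)",
]

if __name__ == "__main__":
    totals, missing = summarize(SAMPLE)
    for (principal, action, resource), count in missing.most_common():
        print(f"{count:5d}  {action} on {resource} for {principal}")
    print(f"{len(SAMPLE)} log lines represent {sum(totals.values())} occurrences")
```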
If someone deletes or renames a destination resource without updating the UDP Gateway configuration, you'll see log messages indicating the resource can't be found. This is particularly valuable in larger teams where infrastructure changes might not be immediately communicated.
When your Lambda function hits concurrent execution limits or your DynamoDB table encounters throttling, CloudWatch Logs will show the throttling errors. This helps you distinguish between UDP Gateway issues and downstream capacity constraints.
The cost of CloudWatch Metrics is minimal compared to the visibility gained. For production workloads, always
set MetricsEnabled: true. Consider leaving it disabled in development environments to reduce
noise and cost.
Rather than sending all destination logs to a single log group, create separate log groups per destination or per environment. This makes log filtering easier and allows you to set different retention policies based on importance.
LogGroupName: !Sub "/proxylity/destinations/${EnvironmentName}/${DestinationName}"
CloudWatch Logs retention can be expensive if logs are kept indefinitely. Set retention policies that balance troubleshooting needs with cost. For most use cases, 7-30 days is sufficient for destination error logs.
LogGroupRetentionInDays: 14
Build CloudWatch Dashboards that combine UDP Gateway metrics with destination resource metrics. A good dashboard might show:
This holistic view helps you quickly identify whether issues are in UDP delivery or downstream processing.
Don't wait to discover issues manually. Create CloudWatch Alarms for:
When you specify LogGroupName, ensure your destination's IAM role includes the necessary
permissions:
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": "arn:aws:logs:*:*:log-group:/proxylity/destinations/*"
}
Forgetting these permissions is a common oversight that prevents error logging from working.
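A pre-deployment check can catch this oversight before the first packet arrives. The Python below is an added example, not Proxylity tooling: it tests whether a role policy document grants both actions for a given log group, including the case where the Resource names the log group exactly and therefore does not cover its streams. It is a simplified evaluation that reads only Effect, Action and Resource (no Condition, NotAction or NotResource), it assumes CreateLogStream is checked against the log group ARN and PutLogEvents against a stream ARN, and the log group name and stream name are constructed.

```python
import re

# Action -> ARN suffix of the resource it is evaluated against (assumption:
# CreateLogStream targets the log group, PutLogEvents a stream inside it).
REQUIRED = {"logs:CreateLogStream": "", "logs:PutLogEvents": ":log-stream:example"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def covers(stmt, effect, action, resource):
    """True if the statement has this effect and matches the action and resource."""
    return (stmt.get("Effect") == effect
            and any(iam_match(a, action, True) for a in as_list(stmt.get("Action", [])))
            and any(iam_match(r, resource) for r in as_list(stmt.get("Resource", []))))

def missing_log_permissions(policy, log_group_arn):
    """Return the required actions that the policy does not effectively allow."""
    statements = as_list(policy["Statement"])
    missing = []
    for action, suffix in REQUIRED.items():
        arn = log_group_arn + suffix
        allowed = any(covers(s, "Allow", action, arn) for s in statements)
        denied = any(covers(s, "Deny", action, arn) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed log group name under the article's /proxylity/destinations/ prefix.
GROUP_ARN = ("arn:aws:logs:us-east-1:123456789012:"
             "log-group:/proxylity/destinations/prod/telemetry")
ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]
PAGE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ACTIONS,
    "Resource": "arn:aws:logs:*:*:log-group:/proxylity/destinations/*"}]}
# Resource names the group exactly, so it does not match the group's streams.
EXACT_ARN_ONLY = {"Statement": [{"Effect": "Allow", "Action": ACTIONS,
                                 "Resource": GROUP_ARN}]}
INVOKE_ONLY = {"Statement": {"Effect": "Allow", "Action": "lambda:InvokeFunction",
                             "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in [("page policy", PAGE_POLICY), ("exact ARN", EXACT_ARN_ONLY),
                      ("invoke only", INVOKE_ONLY)]:
        print(name, "->", missing_log_permissions(doc, GROUP_ARN) or "ok")
```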
UDP Gateway assumes your destination role using STS. If you've set a custom session duration in your
destination's Role configuration, ensure CloudWatch Logs access doesn't expire during
long-running scenarios.
CloudWatch Logs Insights lets you query your logs to identify patterns. For example, find the most common errors in the last 24 hours:
fields @timestamp, @message
| filter @message like /error/
| stats count(*) as occurrences by @message
| sort occurrences desc
| limit 10
CloudWatch Metrics and Logs integrate seamlessly with third-party observability platforms. Whether you're using Datadog, SumoLogic, New Relic, Grafana, or another tool, you can export CloudWatch data to create unified dashboards across your entire infrastructure.
For teams using AWS-native stacks, CloudWatch provides everything you need without additional tools or costs beyond standard CloudWatch pricing.
Observability isn't optional for production systems; it's the foundation of reliable operations. UDP Gateway's integration with CloudWatch Metrics and Logs gives you the visibility you need to confidently run UDP-based infrastructure at scale.
By enabling metrics, configuring log groups, and setting up appropriate alarms, you transform UDP Gateway from a black box into a transparent, monitorable component of your infrastructure. You'll catch permission issues during deployment, identify capacity constraints before they impact users, and troubleshoot problems with concrete data rather than guesswork.
Start with metrics enabled for all production destinations, add log groups for critical paths, and build dashboards that give you confidence in your system's health. Your future self (and your on-call team) will thank you.