Oracle Cloud Infrastructure Documentation

VNIC Metrics

You can monitor the health, capacity, and performance of your Networking service VNICs by using metrics, alarms, and notifications.

This topic describes the metrics emitted by the metric namespace oci_vcn (the Networking service).

Resources: virtual network interface cards (VNICs).

Overview of Metrics for an Instance and Its Network Devices

If you're not already familiar with the different types of metrics available for an instance and its storage and network devices, see Compute Instance Metrics.

Overview of Metrics: oci_vcn

Each Compute instance has one or more Networking service VNICs. A VNIC connects the instance to a subnet in a virtual cloud network (VCN). A given VNIC controls how the instance communicates with endpoints inside the VCN (other instances) and endpoints outside the VCN (hosts on the internet, in your on-premises network, in another VCN, and so on).

With the Networking service metrics (in metric namespace oci_vcn), you can get this information for a VNIC:

  • Traffic to and from the network: Per-VNIC traffic levels (packets and bytes), which can help you identify meaningful increases or decreases in traffic coming in and out of your instances
  • Packets dropped due to security list violations: Per-VNIC drops (dropped packets), which can help you identify changes in traffic caused by security list changes

The following diagram illustrates the general concept. A given instance resides in a subnet within a VCN that has one or more gateways to communicate with other networks. The instance is enlarged to show its VNIC, which the instance uses to communicate with the network. In this context, the term network means both the other instances in the VCN and hosts outside the VCN available through the gateways.

The VNIC receives traffic from the network and sends traffic to the network. The Networking service drops packets according to security list rules you set up for the instance's subnet. Traffic coming to the VNIC from the network is measured after the Networking service drops the packets that violate the subnet's security list rules. Traffic leaving the VNIC is measured before the Networking service drops the packets that violate the subnet's security list rules.

This image shows instances in a VCN, and a single instance enlarged with the VNIC and traffic flowing in and out.

The Compute service separately reports network-related metrics as measured on the instance itself and aggregated across all the attached VNICs. Those metrics are available in the oci_computeagent metric namespace. For more information, see Compute Instance Metrics.

Raw Data Point Frequency

For every 1-minute interval, the Networking service posts one raw data point to the Monitoring service. The Monitoring service charts show data points at 1-minute, 5-minute, and 60-minute intervals. The available statistics are calculated by using the count of 1-minute data points in the selected interval. For example, for a given metric:

  • The mean for each 5-minute interval is calculated over 5 raw data points.
  • The mean for each 60-minute interval is calculated over 60 raw data points.

Required IAM Policy

When writing an IAM policy for viewing VNIC metrics, it's important to remember that:

  • The VNIC and the VNIC's metrics (emitted by the oci_vcn metric namespace) reside in the subnet's compartment, and not the instance's compartment.
  • The VNIC attachment (which is an object different from the VNIC itself) resides in the instance's compartment.

If the instance and subnet are in the same compartment, these details aren't so important when you write the IAM policy.

Minimum required policy for getting VNIC metrics
Policy for viewing a VNIC's details and metrics in the Console

Available Metrics: oci_vcn

The metrics listed in the following table are automatically available for any VNIC on any instance you create. You do not need to enable monitoring on the instance to get these metrics for the VNIC or VNICs on the instance.

You also can use the Monitoring service to create custom queries.

Each metric includes the following dimension: 

resourceId
The OCID of the VNIC. An OCID (Oracle Cloud Identifier) is an Oracle-assigned unique ID. This ID is included as part of the resource's information in both the Console and API.

| Metric | Metric Display Name | Unit | Description | Dimensions |
|---|---|---|---|---|
| VnicEgressDropsSecurityList | Egress Packets Dropped by Security List | packets | Packets sent by the VNIC, destined for the network, dropped due to security rule violations. | resourceId |
| VnicIngressDropsSecurityList | Ingress Packets Dropped by Security List | packets | Packets received from the network, destined for the VNIC, dropped due to security rule violations. | resourceId |
| VnicFromNetworkBytes* | Bytes from Network | bytes | Bytes received at the VNIC from the network, after drops. | resourceId |
| VnicFromNetworkPackets* | Packets from Network | packets | Packets received at the VNIC from the network, after drops. | resourceId |
| VnicToNetworkBytes* | Bytes to Network | bytes | Bytes sent from the VNIC to the network, before drops. | resourceId |
| VnicToNetworkPackets* | Packets to Network | packets | Packets sent from the VNIC to the network, before drops. | resourceId |

* The Compute service separately reports network-related metrics as measured on the instance itself and aggregated across all the attached VNICs. Those metrics are available in the oci_computeagent metric namespace. For more information, see Compute Instance Metrics.

Tips for Working with VNIC Metrics

Here are some tips to help you use VNIC metrics.

Default Metric Charts for One VNIC Versus Multiple VNICs

The default charts for VNIC metrics use these default settings:

  • Time range = the last hour
  • Interval = 1 minute
  • Statistic displayed: Sum
  • Aggregation of metric streams = not selected (which means each VNIC is displayed as a separate line on the chart)

You can view the default charts with data for only a single VNIC by viewing the VNIC's details in the Console. When looking at a single VNIC, these statistics are the most useful: sum, mean, max, and min.

You can view the default charts with data for multiple VNICs by going to the Service Metrics page in the Console. Make sure to select the desired compartment and metric namespace (oci_vcn) at the top of the page. For all the charts, you can either show each VNIC as a separate line, or show a single line that aggregates the data for all the VNICs in your selected compartment. To aggregate the data, select the check box for Aggregate Metric Streams.

When viewing aggregated data, you can use the P90 - P99.9 statistics to help identify typical behavior of your instance fleet and outliers. To view these statistics over an even larger number of data points, expand the chart's start and end time (for example, view the last 7 days instead of the last hour), and set the interval to 1 hour.

For general information about how to work with and modify the default metric charts, see Using the Console in the Monitoring documentation.

Alarms for VNIC Metrics

You can set up alarms for a given metric. For VNICs, an alarm makes the most sense for the egress security list drops metric (VnicEgressDropsSecurityList). In a normal situation, you shouldn't have egress security list drops. If you do, it most likely means that one or both of these is true:

  • An application is behaving in an unexpected manner
  • Your security list is configured incorrectly

In either case, an alarm is warranted.
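The check such an alarm performs can be reproduced offline over 1-minute data points, as in this added example (not Oracle's code). It rolls the raw points up into windows, flags any VNIC whose summed egress drops are above zero, and relates the drops to VnicToNetworkPackets, which the page says is measured before drops. The function names, the input shape, the sample values and the placeholder OCIDs are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DROPS = "VnicEgressDropsSecurityList"  # packets dropped by security list rules
SENT = "VnicToNetworkPackets"          # packets sent, measured before drops

def rollup_sum(points, minutes):
    """Sum 1-minute raw data points into fixed windows: {window_start: (sum, n_points)}."""
    acc = defaultdict(lambda: [0, 0])
    for ts, value in points:
        epoch_min = int(ts.timestamp()) // 60
        start = datetime.fromtimestamp((epoch_min - epoch_min % minutes) * 60, tz=timezone.utc)
        acc[start][0] += value
        acc[start][1] += 1
    return {k: tuple(v) for k, v in sorted(acc.items())}

def egress_drop_findings(streams, minutes=5):
    """Return one finding per VNIC and window whose summed egress drops exceed zero."""
    findings = []
    for resource_id, metrics in streams.items():
        sent = rollup_sum(metrics[SENT], minutes)
        for start, (dropped, n) in rollup_sum(metrics[DROPS], minutes).items():
            if dropped > 0:
                total_sent = sent.get(start, (0, 0))[0]
                findings.append({
                    "resourceId": resource_id,
                    "window_start": start,
                    "dropped": dropped,
                    "raw_points": n,
                    # SENT is counted before drops, so this is the share of egress blocked.
                    "drop_ratio": dropped / total_sent if total_sent else None,
                })
    return findings

def _series(values, start=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    """Build (timestamp, value) pairs spaced one minute apart."""
    return [(start + timedelta(minutes=i), v) for i, v in enumerate(values)]

# Constructed sample: two VNICs (placeholder OCIDs), ten 1-minute data points each.
SAMPLE = {
    "ocid1.vnic.oc1..example-a": {DROPS: _series([0] * 10), SENT: _series([100] * 10)},
    "ocid1.vnic.oc1..example-b": {DROPS: _series([0, 0, 0, 0, 0, 0, 12, 30, 3, 0]),
                                  SENT: _series([100] * 10)},
}

if __name__ == "__main__":
    for finding in egress_drop_findings(SAMPLE):
        print(finding)
```

A finding with a high drop_ratio on a single VNIC points toward one misbehaving application, while similar ratios across many VNICs in a subnet point toward the security list itself.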

Using the Console

To view default metric charts for a single VNIC
To view default metric charts for multiple VNICs

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following APIs for monitoring: