File: //usr/lib/netdata/conf.d/health.d/azure_monitor_vpn_gateway.conf
# you can disable an alarm notification by setting the 'to' line to: silent
# --- Errors: Tunnel Packet Drops ---
template: am_vpn_gateway_tunnel_packet_drops
on: azure_monitor.vpn_gateway.tunnel_packet_drops
class: Errors
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of egress ingress
units: packets/s
every: 1m
warn: $this > (($status >= $WARNING) ? (10) : (50))
crit: $this > (($status == $CRITICAL) ? (50) : (200))
delay: down 5m multiplier 1.5 max 1h
summary: VPN Gateway tunnel packet drops on ${label:resource_name}
info: Packets being dropped across VPN tunnels on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Drops indicate tunnel instability or capacity issues
to: sysadmin
# --- Errors: Tunnel TS Mismatch Drops ---
template: am_vpn_gateway_tunnel_ts_mismatch_drops
on: azure_monitor.vpn_gateway.tunnel_ts_mismatch_drops
class: Errors
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of egress ingress
units: packets/s
every: 1m
warn: $this > (($status >= $WARNING) ? (1) : (10))
crit: $this > (($status == $CRITICAL) ? (10) : (50))
delay: down 5m multiplier 1.5 max 1h
summary: VPN Gateway TS mismatch drops on ${label:resource_name}
info: Packets dropped due to traffic selector mismatch on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
This typically indicates IPsec policy misconfiguration
to: sysadmin
# --- Errors: Tunnel NAT Packet Drops ---
template: am_vpn_gateway_tunnel_nat_packet_drops
on: azure_monitor.vpn_gateway.tunnel_nat_packet_drops
class: Errors
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of total
units: packets/s
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (1) : (10))
crit: $this != nan AND $this > (($status == $CRITICAL) ? (10) : (50))
delay: down 5m multiplier 1.5 max 1h
summary: VPN Gateway NAT packet drops on ${label:resource_name}
info: NAT-related packet drops on VPN Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
May indicate NAT rule misconfiguration or address exhaustion
to: sysadmin
# --- Routing: BGP Peer Status ---
# BGP is optional; metrics return NaN when BGP is not configured
template: am_vpn_gateway_bgp_peer_status
on: azure_monitor.vpn_gateway.bgp_peer_status
class: Availability
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: status
every: 1m
crit: $this != nan AND $this < 1
delay: down 5m multiplier 1.5 max 1h
summary: VPN Gateway BGP peer down on ${label:resource_name}
info: BGP peer status on VPN Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Value below 1 indicates a BGP peer session is down
to: sysadmin
# --- Utilization: ExpressRoute Gateway CPU ---
template: am_vpn_gateway_er_gateway_cpu
on: azure_monitor.vpn_gateway.er_gateway_cpu
class: Utilization
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: percentage
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (70) : (80))
crit: $this != nan AND $this > (($status == $CRITICAL) ? (80) : (90))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW ExpressRoute CPU on ${label:resource_name}
info: CPU utilization of ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
High CPU may degrade forwarding performance
to: sysadmin
# --- Workload: ExpressRoute Gateway Active Flows ---
template: am_vpn_gateway_er_gateway_active_flows
on: azure_monitor.vpn_gateway.er_gateway_active_flows
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: flows
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (200000) : (250000))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW ExpressRoute active flows on ${label:resource_name}
info: Active flows on ExpressRoute Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
High flow counts may indicate approaching scalability limits
to: sysadmin
# --- Errors: ExpressRoute Gateway Route Changes ---
template: am_vpn_gateway_er_gateway_route_changes
on: azure_monitor.vpn_gateway.er_gateway_route_changes
class: Errors
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of total
units: changes/s
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (5) : (10))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW ExpressRoute route churn on ${label:resource_name}
info: Rate of BGP route changes on ExpressRoute Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Frequent route changes may indicate BGP instability
to: sysadmin
# --- Workload: ExpressRoute Routes Advertised ---
template: am_vpn_gateway_er_gateway_routes_advertised
on: azure_monitor.vpn_gateway.er_gateway_routes_advertised
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of maximum
units: routes
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (900) : (950))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW ExpressRoute routes advertised on ${label:resource_name}
info: Routes advertised to peer by ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Azure limits advertised routes to 1000 per peering
to: sysadmin
# --- Workload: ExpressRoute Routes Learned ---
template: am_vpn_gateway_er_gateway_routes_learned
on: azure_monitor.vpn_gateway.er_gateway_routes_learned
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of maximum
units: routes
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (3800) : (3900))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW ExpressRoute routes learned on ${label:resource_name}
info: Routes learned from peer by ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Default Azure limit is 4000 routes per peering (varies by gateway SKU)
to: sysadmin
# --- Utilization: Scalable ExpressRoute Gateway CPU ---
template: am_vpn_gateway_scalable_er_cpu
on: azure_monitor.vpn_gateway.scalable_er_cpu
class: Utilization
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: percentage
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (70) : (80))
crit: $this != nan AND $this > (($status == $CRITICAL) ? (80) : (90))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW Scalable ER CPU on ${label:resource_name}
info: CPU utilization of Scalable ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
High CPU may degrade forwarding performance
to: sysadmin
# --- Workload: Scalable ExpressRoute Gateway Active Flows ---
template: am_vpn_gateway_scalable_er_active_flows
on: azure_monitor.vpn_gateway.scalable_er_active_flows
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: flows
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (200000) : (250000))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW Scalable ER active flows on ${label:resource_name}
info: Active flows on Scalable ExpressRoute Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
High flow counts may indicate approaching scalability limits
to: sysadmin
# --- Errors: Scalable ExpressRoute Gateway Route Changes ---
template: am_vpn_gateway_scalable_er_route_changes
on: azure_monitor.vpn_gateway.scalable_er_route_changes
class: Errors
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of total
units: changes/s
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (5) : (10))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW Scalable ER route churn on ${label:resource_name}
info: Rate of BGP route changes on Scalable ExpressRoute Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Frequent route changes may indicate BGP instability
to: sysadmin
# --- Workload: Scalable ExpressRoute Routes Advertised ---
template: am_vpn_gateway_scalable_er_routes_advertised
on: azure_monitor.vpn_gateway.scalable_er_routes_advertised
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of maximum
units: routes
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (900) : (950))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW Scalable ER routes advertised on ${label:resource_name}
info: Routes advertised to peer by Scalable ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Azure limits advertised routes to 1000 per peering
to: sysadmin
# --- Workload: Scalable ExpressRoute Routes Learned ---
template: am_vpn_gateway_scalable_er_routes_learned
on: azure_monitor.vpn_gateway.scalable_er_routes_learned
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of maximum
units: routes
every: 1m
warn: $this != nan AND $this > (($status >= $WARNING) ? (3800) : (3900))
delay: down 5m multiplier 1.5 max 1h
summary: VPN GW Scalable ER routes learned on ${label:resource_name}
info: Routes learned from peer by Scalable ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region}). \
Default Azure limit is 4000 routes per peering (varies by gateway SKU)
to: sysadmin
# --- Workload: ExpressRoute Gateway Bandwidth (informational) ---
template: am_vpn_gateway_er_gateway_bandwidth
on: azure_monitor.vpn_gateway.er_gateway_bandwidth
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: bits/s
every: 1m
info: Average throughput of ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region})
to: silent
# --- Workload: Scalable ExpressRoute Gateway Bandwidth (informational) ---
template: am_vpn_gateway_scalable_er_bandwidth
on: azure_monitor.vpn_gateway.scalable_er_bandwidth
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: bits/s
every: 1m
info: Average throughput of Scalable ExpressRoute Gateway on ${label:resource_name} \
in ${label:resource_group} (${label:region})
to: silent
# --- Workload: S2S Bandwidth (informational) ---
template: am_vpn_gateway_s2s_bandwidth
on: azure_monitor.vpn_gateway.s2s_bandwidth
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: bytes/s
every: 1m
info: Average site-to-site bandwidth on VPN Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region})
to: silent
# --- Workload: Tunnel Bandwidth (informational) ---
template: am_vpn_gateway_tunnel_bandwidth
on: azure_monitor.vpn_gateway.tunnel_bandwidth
class: Workload
type: Other
component: Azure VPN Gateway
lookup: average -5m unaligned of average
units: bytes/s
every: 1m
info: Average tunnel bandwidth on VPN Gateway ${label:resource_name} \
in ${label:resource_group} (${label:region})
to: silent