Views
Cloud Insights offers a detailed view of how your cloud native resources are connected together logically, your historical inventory, and, for AWS environments, a comprehensive end-to-end traffic flow. Events occurring within your cloud infrastructure, such as configuration changes and operational scaling events, are represented in Cloud Insights Inventory and Views screens within tables and timelines. These visualizations are available in the Cloud Insights section of the ThousandEyes platform and as the Cloud layer in Network & App Synthetics > Views.
Inventory Screen
Navigate to Cloud Insights > Inventory to view the cloud resources and services discovered through the integration with your cloud provider. The inventory screen displays the last 30 days of ingested data and it is refreshed every 5 minutes.
With the Cloud Insights inventory screen, you can see all your cloud networking, content delivery, and compute resources grouped by resource type, including for example load balancer, network gateway, and internet gateway, across all your cloud accounts and subscriptions, in one dashboard. You can see all your resources in the context of their respective public or private subnets, availability zones (AZ), virtual cloud instances (VPC, Transit Gateway, or VNET), regions, and accounts or subscriptions.
Click on a region or subnet to see its details. Filtering resources by type and by tags is also supported.
For more information about Amazon Virtual Private Cloud (VPC), see What is Amazon VPC?. For more information about Amazon Transit Gateways, see What is AWS Transit Gateway?. For more information about Microsoft Azure Virtual Network (VNET), see What is Azure Virtual Network?
Views Screen for Flow Logs Analysis
Viewing Your Log Data
For AWS environments, navigate to Cloud Insights > Views to see your flow logs activity. You can view both VPC flow logs and Transit Gateway flow logs data, separated into tabs at the top of the screen.
VPC flow logs capture traffic at the individual VPC subnet or network interface level, focusing on traffic observed within the VPC.
Transit Gateway flow logs provide a broader view by capturing traffic traversing the transit gateway itself, which aggregates traffic across multiple VPCs and connections, enabling visibility into inter-VPC and hybrid network traffic flows.
See Flow Log Types for more information about the difference between VPC and Transit Gateway flow logs and their use cases.
The default timeline shows you total throughput over the last 24 hours, including - for VPC logs - all internal cloud traffic (the gray overlay), which you can toggle on and off. You can also access more granular “stacked views” by resource depending on the metric you choose (see Stacked View), and compare up to three metrics at the same time for improved root cause analysis (see Viewing Multiple Metrics Charts).
In addition to the timeline, Cloud Insights provides a traffic table in the area below the timeline. Filtering and grouping are also available.
Log Metrics
Cloud Insights offers you two types of timeline view to enhance your flow logs traffic analysis. For an overview of all flow logs traffic, select any metric under Total View. For a segmented view of traffic from particular resources, select any metric under Stacked View. You can also select up to three metrics from either view using the checkboxes; this places the three chosen metrics’ timelines on top of each other for ease of comparison. See Viewing Multiple Metrics Charts for more information.
The following log metrics are available under Cloud Insights > Views:
Total Throughput
Total
VPC, Transit Gateway
Sum of virtual network accepted actions for traffic going to or coming from outside your cloud environment. Limited to traffic going through the test ingress point at the cloud edge.
Rejected Throughput
Total
VPC
Sum of rejected total throughput.
Throughput Inbound
Stacked
VPC, Transit Gateway
Total traffic from the remote endpoint to the local endpoint of the connection.
Throughput Outbound
Stacked
VPC, Transit Gateway
Total traffic from the local endpoint to the remote endpoint of the connection.
Rejected Throughput Inbound
Stacked
VPC
Total rejected throughput from the remote endpoint to the local endpoint of the connection.
Rejected Throughput Outbound
Stacked
VPC
Total rejected throughput from the local endpoint to the remote endpoint of the connection.
Connections per second
Stacked
VPC, Transit Gateway
Sum of new TCP (Transmission Control Protocol) connections.
Rejected connections per second
Stacked
VPC
Connections that were dropped due to policy enforcement.
Dropped Packets
Stacked
Transit Gateway
Total number of dropped packets. AWS Transit Gateway packet drops can occur due to blackhole routes (routes configured to intentionally discard traffic), no matching route in the route table, packets exceeding the Maximum Transmission Unit (MTU), or Time-To-Live (TTL) expiration. These types of drops can occur on both the inbound and outbound paths through the Transit Gateway.
Flows per second
Stacked
VPC, Transit Gateway
The rate at which network flows (sequences of packets with the same 5-tuple: source IP, destination IP, source port, destination port, protocol) are observed in the cloud environment, measured in flow logs per second.
Skipped Data
Stacked
VPC, Transit Gateway
Flows that were dropped by AWS due to performance issues, unlike “rejected” that were dropped due to policy enforcement.
Note: Throughput in Cloud Insights > Views refers to the average rate of data transferred between two endpoints or groups of endpoints (such as between two VPCs). In the Cloud layer of Network & App Synthetics > Views, when shown alongside synthetic tests, this metric reflects all traffic passing through the tested endpoint, not just that generated by test agents. In both cases, throughput is always displayed as the number of bits transferred, averaged over 5-minute (300-second) intervals.
For Outside Cloud Throughput and other outside cloud metrics, see Network & App Synthetics Cloud Layer.
Stacked View
The stacked view enables you to gain granular insights into cloud traffic patterns to better optimize performance and troubleshoot issues.
Use cases include:
Identifying resource-specific traffic bottlenecks: Pinpoint which cloud resource types (e.g., instances, load balancers) contribute disproportionately to total throughput, indicating potential bottlenecks or overutilized resources.
Optimizing cloud resource utilization and costs: Analyze traffic distribution across resources to identify underutilized or overutilized resources, reducing cloud costs and improving efficiency.
Detecting anomalous traffic patterns: Identify unexpected throughput spikes or drops for specific resources, indicating potential security issues (e.g., DDoS attacks) or misconfigurations.
Capacity planning for multi-cloud environments: Forecast resource needs across your cloud environment by analyzing historical throughput trends per resource. Grouping by resource type (e.g., all Transit Gateways) or filtering by region (e.g., us-east-1) supports multi-cloud strategies.
When you select a metric under Stacked View, the top five items in the chosen grouping by throughput are displayed on the chart, plus the total throughput. You can add or remove up to ten grouping items using the checkboxes in the table below the timeline. If you deselect an item from the comparison legend below the timeline, that item’s data is removed from the chart.
Hover over a time slice (hairline) for information about the segmented traffic at that point in time.
You can further refine your view and table data by using filtering and grouping.
Viewing Multiple Metrics Charts
You can select up to three metrics to view at the same time for enhanced analysis. Open the Metrics dropdown and select any three metrics. Charts appear in the order that you select them. Note that when you select three, all other metrics options are greyed out. You must deselect a metric to select a different one.
The three charts respond identically to timeline adjustments, so they are always in line with each other. If you hover over a point in any chart, it shows you the given metrics for each chart visible for that time instance. For example, in the image above, whether you hover on the total throughput time series or the throughput outbound time series, the hover box shows you the metrics for all three charts. Note that the stacked charts present as columns in the hover box.
Changing the Primary Chart
The data table beneath the time series charts corresponds to the “primary” metric. To update the table to show data from a different chart, click the radio button next to the chart name you want to nominate as primary. The “Primary” label switches to this new chart and the table updates to show its data. The swimlane that shows operational and configuration events also moves to sit directly below the primary chart. If viewing stacked charts, the Flows for Comparison legend always sits at the bottom of all of the charts, and also updates when you change primary charts.
Filtering and Grouping
Filters and groups enable flexible and contextual views of performance. Use filtering at the top of the timeline to narrow down the data displayed on both the timeline and table. Underneath, use grouping to view different aspects of the data displayed in the table only. Note that changes to filtering affects the timeline and table data; changes to grouping only affects the table data.
The filter and grouping options are different depending on which type of flow log you’re viewing, as described in the tables below.
Options are available for local and remote resource types. Local resource types are where the logs are captured. Remote resource types are where the logs are destined.
Filters for VPC Flow Logs
Account
Account
Availability Zone
AS
Interface
Availability Zone
IP
Interface
Protocol
IP
Region
Location
Resource
Region
Role
Resource
Service
Role
Subnet
Service
Tags
Service Provider
Traffic Path
Subnet
VPC
Tags
VPC
Flow logs display local Account, Region, and VPC filters by default across the top of the timeline. To add more filters, click Add Filter to select the resource or attribute to filter on.
Once you make a selection, the filter then gets added alongside the default filters at the top, along with a button to reset the filters.
Click any filter to open its dropdown to make a different selection of resources/attributes, or click the X to clear that filter and remove it from the header bar.
Local and Remote Groupings for VPC Flow Logs
Groupings default to: local - Region; remote - Region.
Availability Zone
Location (remote only)
IP
Protocol (local only)
Region
Role
Resource
Service Provider
Service
Traffic Path (local only)
Subnet
VPC
Filters for Transit Gateway Logs
Account
Attachment ID
Account
Account
ID
Attachment Type
Availability Zone
AS
Region
Availability Zone
Interface
Availability Zone
ENI
IP
Interface
Subnet
Protocol
IP
VPC
Region
Location
Resource
Region
Role
Resource
Service
Role
Subnet
Service
Tags
Service Provider
VPC
Subnet
Tags
VPC
The Transit Gateway Flow Logs tab displays all Transit Gateway filters (account, ID, region) as well as local attachment type and local attachment ID by default across the top of the timeline. To add more filters, click Add Filter.
Local and Remote Groupings for Transit Gateway Logs
Groupings default to: local - Transit Gateway Attachment ID; remote - No Grouping.
Transit Gateway ID
Attachment ID
Account
AS (remote only)
AWS tags selected for filtering purposes from Tags Management
No Grouping
Transit Gateway Account
Attachment Type
Availability Zone
Location (remote only)
Transit Gateway Region
Attachment AZ
IP
Protocol (local only)
Attachment Interface
Region
Role
Attachment Subnet
Resource
Service Provider (remote only)
Attachment VPC
Service
Attachment VPC Account
Subnet
VPC
Table Tab
The Table tab displays a list of resources that meet the grouping criteria specified just below the timeline. With the Table tab view you can:
Use the grouping criteria to determine what is displayed.
Click on column headers to change the sort order.
Hover over a row to display more details about the row item.
Click the ellipsis (
...) at the end of the row to filter based on the selected row item.
Events Tab
Cloud Insights tracks configuration change and operational scaling events and state changes across any element of the virtual infrastructure that serves your application. Note that you do not need a flow log integration to view events, as these are generated from your inventory integration.
In addition to problematic infrastructure elements, a common cause for application downtime is changes made by an automated process or a live human. Monitoring change events not only allows you to determine what changed at what time, but also to correlate that change with application availability and other metrics.
To view change event metrics, select the Events tab beneath the chart.
A view of change events is also available in the Cloud layer of Network & App Synthetics > Views. Configuration changes and operational changes are colored green and blue on a separate swimlane on the topology view. Note that not all changes negatively impact applications and services. Change events are also visible on the timeline in Cloud Insights > Inventory.
Viewing Configuration Changes
You can view a diff of the change, before and after the change event occurred. To view a diff, select a row containing a configuration change from the Events table located below the timeline.
You can also use the Inventory screen to show the diff. Click on any row located under the Asset Name header.
Use the Events tab to track configuration changes and operational events due to adding or removing instances.
Map Tab
The Map tab groups cloud environment resources by region and displays them using a map visualization. Use the + and - buttons in the upper right to zoom in and zoom out, respectively. Hover over any item to display more details about the resource.
Network & App Synthetics Cloud Layer
The Cloud layer is available within Network & App Synthetics > Views. Cloud Insights are integrated with the Network & App Synthetics views both as a swimlane below the timeline showing configuration change and operational events, and as a traffic topology map.
The Cloud layer shows your cloud environment behind the load balancer that is serving your application. For AWS environments, this can also be the Global Accelerator. This view pulls in your cloud native inventory for the specific service, providing a logical service map of how your application is being served. You can use the traffic timeline to visualize how your application is distributed within your cloud provider networks.
Filtering for Cloud Layer Tests
To make it easy to find your tests that have the Cloud layer visible, open the Test dropdown at the top left of the screen and select the checkbox next to Cloud Insights enriched tests in the filter column. This filters all your tests to just those that have an endpoint in your cloud environment. Note that this checkbox is only visible if you have successfully set up an inventory integration for Cloud Insights and have tests running to your cloud environment. To navigate to the Cloud layer within a particular test, click on the Cloud label to the left of the timeline. If you do not see a Cloud layer it means you have not configured a supported cloud provider inventory integration, or you are not testing to a supported test target.
Cloud Layer Metrics
Available metrics for the Cloud layer timeline are Outside Cloud Throughput, Outside Rejected Throughput, Outside Connection Rate, Outside Rejected Connection Rate, and Event Count. You can choose to display any number of metrics at the same time.
Outside Cloud Throughput is traffic throughput to remote endpoints that are outside of your monitored cloud accounts or subscriptions (could be outside of the cloud or in the cloud but not monitored). For example, for an externally facing load-balancer the timeline displays how much traffic is entering the cloud and exiting the cloud through this load balancer over the given time period. You can use Outside Cloud Throughput to analyze relevant traffic and to determine if there is degradation of traffic to that node that could be causing a delay.
In this same vein, Outside Rejected Throughput is the total rejected throughput outside of the cloud environment, and Outside Connection Rate and Outside Rejected Connection Rate are the sum of new TCP connections (or dropped connections in the case of rejection) where the remote endpoint is outside of the cloud environment.
Cloud Layer Topology Tab
When the Cloud layer view is selected, the area below the timeline displays the traffic topology under the Topology tab, grouped into either regions or accounts for additional path context (see Topology Grouping below). The Topology tab offers two views, Service Configuration and Network and Security (currently, Network and Security is only available for AWS environments).
The Service Configuration view shows resources that perform services focused on running applications, managing compute capacity, and efficiently delivering application content and traffic to end-users, such as load balancers, EC2 instances, or virtual machines. Many of these resources double as test targets. The Network and Security view, available by clicking on any shield icon, shows resources that make up the underlying connectivity and access-control infrastructure upon which resources in the Service Configuration view operate. This can include network interfaces, security groups, and routing tables. While not test targets themselves, you can use these resources to help troubleshoot test degradation.
Topology Grouping
Topology grouping allows you to view your network and application path structure in an organized and meaningful way. This helps you to understand service dependencies and traffic flows within specific geographic or organizational boundaries, making it easier to pinpoint issues and their impact on users in those groups.
By default, the nodes in your topology view are grouped by region. In the top right corner of the Topology tab, you can change the view to group by account, or to remove grouping for a more compact view.
Service Configuration View
The default view under the Topology tab is the Service Configuration view, which shows the connections between your cloud resources that perform compute and application delivery services. These services host virtual machines and containerized applications, and distribute incoming requests across various backend resources, ensuring high availability, performance, and scalability for applications. Nodes in this view include resources such as load balancers, listeners, instances, and virtual machines.
Searching in the Service Configuration View
You can use the search box to locate a specific resource by name. The Service Configuration view shows the found resource highlighted with other resources greyed out.
Network and Security View
When you see a shield icon, that indicates that the connection between two Service Configuration resources involves additional networking or security resources for their connection.
The Network and Security view encompasses the foundational networking constructs, connectivity services, and security enforcement points that define the network topology, control traffic flow, and secure communication within, to, and from cloud environments. These resources are responsible for establishing private networks, routing traffic, enforcing access policies, and enabling secure hybrid and inter-cloud connectivity. You can find the following resources in the Network and Security view.
Network and Security View Resource List
Direct Connect Gateway
Allows you to connect your AWS Direct Connect connection in different AWS regions.
Direct Connect Virtual Interface (VIF)
Establishes Layer 3 connectivity over an AWS Direct Connect connection, enabling private or transit access from on-premises networks to AWS services, including VPCs and Transit Gateways.
Elastic Network Interface
Virtual network interface that can be attached to resources in a VPC.
Network Access Control List (NACL)
Subnet-level firewall that controls inbound and outbound traffic at the subnet boundary.
Route Table
Set of rules used to determine where network traffic is directed within the cloud network.
Security Group
Virtual firewall controlling inbound and outbound traffic for resources such as EC2 instances.
Subnet
Subdivision of a network, allowing logical segmentation of cloud resources within a VPC.
Transit Gateway Route Table
Routing table that controls how traffic is routed through an AWS Transit Gateway. (Transit Gateways, Transit Gateway Attachments, and Transit Gateway Peering Attachments are inferred by this resource)
VPC Peering (inferred)
Networking connection between two VPCs that enables traffic routing between them using private IPs.
Entry points can also be prefixed with interface and security group information. This is helpful for monitoring traffic passing through an outside-facing firewall.
Click on the shield icon for the Network and Security view.
To exit the Network and Security view, click on Service Configuration on the upper left corner of the Topology tab section.
Searching in the Network and Security Layer
When you search for a resource in the Service Configuration view that can only be displayed in the Network and Security view, shield icons where the resource can be viewed are highlighted.
Click on a highlighted shield to switch to the Network and Security view to view the found resource.
Note that resources can be repeated in the Network and Security view. In the example above, multiple shield icons are highlighted for the same interface. These are repetitions of the same interface shown in different path configurations.
Dedicated Connections
Both AWS and Azure offer dedicated, private-network connections between your on-premises infrastructure and cloud environment, bypassing the public internet for improved security and performance. You can view these circuits - called AWS Direct Connect and Azure ExpressRoute - directly in the Topology tab of the Network and App Synthetics Cloud layer. See your dedicated connections in both the Service Configuration and Network and Security views. When you click on the shield icon next to a Direct Connect or ExpressRoute asset, the Network and Security view expands to show additional nodes, for example through VIFs (Virtual Interfaces). View your dedicated connections under Services within the Cloud Insights Inventory view as well.
AWS Topology
For AWS, the Topology tab shows what's behind the AWS Global Accelerator or Load Balancer that is serving your application. You can distinguish between traffic flow that originates outside AWS and is destined in AWS, originates and is destined in AWS, and originates in AWS and is destined outside AWS. This means that you can identify network blindspots in the context of where traffic originates and is destined. You can also see traffic flow size (bytes/sec) between each hierarchical AWS instance, e.g. AWS account, AWS region, VPC, AZ, Subnet, AWS instance, and AWS elastic network interface.
Cross-zone Availability
If you have cross-zone availability configured, these paths are shown in the Network and Security view under the Topology tab. The topology reflects what availability zones a load balancer is actually sending traffic across.
Even when a load balancer has two interfaces and cross-zone availability is off, the topology only shows the path configured for the same availability zone as the destination displayed in the topology. If your load balancer is not configured to cross zones, then the view will not show any traffic crossing zones.
Cloud Layer Events Tab
Viewable within both the Service Configuration and Network and Security topology views are events. Operational events are highlighted in blue while configuration change events are highlighted in green.
When any configuration change or operational events are selected in the traffic timeline, they are listed in the Events tab underneath the timeline.
Click on any row to view details of the event. Configuration changes show a diff of the change that was made. Click on the blue Explore in AWS/Azure button above the diff to access the change in the relevant environment.
Cloud Layer Traffic Tab
Use the Traffic tab to view a detailed list of servers along with specific throughput metrics. This list can be grouped and filtered using the selection menus at the top of the list. This functions in the same way as the Cloud Insights Table tab.
Last updated