Infrastructure monitoring

Forge provides baseline infrastructure monitoring for every deployed platform stack using CloudWatch dashboards, CloudWatch alarms, and a central SNS alerts topic. This answers a different operational question than application observability: is the platform itself healthy?

This guide is for architecture review, procurement, and technical diligence. It explains how Forge thinks about infrastructure monitoring — not how to deploy alarms or wire on-call routing. The four-concern operational model is in Observability architecture; application telemetry depth is in Application telemetry.

What problem this solves

Application observability tells you how software behaves. It does not, by itself, tell you:

  1. Whether the load balancer is marking targets unhealthy — ECS tasks may still be running while the target group removes them from service.
  2. Whether the database or cache is under pressure.
  3. Whether edge protection is firing — WAF blocks and CloudFront errors need infrastructure-level signals, not JVM metrics.
  4. Whether email reputation is degrading — bounce and complaint rates are infrastructure concerns, not HTTP request counters.

Forge provisions baseline CloudWatch dashboards and alarms so operators inherit sensible monitoring from the first deployment.

Architectural model

Forge deliberately separates infrastructure monitoring from application observability:

  AWS resources (ECS, ALB, RDS, CloudFront, …)
        │
        ▼
  CloudWatch metrics
        ├────────► CloudWatch dashboards   (per-stack operational view)
        │
        └────────► CloudWatch alarms         (threshold breaches)
                      │
                      ▼
               SNS alerts topic
                      │
                      ▼
         operator routing (PagerDuty, email, chat, …)
DimensionInfrastructure monitoring (this guide)Application observability
QuestionIs the infrastructure healthy?How is my software behaving?
Primary backendCloudWatch metricsAMP, X-Ray, CloudWatch Logs, AMG
Typical signalsCPU, memory, 5xx, target health, WAFRequest latency, domain counters
Alert deliverySNSOperator-defined (often AMG + SNS)
Deploys with stageYes — including INTTEST / PROD when observability on

Each monitored stack receives its own dashboard so operators can narrow investigations to the layer that changed — runtime, datastore, edge, identity, or domain — without a single monolithic “everything” board.

Monitoring is defined alongside the stacks that own each resource. Each stack contributes dashboards and alarms for the infrastructure it provisions, so monitoring evolves with the platform rather than living in a separate, hand-maintained configuration.

How the pieces fit together

Three operational layers complement each other during an incident:

  Health checks (readiness)        →  "Should this task receive traffic?"
  Infrastructure monitoring        →  "Is the surrounding infrastructure failing?"
  Application observability        →  "Which requests, traces, or domain operations broke?"

An operator might see a target-health alarm first, confirm readiness failures in ECS, then use traces and structured logs to find the root cause. None of these replaces the others.

Monitoring coverage

Forge aligns CloudWatch alarms with the CDK stacks that own the resources. The table below describes what classes of infrastructure receive dashboards and alarms, not an exhaustive metric catalogue.

DomainResources monitored (high level)Typical alarm themes
RuntimeECS Fargate services, public and internal application load balancersTarget health, 5xx rates, CPU and memory utilisation
DatastoreRDS, DynamoDB, S3, ElastiCache Redis replication groupConnection pressure, storage, throttling, cache health
EdgeCloudFront distribution, static delivery buckets; global WAF Web ACLOrigin errors, cache behaviour, blocked request spikes
IdentityCognito-related Lambda functionsError rates and throttling on identity custom resources
DomainSES configuration-set reputationBounce and complaint rate thresholds

Runtime monitoring covers each deployed Fargate service and its associated load-balancer target group — the same services described in Health checks, but from the infrastructure perspective (target health counts, not dependency probe logic).

Runtime stack CloudWatch dashboard (INT)

Intentionally out of scope

Forge focuses monitoring on Forge-provisioned, operator-actionable resources. The following are deliberately not covered by CloudWatch dashboards and alarms — either because AWS already manages availability, because another concern owns the signal, or because operators typically provide org-wide equivalents:

Omitted areaRationale
ECS control planeAWS-managed service; runtime health is monitored through deployed services rather than ECS regional availability
VPC, NAT, and interface endpointsAWS-managed HA boundary; low signal-to-noise for a product baseline
Observability stack (AMP / AMG)Application observability backend — not infrastructure health
Governance evidence stackDurable proof for investigations — not operational dashboards (Observability architecture)
Shared IAM and security groupsNo standalone infra metrics; changes surface via governance evidence
Generic EC2 and account billingNot part of the Fargate-first runtime model
Route 53 and ACMCertificate renewal and DNS governance are typically handled through organisational operational processes rather than application-level CloudWatch alarms

This is a baseline, not a landing zone. Mature operators extend coverage with AWS Config, GuardDuty, synthetic canaries, composite alarms, and org-wide observability — documented as common operator extensions in Observability architecture.

Infrastructure monitoring deploys with every cloud environment. Managed application observability has different defaults because it introduces additional infrastructure and cost. See Operations for deployment defaults.

Common operator extensions

Forge provisions CloudWatch alarms to SNS; routing and escalation are operator-owned:

ExtensionComplements
On-call integrationSNS → PagerDuty, Opsgenie, Slack, email
Alarm tuningThreshold and evaluation-period adjustments
Composite and anomaly alarmsReduce noise; detect subtle drift
Synthetic canariesEnd-to-end probes beyond load-balancer health
Central ops accountCross-account SNS fan-out for multi-env estates

Governance evidence (CloudTrail, load-balancer access logs) answers attribution and proof questions — not “page me because CPU is high.” Keep alarm routing separate from evidence archives.

Further reading


Did this page help you?