AWS X-Ray


Last updated on June 23, 2023

AWS X-Ray Cheat Sheet

  • AWS X-Ray analyzes and debugs distributed production applications, such as those built using a microservices architecture. With X-Ray, you can identify performance bottlenecks, edge-case errors, and other hard-to-detect issues.

Concepts

    • A segment provides the name of the compute resources running your application logic, details about the request sent by your application, and details about the work done.
    • A segment can break down the data about the work done into subsegments. A subsegment can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database.
      • For services that don’t send their own segments, like Amazon DynamoDB, X-Ray uses subsegments to generate inferred segments and downstream nodes on the service map. This lets you see all of your downstream dependencies, even if they don’t support tracing, or are external.
      • Subsegments represent your application’s view of a downstream call as a client. If the downstream service is also instrumented (like an AWS SDK client), the segment that it sends replaces the inferred segment generated from the upstream client’s subsegment.
    • X-Ray uses the data that your application sends to generate a service graph. Each AWS resource that sends data to X-Ray appears as a service in the graph.
    • A service graph is a JSON document that contains information about the services and resources that make up your application. The X-Ray console uses the service graph to generate a visualization or service map. Service graph data is retained for 30 days.
    • Edges connect the services that work together to serve requests. Edges connect clients to your application, and your application to the downstream services and resources that it uses.
    • A trace ID tracks the path of a request through your application. A trace collects all the segments generated by a single request.
      • That request is typically an HTTP GET or POST request that travels through a load balancer, hits your application code, and generates downstream calls to other AWS services or external web APIs.
    • To ensure efficient tracing and provide a representative sample of the requests that your application serves, the X-Ray SDK applies a sampling algorithm to determine which requests get traced.
      • By default, the X-Ray SDK records the first request each second, and five percent of any additional requests.
    • For advanced tracing, you can drill down to traces for individual requests, or use filter expressions to find traces related to specific paths or users.
    • Groups are a collection of traces that are defined by a filter expression. Groups are identified by their name or an Amazon Resource Name, and contain a filter expression.
    • Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces.
      • A segment can contain multiple annotations.
      • System-defined annotations include data added to the segment by AWS services, whereas user-defined annotations are metadata added to a segment by a developer.
    • Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed. Use metadata to record data you want to store in the trace but don’t need to use for searching traces.
    • When an exception, error or fault occurs while your application is serving an instrumented request, the X-Ray SDK records details about the error, including the stack trace, if available.
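
The default sampling rule described above (first request each second, plus five percent of the rest), as an added example that is not X-Ray SDK code. `DefaultSampler` and `simulate` are hypothetical names, and the workload is constructed.

```python
# Added example: reservoir-plus-rate sampling as described in the Concepts list.
# DefaultSampler and simulate are hypothetical names, not the X-Ray SDK API.
import random


class DefaultSampler:
    def __init__(self, reservoir=1, rate=0.05, rng=random.random):
        self.reservoir = reservoir   # requests always traced per second
        self.rate = rate             # fraction of the remaining requests
        self.rng = rng               # injectable so decisions are testable
        self._second = None          # epoch second the counter belongs to
        self._used = 0

    def should_trace(self, now):
        """Return True if a request arriving at epoch time `now` is traced."""
        second = int(now)
        if second != self._second:   # new second: refill the reservoir
            self._second = second
            self._used = 0
        if self._used < self.reservoir:
            self._used += 1
            return True              # the first request each second
        return self.rng() < self.rate  # five percent of additional requests


def simulate(seconds, per_second, rng=random.random):
    """Constructed workload: count traced requests at a steady request rate."""
    sampler = DefaultSampler(rng=rng)
    traced = 0
    for s in range(seconds):
        for i in range(per_second):
            if sampler.should_trace(s + i / per_second):
                traced += 1
    return traced


if __name__ == "__main__":
    for rps in (1, 10, 100, 1000):
        traced = simulate(60, rps, random.Random(7).random)
        print(f"{rps:>5} req/s -> {traced}/{60 * rps} traced "
              f"({100 * traced / (60 * rps):.1f}%)")
```

At one request per second every request is traced; as traffic grows the traced share falls toward five percent, so traces are a sample of requests rather than a complete record of them.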

Features

    • AWS X-Ray can be used with applications running on Amazon EC2, Amazon ECS, AWS Lambda, and AWS Elastic Beanstalk. You just integrate the X-Ray SDK with your application and install the X-Ray agent.
    • AWS X-Ray provides an end-to-end, cross-service, application-centric view of requests flowing through your application by aggregating the data gathered from individual services in your application into a single unit called a trace.
    • The X-Ray SDK captures metadata for requests made to MySQL and PostgreSQL databases (self-hosted, Amazon RDS, Amazon Aurora), and Amazon DynamoDB. It also captures metadata for requests made to Amazon SQS and Amazon SNS.
    • You can set the trace sampling rate that is best suited for your production applications or applications in development. X-Ray continually traces requests made to your application and stores a sampling of the requests for your analysis.
    • AWS X-Ray creates a map of services used by your application with trace data. This provides a view of connections between services in your application and aggregated data for each service, including average latency and failure rates. You can create dependency trees, perform cross-availability zone or region call detections, and more.
    • AWS X-Ray lets you add annotations to data emitted from specific components or services in your application.

How X-Ray Works

    • AWS X-Ray receives data from services as segments. X-Ray then groups segments that have a common request into traces. X-Ray processes the traces to generate a service graph that provides a visual representation of your application.

AWS X-Ray Diagram

  • X-Ray SDK
    • The X-Ray SDK provides:
      • Interceptors to add to your code to trace incoming HTTP requests
      • Client handlers to instrument AWS SDK clients that your application uses to call other AWS services
      • An HTTP client to use to instrument calls to other internal and external HTTP web services
    • AWS X-Ray supports tracing for applications that are written in Node.js, Java, and .NET.
    • Instead of sending trace data directly to X-Ray, the SDK sends JSON segment documents to an X-Ray daemon process listening for UDP traffic.
    • The X-Ray daemon buffers segments in a queue and uploads them to X-Ray in batches.
  • AWS Service Integration and Service Graph
    • You can easily integrate AWS services with AWS X-Ray. Service integration can include adding tracing headers to incoming requests, sending trace data to X-Ray, or running the X-Ray daemon.
    • X-Ray uses trace data from the AWS resources that power your cloud applications to generate a detailed service graph.
    • You can use the service graph to identify bottlenecks, latency spikes, and other issues to solve to improve the performance of your applications.
    • There are four types of X-Ray integration:
      • Active instrumentation – Samples and instruments incoming requests.
      • Passive instrumentation – Instruments requests that have been sampled by another service.
      • Request tracing – Adds a tracing header to all incoming requests and propagates it downstream.
      • Tooling – Runs the X-Ray daemon to receive segments from the X-Ray SDK.
    • The following services provide X-Ray integration:
      • AWS Lambda – Active and passive instrumentation of incoming requests on all runtimes. AWS Lambda adds two nodes to your service map, one for the AWS Lambda service, and one for the function.
      • Amazon API Gateway – Active and passive instrumentation. API Gateway uses sampling rules to determine which requests to record, and adds a node for the gateway stage to your service map.
      • Elastic Load Balancing – Request tracing on application load balancers. The application load balancer adds the trace ID to the request header before sending it to a target group.
      • AWS Elastic Beanstalk – Tooling.

AWS X-Ray Pricing

    • You pay based on the number of traces recorded, retrieved, and scanned. A trace represents a request to your application and may include multiple data points, such as for calls to other services and database access.
    • The maximum size of a trace is 500 KB.
    • Trace data is retained for 30 days from the time it is recorded at no additional cost.

 


 

Validate Your Knowledge

Question 1

A newly hired developer has been instructed to debug an application. She tried to access the X-Ray console to view service maps and segments but her current access is insufficient. Which of the following is the MOST appropriate managed policy that should be granted to the developer?

  1. AWSXrayReadOnlyAccess
  2. AWSXRayDaemonWriteAccess
  3. AWSXrayFullAccess
  4. AmazonS3ReadOnlyAccess

Correct Answer: 1

You can use AWS Identity and Access Management (IAM) to grant X-Ray permissions to users and compute resources in your account. IAM controls access to the X-Ray service at the API level to enforce permissions uniformly, regardless of which client (console, AWS SDK, AWS CLI) your users employ. To use the X-Ray console to view service maps and segments, you only need read permissions. To enable console access, add the AWSXrayReadOnlyAccess managed policy to your IAM user.

For local development and testing, create an IAM user with read and write permissions. Generate access keys for the user and store them in the standard AWS SDK location. You can use these credentials with the X-Ray daemon, the AWS CLI, and the AWS SDK.

To deploy your instrumented app to AWS, create an IAM role with write permissions and assign it to the resources running your application. AWSXRayDaemonWriteAccess includes permission to upload traces and some read permissions as well to support the use of sampling rules.

The read and write policies do not include permission to configure encryption key settings and sampling rules. Use AWSXrayFullAccess to access these settings or add configuration APIs in a custom policy. For encryption and decryption with a customer managed key that you create, you also need permission to use the key.

Hence, the AWSXrayReadOnlyAccess managed policy is the most appropriate one to grant to the developer in order for her to access the X-Ray console. This also abides by the standard security advice of granting least privilege, or granting only the permissions required to perform a task.

AWSXRayDaemonWriteAccess is incorrect because this policy is more suitable if you want to grant permission to upload traces to X-Ray.

AWSXrayFullAccess is incorrect. Although this can provide the required access to the developer, it does not abide by the standard security advice of granting least privilege. Hence, this is not the most appropriate policy to use.

AmazonS3ReadOnlyAccess is incorrect because this policy just provides the instance permission to download the X-Ray daemon from Amazon S3.
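
The read, write and configuration tiers from this explanation can be checked mechanically. The following is an added example, not AWS or Tutorials Dojo code: it reports which tiers a policy document allows so that a console-only grant can be verified as read-only. The action lists are an abbreviated subset chosen for illustration, the function names are hypothetical, and Deny statements and conditions are not evaluated.

```python
# Added example: report which X-Ray access tiers an IAM policy allows.
# Action lists are an illustrative subset, not full managed-policy contents.
from fnmatch import fnmatchcase

TIERS = {
    "read": ["xray:GetServiceGraph", "xray:GetTraceSummaries",
             "xray:BatchGetTraces", "xray:GetSamplingRules"],
    "write": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"],
    "config": ["xray:PutEncryptionConfig", "xray:CreateSamplingRule",
               "xray:UpdateSamplingRule", "xray:DeleteSamplingRule"],
}


def _patterns(value):
    """IAM allows a string or a list; action names are case-insensitive."""
    values = [value] if isinstance(value, str) else (value or [])
    return [v.lower() for v in values]


def granted_tiers(policy):
    """Tiers reachable via Allow statements (Deny and Condition are ignored)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement object is legal
        statements = [statements]
    tiers = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        allow = _patterns(stmt.get("Action"))
        exclude = _patterns(stmt.get("NotAction"))
        for tier, actions in TIERS.items():
            for action in (a.lower() for a in actions):
                if "NotAction" in stmt:    # Allow + NotAction: all but listed
                    hit = not any(fnmatchcase(action, p) for p in exclude)
                else:
                    hit = any(fnmatchcase(action, p) for p in allow)
                if hit:
                    tiers.add(tier)
    return tiers


def exceeds_read_only(policy):
    """True if the policy allows more than viewing traces and service maps."""
    return bool(granted_tiers(policy) - {"read"})


# Constructed policy resembling a console-only grant.
VIEWER = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["xray:Get*", "xray:BatchGet*"], "Resource": "*"}}
```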

References:
https://docs.aws.amazon.com/xray/latest/devguide/xray-permissions.html
https://docs.aws.amazon.com/xray/latest/devguide/security.html

Note: This question was extracted from our AWS Certified Developer Associate Practice Exams.

Question 2

In the next financial year, a company has decided to develop a completely new version of its legacy application that will utilize Node.js and GraphQL. The new architecture aims to offer an end-to-end view of requests as they traverse the application and display a map of the underlying components.

To achieve this, the application will be hosted in an Auto Scaling group (ASG) of Linux EC2 instances behind an Application Load Balancer (ALB) and must be instrumented to send trace data to AWS X-Ray.

Which of the following options is the MOST suitable way to satisfy this requirement?

  1. Enable AWS X-Ray tracing on the ASG’s launch template.
  2. Enable AWS Web Application Firewall (WAF) on the ALB to monitor web requests.
  3. Refactor your application to send segment documents directly to X-Ray by using the PutTraceSegments API.
  4. Use a user data script to install the X-Ray daemon.

Correct Answer: 4

The AWS X-Ray SDK does not send trace data directly to AWS X-Ray. To avoid calling the service every time your application serves a request, the SDK sends the trace data to a daemon, which collects segments for multiple requests and uploads them in batches. Use a script to run the daemon alongside your application.

To properly instrument your application hosted in an EC2 instance, you have to install the X-Ray daemon by using a user data script. This will install and run the daemon automatically when you launch the instance. To use the daemon on Amazon EC2, create a new instance profile role or add the managed policy to an existing one. This will grant the daemon permission to upload trace data to X-Ray.

The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. The daemon works in conjunction with the AWS X-Ray SDKs and must be running so that data sent by the SDKs can reach the X-Ray service.
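
The SDK-to-daemon hand-off described above, as an added example that is not AWS SDK or Tutorials Dojo code. It builds a segment document with annotations and metadata and frames it as the UDP datagram the daemon accepts (a JSON header line, a newline, then the segment). The function names and sample values are constructed, and the daemon is assumed to listen on 127.0.0.1:2000.

```python
# Added example: build a segment document and frame it for the X-Ray daemon.
# Function names and the default address are assumptions for illustration.
import json
import os
import socket
import time

DAEMON_ADDR = ("127.0.0.1", 2000)            # daemon's UDP listener
HEADER = '{"format": "json", "version": 1}'  # precedes each segment document


def new_trace_id(now=None):
    """Version 1 trace ID: 1-<8 hex epoch seconds>-<24 hex random digits>."""
    epoch = int(time.time() if now is None else now)
    return f"1-{epoch:08x}-{os.urandom(12).hex()}"


def build_segment(name, trace_id, start, end, annotations=None, metadata=None):
    """Return a segment document as a dict, rejecting non-scalar annotations."""
    for key, value in (annotations or {}).items():
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"annotation {key!r} must be a string, number or bool")
    segment = {
        "name": name,
        "id": os.urandom(8).hex(),            # 16 hex digit segment ID
        "trace_id": trace_id,
        "start_time": start,
        "end_time": end,
    }
    if annotations:
        segment["annotations"] = annotations  # indexed for filter expressions
    if metadata:
        segment["metadata"] = metadata        # stored but not indexed
    return segment


def frame(segment):
    """Datagram payload: header line, newline, then the JSON segment."""
    return (HEADER + "\n" + json.dumps(segment)).encode("utf-8")


def send_to_daemon(segment, addr=DAEMON_ADDR):
    """Fire-and-forget UDP send; the caller gets no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame(segment), addr)
```

Because the transport is UDP, a stopped or unreachable daemon does not raise an error in the application; segments are simply lost, which is why the daemon must be running before the instrumented application starts serving traffic.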

Hence, the correct answer is: Use a user data script to install the X-Ray daemon.

The option that says: Enable AWS X-Ray tracing on the ASG’s launch template is incorrect. There’s no option to enable X-Ray tracing in a launch template of an ASG.

The option that says: Enable AWS Web Application Firewall (WAF) on the ALB to monitor web requests is incorrect. Although it can help monitor and protect the application from common web exploits, it’s not capable of instrumenting the application.

The option that says: Refactor your application to send segment documents directly to X-Ray by using the PutTraceSegments API is incorrect. Although this solution will work, it entails a lot of manual effort to perform. You don’t need to do this because you can just install the X-Ray daemon on the instance to automate this process.

References:
https://docs.aws.amazon.com/xray/latest/devguide/xray-daemon-ec2.html
https://docs.aws.amazon.com/xray/latest/devguide/xray-daemon.html#xray-daemon-permissions

Note: This question was extracted from our AWS Certified Developer Associate Practice Exams.


AWS X-Ray Cheat Sheet References:

https://aws.amazon.com/xray/features/
https://aws.amazon.com/xray/pricing/
https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html
https://aws.amazon.com/xray/faqs/


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and has also been an active AWS Community Builder since 2020.
