Version: v4.7

Metrics Configuration


You can look at all the metrics definitions and what they mean on our metrics reference page.

To configure metrics exposure, you can use the MetricsPort and MetricsInboundCIDR fields. MetricsPort determines which port will be used to aggregate the sidecar metrics, and MetricsInboundCIDR sets security group rules to allow CIDR ranges to make requests to the configured MetricsPort.


By default, the MetricsInboundCIDR is empty, which means nothing can access the metrics port. We recommend setting the CIDR to your metrics scraper's possible IPs.

Prometheus service discovery

Service discovery for EC2 instances is documented under the ec2_sd_config section of the Prometheus configuration docs.

Each EC2 instance is given a MetricsPort tag whose value is the metrics port, taken from the template parameter with the same name. This makes it possible to write configurations similar to the following:

- ec2_sd_configs:
    - region: us-east-1
  job_name: AWS_SCRAPE
  relabel_configs:
    # public IP is used so that Prometheus does not have to be in the same VPC
    # as the sidecar. On a production environment, you would use the
    # `__meta_ec2_private_ip` label instead
    - source_labels: [__meta_ec2_public_ip, __meta_ec2_tag_MetricsPort]
      separator: ':'
      target_label: __address__

This configuration discovers all instances in the us-east-1 region and, for each one, creates a target from its public IP and the value of the MetricsPort tag, separated by a colon.
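A production-oriented variant of the configuration above, as an added example that is not part of the original Cyral documentation. It scrapes over the private IP and limits discovery to instances that actually carry a MetricsPort tag, so untagged instances in the region never become malformed `ip:` targets. The job name is hypothetical, and the example assumes Prometheus can route to the sidecar's private address and that MetricsInboundCIDR admits the scraper's private IP.

```yaml
scrape_configs:
  - job_name: cyral_sidecar_private        # hypothetical job name
    ec2_sd_configs:
      - region: us-east-1
        filters:
          # Ask EC2 only for instances that have a MetricsPort tag, instead of
          # every instance in the region.
          - name: tag-key
            values: [MetricsPort]
    relabel_configs:
      # Defense in depth: keep a target only if the tag value is a port number.
      # Prometheus anchors the regex, so empty or non-numeric values are dropped.
      - source_labels: [__meta_ec2_tag_MetricsPort]
        regex: '[0-9]+'
        action: keep
      # Build the scrape address from the private IP and the tagged port, so
      # the metrics port does not need to be reachable from the internet.
      - source_labels: [__meta_ec2_private_ip, __meta_ec2_tag_MetricsPort]
        separator: ':'
        target_label: __address__
      # Keep the instance ID as a label so a scraped series can be traced back
      # to the sidecar host it came from.
      - source_labels: [__meta_ec2_instance_id]
        target_label: instance_id
```

With this layout, MetricsInboundCIDR can be restricted to the private range of the Prometheus host rather than a public address range.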

Datadog service discovery

The Datadog agent is injected alongside the Cyral sidecar, and its configuration is generated automatically via the Datadog integration configuration on Cyral's control plane.