diff --git a/pkg/ccl/sqlproxyccl/admitter/service.go b/pkg/ccl/sqlproxyccl/admitter/service.go
index 8173eb02190e..eb1e32c7038d 100644
--- a/pkg/ccl/sqlproxyccl/admitter/service.go
+++ b/pkg/ccl/sqlproxyccl/admitter/service.go
@@ -16,4 +16,7 @@ type Service interface {
 	// AllowRequest determines whether a request should be allowed to proceed. It
 	// rate limits requests from IP addresses regardless of tenant id.
 	AllowRequest(ipAddress string, now time.Time) error
+
+	// RequestSuccess records the result of a successful request.
+	RequestSuccess(ipAddress string)
 }
diff --git a/pkg/ccl/sqlproxyccl/metrics.go b/pkg/ccl/sqlproxyccl/metrics.go
index 7f7c87c72ea0..e68b6d70c7ec 100644
--- a/pkg/ccl/sqlproxyccl/metrics.go
+++ b/pkg/ccl/sqlproxyccl/metrics.go
@@ -18,6 +18,7 @@ type Metrics struct {
 	ClientDisconnectCount  *metric.Counter
 	CurConnCount           *metric.Gauge
 	RoutingErrCount        *metric.Counter
+	RefusedConnCount       *metric.Counter
 }
 
 // MetricStruct implements the metrics.Struct interface.
@@ -56,6 +57,12 @@ var (
 		Measurement: "Disconnects",
 		Unit:        metric.Unit_COUNT,
 	}
+	metaRefusedConnCount = metric.Metadata{
+		Name:        "proxy.err.refused_conn",
+		Help:        "Number of refused connections initiated by a given IP",
+		Measurement: "Refused",
+		Unit:        metric.Unit_COUNT,
+	}
 )
 
 // MakeProxyMetrics instantiates the metrics holder for proxy monitoring.
@@ -66,5 +73,6 @@ func MakeProxyMetrics() Metrics {
 		ClientDisconnectCount:  metric.NewCounter(metaClientDisconnectCount),
 		CurConnCount:           metric.NewGauge(metaCurConnCount),
 		RoutingErrCount:        metric.NewCounter(metaRoutingErrCount),
+		RefusedConnCount:       metric.NewCounter(metaBackendDisconnectCount),
 	}
 }
diff --git a/pkg/ccl/sqlproxyccl/proxy.go b/pkg/ccl/sqlproxyccl/proxy.go
index ad6fc3f6090e..5d95366ba849 100644
--- a/pkg/ccl/sqlproxyccl/proxy.go
+++ b/pkg/ccl/sqlproxyccl/proxy.go
@@ -59,6 +59,7 @@ func (s *Server) Proxy(conn net.Conn) error {
 		// TODO(spaskob): check for previous successful connection from the same IP
 		// in which case allow connection.
 		if err := s.admitter.AllowRequest(conn.RemoteAddr().String(), timeutil.Now()); err != nil {
+			s.metrics.RefusedConnCount.Inc(1)
 			return newErrorf(CodeProxyRefusedConnection, "too many connection attempts")
 		}
 	}
@@ -137,6 +138,10 @@ func (s *Server) Proxy(conn net.Conn) error {
 		return newErrorf(CodeBackendDown, "sending SSLRequest to target server: %v", err)
 	}
 
+	if s.admitter != nil {
+		s.admitter.RequestSuccess(conn.RemoteAddr().String())
+	}
+
 	response := make([]byte, 1)
 	if _, err = io.ReadFull(crdbConn, response); err != nil {
 		s.metrics.BackendDownCount.Inc(1)