How to securely send your telemetry to Grafana Cloud using AWS PrivateLink
Using Grafana Cloud to manage and monitor even your most sensitive data from your AWS services just got easier. If your organization’s workloads are hosted in AWS and you are using a Grafana Cloud instance that’s also hosted in AWS, you can now use AWS PrivateLink to establish a secure connection between your virtual private cloud (VPC) network and Grafana Cloud for all your data.
AWS PrivateLink provides secure connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Today we are happy to announce that AWS PrivateLink service endpoints are available in all regions where Grafana Cloud is hosted. You can configure an interface endpoint in your Amazon VPC that your local Grafana Agents or forwarding agents will use to route data to Grafana Cloud over AWS’ private infrastructure via AWS PrivateLink.
The following Grafana Cloud services support AWS PrivateLink:
- Metrics (powered by Mimir)
- Logs (powered by Loki)
- Traces (powered by Tempo)
- Profiles (powered by Pyroscope)
- Graphite
With the new integration between AWS PrivateLink and Grafana Cloud, data will no longer be transmitted across the public internet, which increases security for all your data; eliminates egress traffic fees charged by AWS; and reduces the total cost of using Grafana Cloud.
How does AWS PrivateLink in Grafana Cloud work?
Let’s dig in a bit more on the internals of how AWS PrivateLink works with Grafana Cloud.
AWS PrivateLink consists of two main components: a VPC endpoint on the consumer side (your side) and a VPC endpoint service on the provider side (Grafana Cloud).
As the service provider, Grafana Cloud has a load balancer in our VPC as the service frontend. This load balancer is assigned to the VPC endpoint service configuration.
As a service consumer, you create an interface VPC endpoint, which establishes connections between the subnets that you select from your VPC and our provider endpoint service. The service provider load balancer receives requests from the service consumer and routes them to the targets hosting our services.
All this is routed through internal IPs and AWS’ internal network, never hitting the public internet.
Inter-region setup for AWS PrivateLink and Grafana Cloud
An AWS PrivateLink connection is only possible between two VPCs in the same region. If you would like to send telemetry from services running in a different region other than the one where your Grafana Cloud stack is hosted (for example, the infrastructure or service you want to monitor is in us-east-1
and your Grafana Cloud stack is in us-east-2
), you must first set up VPC peering between the two regions.
On-premises setup for AWS PrivateLink and Grafana Cloud
If you manage some services on your own infrastructure, you can route traffic from your on-prem network into AWS using Direct Connect, and then you can use AWS PrivateLink to send the data to Grafana Cloud.
AWS PrivateLink vs. Private Data Source Connect in Grafana Cloud
Today we also announced general availability of Private Data Source Connect (PDC), a feature that allows you to query your network-secured data sources from Grafana Cloud.
PDC and PrivateLink are both features that connect your secure network to Grafana Cloud. But how are they different?
PrivateLink is used to send telemetry — metrics, logs, traces, and profiles — from your Amazon VPC to a Grafana Cloud stack that is also hosted on AWS.
PDC is used to query your own data sources, like SQL or MongoDB databases, Elasticsearch clusters, or self-hosted Splunk instances, from Grafana Cloud in order to visualize and alert on their data.
You can use them together to compose a truly unified observability stack in Grafana Cloud, where you can ensure the reliability of your software and infrastructure, regardless of where the data lives. To learn more about PDC, go to our recent blog post about Private Data Source Connect in Grafana Cloud.
Learn more about AWS PrivateLink in Grafana Cloud
The AWS PrivateLink integration is now generally available to all Grafana Cloud users, including those in our forever-free tier. To get started with using AWS PrivateLink to securely send metrics, logs, traces, and profiles to Grafana Cloud within the AWS private infrastructure, go to our AWS PrivateLink documentation. We also have a detailed guide for how to configure AWS PrivateLink in Grafana Cloud.
And to hear firsthand about more of the latest and greatest features coming to Grafana Cloud, join us for ObservabilityCON 2023 on November 14-15 in London!
Grafana Cloud is the easiest way to get started with metrics, logs, traces, and dashboards. We recently added new features to our generous forever-free tier, including access to all Enterprise plugins for three users. Plus there are plans for every use case. Sign up for free now!