Configure Grafana private data source connect (PDC)
Private data source connect (PDC) enables you to securely connect your Grafana Cloud stack to data sources hosted on a private network.
Private data source connect (PDC) is available in all editions of Grafana Cloud.
Set up a private data source connection
To set up a private data source connection, you will first deploy the Grafana PDC agent, then configure which hosts and ports to allow on your network, and configure your data source with those ports.
Before you begin setting up a connection
Before you begin working with private data source connect (PDC) ensure the following:
You have the tools you need to deploy the PDC agent within your network. You can deploy it directly to a Linux or Windows server, or use a container management system like Docker or Kubernetes.
The OpenSSH version is 9.2 or higher on the server the PDC agent was deployed to.
You need to know the local host name and port of the data source you would like to connect to, for example
loki:8080
.You have the proper set of credentials to access the data, for example, a username and password, or a token. Refer to the documentation for your data source to learn what credentials are needed.
You have an administrator account for your Grafana Cloud organization. To learn more about Grafana Cloud permissions, refer to Grafana Cloud user roles and permissions.
Note
To establish an SSH connection to Grafana Cloud, the PDC agent must run on a network that allows internet egress to the following endpoints:
private-datasource-connect-<cluster>.grafana.net:22
andprivate-datasource-connect-api-<cluster>.grafana.net:443
. The<cluster>
is displayed in the grafana UI (under Connections > Private data source connections > Configuration Details).The API endpoint (port 443) is used for signing the short-lived SSH certificates used for authenticating with the SSH endpoint (port 22).
PDC connection steps
To set up a private data source connection, follow these steps:
In Grafana, go to Connections > Private data source connections and click the Configuration Details tab.
Select your installation method and follow the instructions on the screen, or generate an API key and follow the remaining instructions below. You will need the following environment variables from your instance:
GCLOUD_PDC_SIGNING_TOKEN
set to the API token value generated in your Grafana Cloud instance. This is shown astoken
in the configuration instructions in the Private data source configuration page.GCLOUD_HOSTED_GRAFANA_ID
the ID of your Grafana Cloud instance. This is shown asgcloud-hosted-grafana-id
in the configuration instructions in the Private data source configuration page.GCLOUD_PDC_CLUSTER
the cluster for your Private data source connections. This is shown ascluster
in the configuration instructions in the Private data source configuration page.
Connect to Grafana Cloud using the PDC agent.
There are three installation options:
- running on Kubernetes
- running the PDC Agent Docker image
- running a PDC Agent binary
Option 1 - Using Kubernetes
Create a Kubernetes secret with the API Key, Hosted Grafana ID and PDC Cluster values (${NAMESPACE}
should be set to your desired Kubernetes namespace):
$ kubectl create secret generic grafana-pdc-agent \
--from-literal="token=${GCLOUD_PDC_SIGNING_TOKEN}" \
--from-literal="hosted-grafana-id=${GCLOUD_HOSTED_GRAFANA_ID}" \
--from-literal="cluster=${GCLOUD_PDC_CLUSTER}"
Generate a Kubernetes deployment to deploy the agent. An example deployment is provided in the pdc-agent repository:
kubectl apply -f https://raw.githubusercontent.com/grafana/pdc-agent/main/production/kubernetes/pdc-agent-deployment.yaml
Option 2 - Using the pdc-agent docker image:
docker run --name pdc-agent grafana/pdc-agent:latest -token ${GCLOUD_PDC_SIGNING_TOKEN} -cluster ${GCLOUD_PDC_CLUSTER} -gcloud-hosted-grafana-id ${GCLO UD_HOSTED_GRAFANA_ID}
Option 3 - Use a pdc-agent binary
Download and unzip the binary for your OS from the PDC Agent releases page.
Run the binary:
./pdc -token ${GCLOUD_PDC_SIGNING_TOKEN} -cluster ${GCLOUD_PDC_CLUSTER} -gcloud-hosted-grafana-id ${GCLOUD_HOSTED_GRAFANA_ID}
(Optional) For high availability, you can install additional instances of the agent on your network with the same configuration. These can be deployed to different regions, data centers, or providers as long as they are on the same network.
Note
Updating the agent requires a restart of the PDC agent (or a rolling update of the PDC deployment when running in Kubernetes).
Once the PDC Agent successfully connects to Grafana Cloud, you will see the the following message in your logs:
This is Grafana Private Data Source Connect!
Resource requirements for pdc-agent
When running pdc-agent in a containerized environment, resource requests of 100m
CPU and 512Mi
memory should be sufficient for the majority of use cases.
Configure a data source to use private data source connect (PDC)
After you have set up the PDC connection, you can set up a data source in Grafana to query your data.
Before you begin adding a data source
- Ensure the data source you want to connect to supports PDC. Refer to PDC known limitations for a list of supported data sources.
Steps to add a data source
Follow the Add a data source instructions.
Under the Private data source connection header, choose the connection to the network where your service is hosted.
In the URL field for your data source, use the same URL as if you were on your private network, instead of a public URL.
Save, test, and query your data source as usual.
Check your PDC Agent configuration
If you have trouble connecting to your data source check the list of destinations reachable by the PDC agent, which might be restricted using the PermitRemoteOpen SSH option, set with a --ssh-option
flag. You can see this list in the agent’s configuration. If your agent is running with high verbosity (-vvv
), you will be able to see attempted connections in the agent logs.
Configure PDC to connect a single Grafana stack to multiple networks
Once you have set up your first private data source connection, connect to data sources in additional networks by creating more than one PDC within your Grafana instance.
In Grafana, go to Connections > Private data source connections and click on Add New. Choose a name for your second connection and click the Add button.
Follow the instructions above to set up a private data source connection and deploy the PDC agent to the additional network.
When you configure a data source, select the new connection in the Private data source connect section.