Connect the PDC agent via AWS PrivateLink

Note

Connecting PDC Agents via AWS PrivateLink is currently in public preview. Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available.

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet.

With AWS PrivateLink for Private data source connect, you can connect your PDC agents running in your AWS Virtual Private Cloud (VPC) to Grafana Cloud while staying on the Amazon network.

By connecting your PDC agents via AWS PrivateLink, you avoid traversing the public internet. This has security benefits and helps lower your network egress costs.

Before you begin

To use AWS PrivateLink, you need the following:

  • A Grafana Cloud stack hosted on AWS. Check where your stack is hosted by navigating to it in the My Account section of Grafana.com and clicking on Details for your Grafana service. If the region matches one of the AWS regions where Grafana Cloud is hosted, your stack is hosted on AWS.

    Note

    If your stack is not hosted on AWS, you must create a new stack hosted on AWS.

  • An AWS VPC in which to create the interface endpoints for your PDC agent.

Other regions

An AWS PrivateLink connection is only possible between two VPCs in the same region.

If you would like to connect a PDC agent running in a different region than the one where your Grafana Cloud stack is hosted, you must first set up VPC peering between the two regions.

For additional notes on DNS resolution when connecting via peered VPCs, refer to Configure AWS PrivateLink.

Set up VPC Endpoints

You can create a VPC endpoint in the AWS console, or provision one using Terraform.

PDC requires the creation of two VPC endpoints: one for the API and another for the SSH gateway.

Using the AWS Console

  1. Open your AWS Console and navigate to VPC -> PrivateLink and Lattice -> Endpoints.
  2. Select Create Endpoint.
  3. Give the endpoint a name. Example: grafana-pdc-api.
  4. Choose PrivateLink Ready partner services.
  5. In the Service Name field, enter the service name from your Grafana Cloud stack.

Navigate to your Grafana Cloud stack at Grafana.com, select your stack, and click Details for the Grafana service. Under the header “Connect PDC Agents using AWS PrivateLink,” copy the API Service Name and paste it into the Service Name field in the AWS console. The Service Name follows the pattern com.amazonaws.vpce.<region>.vpce-svc-<random id>.

  6. Click on Verify Service. A green message is displayed: Service name verified.

  7. Select your VPC.

  8. Expand the Additional settings section and select Enable DNS name.

  9. Select your desired Subnets and Security Groups.

  10. Choose Create Endpoint.

  11. The new endpoint is created with a status of Pending. Wait until the status changes to Available, which may take up to 10 minutes.

  12. Repeat the previous steps for the PDC SSH Gateway. For example, you can name the endpoint grafana-pdc-ssh. When selecting the service name in Grafana.com, be sure to use the SSH Service Name.

  13. Configure your PDC agent to use the DNS names for the VPC Endpoints. The DNS names for the PDC API and SSH gateway are provided alongside the Service Name values in Grafana.com. Use these values for the -api-fqdn and -gateway-fqdn flags respectively. You can remove the -cluster flag. Following is an example configuration:

```bash
./pdc \
  -api-fqdn private-datasource-connect-api.<region>.vpce.grafana.net \
  -gateway-fqdn private-datasource-connect.<region>.vpce.grafana.net \
  -token <token> \
  -gcloud-hosted-grafana-id <id>
```
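Before starting the agent, it is worth confirming from the host that will run it that both PrivateLink DNS names actually resolve to addresses inside your VPC. If private DNS is not enabled on the endpoint, or the host sits in a peered VPC without the DNS arrangements described under Other regions, the names either fail to resolve or resolve to public addresses, and in the latter case the agent's traffic would leave the Amazon network despite the endpoints existing. The following check is an added example written for this page; it is not part of the PDC agent or Grafana's tooling. The two FQDNs are the placeholder patterns shown in the configuration above, and the `<region>` part is an assumption you replace with the values from your stack details.

```python
import ipaddress
import socket

# Placeholder FQDNs in the pattern shown on this page (constructed, not real hosts);
# replace <region> with the DNS names listed in your stack's PrivateLink section.
PDC_ENDPOINT_FQDNS = [
    "private-datasource-connect-api.<region>.vpce.grafana.net",
    "private-datasource-connect.<region>.vpce.grafana.net",
]


def resolve_all(fqdn):
    """Return every address the local resolver gives for fqdn (empty set on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify_resolution(fqdn, resolve=resolve_all):
    """Classify how a PrivateLink DNS name resolves from this host.

    Returns one of:
      "private"    all addresses are RFC 1918 / ULA, i.e. the interface endpoint ENIs
      "public"     at least one address is globally routable: traffic would leave the VPC
      "unresolved" the name does not resolve (private DNS disabled, or a peered VPC
                   that cannot see the endpoint's private hosted zone)
      "unexpected" loopback, link-local or multicast answers, which no VPC endpoint gives
    The resolve parameter exists so the logic can be exercised with constructed answers.
    """
    addrs = resolve(fqdn)
    if not addrs:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addrs]
    if any(ip.is_loopback or ip.is_link_local or ip.is_multicast for ip in ips):
        return "unexpected"
    if all(ip.is_private for ip in ips):
        return "private"
    return "public"


def check_endpoints(fqdns, resolve=resolve_all):
    """Map each endpoint FQDN to its classification."""
    return {fqdn: classify_resolution(fqdn, resolve) for fqdn in fqdns}


def all_private(results):
    """True only when every endpoint resolves privately; start the agent only then."""
    return bool(results) and all(status == "private" for status in results.values())


if __name__ == "__main__":
    results = check_endpoints(PDC_ENDPOINT_FQDNS)
    for fqdn, status in results.items():
        print(f"{status:10s} {fqdn}")
    # Non-zero exit lets a deployment pipeline refuse to launch the agent over the internet.
    raise SystemExit(0 if all_private(results) else 1)
```

Run it on the agent host after the endpoints show Available; a "public" result for either name means the agent would fall back to the internet-facing service even though the -api-fqdn and -gateway-fqdn flags point at the vpce names, and an "unresolved" result points at the Enable DNS name setting or at DNS forwarding across the peering connection.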

Using Terraform

Use the following snippet to automate VPC Endpoint setup for both PDC Endpoints in AWS using Terraform:

```hcl
locals {
  vpc_id             = "<your-vpc-id>"
  subnet_ids         = [<your subnet ids>]
  security_groups_id = [<your security group ids>]

  api_endpoint_name        = "grafana-pdc-api"
  api_grafana_service_name = "<API Endpoint Service Name provided by Grafana>"

  ssh_endpoint_name        = "grafana-pdc-ssh"
  ssh_grafana_service_name = "<SSH Endpoint Service Name provided by Grafana>"
}

resource "aws_vpc_endpoint" "grafana_service_pdc_api" {
  vpc_id            = local.vpc_id
  service_name      = local.api_grafana_service_name
  vpc_endpoint_type = "Interface"

  security_group_ids = local.security_groups_id

  subnet_ids          = local.subnet_ids
  private_dns_enabled = true

  tags = {
    Name = local.api_endpoint_name
  }
}

resource "aws_vpc_endpoint" "grafana_service_pdc_ssh" {
  vpc_id            = local.vpc_id
  service_name      = local.ssh_grafana_service_name
  vpc_endpoint_type = "Interface"

  security_group_ids = local.security_groups_id

  subnet_ids          = local.subnet_ids
  private_dns_enabled = true

  tags = {
    Name = local.ssh_endpoint_name
  }
}
```