Configure AWS PrivateLink

You can send telemetry data from your AWS Virtual Private Cloud (VPC) to Grafana Cloud via AWS PrivateLink.

Sending your data via AWS PrivateLink can:

  • Reduce your AWS egress costs
  • Improve security by keeping your data within the Amazon network

To use this feature, configure an interface endpoint in your AWS VPC. Your local agents can use this to route data to Grafana Cloud via AWS PrivateLink.

Prerequisites

In order to use AWS PrivateLink, you will need:

  • A Grafana Cloud stack hosted on AWS. Check where your stack is hosted by navigating to it in the My Account section of grafana.com and clicking on Details for a given service, like Prometheus or Loki. If the region matches one of the AWS regions where Grafana Cloud is hosted, then your stack is hosted on AWS.

    If your stack is not hosted on AWS, you can create a new stack, forward telemetry to it, and query it from your existing stack.

  • An AWS VPC, where you will create an interface endpoint to forward your telemetry data.

Other regions

An AWS PrivateLink connection is only possible between two VPCs in the same region.

If you would like to send metrics, logs, or traces from services running in a different region than the one where your Grafana Cloud stack is hosted (for example, the infrastructure or service you want to monitor is in us-east-1 and your Grafana Cloud stack is in us-east-2), you must first set up VPC peering between the two regions.

To do so, follow these instructions from AWS: Create a VPC peering connection.

DNS resolution:

  • When setting up the VPC peering connection, enable DNS resolution on both sides of the peering.
  • The private DNS name of the VPC endpoint can be resolved from the region where the endpoint is located, us-east-2 in this example.
  • To resolve it from the peered VPC in us-east-1, additional steps are required:
    • Create a private hosted zone in Route 53 named <region>.vpce.grafana.net, where <region> is the region of the Grafana endpoint service (us-east-2.vpce.grafana.net in this example), and associate it with the peered VPC in us-east-1.
    • In that zone, create a Route 53 alias record with the same name as the private DNS name of the VPC endpoint. The alias record should target the VPC endpoint in the region where the endpoint is hosted, us-east-2 in this example.

For more information, refer to Centralize access using VPC interface endpoints to access AWS services across multiple VPCs.

On-premises infrastructure

If you manage some services on your own infrastructure, you can route traffic from your on-prem network into AWS using Direct Connect, and then you can use AWS PrivateLink to send the data to Grafana Cloud.

Note that VPC Peering and Direct Connect incur some AWS fees. Check Pricing for a VPC peering connection and AWS Direct Connect Pricing for further details.

Set up a VPC Endpoint

You can create a VPC endpoint in the AWS console, or provision one using Terraform.

Using the AWS Console

  1. Open your AWS Console and navigate to VPC -> Endpoints.

    Select Virtual Private Clouds > Endpoints

  2. Choose Create Endpoint.

    Choose “Create Endpoint”

  3. Give the endpoint a name, for example, grafana-mimir.

  4. Choose PrivateLink Ready partner services.

  5. In the Service Name field, enter the service name from your Grafana Cloud stack.

    Navigate to your Grafana Cloud stack at grafana.com, select your stack, and click Details for the service you would like to use; for example Prometheus, Loki, Tempo, or Graphite. Under the header “Send (Metrics, Logs, or Traces) using AWS PrivateLink,” copy the Service Name and paste it into the Service Name field in the AWS console. Service Name follows the pattern com.amazonaws.vpce.<region>.vpce-svc-<random id>.

  6. Click Verify Service. A green message should be displayed: Service name verified.

    “Service Name Verified” message

  7. Select your VPC.

  8. Expand the Additional settings section and select Enable DNS name.

    Check “Enable DNS name”

  9. Select your desired Subnets and Security Groups.

    Select subnets and security groups

  10. Choose Create Endpoint.

  11. The new endpoint is created with status Pending. Wait until the status is Available; this can take up to 10 minutes.

    An endpoint with Status: “Available”

  12. Send telemetry to Grafana Cloud using the given private DNS name, in place of the normal remote_write endpoint or forwarding URL configured for Grafana Agent, Prometheus, Promtail, or other tools you use to connect your data to Grafana Cloud.

    To retrieve the Private DNS Name, navigate to your Grafana Cloud stack at grafana.com, select your stack, and click Details for the service you would like to use; for example Prometheus, Loki, Tempo, or Graphite. Under the header Send (Metrics, Logs, Traces, or Profiles) using AWS PrivateLink, you will find the service’s Private DNS Name. Private DNS name follows the pattern <cell name>.<region>.vpce.grafana.net.

  13. Repeat this VPC Endpoint creation process for each type of telemetry you would like to send to Grafana Cloud. For example, create one VPC Endpoint each for Cloud Metrics, Logs, Traces, and Profiles.

Using Terraform

Use the following snippet to automate VPC Endpoint setup in AWS using Terraform:

```hcl
locals {
  vpc_id             = "<your-vpc-id>"
  subnet_ids         = [<your subnet ids>]          # subnets that receive an endpoint network interface
  security_groups_id = [<your security group ids>]  # attached to the endpoint interfaces; restrict inbound to TCP 443 from your agents

  endpoint_name        = "grafana-mimir"
  grafana_service_name = "<Endpoint Service Name provided by Grafana>" # com.amazonaws.vpce.<region>.vpce-svc-<random id>
}

# Interface endpoint to the Grafana Cloud endpoint service
resource "aws_vpc_endpoint" "grafana_service" {
  vpc_id            = local.vpc_id
  service_name      = local.grafana_service_name
  vpc_endpoint_type = "Interface"

  security_group_ids = local.security_groups_id
  subnet_ids         = local.subnet_ids

  # Equivalent of "Enable DNS name" in the console: makes the
  # <cell name>.<region>.vpce.grafana.net name resolve inside this VPC
  private_dns_enabled = true

  tags = {
    Name = local.endpoint_name
  }
}
```
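The Route 53 steps from the Other regions section, written as Terraform to accompany the endpoint snippet above. This is an added example, not Grafana's own code; it assumes the aws_vpc_endpoint.grafana_service resource from the snippet above is in the same module with the provider configured for us-east-2, and the peered VPC ID, region names, and <cell name> are placeholders you must replace.

```hcl
# Added example (not Grafana's code): Route 53 records so a peered VPC in
# us-east-1 can resolve the Grafana private DNS name of an endpoint in us-east-2.
# Assumes aws_vpc_endpoint.grafana_service (from the snippet above) exists here.
locals {
  endpoint_region  = "us-east-2"        # region of the VPC endpoint and Grafana stack
  peered_vpc_id    = "<peered-vpc-id>"  # VPC in us-east-1 that hosts your agents (placeholder)
  peered_region    = "us-east-1"
  cell_name        = "<cell name>"      # from the Private DNS Name shown in grafana.com (placeholder)
  grafana_zone     = "${local.endpoint_region}.vpce.grafana.net"
  private_dns_name = "${local.cell_name}.${local.grafana_zone}"
}

# Private hosted zone named after the Grafana endpoint-service domain, associated
# only with the peered VPC; the endpoint's own VPC already resolves the name
# through private_dns_enabled / "Enable DNS name".
resource "aws_route53_zone" "grafana_vpce" {
  name    = local.grafana_zone
  comment = "Cross-region resolution of Grafana Cloud PrivateLink names"

  vpc {
    vpc_id     = local.peered_vpc_id
    vpc_region = local.peered_region
  }
}

# Alias record with the same name as the Grafana private DNS name, targeting
# the interface endpoint's regional DNS entry in us-east-2, so agents in the
# peered VPC reach Grafana Cloud over the peering link rather than the internet.
resource "aws_route53_record" "grafana_private_dns" {
  zone_id = aws_route53_zone.grafana_vpce.zone_id
  name    = local.private_dns_name
  type    = "A"

  alias {
    name                   = aws_vpc_endpoint.grafana_service.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.grafana_service.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}
```

After applying, resolve the private DNS name from an instance in the peered VPC and confirm the answer is a private address belonging to the endpoint's network interfaces; a public address means traffic is still leaving the Amazon network.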