Configure AWS PrivateLink
You can send telemetry data from your AWS Virtual Private Cloud (VPC) to Grafana Cloud via AWS PrivateLink.
Sending your data via AWS PrivateLink can:
- Reduce your AWS egress costs
- Improve security by keeping your data within the Amazon network
To use this feature, configure an interface endpoint in your AWS VPC. Your local agents can use this to route data to Grafana Cloud via AWS PrivateLink.
Prerequisites
In order to use AWS PrivateLink, you will need:
A Grafana Cloud stack hosted on AWS. Check where your stack is hosted by navigating to it in the My Account section of grafana.com and clicking on Details for a given service, like Prometheus or Loki. If the region matches one of the AWS regions where Grafana Cloud is hosted, then your stack is hosted on AWS.
If your stack is not hosted on AWS, you can create a new stack, forward telemetry to it, and query it from your existing stack.
An AWS VPC, where you will create an interface endpoint to forward your telemetry data.
Other regions
An AWS PrivateLink connection is only possible between two VPCs in the same region.
If you would like to send metrics, logs, or traces from services running in a different region than the one where your Grafana Cloud stack is hosted (for example, the infrastructure or service you want to monitor is in us-east-1
and your Grafana Cloud stack is in us-east-2
), you must first set up VPC peering between the two regions.
To do so, follow these instructions from AWS: Create a VPC peering connection.
DNS resolution:
- When setting the VPC Peering connection, enable DNS resolution in both sides of the peering
- It is possible to resolve the private DNS name of the VPC Endpoint from the region where the endpoint is located,
us-east-2
in this example - To be able to resolve in the peered VPC in
us-east-1
, additional steps are required:- Create a Private Hosted Zone in Route53, named
<region>.vpce.grafana.net
being region where Grafana Endpoint Service is, in this exampleus-east-2.vpce.grafana.net
, and link it to the peered VPC inus-east-1
- Create a Route53 alias record with same name as the private DNS name of the VPC Endpoint. The alias record should reference the VPC Endpoint in the region where the endpoint is hosted,
us-east-2
in this example
- Create a Private Hosted Zone in Route53, named
For more information, refer to Centralize access using VPC interface endpoints to access AWS services across multiple VPC .
On-premises infrastructure
If you manage some services on your own infrastructure, you can route traffic from your on-prem network into AWS using Direct Connect, and then you can use AWS PrivateLink to send the data to Grafana Cloud.
Note that VPC Peering and Direct Connect incur some AWS fees. Check Pricing for a VPC peering connection and AWS Direct Connect Pricing for further details.
Set up a VPC Endpoint
You can create a VPC endpoint in the AWS console, or provision one using Terraform.
Using the AWS Console
Open your AWS Console and navigate to VPC -> Endpoints.
Choose Create Endpoint.
Give the endpoint a name, for example,
grafana-mimir
.Choose PrivateLink Ready partner services.
In the Service Name field, enter the service name from your Grafana Cloud stack.
Navigate to your Grafana Cloud stack at grafana.com, select your stack, and click Details for the service you would like to use; for example Prometheus, Loki, Tempo, or Graphite. Under the header “Send (Metrics, Logs, or Traces) using AWS PrivateLink,” copy the Service Name and paste it into the Service Name field in the AWS console. Service Name follows the pattern
com.amazonaws.vpce.<region>.vpce-svc-<random id>
.Click on Verify Service. A green message should be displayed:
Service name verified.
.Select your VPC.
Expand the Additional settings section and select Enable DNS name.
Select your desired Subnets and Security Groups.
Choose Create Endpoint.
The new Endpoint is created and in
Pending
Status, wait until the status isAvailable
. This can take up to 10 minutes.Send telemetry to Grafana Cloud using the given private DNS name, in place of the normal
remote_write
endpoint or forwarding URL configured for Grafana Agent, Prometheus, Promtail, or other tools you use to connect your data to Grafana Cloud.To retrieve the Private DNS Name, navigate to your Grafana Cloud stack at grafana.com, select your stack, and click Details for the service you would like to use; for example Prometheus, Loki, Tempo, or Graphite. Under the header Send (Metrics, Logs, Traces, or Profiles) using AWS PrivateLink, you will find the service’s Private DNS Name. Private DNS name follows the pattern
<cell name>.<region>.vpce.grafana.net
.Repeat this VPC Endpoint creation process for each type of telemetry you would like to send to Grafana Cloud. For example, create one VPC Endpoint each for Cloud Metrics, Logs, Traces, and Profiles.
Using Terraform
Use the following snippet to automate VPC Endpoint setup in AWS using Terraform:
locals {
vpc_id = "<your-vpc-id>"
subnet_ids = [<your subnet ids>]
security_groups_id = [<your security group ids>]
endpoint_name = "grafana-mimir"
grafana_service_name = "<Endpoint Service Name provided by Grafana>"
}
resource "aws_vpc_endpoint" "grafana_service" {
vpc_id = local.vpc_id
service_name = local.grafana_service_name
vpc_endpoint_type = "Interface"
security_group_ids = local.security_groups_id
subnet_ids = local.subnet_ids
private_dns_enabled = true
tags = {
Name = local.endpoint_name
}
}