Grafana Enterprise Traces Cluster query federation

Cluster query federation

The optional federation-frontend service provides the ability to aggregate trace data from multiple Grafana Enterprise Traces clusters in a single trace lookup.

The federation-frontend target itself does not require any other components of GET, therefore you can run it on its own. A common use case for query federation is aggregating the data from two or more GET clusters that are running in different regions or data centers.

Cluster federation architecture


To start the federation frontend, configure the target option to be federation-frontend.

A minimal configuration of the federation-frontend target has authentication disabled , because it forwards the HTTP authentication header (Authorization: Basic ...) that is supplied by its clients to the target clusters.

You need to configure a list of target clusters within the federation.proxy_targets block; currently, there are no equivalent CLI flags available. Each entry requires a url that points to a Tempo compatible API. For Grafana Enterprise Traces clusters, use the URL http://<get-host>:<get-port>/<http_api_prefix>.

Optionally, you can configure each proxy_target to have Basic auth credentials, which override the user-supplied ones.

When you configure Basic auth via the proxy_target configuration, these credentials take precedence over the ones supplied by the client. Without enabling authentication on the federation frontend, any client that can reach the federation frontend can perform queries on the target clusters by using those credentials.

In the following example, two clusters in two different regions are queried via the federation frontend:

auth_enabled: false         # The federation frontend does not do any authentication itself
target: federation-frontend # Run the federation frontend only

    - url: http://gem-us-west/tempo
    - url: http://gem-us-east/tempo

Aggregate traces from a local GET cluster and Grafana Cloud Traces instance

The federation frontend allows you to get an aggregated view of traces stored in a local GET cluster and a hosted Grafana Cloud Traces instance. With the following configuration, you can query both of the clusters as though they were one:

    - name: own-data-center
      url: http://gem/tempo
    - name: grafana-cloud
        username: <instance-id>
        password: <token>

Warning: This gives any client that can reach the federation frontend access to your traces data in Grafana Cloud Traces without further authentication.

By using the authentication credentials of the local GET cluster in your query request, you can execute a query against both clusters. To do so, set the access policy’s token as a variable for subsequent commands:

export API_TOKEN="the long token string you copied"
curl -s -u "<tenant-id>:$API_TOKEN" http://federation-frontend/tempo/api/traces/4d65822107fcfd52 | jq

The federation frontend will pass the credentials from your query command to cluster=“own-data-center”. Because the basic_auth block has been configured to include credentials for the “grafana-cloud” cluster, the credentials supplied in the query command will be overridden with those from the configuration file. The credentials in the configuration file will be used to authenticate with the “grafana-cloud” cluster.

Limitations of cluster query federation

This feature comes with several limitations:

  • No result caching in the federation frontend
  • No support for traces search

If your use-case is blocked by one of those limitations, please reach out through our support channels with a feature request.