Using tenant and cluster query federation

Grafana Enterprise Traces (GET) can perform cross-tenant and cross-cluster queries using the optional federation-frontend service. This service aggregates the data from multiple GET clusters and from multiple tenants in a single trace lookup or search query. It works by reverse proxying the read path of GET clusters and merging the results into a single response.


The federation-frontend target itself requires a configured GET installation. No other GET components are required. You can run the federation-frontend service on its own.

Tenant federation

To read more about tenant federation, see the Cross-tenant querying page.

Cluster federation

The diagram below shows the cluster federation architecture.

Cluster federation architecture

Set up the federation frontend

To start the federation frontend, configure the target option to be federation-frontend.

A minimal configuration of the federation-frontend target has authentication disabled, because it forwards the HTTP authentication header (Authorization: Basic ...) that is supplied by its clients to the target clusters.

You need to configure a list of target clusters within the federation.proxy_targets block; currently, there are no equivalent CLI flags available. Each entry requires a url that points to a Tempo compatible API. For Grafana Enterprise Traces clusters, use the URL http://<get-host>:<get-port>/<http_api_prefix>.

Optionally, you can configure each proxy_target to have Basic auth credentials, which override the user-supplied ones.

When you configure Basic auth via the proxy_target configuration, these credentials take precedence over the ones supplied by the client. Without enabling authentication on the federation frontend, any client that can reach the federation frontend can perform queries on the target clusters by using those credentials.

In the following example, two clusters in two different regions are queried via the federation frontend:

auth_enabled: false         # The federation frontend does not do any authentication itself
target: federation-frontend # Run the federation frontend only

    - url: http://get-us-west/tempo
    - url: http://get-us-east/tempo

Aggregate traces from a local GET cluster and Grafana Cloud Traces instance

The federation frontend provides an aggregated view of traces stored in a local GET cluster and a hosted Grafana Cloud Traces instance. With the following configuration, you can query both of the clusters as though they were one:

    - name: own-data-center
      url: http://get/tempo
    - name: grafana-cloud
        username: <instance-id>
        password: <token>

Warning: This gives any client that can reach the federation frontend access to your traces data in Grafana Cloud Traces without further authentication.

By using the authentication credentials of the local GET cluster in your query request, you can execute a query against both clusters. To do so, set the access policy’s token as a variable for subsequent commands:

export API_TOKEN="the long token string you copied"
curl -s -u "<tenant-id>:$API_TOKEN" http://federation-frontend/tempo/api/traces/4d65822107fcfd52 | jq

The federation frontend passes the credentials from your query command to cluster="own-data-center". Because the basic_auth block has been configured to include credentials for the grafana-cloud cluster, the credentials supplied in the query command are overridden with those from the configuration file. The credentials in the configuration file will be used to authenticate with the grafana-cloud cluster.

Limitations of the federation frontend

This feature has one known limitation:

  • No result caching in the federation frontend

If your use-case is blocked by one of those limitations, please reach out through our support channels with a feature request.