Menu
Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Connect to data sourcesbreadcrumb arrow Private data source connect (PDC)breadcrumb arrow Configure private data source connect (PDC)
Grafana Cloud

Configure Grafana private data source connect (PDC)

Private data source connect (PDC) enables you to securely connect your Grafana Cloud stack to data sources hosted on a private network.

Private data source connect (PDC) is available in all editions of Grafana Cloud.

Set up a private data source connection

To set up a private data source connection, you will first deploy the Grafana PDC agent, then configure which hosts and ports to allow on your network, and configure your data source with those ports.

Before you begin

Before you begin working with private data source connect (PDC) ensure the following:

  • You have the tools you need to deploy the PDC agent within your network. You can deploy it directly to a Linux or Windows server, or use a container management system like Docker or Kubernetes.

  • The OpenSSH version is 9.2 or higher on the server the PDC agent was deployed to.

  • You need to know the local host name and port of the data source you would like to connect to, for example loki:8080.

  • You have the proper set of credentials to access the data, for example, a username and password, or a token. Refer to the documentation for your data source to learn what credentials are needed.

  • You have an administrator account for your Grafana Cloud organization. To learn more about Grafana Cloud permissions, refer to Grafana Cloud user roles and permissions.

Note

To establish an SSH connection to Grafana Cloud, the PDC agent must run on a network that allows internet egress to the following endpoints: private-datasource-connect-<cluster>.grafana.net:22 and private-datasource-connect-api-<cluster>.grafana.net:443. The <cluster> is displayed in the grafana UI (under Connections > Private data source connections > Configuration Details).

The API endpoint (port 443) is used for signing the short-lived SSH certificates used for authenticating with the SSH endpoint (port 22).

PDC connection steps

To set up a private data source connection, follow these steps:

  1. In Grafana, go to Connections > Private data source connections and click the Configuration Details tab.

  2. Select your installation method and follow the instructions on the screen, or generate an API key and follow the remaining instructions below. You will need the following environment variables from your instance:

    • GCLOUD_PDC_SIGNING_TOKEN set to the API token value generated in your Grafana Cloud instance. This is shown as token in the configuration instructions in the Private data source configuration page.
    • GCLOUD_HOSTED_GRAFANA_ID the ID of your Grafana Cloud instance. This is shown as gcloud-hosted-grafana-id in the configuration instructions in the Private data source configuration page.
    • GCLOUD_PDC_CLUSTER the cluster for your Private data source connections. This is shown as cluster in the configuration instructions in the Private data source configuration page.

  3. Connect to Grafana Cloud using the PDC agent.

    There are three installation options:

    • running on Kubernetes
    • running the PDC Agent Docker image
    • running a PDC Agent binary

Option 1 - Using Kubernetes

Create a Kubernetes secret with the API Key, Hosted Grafana ID and PDC Cluster values (${NAMESPACE} should be set to your desired Kubernetes namespace):

bash 
     $ kubectl create secret generic grafana-pdc-agent \
        --from-literal="token=${GCLOUD_PDC_SIGNING_TOKEN}" \
        --from-literal="hosted-grafana-id=${GCLOUD_HOSTED_GRAFANA_ID}" \
        --from-literal="cluster=${GCLOUD_PDC_CLUSTER}"

Generate a Kubernetes deployment to deploy the agent. An example deployment is provided in the pdc-agent repository:

bash 
      kubectl apply -f https://raw.githubusercontent.com/grafana/pdc-agent/main/production/kubernetes/pdc-agent-deployment.yaml

Option 2 - Using the pdc-agent docker image:

bash 
     docker run --name pdc-agent grafana/pdc-agent:latest -token ${GCLOUD_PDC_SIGNING_TOKEN} -cluster ${GCLOUD_PDC_CLUSTER} -gcloud-hosted-grafana-id ${GCLO   UD_HOSTED_GRAFANA_ID}

Option 3 - Use a pdc-agent binary

Download and unzip the binary for your OS from the PDC Agent releases page.

Run the binary:

bash 
     ./pdc -token ${GCLOUD_PDC_SIGNING_TOKEN} -cluster ${GCLOUD_PDC_CLUSTER} -gcloud-hosted-grafana-id ${GCLOUD_HOSTED_GRAFANA_ID}

High availability

(Optional) For high availability, you can install additional instances of the agent on your network with the same configuration. These can be deployed to different regions, data centers, or providers as long as they are on the same network.

Note

Updating the agent requires a restart of the PDC agent (or a rolling update of the PDC deployment when running in Kubernetes).

Once the PDC Agent successfully connects to Grafana Cloud, you will see the the following message in your logs:

This is Grafana Private Data Source Connect!

Resource requirements for pdc-agent

When running pdc-agent in a containerized environment, resource requests of 100m CPU and 512Mi memory should be sufficient for the majority of use cases.

Configure a data source to use private data source connect (PDC)

After you have set up the PDC connection, you can set up a data source in Grafana to query your data.

Before you begin adding a data source

  • Ensure the data source you want to connect to supports PDC. Refer to PDC known limitations for a list of supported data sources.

Steps to add a data source

  1. Follow the Add a data source instructions.

  2. Under the Private data source connection header, choose the connection to the network where your service is hosted.

  3. In the URL field for your data source, use the same URL as if you were on your private network, instead of a public URL.

  4. Save, test, and query your data source as usual.

Check your PDC Agent configuration

If you have trouble connecting to your data source check the list of destinations reachable by the PDC agent, which might be restricted using the PermitRemoteOpen SSH option, set with a --ssh-option flag. You can see this list in the agent’s configuration. If your agent is running with high verbosity (-vvv), you will be able to see attempted connections in the agent logs.

Configure PDC to connect a single Grafana stack to multiple networks

Once you have set up your first private data source connection, connect to data sources in additional networks by creating more than one PDC within your Grafana instance.

  1. In Grafana, go to Connections > Private data source connections and click on Add New. Choose a name for your second connection and click the Add button.

  2. Follow the instructions above to set up a private data source connection and deploy the PDC agent to the additional network.

  3. When you configure a data source, select the new connection in the Private data source connect section.

Troubleshooting

Consult the following troubleshooting topics as required.

No such file or directory

If you receive the message -bash: ./pdc: No such file or directory when deploying PDC agent, navigate to the directory that contains the binary files and run the command again.

No contents in compressed file

If you decompress any of the PDC agent binary files and you don’t see any contents, it’s likely because you aren’t using the correct command to extract the file. Double-check the command and try again.