--- title: "Configure Azure Private Link | Grafana Cloud documentation" description: "This document outlines the steps to configure Azure Private Link" --- # Configure Azure Private Link Send telemetry data from your Azure Virtual Network to Grafana Cloud via [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview/) in order to: - Reduce your Azure egress costs. - Improve security by keeping your data within the Azure network. To use this feature, configure a Private Endpoint in your Azure Virtual Network. Your local agents can use this endpoint to route data to Grafana Cloud via Azure Private Link. ## Prerequisites To use Azure Private Link, you need a Grafana Cloud stack hosted on Azure and an Azure Virtual Network. ### Grafana Cloud stack on Azure 1. To check where your stack is hosted, navigate to your [account in Grafana Cloud](/docs/grafana-cloud/account-management/cloud-portal/), and click **Details** for a given service, such as Prometheus or Loki. 2. If the region matches one of the [Azure regions where Grafana Cloud is hosted](/docs/grafana-cloud/account-management/regional-availability/), then your stack is hosted on Azure. 3. If your stack is not hosted on Azure, [create a new stack](/docs/grafana-cloud/account-management/cloud-portal/#create-a-new-stack), forward telemetry to it, and query it from your existing stack. ### Azure Virtual Network On the Azure Virtual Network, create a private endpoint to forward your telemetry data. ### Other regions Azure Private Link supports cross-regional connections. If your infrastructure is hosted in a different Azure region than the one where Grafana is hosted, you can still benefit from Private Link. ## Set up a Private Endpoint Create a Private Endpoint in the Azure console, or provision one using Terraform. ### Use the Azure Console 01. Open your Azure Console and navigate to **Private Endpoints**. 02. Choose **Create**. 03. Select the subscription and resource group where your virtual network is. 04. Give the endpoint a name, for example, `grafana-pl`. 05. Continue to the **Resource** tab and select **Connect to an Azure resource by resource ID or alias**. 06. In the **Resource ID or alias** field, enter the service alias from your Grafana Cloud stack. Expand table | Azure Region | Grafana Cluster | Service Alias | |--------------|-------------------|-------------------------------------------------------------------------------------------------| | Central US | prod-us-central-7 | internal-ingress-nginx.91f3d2ee-7913-4e66-81f0-9e0d38e2e36c.centralus.azure.privatelinkservice | | West Europe | prod-eu-west-3 | internal-ingress-nginx.837de879-b929-40fe-a7e5-673072f4b71e.westeurope.azure.privatelinkservice | 07. In the **Request Message** field, add some text for future reference, like your Grafana organization name. 08. Continue to **Virtual Network**. Select your Virtual Network and Subnet. 09. Choose **Review + Create** and proceed to create the resource. The Private Endpoint is created with `Awaiting Approval` status. After a maximum of 10 minutes, connection is automatically approved and status should transition to `Approved`. If status stays as `Awaiting Approval`, contact Grafana Support to request the manual approval of the connection. 10. Under **DNS Configuration**, copy the local IP address of the private endpoint. You will need this IP later. 11. Navigate now to **Private DNS zones** and click on Create. 12. Select the subscription and resource group. 13. In **Instance Details > Name**, enter `grafana.net` and then proceed to create. 14. Return to Private DNS Zone overview and add a **Record Set**. 15. In **Name** , introduce the DNS name of the endpoint, for example `logs-prod-us-central2`. Repeat this for every other endpoint you want to connect via Private Link. 16. In **IP Address**, enter the local IP Address of the Private Endpoint.. 17. Navigate to **Virtual network links**, then click on **Add**. 18. Name the network link, for example `grafana-pl`. 19. Select your subscription and Virtual Network. . 20. After you create this link, all endpoints you created a DNS entry resolve to the Private Endpoint IP, so their data is sent to Grafana Cloud via Private Link. ### Use Terraform Use the following snippet to automate Private Endpoint setup in Azure using Terraform: hcl ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```hcl locals { region = "" resource_group_name = "" vnet_id = "" subnet_id = "" privatelink_service_alias = "" } resource "azurerm_private_endpoint" "privatelink_grafana" { name = "grafana-pl" location = local.region resource_group_name = local.resource_group_name subnet_id = local.subnet_id private_service_connection { name = "grafana-pl" is_manual_connection = true request_message = "connection request from " private_connection_resource_alias = local.privatelink_service_alias } } resource "azurerm_private_dns_zone" "privatelink_grafana" { name = "grafana.net" resource_group_name = local.resource_group_name } resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_grafana" { name = "grafana-pl" resource_group_name = local.resource_group_name private_dns_zone_name = azurerm_private_dns_zone.privatelink_grafana.name virtual_network_id = local.vnet_id } resource "azurerm_private_dns_a_record" "privatelink_grafana_logs" { name = "logs-prod-us-central2" zone_name = azurerm_private_dns_zone.privatelink_grafana.name resource_group_name = local.resource_group_name ttl = 300 records = [azurerm_private_endpoint.privatelink_grafana.private_service_connection[0].private_ip_address] } resource "azurerm_private_dns_a_record" "privatelink_grafana_metrics" { name = "prometheus-us-central2" zone_name = azurerm_private_dns_zone.privatelink_grafana.name resource_group_name = local.resource_group_name ttl = 300 records = [azurerm_private_endpoint.privatelink_grafana.private_service_connection[0].private_ip_address] } ```