---
title: "AWS PrivateLink and Fleet Management | Grafana Cloud documentation"
description: "Learn how to use Grafana Fleet Management with AWS PrivateLink"
---


# AWS PrivateLink and Fleet Management

With [Amazon Web Services (AWS) PrivateLink](https://aws.amazon.com/privatelink/), you can securely connect your virtual private clouds (VPCs) to Grafana Fleet Management to make [API](/docs/grafana-cloud/send-data/fleet-management/api-reference/) calls without using the public internet.

Connecting to Fleet Management with AWS PrivateLink can:

- Reduce your AWS egress costs.
- Improve security by keeping your data within the Amazon network.

To use this feature, configure an interface endpoint in your AWS VPC.

## Before you begin

In order to use AWS PrivateLink with Fleet Management, you must have:

- A Grafana Cloud instance hosted on AWS.
- An AWS VPC where you can create an interface endpoint for making API calls.

### Other regions

AWS PrivateLink supports native cross-region connectivity in selected AWS Regions, allowing you to connect to services hosted in other AWS Regions over interface endpoints.

This is an opt-in feature and regions are enabled for specific Grafana Cloud instances on a case-by-case basis.

If you would like to send telemetry data from services running in a different region than the one where your Grafana Cloud instance is hosted (for example, the infrastructure or service you want to monitor is in `us-east-1` and your Grafana Cloud instance is in `us-east-2`), you first need to check if your source region is enabled for that Grafana Cloud instance:

1. In your Grafana Cloud instance, navigate to **Connections** > **Fleet Management**.
2. Switch to the **API** tab and scroll down to the **AWS PrivateLink** section, where supported AWS regions for that specific instance are listed.
   
   - If your source region is listed, you can connect right away.
   - If your source region is not listed, contact Grafana Support and ask them to add it to each Grafana Cloud instance you want to connect.

For more information, refer to [AWS PrivateLink cross-region connectivity](https://aws.amazon.com/about-aws/whats-new/2024/11/aws-privatelink-across-region-connectivity/).

## Set up a VPC endpoint

You can create a VPC interface endpoint in the AWS console.

> Note
> 
> To send your telemetry over a private connection, you need to set up PrivateLink endpoints for all Grafana Cloud services where you send data, not just Fleet Management. Repeat these steps to set up an endpoint for each service you plan to use.

01. Open your AWS Console and navigate to **VPC** > **PrivateLink and Lattice** > **Endpoints**.
    
    [Select Virtual Private Clouds > PrivateLink and Lattice > Endpoints](/media/docs/fleet-management/screenshot-fleet-management-aws-privatelink-menu-2.png)
02. Choose **Create Endpoint**.
    
    [Choose Create Endpoint](/media/docs/grafana-cloud/aws-privatelink/pl-ui-2.png)
03. Give the endpoint a name, for example, `grafana-fleet-management`.
04. Choose **PrivateLink Ready partner services**.
05. In the **Service Name** field, enter the service name from your Grafana Cloud instance:
    
    1. In your Grafana Cloud instance, navigate to **Connections** > **Fleet Management**.
    2. Switch to the **API** tab and scroll down to the **AWS PrivateLink** section.
    3. Copy the Service Name and paste it into the Service Name field in the AWS console. Service Name follows the pattern `com.amazonaws.vpce.<region>.vpce-svc-<random id>`.
    
    [Set the endpoint and service settings](/media/docs/fleet-management/screenshot-fleet-management-aws-privatelink-settings.png)
    
    > Note
    > 
    > You can find the Service Name for other Grafana Cloud services in your Grafana Cloud portal:
    > 
    > 1. In your portal, click Details for the stack you want to privately connect.
    > 2. Click Details on the card for a service, for example, Prometheus.
    > 3. Scroll down until you see instructions for sending data with AWS PrivateLink.
    > 4. Locate and copy the **Service Name**.
06. To connect to an endpoint service hosted in another region, scroll down and check **Enable Cross Region endpoint**. Then select the region where the Grafana service is hosted.
    
    [Enable Cross Region endpoint](/media/docs/fleet-management/screenshot-fleet-management-aws-privatelink-cross-region.png)
07. Click on **Verify Service**. Verification is confirmed with a `Service name verified.` message.
08. Select your VPC.
09. Expand the **Additional settings** section and select **Enable DNS name**.
    
    [Check Enable DNS name](/media/docs/grafana-cloud/aws-privatelink/pl-ui-4.png)
10. Select your desired Subnets and Security Groups.
    
    [Select subnets and security groups](/media/docs/grafana-cloud/aws-privatelink/pl-ui-5.png)
11. Choose **Create Endpoint**. The new endpoint is created and held in `Pending` Status. Wait until the status is `Available`, which can take up to 10 minutes.

## Secure your Fleet Management connections

Once you’ve created an interface endpoint and associated it with each service, use the private DNS names to secure your connections to Fleet Management and other Grafana Cloud services.

### Enroll collectors with PrivateLink

Secure the connection of your collectors by adding the private DNS name to the [`remotecfg`](/docs/grafana-cloud/send-data/fleet-management/set-up/onboard-collectors/standalone-installations/#add-remotecfg-to-local-configurations) block in their local configurations.

1. In your Grafana Cloud instance, navigate to **Connections** > **Fleet Management**.
2. Switch to the **API** tab and scroll down to the **AWS PrivateLink** section.
3. Locate and copy the private DNS name, which follows the pattern `<cell-name>.<region>.vpce.grafana.net`.
4. Access the [local configuration file](/docs/grafana-cloud/send-data/alloy/configure/) of each Alloy instance and add the private DNS Name as the value of the `url` argument in the `remotecfg` block. For example:

```alloy
remotecfg {
    url = "https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net"
    basic_auth {
        username      = "<USERNAME>"
        password      = "<PASSWORD>"
    }

    id             = constants.hostname
    attributes     = {"cluster" = "dev", "namespace" = "otlp-dev"}
    poll_frequency = "5m"
}
```

### Make direct API calls with PrivateLink

To make secure calls to the [Collector API](/docs/grafana-cloud/send-data/fleet-management/api-reference/collector-api/), substitute the private DNS name in its base URL. For example:

```shell
https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net/collector.v1.CollectorService/
```

To make secure calls to the [Pipeline API](/docs/grafana-cloud/send-data/fleet-management/api-reference/pipeline-api/), substitute the private DNS name in its base URL. For example:

```shell
https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net/pipeline.v1.PipelineService/
```
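
To confirm that a private DNS name keeps collector and API traffic inside your VPC, compare the addresses it resolves to against your VPC CIDR ranges from a host inside that VPC. This Python check is an added example, not part of the Grafana documentation; the function names, script name, and usage shown are assumptions.

```python
import ipaddress
import socket
import sys


def resolve(hostname, port=443):
    """Return the sorted set of addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(addresses, vpc_cidrs):
    """Report resolved addresses that fall outside every given VPC CIDR."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    outside = [
        addr for addr in addresses
        if not any(ipaddress.ip_address(addr) in net for net in networks)
    ]
    # An empty answer is a failure too: the name did not resolve at all.
    return {"ok": bool(addresses) and not outside, "outside_vpc": outside}


if __name__ == "__main__":
    # Assumed usage (hypothetical script name):
    #   python check_privatelink_dns.py <private-dns-name> <vpc-cidr> [<vpc-cidr> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_privatelink_dns.py HOSTNAME VPC_CIDR [VPC_CIDR ...]")
    host, cidrs = sys.argv[1], sys.argv[2:]
    try:
        addrs = resolve(host)
    except socket.gaierror:
        addrs = []
    result = check_private_resolution(addrs, cidrs)
    print(host, "->", addrs or "no answer")
    if not result["ok"]:
        sys.exit(f"not private: addresses outside the VPC: {result['outside_vpc']}")
    print("all resolved addresses are inside the VPC")
```

A failure here usually means **Enable DNS name** was not selected on the endpoint, or the host running the check is not using the VPC resolver.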

### Update configuration pipeline destination URLs

[Self-monitoring pipelines](/docs/grafana-cloud/send-data/fleet-management/set-up/configuration-pipelines/self-monitoring-pipelines/) and [integration pipelines](/docs/grafana-cloud/send-data/fleet-management/set-up/configuration-pipelines/integrations/) contain hardcoded destination URLs to Grafana Cloud services such as Prometheus and Loki. By default, these pipelines send data over the public internet. To route this data through your AWS PrivateLink connection, you need to update the destination URLs in each configuration pipeline.

To update pipeline URLs, first find the private DNS names for each service:

1. In your Grafana Cloud portal, click Details for the stack you want to privately connect.
2. Click Details on the card for a service, for example, Prometheus.
3. Scroll down until you see instructions for sending data with AWS PrivateLink.
4. Copy the Private DNS Name.
5. Repeat for each service you want to connect.

Next, replace the hardcoded URLs with the private DNS names:

1. In your Grafana Cloud instance, navigate to **Connections** > **Fleet Management**.
2. Switch to the **Remote configuration** tab.
3. For each self-monitoring pipeline, such as `self_monitoring_metrics`, and any integration pipelines you have:
   
   1. Click the Edit icon in a pipeline row.
   2. Look for URL references to Grafana Cloud services (for example, `prometheus-*.grafana.net` or `logs-*.grafana.net`).
   3. Update these URLs to use the private DNS names for your Grafana Cloud services.
   4. Save the configuration pipeline.
   5. Repeat for each pipeline with hardcoded URLs.
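
A pipeline that still carries a public URL silently sends that data over the internet, so it helps to audit pipeline contents after editing. The Python sketch below is an added example, not part of the Grafana documentation: it scans Alloy configuration text for Grafana Cloud URLs that do not use a private DNS name. It assumes the private DNS names of every service end in `.vpce.grafana.net`, as the Fleet Management pattern on this page does; the function name and the sample pipeline are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'"(https?://[^"\s]+)"')  # quoted URL string literals
CLOUD_SUFFIX = ".grafana.net"
PRIVATE_SUFFIX = ".vpce.grafana.net"  # assumption: shared by all private DNS names


def public_grafana_urls(config_text):
    """Return (line_number, host) for each Grafana Cloud URL not on a private DNS name."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            # Suffix match on the parsed host, so look-alike domains are ignored.
            if host.endswith(CLOUD_SUFFIX) and not host.endswith(PRIVATE_SUFFIX):
                findings.append((lineno, host))
    return findings


# Constructed sample pipeline; hostnames and paths are placeholders.
SAMPLE_PIPELINE = '''\
// self_monitoring_metrics (constructed)
prometheus.remote_write "grafana_cloud" {
  endpoint {
    url = "https://prometheus-example.grafana.net/api/prom/push"
  }
}
loki.write "grafana_cloud" {
  endpoint {
    url = "https://logs-example.grafana.net/loki/api/v1/push"
  }
}
prometheus.remote_write "private" {
  endpoint {
    url = "https://example-cell.us-east-2.vpce.grafana.net/api/prom/push"
  }
}
'''

if __name__ == "__main__":
    for lineno, host in public_grafana_urls(SAMPLE_PIPELINE):
        print(f"line {lineno}: {host} still points at a public endpoint")
```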
