
AWS PrivateLink and Fleet Management

With Amazon Web Services (AWS) PrivateLink, you can securely connect your virtual private clouds (VPCs) to Grafana Fleet Management to make API calls without using the public internet.

Connecting to Fleet Management with AWS PrivateLink can:

  • Reduce your AWS egress costs.
  • Improve security by keeping your data within the Amazon network.

To use this feature, configure an interface endpoint in your AWS VPC.

Before you begin

In order to use AWS PrivateLink with Fleet Management, you must have:

  • A Grafana Cloud instance hosted on AWS.
  • An AWS VPC where you can create an interface endpoint for making API calls.

Other regions

AWS PrivateLink supports native cross-region connectivity in selected AWS Regions, allowing you to connect to services hosted in other AWS Regions over interface endpoints.

This is an opt-in feature and regions are enabled for specific Grafana Cloud instances on a case-by-case basis.

If you would like to send telemetry data from services running in a different region than the one where your Grafana Cloud instance is hosted (for example, the infrastructure or service you want to monitor is in us-east-1 and your Grafana Cloud instance is in us-east-2), you first need to check if your source region is enabled for that Grafana Cloud instance:

  1. In your Grafana Cloud instance, navigate to Connections > Collector > Fleet Management.
  2. Switch to the API tab and scroll down to the AWS PrivateLink section, where supported AWS regions for that specific instance are listed.
    • If your source region is listed, you can connect right away.
    • If your source region is not listed, contact Grafana Support and ask for it to be added to every Grafana Cloud instance you want to reach from that region.

For more information, refer to AWS PrivateLink cross-region connectivity.

Set up a VPC endpoint

You can create a VPC interface endpoint in the AWS console.

  1. Open your AWS Console and navigate to VPC > PrivateLink and Lattice > Endpoints.

  2. Choose Create Endpoint.

  3. Give the endpoint a name, for example, grafana-fleet-management.

  4. Choose PrivateLink Ready partner services.

  5. In the Service Name field, enter the service name from your Grafana Cloud instance:

    1. In your Grafana Cloud instance, navigate to Connections > Collector > Fleet Management.
    2. Switch to the API tab and scroll down to the AWS PrivateLink section.
    3. Copy the Service Name and paste it into the Service Name field in the AWS console. Service Name follows the pattern com.amazonaws.vpce.<region>.vpce-svc-<random id>.
  6. To connect to an endpoint service hosted in another region, scroll down and check Enable Cross Region endpoint. Then select the region where the Grafana service is hosted.

  7. Click Verify Service. A Service name verified message confirms that AWS recognizes the service name you entered.

  8. Select your VPC.

  9. Expand the Additional settings section and select Enable DNS name. Private DNS names only work when both the Enable DNS resolution and Enable DNS hostnames attributes are turned on for the VPC, so check those VPC settings first if the option is unavailable.

  10. Select your desired Subnets and Security Groups. The security groups you attach here are applied to the endpoint's network interfaces, so they must allow inbound TCP 443 from the subnets or addresses where your collectors and API clients run; otherwise connections to the private DNS name will time out.

  11. Choose Create Endpoint. The new endpoint is created in the Pending state. Wait until its status is Available, which can take up to 10 minutes.
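The same endpoint creation done with the AWS CLI, as an added example that is not part of this page or of Grafana's own tooling. It assumes AWS CLI v2 configured for the account that owns the VPC; the service name, VPC, subnet and security group identifiers are placeholders, and `--service-region` is assumed to be the CLI counterpart of the Enable Cross Region endpoint checkbox. The script reads the hosting region out of the Service Name pattern to decide whether a cross-region endpoint is needed, refuses to continue if the VPC's DNS attributes are off (private DNS names do not work without them), and then polls until the endpoint is Available.

```shell
#!/bin/sh
# Added example, not Grafana's documentation code: the console steps above done with
# the AWS CLI so the change can be scripted and reviewed. Every identifier used in the
# FM_CREATE block is a placeholder; paste the real Service Name from the API tab.
set -eu

# Extract <region> from com.amazonaws.vpce.<region>.vpce-svc-<id>; fail on anything else.
fm_service_region() {
  case $1 in
    com.amazonaws.vpce.*.vpce-svc-*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | sed 's/^com\.amazonaws\.vpce\.\([^.]*\)\.vpce-svc-.*$/\1/'
}

# Succeeds when the service is hosted in a different region than the VPC ($2),
# i.e. when the "Enable Cross Region endpoint" step applies.
fm_needs_cross_region() {
  svc_region=$(fm_service_region "$1") || return 1
  [ "$svc_region" != "$2" ]
}

# Private DNS on an interface endpoint needs both VPC DNS attributes enabled.
fm_vpc_dns_ok() {
  s=$(aws ec2 describe-vpc-attribute --region "$1" --vpc-id "$2" \
        --attribute enableDnsSupport --query 'EnableDnsSupport.Value' --output text)
  h=$(aws ec2 describe-vpc-attribute --region "$1" --vpc-id "$2" \
        --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' --output text)
  [ "$s" = "True" ] && [ "$h" = "True" ]
}

# $1 service name, $2 VPC region, $3 VPC id, $4 space-separated subnet ids,
# $5 space-separated security group ids. Prints the new endpoint id.
fm_create_endpoint() {
  service_name=$1; vpc_region=$2; vpc_id=$3; subnet_ids=$4; sg_ids=$5
  service_region=$(fm_service_region "$service_name") || {
    echo "unexpected service name: $service_name" >&2; return 1; }
  fm_vpc_dns_ok "$vpc_region" "$vpc_id" || {
    echo "enable DNS resolution and DNS hostnames on $vpc_id first" >&2; return 1; }
  set -- --region "$vpc_region" --vpc-endpoint-type Interface \
         --service-name "$service_name" --vpc-id "$vpc_id" \
         --subnet-ids $subnet_ids --security-group-ids $sg_ids \
         --private-dns-enabled
  if [ "$service_region" != "$vpc_region" ]; then
    set -- "$@" --service-region "$service_region"   # cross-region endpoint (assumed CLI flag)
  fi
  aws ec2 create-vpc-endpoint "$@" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Poll until the endpoint leaves the pending state; 60 x 10 s covers the ~10 minutes
# the console procedure mentions.
fm_wait_available() {
  tries=60; state=unknown
  while [ "$tries" -gt 0 ]; do
    state=$(aws ec2 describe-vpc-endpoints --region "$1" --vpc-endpoint-ids "$2" \
              --query 'VpcEndpoints[0].State' --output text)
    [ "$state" = "available" ] && return 0
    tries=$((tries - 1)); sleep 10
  done
  echo "endpoint $2 still in state $state" >&2; return 1
}

# Guarded so that sourcing the file only defines the functions; set FM_CREATE=1 to run.
if [ "${FM_CREATE:-0}" = "1" ]; then
  ep=$(fm_create_endpoint \
        com.amazonaws.vpce.us-east-2.vpce-svc-0123456789abcdef0 \
        us-east-1 vpc-0123456789abcdef0 \
        "subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb" \
        sg-0ccccccccccccccccc)
  fm_wait_available us-east-1 "$ep"
  echo "endpoint $ep is available"
fi
```

Edit the placeholders in the FM_CREATE block, then run `FM_CREATE=1 sh create-endpoint.sh`. In the placeholder values the Service Name carries us-east-2 while the VPC is in us-east-1, so the script adds the cross-region flag; with a VPC in the same region as the service it omits it.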

Secure your Fleet Management connections

Once you’ve created an interface endpoint and associated it with the Fleet Management service, use the private DNS name to secure your connection to Fleet Management.

Secure the connection of your collectors by adding the private DNS name to the remotecfg block in their local configurations.

  1. In your Grafana Cloud instance, navigate to Connections > Collector > Fleet Management.
  2. Switch to the API tab and scroll down to the AWS PrivateLink section.
  3. Locate and copy the private DNS name, which follows the pattern <cell-name>.<region>.vpce.grafana.net.
  4. In the local configuration file of each Alloy instance, set the url argument of the remotecfg block to https:// followed by the private DNS name. For example:
```alloy
remotecfg {
    url = "https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net"
    basic_auth {
        username      = "<USERNAME>"
        password      = "<PASSWORD>"
    }

    id             = constants.hostname
    attributes     = {"cluster" = "dev", "namespace" = "otlp-dev"}
    poll_frequency = "5m"
}
```

To make secure calls to the Collector API, substitute the private DNS name in its base URL. For example:

```
https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net/collector.v1.CollectorService/
```

To make secure calls to the Pipeline API, substitute the private DNS name in its base URL. For example:

```
https://fleet-management-<CELL_NAME>.<REGION>.vpce.grafana.net/pipeline.v1.PipelineService/
```
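An added check for the private DNS name and the API base URLs above (example code, not part of this page or of Grafana's own tooling). It resolves the name, requires every returned address to be VPC-private (an interface endpoint's network interfaces always carry private addresses, so a public address means traffic would leave the VPC), and then probes the Collector API base URL with curl to report which address served the TLS connection and whether the certificate verified. It assumes a Linux host inside the VPC with glibc's getent and curl, and placeholder environment variables CELL_NAME, REGION, FM_USER and FM_PASS. The HTTP status of the bare base URL is only reported, since the page does not document what the service returns for it.

```shell
#!/bin/sh
# Added verification example, not part of Grafana's documentation. Run it from a host
# inside the VPC before pointing collectors or API clients at the private DNS name.
# CELL_NAME, REGION, FM_USER and FM_PASS are placeholders supplied via the environment.
set -eu

# RFC 1918 IPv4 check: an interface endpoint's ENIs always carry private VPC addresses.
is_private_ipv4() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: whitespace/newline-separated address list. Succeeds only if the list is non-empty
# and every address is private; one public address is enough to fail.
all_private() {
  [ -n "$1" ] || return 1
  for addr in $1; do
    is_private_ipv4 "$addr" || return 1
  done
}

# Resolve a host name to its IPv4 addresses with the system resolver (glibc getent, Linux).
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Fail loudly if the private DNS name does not resolve exclusively to VPC-private addresses.
check_private_resolution() {
  addrs=$(resolve_ipv4 "$1")
  if all_private "$addrs"; then
    printf 'OK: %s resolves only to private addresses: %s\n' "$1" "$(echo $addrs)"
  else
    printf 'FAIL: %s does not resolve to VPC-private addresses (got: %s)\n' "$1" "$(echo $addrs)" >&2
    return 1
  fi
}

# Open a TLS connection to an API base URL and report the address that served it, the
# certificate verification result (0 = verified) and the HTTP status. $2/$3 are the
# Fleet Management username and password also used in the remotecfg block.
probe_api_base() {
  curl -sS -o /dev/null -u "$2:$3" \
    -w '%{remote_ip} ssl_verify=%{ssl_verify_result} http=%{http_code}\n' "$1"
}

# Guarded so that sourcing the file only defines the functions; set FM_CHECK=1 to run.
if [ "${FM_CHECK:-0}" = "1" ]; then
  host="fleet-management-${CELL_NAME}.${REGION}.vpce.grafana.net"
  check_private_resolution "$host"
  result=$(probe_api_base "https://$host/collector.v1.CollectorService/" "$FM_USER" "$FM_PASS")
  echo "$result"
  is_private_ipv4 "${result%% *}" || {
    echo "FAIL: the connection was served from a public address" >&2; exit 1; }
fi
```

Run it as `FM_CHECK=1 CELL_NAME=... REGION=... FM_USER=... FM_PASS=... sh check-privatelink.sh`. A failure in the resolution step usually means Enable DNS name was not selected on the endpoint or the VPC's DNS attributes are off; a connection that times out after resolving correctly usually points at the endpoint's security group.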