Create a private connection to a data source
Welcome to the private data source connect learning journey.
Private data source connect, or PDC, is a way for you to establish a private, secured connection between a Grafana Cloud instance, or stack, and data sources secured within a private network.
Observability data is often located within private networks such as on-premise networks and Virtual Private Clouds (VPCs) hosted by AWS, Azure, Google Cloud Platform, or other public cloud providers. For example, you might host your Splunk or Elasticsearch service on your private network, or you might want to visualize data from Amazon RDS hosted in a VPC. PDC also allows you to connect to any network-secured data source regardless of what cloud provider you use, or if you host your own data in an on-premises network.
Here’s what to expect
When you complete this journey, you’ll be able to:
- Describe why you should use PDC when connecting Grafana Cloud to an external data source
- Install the PDC binaries on a Linux or Windows machine
- Learn how to deploy the PDC agent on Kubernetes or Docker
Troubleshooting
If you get stuck, we’ve got your back! Where appropriate, troubleshooting information is just a click away.
More to explore
We understand you might want to explore other capabilities not strictly on this path. We’ll provide you opportunities where it makes sense.
Before you begin
Before you begin working with private data source connect (PDC), ensure the following:
- You have the tools you need to deploy the PDC agent within your network. You can deploy it directly to a Linux or Windows server, or use a container management system like Docker or Kubernetes.
- If you run the PDC agent binary directly on a host, the server must have OpenSSH version 9.2 or higher. The PDC agent Docker image includes a compatible OpenSSH version, so Docker and Kubernetes users can skip this requirement. For more details, refer to the PDC scalability and security page.
- You know the local host name and port of the data source you want to connect to, for example, loki:8080.
- You have the proper credentials to access the data, for example, a username and password, or a token. Refer to the documentation for your data source to learn what credentials you need.
- You have an administrator account for your Grafana Cloud organization. To learn more about Grafana Cloud permissions, refer to Grafana Cloud user roles and permissions.
Network requirements
To establish an SSH connection to Grafana Cloud, the PDC agent must run on a network that allows internet egress to the following endpoints:
- private-datasource-connect-<cluster>.grafana.net:22 (SSH tunnel)
- private-datasource-connect-api-<cluster>.grafana.net:443 (certificate signing)
You can find the <cluster> value in the Grafana UI under Connections > Private data source connections > Configuration Details.
The PDC agent uses the API endpoint (port 443) to sign short-lived SSH certificates for authentication with the SSH endpoint (port 22).
Note
If your data source uses AWS SigV4 (AWS Signature Version 4 Authentication), the network where the PDC agent runs must also allow internet egress to sts.<region>.amazonaws.com:443. Replace <region> with the AWS region you are querying. For more details, refer to the AWS documentation.
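The OpenSSH and egress requirements above can be checked before installing the agent. The following preflight script is an added example, not part of the Grafana documentation or the PDC agent. The PDC_CLUSTER and PDC_AWS_REGION variable names are assumptions made for this sketch, and the connect probe assumes bash and coreutils timeout are present on the host.

```shell
#!/bin/sh
# Added example: preflight for a host that will run the PDC agent binary.
# PDC_CLUSTER / PDC_AWS_REGION are variable names assumed for this sketch.

# Succeeds when the `ssh -V` banner in $1 reports OpenSSH 9.2 or higher.
openssh_meets_minimum() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2            # no OpenSSH banner at all
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 2 ]; }
}

# Prints the host:port pairs that need egress for cluster $1
# (plus the STS endpoint when an AWS region is given as $2).
pdc_endpoints() {
    printf '%s\n' \
        "private-datasource-connect-$1.grafana.net:22" \
        "private-datasource-connect-api-$1.grafana.net:443"
    if [ -n "${2:-}" ]; then
        printf '%s\n' "sts.$2.amazonaws.com:443"
    fi
}

# Attempts a TCP connect to host:port in $1 with a 5 second limit.
# Assumes bash and coreutils `timeout` are installed on the host.
probe_tcp() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "${1%:*}" "${1##*:}" \
        2>/dev/null
}

# Runs only when a cluster is supplied, e.g. PDC_CLUSTER=<cluster> sh preflight.sh
if [ -n "${PDC_CLUSTER:-}" ]; then
    if openssh_meets_minimum "$(ssh -V 2>&1)"; then
        echo "ok    OpenSSH >= 9.2"
    else
        echo "FAIL  OpenSSH missing or older than 9.2"
    fi
    for ep in $(pdc_endpoints "$PDC_CLUSTER" "${PDC_AWS_REGION:-}"); do
        if probe_tcp "$ep"; then
            echo "ok    egress to $ep"
        else
            echo "FAIL  egress to $ep"
        fi
    done
fi
```

A successful connect shows only that the firewall permits the TCP session; it does not exercise certificate signing or the SSH handshake.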