Connect to Datadog over AWS PrivateLink
June 3, 2024
Introduction
AWS PrivateLink is a technology that enables you to privately and securely connect your services within the AWS cloud environment. It provides enhanced security by privately traversing your traffic which removes the exposure of data to the public internet and ensures that sensitive data is not exposed to potential interception. Using PrivateLink, you can simplify the network architecture by eliminating the need for Internet Gateways, NAT devices, and firewall rules. You can also reduce data transfer costs because traffic stays within the AWS network and is not transferred over the internet. While providing scalability and elasticity, AWS PrivateLink also integrates natively with Datadog so that you can send your infrastructure and application telemetry directly to Datadog over the AWS backbone using the Datadog Agent.
This architecture demonstrates the overall process consisting of the deployment and configuration of the Interface Endpoint(s) in your VPC so that the Datadog Agents running in your compute instances can send data to Datadog privately.
Explanation of the architecture
- 1. From your AWS Management Console, Create a VPC Interface Endpoint with the desired PrivateLink Service Name.
- 1.1. Click Verify to ensure that the service is found.
- 1.2. Select the VPC and Subnets in your VPC to use with the interface endpoint.
- 1.3. Make sure to select Enable DNS name under Additional settings.
- 1.4. Choose the appropriate Security Group. This security group must accept inbound traffic on TCP port 443.
- 1.5. Click Create Endpoint. When this endpoint is created, an endpoint network interface is assigned a private IP address from the IP address range of your subnet.
2. If you are sending logs to Datadog with AWS PrivateLink and Datadog Agent, it is required to configure your Datadog Agent to send logs over HTTPS. You can do this by modifying the Agent’s datadog.yaml configuration file with:
logs_config: use_http: true
If you are using the container Agent, set the following environment variable instead:DD_LOGS_CONFIG_USE_HTTP=true
3. Restart your Datadog Agent if required.
4. Your Datadog Agents can now send telemetry to Datadog over the AWS PrivateLink.
Authors
Lowell Abraham, Sr. Product Solutions Architect
References
Inspiration and reference documents or existing solutions: