Connect to Datadog over AWS PrivateLink using AWS VPC peering | Datadog
Back to Architecture Center
Architecture Center Connect to Datadog over AWS PrivateLink using AWS VPC peering

Connect to Datadog over AWS PrivateLink using AWS VPC peering

6月 3, 2024

Introduction

AWS VPC peering is a network connection that enables you to connect two Virtual Private Clouds (VPCs) to each other in AWS so that resources in those VPCs can communicate with each other. Peering connections provide connectivity while maintaining network isolation for a layer of security to your workloads. VPC peering also eliminates the need for using VPNs, virtual appliances, and complex routing, thus simplifying your network architecture and reducing data transfer costs when VPCs in two different regions are required to be connected to each other. In the Connect to Datadog over AWS PrivateLink reference architecture, we demonstrate the usage of AWS PrivateLink which allows you to use the AWS backbone to connect to services within the AWS cloud privately from a single VPC without traversing the internet. Using AWS VPC peering and AWS PrivateLink you can connect to Datadog from multiple VPCs that are running in another AWS region.

This architecture represents the overall deployment and configuration of AWS VPC peering and AWS PrivateLink integrated with Datadog so that the Datadog Agents running in your EC2 instances can send data to Datadog privately from peered VPCs in a single AWS region or another region.

connect to datadog over aws privatelink using aws vpc peering

Explanation of the architecture

  1. 1. From your AWS Management Console (N.Virginia), create a VPC Interface Endpoint with the desired PrivateLink Service Name.
    1. 1.1. Click Verify to ensure that the service is found.
    2. 1.2. Select the VPC (in this case, VPC 2 in the us-east-1) and Subnets in your VPC 2 to be used with the interface endpoint and peered with the Datadog VPC Endpoint Service(s).
    3. 1.3. Since DNS needs to be manually configured for VPC peering, do not select Enable DNS name under Additional settings.
    4. 1.4. Choose the appropriate Security Group. This security group must accept inbound traffic on TCP port 443.
    5. 1.5. Click Create Endpoint. When this endpoint is created, an endpoint network interface is assigned a private IP address from the IP address range of your subnet.
  1. 2. After creating the Interface Endpoint, create a VPC peering between the VPC 2 and VPC 1. See Work with VPC peering connection documentation from AWS.
  2. 3. Once you have peered the two VPCs together, the next step is to configure the DNS so that the PrivateLink Endpoints can be made accessible to them.
    1. 3.1 Create a Route53 private hosted zone for each service you have created a PrivateLink Endpoint for from Step 1 (e.g., metrics.agent.datadoghq.com).
    2. 3.2 Associate the private hosted zone to the VPC 2 in us-east-1.
    3. 3.3 Within each private hosted zone, create an A record with the same name (e.g., metrics.agent.datadoghq.com).
    1. 3.3.1. Toggle the Alias option.
    2. 3.3.2. Route traffic to: Select Alias to VPC Endpoint.
    3. 3.3.3. Region: US East (N.Virginia).
    4. 3.3.4. Choose endpoint: < the endpoint you created in Step 1 >.
    5. 3.3.5. Click Create records.
  3. 4. Configure routing by updating the route tables of VPC 1 and VPC 2 to enable traffic between the peered VPCs.
  4. 5. Your Datadog Agents can now send telemetry to Datadog over the AWS PrivateLink from peered VPCs in the us-east-1. Restart your Datadog Agent if required.
  5. 6. VPC peering with another region:
    1. 6.1 Since VPC peering does not support transitive routing, you must peer every VPC where Datadog Agents are running with VPC 2 in the us-east-1 in which the Datadog PrivateLink Endpoints are hosted.
    2. 6.2 Configure routing by updating the route tables of additional VPCs.
    3. 6.3 Associate the Route53 private hosted zone with the VPCs in the us-west-2 region.
  6. 7. Your Datadog Agents can now send telemetry to Datadog over the AWS PrivateLink from peered VPCs in us-west-2. Restart your Datadog Agent if required.

Authors

Lowell Abraham, Sr. Product Solutions Architect

References

Inspiration and reference documents or existing solutions: