Using Cross-Region AWS PrivateLink to Send Telemetry to Datadog

February 3, 2025

Introduction

At re:Invent 2024, AWS announced the availability of cross-region connectivity for PrivateLink. This feature enables you to send data to PrivateLink endpoint services hosted in any AWS region from any AWS region.

For Datadog customers, this allows you to send your application and infrastructure telemetry securely (not over the internet) from any AWS region to Datadog’s PrivateLink-enabled sites—US1 and AP1—without building complex network architectures using VPC peering or Transit Gateway. This architectural post will serve as an overview of how you can build an architecture using PrivateLink to send telemetry from the AWS US-WEST-2 (Oregon) region to Datadog’s US1 site and the AWS AP-SOUTHEAST-2 (Sydney) region to Datadog’s AP1 site.

[Architecture diagram: XRPL]

Explanation of the architecture

  1. Datadog has two sites that are PrivateLink-enabled: US1 and AP1. Previously, you either had to be in the same AWS region as the Datadog endpoint services or build complex network architectures using VPC peering or Transit Gateway to connect other AWS regions to them. This added management overhead for the network administrators and cloud teams managing the infrastructure. With the introduction of cross-region connectivity for PrivateLink by AWS, Datadog has now enabled all of our PrivateLink endpoint services to be cross-region aware. This means that you can connect to our PrivateLink endpoint services and send telemetry to Datadog from any AWS region without those complex network architectures.
  2. To start, create a VPC interface endpoint in your VPC, in your AWS account, for each of the PrivateLink endpoint services that Datadog provides in US1, and configure each one as a cross-region-enabled endpoint. In the first scenario, the VPC interface endpoint(s) are created in the AWS US-WEST-2 region and connect to Datadog’s PrivateLink endpoint services in US-EAST-1. This lets you securely and easily send telemetry from your workloads running in US-WEST-2 to Datadog’s US1 site.
  3. Datadog Agents installed on your EC2 instances and/or as sidecar containers in the US-WEST-2 region can now send their telemetry to Datadog’s service intake endpoints in US-EAST-1 over the PrivateLink endpoints.
  4. In this architecture there are no Internet Gateways or NAT Gateways, so the telemetry traverses the AWS backbone over AWS PrivateLink, giving secure, simple, and cost-effective connectivity from your VPC to Datadog. PrivateLink is a highly available and scalable service that is fully managed by AWS, which eliminates the need to continuously operate a virtual network appliance.
  5. The second scenario shows the connectivity between the AWS AP-SOUTHEAST-2 region and Datadog’s AP1 site. In this case, the VPC interface endpoint(s) are created in your VPC, in your AWS account, for each of the PrivateLink endpoint services that Datadog provides in AP1, and configured as cross-region-enabled endpoints.
  6. Datadog Agents installed on your EC2 instances and/or as sidecar containers in the AP-SOUTHEAST-2 region can now send their telemetry to Datadog’s service intake endpoints in AP-NORTHEAST-1 over the PrivateLink endpoints.
  7. As in step 4, there are no Internet Gateways or NAT Gateways in the AP-SOUTHEAST-2 region. All traffic destined for Datadog traverses AWS PrivateLink on the AWS backbone.
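As an added example that is not part of the original post and is not Datadog's or AWS's own tooling, the following shell script turns steps 2 through 7 into something you can run: it assembles the `aws ec2 create-vpc-endpoint` call for a cross-region interface endpoint (using the `--service-region` parameter AWS added for cross-region PrivateLink; its availability in your CLI version is assumed here), refuses the call when the region embedded in the service name does not match the requested service region, and counts Internet Gateway or NAT Gateway routes in `describe-route-tables` output so you can confirm the "no internet path" property the post relies on. All service names, VPC, subnet and security-group IDs, and the route-table JSON are constructed placeholders; substitute the endpoint service names from Datadog's PrivateLink documentation before running the printed commands for real.

```bash
#!/usr/bin/env bash
# Added example, not Datadog's or AWS's tooling. Builds the AWS CLI call that creates a
# cross-region PrivateLink interface endpoint for a Datadog endpoint service and runs two
# pre-flight checks a defender wants before trusting the "no internet path" property:
#   1. the provider region encoded in the service name matches --service-region
#   2. the consumer VPC's route tables contain no igw-/nat- routes
# Every ID (vpce-svc-..., vpc-..., subnet-..., sg-...) and the JSON below is a constructed placeholder.
set -eu

# Print the provider region embedded in a service name of the form
# com.amazonaws.vpce.<region>.vpce-svc-<id>; print nothing for any other shape.
service_region_of() {
  printf '%s\n' "$1" | sed -n 's/^com\.amazonaws\.vpce\.\([a-z0-9-]*\)\.vpce-svc-[a-z0-9]*$/\1/p'
}

# Succeed only when the service name's region equals the intended --service-region.
check_service_region() {
  [ -n "$(service_region_of "$1")" ] && [ "$(service_region_of "$1")" = "$2" ]
}

# Print the create-vpc-endpoint command for a cross-region interface endpoint.
# Arguments: consumer-region vpc-id service-name service-region subnet-ids security-group-id
# --service-region is the cross-region PrivateLink parameter (assumed present in your CLI).
build_create_endpoint_cmd() {
  if ! check_service_region "$3" "$4"; then
    echo "refusing: service $3 is not hosted in region $4" >&2
    return 1
  fi
  printf 'aws ec2 create-vpc-endpoint --region %s --vpc-id %s --vpc-endpoint-type Interface --service-name %s --service-region %s --subnet-ids %s --security-group-ids %s --private-dns-enabled\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Read describe-route-tables JSON on stdin and count routes that target an Internet Gateway
# or a NAT Gateway. The architecture in the post should report 0 for the consumer VPC.
count_internet_routes() {
  grep -oE '"(GatewayId|NatGatewayId)": *"(igw|nat)-[a-z0-9]+"' | wc -l | tr -d ' '
}

# --- demonstration on constructed data ---------------------------------------------------
# Scenario 1 from the post: US-WEST-2 workloads -> Datadog US1 (endpoint service in us-east-1).
build_create_endpoint_cmd us-west-2 vpc-0000000000000001 \
  com.amazonaws.vpce.us-east-1.vpce-svc-placeholderus1 us-east-1 \
  subnet-0000000000000001 sg-0000000000000001
# Scenario 2: AP-SOUTHEAST-2 workloads -> Datadog AP1 (endpoint service in ap-northeast-1).
build_create_endpoint_cmd ap-southeast-2 vpc-0000000000000002 \
  com.amazonaws.vpce.ap-northeast-1.vpce-svc-placeholderap1 ap-northeast-1 \
  subnet-0000000000000002 sg-0000000000000002
# A mistyped service region is caught before any API call is made.
build_create_endpoint_cmd us-west-2 vpc-0000000000000001 \
  com.amazonaws.vpce.us-east-1.vpce-svc-placeholderus1 us-west-2 \
  subnet-0000000000000001 sg-0000000000000001 || true

# Constructed route-table JSON: one VPC with a default route to an Internet Gateway,
# and one PrivateLink-only VPC that has just the local route.
ROUTES_WITH_IGW='{"RouteTables":[{"Routes":[{"DestinationCidrBlock":"10.0.0.0/16","GatewayId":"local"},{"DestinationCidrBlock":"0.0.0.0/0","GatewayId":"igw-0abc0000000000001"}]}]}'
ROUTES_PRIVATE_ONLY='{"RouteTables":[{"Routes":[{"DestinationCidrBlock":"10.1.0.0/16","GatewayId":"local"}]}]}'
echo "internet routes (vpc with igw): $(printf '%s' "$ROUTES_WITH_IGW" | count_internet_routes)"
echo "internet routes (privatelink-only vpc): $(printf '%s' "$ROUTES_PRIVATE_ONLY" | count_internet_routes)"
```

To use the route check against a real account, pipe `aws ec2 describe-route-tables --region <consumer-region> --filters Name=vpc-id,Values=<vpc-id>` into `count_internet_routes`; a non-zero result means the VPC still has an internet path that Datadog traffic could fall back to if the endpoint's private DNS resolution ever failed.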

Authors

Lowell Abraham, Sr. Product Solutions Architect
