AWS Private VPC Endpoint for Datadog

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. This guide walks you through how to configure AWS private VPC endpoint for Datadog.

Datadog’s only offering PrivateLink to AWS us-east-1 region. From other regions if you want to connect through private link use inter-region Amazon VPC peering.

There are two use cases first if your workload is in AWS us-east-1 region and second if your workload is in another AWS region than us-east-1. Will walk you through both use cases in detail below.


1. IF YOUR WORKLOAD IS IN AWS US-EAST-1 REGION:


In this case we are directly going to create VPC endpoint for VPC in which our workload is running and datadog agent install on the hosts present in that VPC. Datadog Agents will send data to your VPC endpoint is then peered with the endpoint within Datadog’s VPC.



Steps to configure:


1. Connect to the AWS console to region us-east-1 and create a new VPC

endpoint.



2. Select Find service by name.

3. Fill the Service Name text box according to which service you want to establish AWS PrivateLink for:




Metrics: com.amazonaws.vpce.us-east-1.vpce-svc-09a8006e245d1e7b8
API: com.amazonaws.vpce.us-east-1.vpce-svc-064ea718f8d0ead77
Processes: com.amazonaws.vpce.us-east-1.vpce-svc-0ed1f789ac6b0bde1
Traces: com.amazonaws.vpce.us-east-1.vpce-svc-0355bb1880dfa09c2
Kubernetes: com.amazonaws.vpce.us-east-1.vpce-svc-0ad5fb9e71f85fe99
LogsForwarder :
Agent or Lambda extension : com.amazonaws.vpce.us-east-1.vpce-svc-025a56b9187ac1f63
Lambda or custom : com.amazonaws.vpce.us-east-1.vpce-svc-06394d10ccaf6fb97

4. Hit the verify button. If it does not return Service name found, reach out to the Datadog support team.

5. Choose the VPC and subnets that should be peered with the Datadog VPC service endpoint.

6. Make sure that for Enable DNS name the Enable for this endpoint is checked.

7. Choose the security group of your choice to control what can send traffic to this VPC endpoint.

Note: The security group must accept inbound traffic on TCP port 443.

8. Hit Create endpoint at the bottom of the screen.

9 Click on the VPC endpoint ID to check its status.

10. Wait for the status to move from Pending to Available. This can take up to 10 minutes.

Once it shows Available, the AWS PrivateLink is ready to be used.

11. Restart your Agent to send data to Datadog through AWS PrivateLink.


2. IF YOUR WORKLOAD IS IN ANOTHER AWS REGION THAN US-EAST-1:


Datadog’s only offering PrivateLink to AWS us-east-1 region. From other regions if you want to connect through private link use inter-region Amazon VPC peering.




Steps to configure:

1. For this type of setup we need one VPC in us-east-1 region in which we are going to create VPC endpoints for datadog same as we created in case 1 above. 2. Then we are going to peer this VPC which is created in us-east-1 and your actual workload VPC which is in different AWS region. Please see AWS VPC Peering document for reference. 3. After successful VPC peering create private hosted zone for datadoghq.com domain in AWS Route53.



Steps to create Route53 private hosted zone:

1. Connect to the AWS console and select Route53 from services. 2. After Route53 console opens click on hosted zone tab and then Create hosted zone. Please refer below screenshot.




3. Fill the required detail as per shown in below screenshot.



4. At VPC association tab please select AWS region and VPC in which your actual hosts are running



5. Last create host records to forward your traffic towards private endpoint which we created in us-east-1 VPC as per shown in below screenshot.



6. After successful creation of VPC, VPC Peering, VPC Endpoints, Private hosted zone and Host records as per above steps, please test your traffic is going through private link.

To check wether traffic is going through private link or not enable VPC flow logs and check logs of endpoint eni. Also check datadog console all functionalities are working fine.


Thank you for visiting Cloudwaale, Please like and comment your view on this post. For more Information please visit this.








870 views0 comments