Connect to Datadog over Azure Private Link
Azure Private Link allows you to send telemetry to Datadog without using the public internet.
Datadog exposes some of its data intake services as Azure Private Link services.
You can configure Azure Private Link to expose a private IP address for each Datadog intake service; this IP address routes traffic to the Datadog backend. You can then configure an Azure Private DNS Zone to override the DNS names corresponding to the products for each endpoint that is consumed.
Setup
Connect an endpoint
In the Azure portal, go to Private Link.
On the left navigation menu, select Private endpoints.
Select Create.
On the Create a private endpoint > Basics page, configure the following:
- Under Project details, select the Subscription and Resource group from which production resources should access Private Link.
- Under Instance details, enter a Name (for example, datadog-api-private-link) and select your Region.
Select Next: Resource to continue.
On the Create a private endpoint > Resource page, configure the following:
- For Connection method, select Connect to an Azure resource by resource ID or alias.
- For Resource ID or alias, enter the Private Link service name that corresponds to the Datadog intake service that you want to use. You can find this service name in the table of published services.
- Optionally, for Request message, you can enter your email address (associated with a Datadog account). This helps Datadog identify your request and reach out to you if necessary.
Select Next: Virtual Network to continue.
On the Create a private endpoint > Virtual Network page, configure the following:
- Under Networking, select the Virtual network and Subnet where the endpoint should live. Typically, this is located in the same network as the compute resources that need to access the private endpoint.
- Under Private DNS integration, select No.
Select Next: Tags to continue.
On the Create a private endpoint > Tags page, you can optionally set tags. Select Next.
On the Review + create page, review your configuration settings. Then, select Create.
After your private endpoint is created, find it in the list. Take note of this endpoint’s Private IP, as this is used in the next section.
Create a Private DNS zone
In the Azure portal, go to Private DNS zones.
Select Create.
On the Create Private DNS zone > Basics page, configure the following:
- Under Project details, select the Subscription and Resource group from which production resources should access the private endpoint.
- Under Instance details, for Name, enter the private DNS name that corresponds to the Datadog intake service that you want to use. You can find this service name in the table of published services.
Select Review + create.
Review your configuration settings. Then, select Create.
After the Private DNS zone is created, select it from the list.
In the panel that opens, select + Record set.
In the Add record set panel, configure the following:
- For Name, enter *.
- For Type, select A - Address record.
- For IP address, enter the IP address you noted at the end of the previous section.
Select OK to finish.
Additional required steps for metrics and traces
Two Datadog intake services are subdomains of the agent. domain. Because of this, the Private DNS zone is slightly different from other intakes.
Create a Private DNS zone for agent., as outlined in the section above. Then add the three records below.
DNS name | Resource record type | IPv4 address |
---|---|---|
(apex) | A | IP address for your metrics endpoint |
* | A | IP address for your metrics endpoint |
trace | A | IP address for your traces endpoint |
Note: This zone requires a wildcard (*) record that points to the IP address for your metrics endpoint. This is because Datadog Agents submit telemetry using a versioned endpoint in the form (<version>-app.agent.).
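To confirm from a host in the virtual network that these records are in effect, and that telemetry is not still resolving to public addresses, the following check can be run. It is an added example, not part of the original page or Datadog's tooling. The hostnames come from the table of published services (us3 site); the version label `7-50-0`, the service labels, and the sample IPs are constructed assumptions.

```python
import ipaddress
import socket

# Hostnames from the page's tables (us3 site). The "7-50-0" version label is
# constructed to exercise the wildcard record in the agent zone.
EXPECTED = {
    "api.us3.datadoghq.com": "api",
    "agent.us3.datadoghq.com": "metrics",             # (apex) record
    "7-50-0-app.agent.us3.datadoghq.com": "metrics",  # matched by the * record
    "trace.agent.us3.datadoghq.com": "traces",        # explicit record beats *
}

def system_resolver(name):
    """Resolve with the host's resolver; returns a set of IPv4 strings."""
    infos = socket.getaddrinfo(name, 443, family=socket.AF_INET)
    return {info[4][0] for info in infos}

def check_private_link(endpoint_ips, resolver=system_resolver):
    """Return (hostname, problem) pairs for names that miss their endpoint.

    endpoint_ips maps a service label ("api", "metrics", "traces") to the
    Private IP noted when that private endpoint was created.
    """
    problems = []
    for name, service in EXPECTED.items():
        try:
            addrs = resolver(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append((name, f"resolution failed: {exc}"))
            continue
        for addr in sorted(addrs):
            if not ipaddress.ip_address(addr).is_private:
                problems.append((name, f"{addr} is public; private zone not in effect"))
            elif addr != endpoint_ips[service]:
                problems.append((name, f"{addr} is not the {service} endpoint"))
    return problems

if __name__ == "__main__":
    # Constructed sample IPs; replace with the Private IPs of your endpoints.
    ips = {"api": "10.0.1.4", "metrics": "10.0.1.5", "traces": "10.0.1.6"}
    for host, problem in check_private_link(ips):
        print(f"FAIL {host}: {problem}")
```

A missing trace record is the case this catches that a simple "is it private" test does not: the wildcard then answers for the trace name with the metrics endpoint's IP.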
Published services
Datadog intake service | Private Link service name | Private DNS name |
---|---|---|
Logs (Agent) | logs-pl-1.9941bd04-f840-4e6d-9449-368592d2f7da.westus2.azure.privatelinkservice | agent-http-intake.logs.us3.datadoghq.com |
Logs (OTel Collector with Datadog Exporter) | logs-pl-1.9941bd04-f840-4e6d-9449-368592d2f7da.westus2.azure.privatelinkservice | http-intake.logs.us3.datadoghq.com |
Logs (User HTTP Intake) | logs-pl-1.9941bd04-f840-4e6d-9449-368592d2f7da.westus2.azure.privatelinkservice | http-intake.logs.us3.datadoghq.com |
API | api-pl-1.0962d6fc-b0c4-40f5-9f38-4e9b59ea1ba5.westus2.azure.privatelinkservice | api.us3.datadoghq.com |
Metrics | metrics-agent-pl-1.77764c37-633a-4c24-ac9b-0069ce5cd344.westus2.azure.privatelinkservice | agent.us3.datadoghq.com |
Containers | orchestrator-pl-1.8ca24d19-b403-4c46-8400-14fde6b50565.westus2.azure.privatelinkservice | orchestrator.us3.datadoghq.com |
Process | process-pl-1.972de3e9-3b00-4215-8200-e1bfed7f05bd.westus2.azure.privatelinkservice | process.us3.datadoghq.com |
Profiling | profile-pl-1.3302682b-5bc9-4c76-a80a-0f2659e1ffe7.westus2.azure.privatelinkservice | intake.profile.us3.datadoghq.com |
Traces | trace-edge-pl-1.d668729c-d53a-419c-b208-9d09a21b0d54.westus2.azure.privatelinkservice | agent.us3.datadoghq.com |
Remote Configuration | fleet-pl-1.37765ebe-d056-432f-8d43-fa91393eaa07.westus2.azure.privatelinkservice | config.us3.datadoghq.com |
Database Monitoring | dbm-metrics-pl-1.e391d059-0e8f-4bd3-9f21-708e97a708a9.westus2.azure.privatelinkservice | dbm-metrics-intake.us3.datadoghq.com |