Datadog PrivateLink does not support the Datadog for Government site.
This guide walks you through how to configure AWS PrivateLink for use with Datadog.
The overall process consists of configuring an internal endpoint in your VPC that local Datadog Agents can send data to. Your VPC endpoint is then peered with the endpoint within Datadog’s VPC.
Datadog exposes AWS PrivateLink endpoints in us-east-1.
To route traffic to Datadog’s PrivateLink offering in us-east-1 from other regions, use inter-region Amazon VPC peering. Inter-region VPC peering lets you establish connections between VPCs in different AWS regions, so that VPC resources in those regions can communicate with each other using private IP addresses. For more details, see Amazon VPC peering.
You can also find this information by querying the AWS API, DescribeVpcEndpointServices, or by using the following CLI command: aws ec2 describe-vpc-endpoint-services --service-names <service-name>.
For example, in the case of the Datadog metrics endpoint:
This returns metrics.agent.datadoghq.com, the name of the private hosted zone that you need to create and associate with the VPC from which the Agent traffic originates. Overriding this record captures all existing dynamic Agent-versioned hostnames.
Within each new Route53 private hosted zone, create an A record with the same name. Toggle the Alias option, then under Route traffic to, choose Alias to VPC endpoint, us-east-1, and enter the DNS name of the VPC endpoint associated with that hostname.
Configure VPC peering and routing between the VPC in us-east-1 that contains the Datadog PrivateLink endpoints and the VPC in the region where the Datadog Agents run.
If the VPCs are in different AWS accounts, the VPC containing the Datadog Agent must be authorized to associate with the Route53 private hosted zones before continuing. Create a VPC association authorization for each Route53 private hosted zone using the region and VPC ID of the VPC where the Datadog Agent runs. This option is not available in the AWS Console. It must be configured using the AWS CLI, SDK, or API.
Edit the Route53 hosted zone to add the non-us-east-1 VPC.
The DNS names should resolve to IP addresses contained within the CIDR block of the VPC in us-east-1, and connections to port 443 should succeed.
If DNS is resolving to public IP addresses, then the Route53 zone has not been associated with the VPC in the alternate region, or the A record does not exist.
If DNS resolves correctly, but connections to port 443 are failing, then VPC peering or routing may be misconfigured, or port 443 may not be allowed outbound to the CIDR block of the VPC in us-east-1.
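The two checks above can be scripted from an instance in the Agent's VPC. The following is an added example, not part of the Datadog documentation: it resolves the endpoint hostname, tests whether the answers fall inside the us-east-1 VPC CIDR, attempts a TCP connection on port 443, and maps the outcome to the diagnoses given above. The CIDR 10.0.0.0/16 is a placeholder; substitute the CIDR block of your us-east-1 VPC.

```python
"""Verify Datadog PrivateLink DNS and routing from a non-us-east-1 VPC.

Added example (not Datadog's code). Hostname and CIDR are assumptions:
use your own endpoint names and the CIDR of the us-east-1 VPC that holds
the PrivateLink endpoints.
"""
import ipaddress
import socket


def resolve(hostname):
    """Return the sorted set of IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connects(ip, port=443, timeout=3.0):
    """True if a TCP handshake to ip:port completes within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(addresses, vpc_cidr, port_ok):
    """Classify a result the way the troubleshooting steps above do.

    addresses: IPs the hostname resolved to; vpc_cidr: CIDR of the us-east-1
    VPC with the PrivateLink endpoints; port_ok: whether port 443 connected.
    """
    if not addresses:
        return "no-dns-answer"
    network = ipaddress.ip_network(vpc_cidr)
    if not any(ipaddress.ip_address(ip) in network for ip in addresses):
        # Public answers: the private hosted zone is not associated with this
        # VPC, or the alias A record does not exist.
        return "dns-not-private"
    if not port_ok:
        # Private answers but no connection: peering/routing is misconfigured
        # or outbound 443 to the us-east-1 VPC CIDR is not allowed.
        return "dns-ok-port-443-blocked"
    return "ok"


def check(hostname, vpc_cidr):
    """Run both checks for one endpoint hostname and return the diagnosis."""
    addresses = resolve(hostname)
    port_ok = any(tcp_connects(ip) for ip in addresses)
    return diagnose(addresses, vpc_cidr, port_ok)


if __name__ == "__main__":
    # Hostname from the page; the CIDR is a placeholder for your own VPC.
    print(check("metrics.agent.datadoghq.com", "10.0.0.0/16"))
```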
The VPCs with a Private Hosted Zone (PHZ) attached require two settings to be enabled. Specifically, enableDnsHostnames and enableDnsSupport must be turned on in each VPC that the PHZ is associated with. See Amazon VPC settings.
If you are collecting logs data, ensure your Agent is configured to send logs over HTTPS. If it is not already present, add the following to the Agent datadog.yaml configuration file:
If you are using the container Agent, set the following environment variable instead:
This configuration is required when sending logs to Datadog with AWS PrivateLink and the Datadog Agent, and is not required for the Lambda Extension. For more details, see Agent log collection.