Connect to Datadog over AWS PrivateLink

Datadog exposes AWS PrivateLink endpoints in us-east-1.

This guide walks you through how to configure AWS PrivateLink for use with Datadog.

Overview

The overall process consists of configuring an internal endpoint in your VPC that local Datadog Agents can send data to. Your VPC endpoint is then peered with the endpoint within Datadog’s VPC.

Create your VPC endpoint

  1. Connect to the AWS console and create a new VPC endpoint.
  2. Select Find service by name.
  3. Fill the Service Name text box according to which service you want to establish AWS PrivateLink for:

    • Datadog Metric Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-056576c12b36056ca
    • Datadog Logs Service Name (depends on the forwarder):
        • Datadog Agent: com.amazonaws.vpce.us-east-1.vpce-svc-0a2aef8496ee043bf
        • Lambda or custom forwarder: com.amazonaws.vpce.us-east-1.vpce-svc-06394d10ccaf6fb97
    • Datadog API Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-02a4a57bc703929a0
    • Datadog Process Monitoring Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-05316fe237f6d8ddd
    • Datadog Trace Service Name: com.amazonaws.vpce.us-east-1.vpce-svc-07672d13af0033c24

  4. Hit the verify button. If it does not return Service name found, reach out to the Datadog support team.

  5. Choose the VPC and subnets that should be peered with the Datadog VPC service endpoint.

  6. Under Enable DNS name, make sure Enable for this endpoint is checked.

  7. Choose the security group of your choice to control what can send traffic to this VPC endpoint.

    Note: If you want to forward logs to Datadog through this VPC endpoint, the security group must accept inbound and outbound traffic on port 443.

  8. Hit Create endpoint at the bottom of the screen. If successful, the console shows the newly created endpoint.

  9. Click on the VPC endpoint ID to check its status.

  10. Wait for the status to move from Pending to Available. This can take up to 10 minutes.

Once it shows Available, the AWS PrivateLink is ready to be used. The next step is to update your Agent configurations with the new target endpoint for your Datadog Agents, Lambda forwarder, and/or other clients shipping data to Datadog.

Client configuration

The sections below show how to send your metrics and logs to Datadog using this new VPC endpoint, and which host URL to use for the Datadog API:

Available for Agent 6.0+

To forward your metrics to Datadog using this new VPC endpoint, configure pvtlink.agent.datadoghq.com as your new metric destination:

  1. Update the dd_url parameter in the Agent datadog.yaml configuration file:

    dd_url: https://pvtlink.agent.datadoghq.com
  2. Restart your Agent to send metrics to Datadog through AWS PrivateLink.

Note: If you are using the container Agent, set the environment variable instead: DD_DD_URL="https://pvtlink.agent.datadoghq.com". Configure this environment variable on both the Cluster Agent & Node Agent if using the Cluster Agent to monitor a Kubernetes environment.

Available for Agent 6.14+

To forward your logs to Datadog using this new VPC endpoint, configure pvtlink.logs.datadoghq.com as your new log destination:

Using the Datadog Agent:

  1. Add the following to the Agent datadog.yaml configuration file:

    logs_config:
        use_http: true
        logs_dd_url: pvtlink.logs.datadoghq.com:443

    • The use_http variable forces the Datadog Agent to send logs over HTTPS. This configuration is required when sending logs to Datadog via AWS PrivateLink. More information about this is available in the Agent log collection documentation.
    • The logs_dd_url variable is used to send logs to the VPC endpoint.
  2. Restart your Agent to send logs to Datadog through AWS PrivateLink.

Note: if you are using the container Agent, set the following environment variables instead:

  • DD_LOGS_CONFIG_USE_HTTP=true
  • DD_LOGS_CONFIG_LOGS_DD_URL="pvtlink.logs.datadoghq.com:443"

Using the Lambda or a custom forwarder:

Set the DD_URL environment variable of your Datadog Lambda function to api-pvtlink.logs.datadoghq.com to use the private link when forwarding AWS service logs to Datadog.

By default, the forwarder’s API key is stored in Secrets Manager, so the Secrets Manager endpoint also needs to be added to the VPC. Follow the AWS instructions for adding AWS services to a VPC.

When installing the forwarder with the CloudFormation template, enable ‘DdUsePrivateLink’ and set at least one subnet ID and security group.

To send data to the Datadog API or consume data from it through this new endpoint, replace the host in your API calls, api.datadoghq.com/api/, with pvtlink.api.datadoghq.com/api/.

To forward your process metrics to Datadog using this new VPC endpoint, configure pvtlink.process.datadoghq.com as your new process data destination:

  1. Update the process_dd_url parameter in the process_config section of the Agent datadog.yaml configuration file:

    process_dd_url: https://pvtlink.process.datadoghq.com
  2. Restart your Agent to send process data to Datadog through AWS PrivateLink.

Note: If you are using the container Agent, set the environment variable instead: DD_PROCESS_AGENT_URL="https://pvtlink.process.datadoghq.com". Configure this environment variable on both the Cluster Agent & Node Agent if using the Cluster Agent to monitor a Kubernetes environment.

To forward your trace metrics to Datadog using this new VPC endpoint, configure trace-pvtlink.agent.datadoghq.com as your new trace destination:

  1. Update the apm_dd_url parameter in the apm_config section of the Agent datadog.yaml configuration file:

    apm_dd_url: https://trace-pvtlink.agent.datadoghq.com
  2. Restart your Agent to send traces to Datadog through AWS PrivateLink.

Note: If you are using the container Agent, set the environment variable instead: DD_APM_DD_URL="https://trace-pvtlink.agent.datadoghq.com". Configure this environment variable on both the Cluster Agent & Node Agent if using the Cluster Agent to monitor a Kubernetes environment.
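Before restarting Agents on the new destinations, it is worth confirming that the private DNS name enabled in step 6 actually works from the subnet: each pvtlink hostname must resolve to addresses inside your VPC CIDR, not to Datadog's public IPs, otherwise the Agent silently keeps sending over the internet. The following script is an added example, not Datadog tooling; the VPC CIDR is a placeholder and the resolver is injectable so the check can be exercised offline.

```python
"""Verify that Datadog PrivateLink hostnames resolve to VPC-internal addresses.

Added example (not part of Datadog's documentation or tooling). Run it from an
instance in a subnet that has the interface endpoint attached.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# PrivateLink hostnames from the client configuration, keyed by the
# datadog.yaml setting (or API use) that carries each one.
PRIVATELINK_HOSTS: Dict[str, str] = {
    "dd_url": "pvtlink.agent.datadoghq.com",
    "logs_config.logs_dd_url": "pvtlink.logs.datadoghq.com",
    "process_config.process_dd_url": "pvtlink.process.datadoghq.com",
    "apm_config.apm_dd_url": "trace-pvtlink.agent.datadoghq.com",
    "api": "pvtlink.api.datadoghq.com",
}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the host's own resolver, i.e. what the Agent will use."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def check_resolution(hosts: Dict[str, str], vpc_cidrs: Iterable[str],
                     resolve: Resolver = system_resolver,
                     ) -> Dict[str, Tuple[bool, List[str]]]:
    """Return {setting: (ok, addresses)}.

    ok is True only when the name resolved and every returned address lies
    inside one of the VPC CIDRs (an ENI of the interface endpoint). A public
    address or an empty answer means private DNS is not in effect here.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    report: Dict[str, Tuple[bool, List[str]]] = {}
    for setting, host in hosts.items():
        addrs = resolve(host)
        inside = bool(addrs) and all(
            any(ipaddress.ip_address(a) in net for net in networks) for a in addrs)
        report[setting] = (inside, addrs)
    return report


if __name__ == "__main__":
    # Placeholder: replace with your VPC's CIDR block(s).
    for setting, (ok, addrs) in check_resolution(PRIVATELINK_HOSTS, ["10.0.0.0/16"]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {setting:32} {addrs or 'unresolved'}")
```

A FAIL on a host whose endpoint you did create usually means the endpoint's private DNS option is off, or the instance is in a subnet or VPC without the endpoint; a FAIL on the API host is expected if you only created the metric endpoint.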

Advanced Usage

Inter-region peering

To route traffic to Datadog’s PrivateLink offering in us-east-1 from other regions, use inter-region Amazon VPC peering.

Inter-region VPC peering enables you to establish connections between VPCs across different AWS regions. This allows VPC resources in different regions to communicate with each other using private IP addresses.

For more information, see the Amazon VPC peering documentation.
