Connect to Datadog over AWS PrivateLink

Datadog exposes AWS PrivateLink endpoints in us-east-1.

Datadog PrivateLink does not support the Datadog for Government site.

This guide walks you through how to configure AWS PrivateLink for use with Datadog.

Overview

The overall process consists of configuring an internal endpoint in your VPC that local Datadog Agents can send data to. Your VPC endpoint is then peered with the endpoint within Datadog’s VPC.

Setup

Datadog Agent

Update the dd_url parameter in your datadog.yaml:

dd_url: https://agent.datadoghq.com

AWS VPC endpoint

  1. Connect to the AWS console in region us-east-1 and create a new VPC endpoint.

  2. Select Find service by name.

  3. Fill the Service Name text box according to which service you want to establish AWS PrivateLink for:

    Datadog Metric Service Name
    com.amazonaws.vpce.us-east-1.vpce-svc-09a8006e245d1e7b8

    Datadog Logs Service Name (depends on the forwarder)
    Datadog Agent or Lambda Extension:
    com.amazonaws.vpce.us-east-1.vpce-svc-025a56b9187ac1f63
    Lambda forwarder or custom forwarder:
    com.amazonaws.vpce.us-east-1.vpce-svc-06394d10ccaf6fb97

    Datadog API Service Name
    com.amazonaws.vpce.us-east-1.vpce-svc-064ea718f8d0ead77

    Datadog Process Monitoring Service Name
    com.amazonaws.vpce.us-east-1.vpce-svc-0ed1f789ac6b0bde1

    Datadog Trace Service Name
    com.amazonaws.vpce.us-east-1.vpce-svc-0355bb1880dfa09c2

    Datadog Kubernetes Explorer Service Name
    com.amazonaws.vpce.us-east-1.vpce-svc-0ad5fb9e71f85fe99

  4. Hit the verify button. If it does not return Service name found, reach out to the Datadog support team.

  5. Choose the VPC and subnets that should be peered with the Datadog VPC service endpoint.

  6. Under Enable DNS name, make sure that Enable for this endpoint is checked.

  7. Choose the security group of your choice to control what can send traffic to this VPC endpoint.

    Note: The security group must accept inbound traffic on TCP port 443. Limit that rule to the subnets or security groups of the hosts running the Agent rather than opening port 443 to all sources, so that only your own workloads can reach the endpoint.

  8. Hit Create endpoint at the bottom of the screen. If successful, the console confirms that the endpoint was created.

  9. Click on the VPC endpoint ID to check its status.

  10. Wait for the status to move from Pending to Available. This can take up to 10 minutes.

    Once it shows Available, the AWS PrivateLink is ready to be used.

  11. If you are collecting logs, ensure your Agent is configured to send logs over HTTPS. If it is not already present, add the following to the Agent datadog.yaml configuration file:

    logs_config:
        use_http: true

    If you are using the container Agent, set the following environment variable instead:

    DD_LOGS_CONFIG_USE_HTTP=true

    This configuration is required when sending logs to Datadog with AWS PrivateLink. See Agent log collection for more details.

  12. Restart your Agent to send data to Datadog through AWS PrivateLink.
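As an added check (not part of the Datadog documentation), the script below verifies from inside the VPC that the hostnames the Agent talks to resolve to private addresses within your VPC CIDR. If a name still resolves to a public address, private DNS is not in effect for that endpoint and Agent traffic is leaving over the public internet instead of PrivateLink. Only agent.datadoghq.com comes from this page; the VPC CIDR, the second hostname and all addresses are constructed sample data.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List


def resolve(host: str) -> List[str]:
    """Resolve host with the local resolver. Run from an instance inside the
    VPC so the endpoint's private DNS zone is the one being consulted."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(addrs_by_host: Dict[str, Iterable[str]],
                             vpc_cidrs: Iterable[str]) -> Dict[str, bool]:
    """Per host, True when every resolved address lies inside one of the VPC
    CIDRs (traffic stays on the PrivateLink endpoint). False when any answer
    is outside the VPC (private DNS not in effect, so some Agent traffic would
    leave over the public internet) or when the name did not resolve at all."""
    nets = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    verdict: Dict[str, bool] = {}
    for host, addrs in addrs_by_host.items():
        addrs = list(addrs)
        verdict[host] = bool(addrs) and all(
            any(ipaddress.ip_address(a) in net for net in nets) for a in addrs
        )
    return verdict


# Constructed sample data (not real resolution results): a VPC CIDR, one host
# answering with the endpoint's private interface addresses, and one host that
# still returns a public address, which is the failure mode to catch.
SAMPLE_VPC_CIDRS = ["10.20.0.0/16"]
SAMPLE_RESOLUTION = {
    "agent.datadoghq.com": ["10.20.1.45", "10.20.2.131"],
    "second-host.example": ["203.0.113.10", "10.20.1.45"],
}

if __name__ == "__main__":
    import sys
    # Usage: python check_privatelink_dns.py <vpc-cidr> <host> [<host> ...]
    # With no arguments the constructed sample is evaluated instead.
    if len(sys.argv) >= 3:
        cidrs, resolved = [sys.argv[1]], {h: resolve(h) for h in sys.argv[2:]}
    else:
        cidrs, resolved = SAMPLE_VPC_CIDRS, SAMPLE_RESOLUTION
    for host, private in check_private_resolution(resolved, cidrs).items():
        state = "private (PrivateLink)" if private else "PUBLIC: check private DNS"
        print(f"{host}: {state}")
```

A mixed answer (some private, some public addresses) is reported as public on purpose, since any public address means part of the traffic bypasses the endpoint.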

Advanced usage

Inter-region peering

To route traffic to Datadog’s PrivateLink offering in us-east-1 from other regions, use inter-region Amazon VPC peering.

Inter-region VPC peering enables you to establish connections between VPCs across different AWS regions. This allows VPC resources in different regions to communicate with each other using private IP addresses.

See Amazon VPC peering for more details.

Further Reading