Improve security and connectivity with PrivateLink & Dynatrace

Dynatrace is among the first AWS partners to support AWS PrivateLink, the newest generation of Virtual Private Cloud (VPC) Endpoints. AWS recently announced PrivateLink as a new solution that enables customers to connect to 3rd-party services via private connections. PrivateLink lets you connect your applications directly to the Amazon VPC service, so traffic never leaves the AWS network.

Advantages of PrivateLink

Dynatrace customers can leverage this capability by connecting their monitored hosts to the Dynatrace VPC endpoint. This ensures that OneAgent traffic never leaves the AWS cloud. While traffic between OneAgent and Dynatrace Server is encrypted, PrivateLink provides some other advantages:

  • Additional security
  • Better connectivity
  • Reduced traffic costs

The primary use case for PrivateLink with Dynatrace is connectivity for monitored applications running in AWS VPCs (see image below).


However, it’s also possible to use AWS VPCs for on-premise applications—provided that you use DirectConnect or VPN Gateway to connect your network to a VPC in a given region (see below).

In both cases, the Client VPC and Dynatrace VPC must be in the same AWS region. Dynatrace currently supports PrivateLink in Oregon (USA) and Sydney (Australia), with plans to expand it to other regions in the near future.

How PrivateLink works

To connect your hosts to the Dynatrace VPC

  1. Send us an email specifying the details of your use case, your Dynatrace environment ID, and the Dynatrace account ID you’d like to use for the connection. Once we’ve verified your information and request, we’ll whitelist your account and get in touch with you via email.
  2. Create the VPC Endpoint using either the AWS console or an API call (if you’re using the API approach, please skip ahead to step #5). If using the AWS console, select the supported region (currently only Oregon and Sydney) and then create your VPC service endpoint.
  3. Select the Your AWS Marketplace services option button as the service category. You should then be able to see an endpoint (for example, com.dynatrace.vpce.oregon-1).
  4. Proceed by configuring the VPC, Subnets, and Security group settings. The security group needs to permit incoming traffic on port 443. If you use more than one VPC for your monitored applications, please repeat this step for each VPC. 
  5. If you’d prefer to use the API call instead, you can use the create-vpc-endpoint call (the list parameters are --subnet-ids and --security-group-ids).
    For example:
    aws ec2 create-vpc-endpoint --region us-west-2 --vpc-endpoint-type Interface --service-name com.dynatrace.vpce.oregon-1 --vpc-id <vpc-id> --subnet-ids <list-of-subnets> --security-group-ids <list-of-security-groups>
  6. Create a private DNS so that Dynatrace OneAgent can transparently connect to Dynatrace Server using the private link you’ve created. We’ve provided you with a CloudFormation template to make this process easier.

    Note: You may run into DNS resolution issues if you attempt to connect from your VPC in one region to Dynatrace Server in a different region. Please ensure that your VPC and all your Dynatrace environments are in the same AWS region.

Troubleshooting

Once you’ve completed these steps, all instances of OneAgent installed in your VPC will begin using PrivateLink. Thanks to the DNS override, using PrivateLink is transparent from OneAgent’s point of view. No process restart is required.

To verify that your PrivateLink endpoint is indeed being used

Try resolving your Dynatrace environment domain from an instance running in your VPC. The domain should resolve to private IP addresses in your VPC, for example:
$ nslookup xyz12345.dynatrace.com
cluster-us-west-2-prod-us-west-2-oregon.live.ruxit.com  canonical name = vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com.
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.41.143
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.28.144
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.13.64

If the domain resolves to public IP addresses, double-check your DNS and VPC configurations. The private DNS region (EndpointRegion) and VPC ID (Vpcid) must match the corresponding instance settings. The VPC must also support private hosted zones, so enableDnsHostnames and enableDnsSupport must be set to true.
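The resolution check above can be automated. The following is an added example (not code from the post or from Dynatrace) that parses nslookup output and flags answers that are public or that fall outside the instance's VPC; the VPC CIDR 172.31.0.0/16 and the sample output are assumed and constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the nslookup output in the post; not a real capture.
SAMPLE_NSLOOKUP = """\
Server:         172.31.0.2
Address:        172.31.0.2#53

Non-authoritative answer:
cluster-us-west-2-prod-us-west-2-oregon.live.ruxit.com  canonical name = vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com.
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.41.143
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.28.144
"""

def parse_nslookup(output):
    """Return (cname, [answer addresses]); the resolver's own Address line is skipped."""
    cname, addrs, in_answer = None, [], False
    for line in output.splitlines():
        line = line.strip()
        m = re.search(r"canonical name = (\S+?)\.?$", line)
        if m:
            cname = m.group(1)
        elif line.startswith("Name:"):
            in_answer = True                       # answer records follow "Name:" lines
        elif line.startswith("Address:") and in_answer:
            addrs.append(line.split()[1].split("#")[0])
    return cname, addrs

def check_privatelink(output, vpc_cidr, endpoint_suffix=".vpce.dynatrace.com"):
    """Return a list of findings; an empty list means resolution goes through PrivateLink."""
    vpc = ipaddress.ip_network(vpc_cidr)           # CIDR of the instance's VPC (assumed value)
    cname, addrs = parse_nslookup(output)
    findings = []
    if cname is None or not cname.endswith(endpoint_suffix):
        findings.append("no CNAME to the endpoint: private DNS override is not in effect")
    if not addrs:
        findings.append("no addresses returned")
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_global:
            findings.append(f"{a} is public: traffic would leave the VPC")
        elif ip not in vpc:
            findings.append(f"{a} is private but outside {vpc_cidr}: check EndpointRegion and VpcId")
    return findings
```

Run it against the output of nslookup from an instance in the VPC; any finding maps to one of the DNS or VPC settings named above.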

If the domain name resolves as expected, but OneAgent can’t connect to the endpoint on port 443, double-check the security group settings associated with your PrivateLink endpoint (incoming traffic on port 443 must be permitted).

You can also enable VPC flow logs for the network interfaces of your instances or the network interfaces associated with PrivateLink. By checking the IP addresses in the logs, you can verify whether an instance is communicating with a private endpoint. If you see REJECT entries instead of ACCEPT, then most likely the traffic is blocked by your security group settings.
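The flow log check can be scripted as well. This added example (not from the post or from Dynatrace) counts port 443 flows by destination class and action in the default VPC Flow Logs format and maps them to the two conditions just described; the log records and the endpoint addresses are constructed/assumed.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format; not real captures.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#         packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 172.31.16.139 172.31.41.143 49761 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 172.31.16.139 172.31.28.144 49762 443 6 3 180 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 172.31.16.139 52.10.20.30 49763 443 6 12 2300 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 172.31.16.139 172.31.0.2 49764 53 17 1 72 1418530010 1418530070 ACCEPT OK
"""

# Private addresses the Dynatrace domain resolved to (from nslookup); assumed values.
ENDPOINT_IPS = {"172.31.41.143", "172.31.28.144", "172.31.13.64"}

def classify_flows(log_text, endpoint_ips, port=443):
    """Count flows to `port` by destination class and action, e.g. {'endpoint_accept': 1}."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Skip headers and NODATA/SKIPDATA rows, whose address fields are "-".
        if len(fields) < 14 or fields[0] != "2" or fields[13] != "OK":
            continue
        dst, dport, action = fields[4], fields[6], fields[12].lower()
        if dport != str(port):
            continue
        if dst in endpoint_ips:
            counts[f"endpoint_{action}"] += 1
        elif ipaddress.ip_address(dst).is_global:
            counts[f"public_{action}"] += 1
    return counts

def diagnose(counts):
    """Map the counts to the checks the post describes."""
    findings = []
    if counts["endpoint_reject"]:
        findings.append("REJECT on port 443 to the endpoint: check the endpoint's security group")
    if counts["public_accept"] or counts["public_reject"]:
        findings.append("port 443 flows to public addresses: review whether OneAgent bypasses the endpoint")
    if not counts["endpoint_accept"]:
        findings.append("no accepted flows to the endpoint yet")
    return findings
```

Public port 443 flows are only a hint, since an instance may legitimately reach other public services; compare them against the Dynatrace server addresses before concluding that OneAgent bypasses the endpoint.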

Early access program

Integration with PrivateLink is currently available via an early access program. Reach out to us if you’d like to join the program and try out PrivateLink with Dynatrace yourself. We’re working to make the use of PrivateLink with Dynatrace as easy as possible. Our primary focus at the moment is eliminating the need for private DNS configuration.

We’re eager to hear your feedback on this new feature, so please let us know what you think.

Krzysztof is a Software Architect at Dynatrace with a focus on cloud and deployment automation. He's enthusiastic about AWS, infrastructure as code, and advocating for Agile software development. Outside of work, Krzysztof enjoys cycling and is otherwise kept busy by his two daughters.