Connect to Dynatrace using AWS PrivateLink

AWS PrivateLink lets you connect your applications directly to the Amazon VPC service, so that traffic never leaves the AWS cloud. You can use PrivateLink to connect your monitored hosts to the Dynatrace VPC (Virtual Private Cloud) endpoint. Dynatrace monitoring traffic is always encrypted and secure, yet PrivateLink provides even greater security, stable connectivity, and a reduction in traffic costs.

The primary use case for PrivateLink with Dynatrace is connectivity for monitored applications running in AWS VPCs.

PrivateLink connectivity overview

However, it’s also possible to use AWS VPCs for on-premises applications, provided that you use DirectConnect or VPN Gateway to connect your network to a VPC in a given region.

PrivateLink connectivity overview

In both cases, the Client VPC and Dynatrace VPC must be in the same AWS region.

To connect your hosts to the Dynatrace VPC

  1. Send us an email specifying the details of your use case, your Dynatrace environment ID, and the AWS account ID you’d like to use for the connection. Once we’ve verified your information and request, we’ll set up access for your account, prepare a CloudFormation template for your use case, and get in touch with you via email.
  2. Create an interface VPC Endpoint for one of the supported regions using either the AWS console or an API call. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the AWS doc.

Dynatrace currently supports the following AWS regions and corresponding availability zones:

AWS Region code Availability zone names Availability zone Ids
us-east-1 us-east-1a, us-east-1b, us-east-1c use1-az2, use1-az4, use1-az6
us-west-2 us-west-2a, us-west-2b, us-west-2c usw2-az1, usw2-az2, usw2-az3
eu-west-1 us-west-1a, us-west-1b, us-west-1c euw1-az1, euw1-az2, euw1-az3
ap-southeast-2 ap-southeast-2a, ap-southeast-2b, ap-southeast-2c apse2-az1, apse2-az2, apse2-az3
  • In the AWS console, select one of the supported regions, go to VPC service, section Endpoint, and click Create Endpoint to create your PrivateLink endpoint.
  • Select Find Service by name as the service category, enter the service name you received from Dynatrace (for example and click Verify.
  • Configure the VPC, subnets, and security group settings. The security group needs to permit incoming traffic on port 443. If you use more than one VPC for your monitored applications, repeat this step for each VPC. Configuring VPC, Subnets, and Security group settings
  1. Create a private DNS so that you can transparently connect to Dynatrace using the PrivateLink you’ve created.
    • Create a stack using the CloudFormation template you received from us. See Creating a Stack on the AWS CloudFormation Console in the AWS doc for more information.
    • Determine the correct DNS name to be used as a stack parameter. In the Management console, go to Networking & Content Delivery section > VPC > Endpoints where you should find the endpoint associated with a given service name. Select this endpoint and the details section will display DNS Names. AWS DNS Names
    • In the Specify stack details page, paste the first address in the VpcEndpointDns field. CloudFormation stack
    • CLick Next to go to Options, click Next step to review your stack, click Create stack to launch the stack running your private DNS.

VPCs in different AWS regions

The interface VPC Endpoint (PrivateLink) must be created in the VPC that's located in the same region as the Dynatrace environment. However, you can still monitor hosts running in a different VPC, including a VPC located in a different region. Such a VPC must be connected using VPC peering. Note that the DNS override must be present in every VPC that has hosts monitored by Dynatrace.

Create a Private Route 53 Hosted Zone in each VPC, or associate all the VPCs with a single private hosted zone.

VPC in a different region

For example, you have a Dynatrace environment in Sydney, that is the ap-southeast-2 region, but the monitored hosts are running in a VPC in Tokyo, ap-northeast-1 region. In order to connect Dynatrace OneAgents via PrivateLink you need to perform the following steps:

  1. Make sure he you have a VPC configured in Sydney.
  2. Create an interface VPC Endpoint in the Sydney VPC.
  3. Establish an inter-region VPC peering between the Tokyo and Sydney VPCs.
  4. Create the CloudFormation stack based on a template obtained from Dynatrace with the DNS override for the Tokyo VPC.

You can use a single endpoint for multiple VPCs, but each VPC needs to be connected using the VPC-peering and needs a DNS override.

While you can connect OneAgent via PrivateLink, we recommend that you use an ActiveGate. If you download the OneAgent installer via ActiveGate, it already contains a pre-configured ActiveGate endpoint and doesn’t need connectivity to the PrivateLink endpoint. For example, if you have an environment called and ActiveGate running in a local network at, modify the OneAgent installer download URL by replacing the environment domain with the ActiveGate domain and adding environment context in the path, for example:

$ wget --no-check-certificate -O<api token>&arch=x86&flavor=default

The Dynatrace server must be aware of the ActiveGate at the time of OneAgent installer download.

Multi-environment ActiveGates

PrivateLink connectivity isn't supported by ActiveGates that are configured for multi-environment support. To use PrivateLink for multiple environments, each environment needs a dedicated Environment ActiveGate.

What happens next?

Once you’ve completed these steps, all instances of ActiveGate or OneAgent installed in your VPC will begin using PrivateLink. Thanks to the DNS override, using PrivateLink is transparent. No process restart is required.

To verify that your PrivateLink endpoint is really used:

  • Try resolving your Dynatrace environment domain from an instance running in your VPC. The domain should resolve to a private IP addresses in your VPC, for example:
$ nslookup  canonical name =
  • If the domain resolves to a public IP address, double-check your DNS and VPC configurations. The private DNS region (EndpointRegion) and VPC ID (Vpcid) must match the corresponding instance settings. The VPC must also support privately hosted zones, so enableDnsHostnames and enableDnsSupport must be set to true.
  • If the domain name resolves as expected, but OneAgent can’t connect to the endpoint on port 443, check if incoming traffic on port 443 is permitted in the security group settings associated with your PrivateLink endpoint.
  • You can also enable VPC flow logs for the network interfaces of your instances or the network interfaces associated with PrivateLink. By checking the IP addresses in the logs, you can verify if an instance is communicating with a private endpoint. If you see REJECT entries instead of ACCEPT, then most likely the traffic is blocked by your security group settings.