Connect to Dynatrace using AWS PrivateLink

AWS PrivateLink lets you connect your applications directly to the Amazon VPC service, so that traffic never leaves the AWS cloud. You can use PrivateLink to connect your monitored hosts to the Dynatrace VPC endpoint. Dynatrace monitoring traffic is always encrypted and secure, yet PrivateLink provides even greater security, stable connectivity, and a reduction in traffic costs.

The primary use case for PrivateLink with Dynatrace is connectivity for monitored applications running in AWS VPCs.

PrivateLink connectivity overview

However, it’s also possible to use AWS VPCs for on-premise applications, provided that you use DirectConnect or VPN Gateway to connect your network to a VPC in a given region.

PrivateLink connectivity overview

In both cases, the Client VPC and Dynatrace VPC must be in the same AWS region.

To connect your hosts to the Dynatrace VPC

  1. Send us an email specifying the details of your use case, your Dynatrace environment ID, and the AWS account ID you’d like to use for the connection. Once we’ve verified your information and request, we’ll whitelist your account, prepare a CloudFormation template for your case, and get in touch with you via email.
  2. Create an interface VPC Endpoint using either the AWS console or an API call. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the AWS doc.
  • In the AWS console, select one of the supported regions (us-east-1, us-west-2, ap-southeast-2, or eu-west-1), go to VPC service, section Endpoint, and click Create Endpoint to create your PrivateLink endpoint.
  • Select Find Service by name as the service category, enter the service name you received from Dynatrace (for example com.amazonaws.vpce.us-west-2.vpce-svc-0e6de648b166714ad) and click Verify.
  • Configure the VPC, subnets, and security group settings. The security group needs to permit incoming traffic on port 443. If you use more than one VPC for your monitored applications, repeat this step for each VPC. Configuring VPC, Subnets, and Security group settings
  1. Use the CloudFormation template you received from us to create a private DNS so that you can transparently connect to Dynatrace using the PrivateLink you’ve created. See Creating a Stack on the AWS CloudFormation Console in the AWS doc for more information.

CloufFormation stack

Note: You may run into DNS resolution issues if you attempt to connect from your VPC in one region to Dynatrace Server in a different region. Ensure that your VPC and all your Dynatrace environments are in the same AWS region.

While you can connect OneAgent via PrivateLink, we recommend that you use an ActiveGate. If you download the OneAgent installer via ActiveGate, it already contains a pre-configured ActiveGate endpoint and doesn’t need connectivity to the PrivateLink endpoint. For example, if you have an environment called xyz12345.live.dynatrace.com and ActiveGate running in a local network at https://172.31.1.5:9999, modify the OneAgent installer download URL by replacing the environment domain with the ActiveGate domain and adding environment context in the path, for example:

$ wget --no-check-certificate -O Dynatrace-OneAgent-Linux-1.149.188.sh https://172.31.1.5:9999/e/xyz12345/api/v1/deployment/installer/agent/unix/default/latest?Api-Token=<api token>&arch=x86&flavor=default

The Dynatrace server must be aware of the ActiveGate at the time of OneAgent installer download.

What happens next?

Once you’ve completed these steps, all instances of ActiveGate or OneAgent installed in your VPC will begin using PrivateLink. Thanks to the DNS override, using PrivateLink is transparent. No process restart is required.

To verify that your PrivateLink endpoint is really used:

  • Try resolving your Dynatrace environment domain from an instance running in your VPC. The domain should resolve to a private IP addresses in your VPC, for example:
$ nslookup xyz12345.dynatrace.com
cluster-us-west-2-prod-us-west-2-oregon.live.ruxit.com  canonical name = vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com.
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.41.143
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.28.144
Name:   vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.dynatrace.com
Address: 172.31.13.64
  • If the domain resolves to a public IP address, double-check your DNS and VPC configurations. The private DNS region (EndpointRegion) and VPC ID (Vpcid) must match the corresponding instance settings. The VPC must also support privately hosted zones, so enableDnsHostnames and enableDnsSupport must be set to true.
  • If the domain name resolves as expected, but OneAgent can’t connect to the endpoint on port 443, check if incoming traffic on port 443 is permitted in the security group settings associated with your PrivateLink endpoint.
  • You can also enable VPC flow logs for the network interfaces of your instances or the network interfaces associated with PrivateLink. By checking the IP addresses in the logs, you can verify if an instance is communicating with a private endpoint. If you see REJECT entries instead of ACCEPT, then most likely the traffic is blocked by your security group settings.