Connect to Dynatrace using AWS PrivateLink

AWS PrivateLink lets you connect your applications directly to the Amazon VPC service, so that traffic never leaves the AWS cloud. You can use PrivateLink to connect your monitored hosts to the Dynatrace VPC endpoint. Dynatrace monitoring traffic is always encrypted and secure, yet PrivateLink provides even greater security, stable connectivity, and a reduction in traffic costs.

The primary use case for PrivateLink with Dynatrace is connectivity for monitored applications running in AWS VPCs.

PrivateLink connectivity overview

However, it’s also possible to use AWS VPCs for on-premise applications, provided that you use DirectConnect or VPN Gateway to connect your network to a VPC in a given region.

PrivateLink connectivity overview

In both cases, the Client VPC and Dynatrace VPC must be in the same AWS region.

To connect your hosts to the Dynatrace VPC

  1. Send us an email specifying the details of your use case, your Dynatrace environment ID, and the AWS account ID you’d like to use for the connection. Once we’ve verified your information and request, we’ll whitelist your account, prepare a CloudFormation template for your case, and get in touch with you via email.
  2. Create an interface VPC Endpoint for one of the supported regions using either the AWS console or an API call. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the AWS doc.

Dynatrace currently supports the following AWS regions and corresponding availability zones:

AWS Region code Availability zone names Availability zone Ids
us-east-1 us-east-1a, us-east-1b, us-east-1c use1-az2, use1-az4, use1-az6
us-west-2 us-west-2a, us-west-2b, us-west-2c usw2-az1, usw2-az2, usw2-az3
eu-west-1 us-west-1a, us-west-1b, us-west-1c euw1-az1, euw1-az2, euw1-az3
ap-southeast-2 ap-southeast-2a, ap-southeast-2b, ap-southeast-2c apse2-az1, apse2-az2, apse2-az3
  • In the AWS console, select one of the supported regions, go to VPC service, section Endpoint, and click Create Endpoint to create your PrivateLink endpoint.
  • Select Find Service by name as the service category, enter the service name you received from Dynatrace (for example and click Verify.
  • Configure the VPC, subnets, and security group settings. The security group needs to permit incoming traffic on port 443. If you use more than one VPC for your monitored applications, repeat this step for each VPC. Configuring VPC, Subnets, and Security group settings
  1. Create a private DNS so that you can transparently connect to Dynatrace using the PrivateLink you’ve created.
    • Create a stack using the CloudFormation template you received from us. See Creating a Stack on the AWS CloudFormation Console in the AWS doc for more information.
    • Determine the correct DNS name to be used as a stack parameter. In the Management console, go to Networking & Content Delivery section > VPC > Endpoints where you should find the endpoint associated with a given service name. Select this endpoint and the details section will display DNS Names. AWS DNS Names
    • In the Specify stack details page, paste the first address in the VpcEndpointDns field. CloudFormation stack
    • CLick Next to go to Options, click Next step to review your stack, click Create stack to launch the stack running your private DNS.

Note: You may run into DNS resolution issues if you attempt to connect from your VPC in one region to Dynatrace Server in a different region. Ensure that your VPC and all your Dynatrace environments are in the same AWS region.

While you can connect OneAgent via PrivateLink, we recommend that you use an ActiveGate. If you download the OneAgent installer via ActiveGate, it already contains a pre-configured ActiveGate endpoint and doesn’t need connectivity to the PrivateLink endpoint. For example, if you have an environment called and ActiveGate running in a local network at, modify the OneAgent installer download URL by replacing the environment domain with the ActiveGate domain and adding environment context in the path, for example:

$ wget --no-check-certificate -O<api token>&arch=x86&flavor=default

The Dynatrace server must be aware of the ActiveGate at the time of OneAgent installer download.

What happens next?

Once you’ve completed these steps, all instances of ActiveGate or OneAgent installed in your VPC will begin using PrivateLink. Thanks to the DNS override, using PrivateLink is transparent. No process restart is required.

To verify that your PrivateLink endpoint is really used:

  • Try resolving your Dynatrace environment domain from an instance running in your VPC. The domain should resolve to a private IP addresses in your VPC, for example:
$ nslookup  canonical name =
  • If the domain resolves to a public IP address, double-check your DNS and VPC configurations. The private DNS region (EndpointRegion) and VPC ID (Vpcid) must match the corresponding instance settings. The VPC must also support privately hosted zones, so enableDnsHostnames and enableDnsSupport must be set to true.
  • If the domain name resolves as expected, but OneAgent can’t connect to the endpoint on port 443, check if incoming traffic on port 443 is permitted in the security group settings associated with your PrivateLink endpoint.
  • You can also enable VPC flow logs for the network interfaces of your instances or the network interfaces associated with PrivateLink. By checking the IP addresses in the logs, you can verify if an instance is communicating with a private endpoint. If you see REJECT entries instead of ACCEPT, then most likely the traffic is blocked by your security group settings.