Integrating Instana with AWS PrivateLink

You can use AWS PrivateLink with Instana to connect your monitored hosts to the Instana SaaS backend through an interface VPC (Virtual Private Cloud) endpoint that you create in your own VPC. With AWS PrivateLink, monitoring traffic from agents, serverless functions, and OTLP exporters stays on the AWS network and does not traverse the public internet.

The AWS PrivateLink integration with Instana provides you with the following benefits:

  • Improved security by keeping the traffic within AWS and avoiding public internet exposure.
  • Stable and reliable connectivity.
  • Reduced network traffic costs.
  • Support for both in-region and cross-region integrations.

Instana supports AWS PrivateLink for the following three endpoints, where region is the name of your SaaS region (for example, blue or mizu):

  • Agent endpoint (ingress-region-saas.instana.io)
  • Serverless endpoint (serverless-region-saas.instana.io)
  • OTLP endpoint (otlp-region-saas.instana.io)

Prerequisites

Before you start, make sure that the following requirements are met:

  • An active AWS account and an IAM principal with sufficient permissions to create and modify VPC interface endpoints and security groups. IBM suggests using an administrator account, although a least-privilege role that grants only these EC2 permissions is sufficient.
  • Access to the AWS VPC console or the AWS CLI.
  • Your AWS account information, such as the account ID and the root ARN (Amazon Resource Name). The ARN has the format arn:aws:iam::<AWS_ACCOUNT_ID>:root. IBM uses this ARN to allow your account to connect to the Instana endpoint service.
  • Your assigned SaaS instance or tenant-unit names, for example, #prod-instana or #dev-instana.
  • For a cross-region setup, familiarity with VPC peering or Amazon Route 53 private hosted zones.

Identifying endpoint service name

Identify the endpoint service name by using the following tables:

For the Blue (AWS EU, Ireland; eu-west-1) region:

Endpoint                          VPCE service name
ingress-blue-saas.instana.io      com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6
serverless-blue-saas.instana.io   com.amazonaws.vpce.eu-west-1.vpce-svc-07de0fcc6a559153d
otlp-blue-saas.instana.io         com.amazonaws.vpce.eu-west-1.vpce-svc-0eeea10ffc967a01a

For the Mizu (AWS JP, Tokyo; ap-northeast-1) region:

Endpoint                          VPCE service name
ingress-mizu-saas.instana.io      com.amazonaws.vpce.ap-northeast-1.vpce-svc-048b183ac07cfa103
mizu.instana.io                   com.amazonaws.vpce.ap-northeast-1.vpce-svc-085a8f1419bab7ae8

Note: The VPCE service name is the same for every tenant unit in a region. Only your VPC and the interface endpoint that you create in it are specific to you.

Creating interface VPC endpoint

You can create the interface VPC endpoint either by using the AWS VPC console or by using AWS CLI.

Creating VPC endpoint by using AWS VPC console

To create an interface VPC endpoint by using the AWS VPC console, complete the following steps:

  1. Log in to the AWS VPC Console.

  2. In the navigation menu of the console, select Endpoints, and then click Create endpoint.
    Figure 1. Create endpoint in AWS console
  3. In the "Create endpoint" page, under "Type", select PrivateLink Ready partner services.

  4. On Service settings, in the Service name field, enter the VPCE service name that is listed in the endpoint service name table for your region. Then, click Verify service and make sure that the service name is verified.
    Figure 2. Set service name and region

    If the service name is not verified, or if you notice any other issues in this step, use your existing support ticket to request support.

  5. For cross-region deployments only, select Enable cross region endpoint and select your AWS region from the list. Leave these fields blank if your application is deployed in the same AWS region as the Instana endpoint service.

  6. In the Network settings section, enter the following details:

    • VPC: From the VPC list, select the VPC in which you want to enable PrivateLink.
    • DNS name: Leave this checkbox unselected when you first create the endpoint. To configure private DNS support after the endpoint is created, see Enabling DNS name.
    • Subnets: Select the subnets in your VPC that use the interface endpoint. If your instances are spread across multiple Availability Zones (AZs), select a subnet in each of those AZs.
    • Security groups: Select the security groups to associate with the endpoint network interfaces. Make sure that the rules allow TCP port 443 inbound from your monitored hosts and outbound. For more information, see Setting outbound and inbound rules.
    • (Optional) To add a tag, select Add new tag and enter the tag key and the tag value.
    Figure 3. Network settings for VPC endpoint
  7. Click Create endpoint.

Repeat these steps for each endpoint (agent, serverless, OTLP) as required.

Enabling DNS name

You can configure private DNS support after you create the interface endpoint by using the following steps:

  1. In the navigation menu of the console, select Endpoints.
  2. Select the interface endpoint that you created.
  3. Click Actions > Modify private DNS name.
  4. Select Enable private DNS name and save the changes.

Setting outbound and inbound rules

You can set inbound and outbound rules to a security group either during its creation or later.

To create a security group, on the VPC console, go to VPC > Security groups > Create security group.

If you already have a security group set up, you can modify it to add the rules by going to Security groups on the VPC console and selecting the required security group. Then, to add inbound rules, click Edit Inbound Rules. Similarly, to add outbound rules, click Edit Outbound Rules.

Use the following configuration for the inbound and outbound rules:

  • Type: HTTPS
  • Protocol: TCP
  • Port range: 443
  • Source (inbound rule) or Destination (outbound rule): Custom. Enter either the CIDR block of the subnets where your monitored hosts run (suggested) or the ID of the security group that those hosts belong to (if you want to allow access only from specific resources). Avoid 0.0.0.0/0, which admits every host that can route to the endpoint network interfaces, including peered networks.

Save your changes.

For more information, see the Create a security group for your VPC topic in the Amazon Virtual Private Cloud documentation.

Creating VPC endpoint by using AWS CLI

To create an interface VPC endpoint by using AWS CLI, use the following commands:

  1. Set the endpoint parameters:

    VPC_ID="vpc-xxxxxxxxxxxxxxxxx"  # Replace with your VPC ID
    SUBNET_IDS="subnet-xxxxxxxxxxxxxxxxx subnet-yyyyyyyyyyyyyyy"  # Replace with your subnet IDs (space-separated, one per Availability Zone)
    SECURITY_GROUP_IDS="sg-xxxxxxxxxxxxxxxxx"  # Replace with your security group IDs (space-separated); see Setting outbound and inbound rules
    SERVICE_NAME="com.amazonaws.vpce.your-region.your-service-name"  # Replace with the VPCE service name from the endpoint service name table
    TAG_KEY="Service"; TAG_VALUE="MyPrivateLinkService"  # Tag for your endpoint
    REGION="your-region"  # Replace with the AWS region of your VPC
     
  2. Create the interface endpoint:

    # Private DNS is left disabled here; step 3 enables it after creation.
    aws ec2 create-vpc-endpoint \
        --vpc-id "$VPC_ID" \
        --vpc-endpoint-type Interface \
        --service-name "$SERVICE_NAME" \
        --subnet-ids $SUBNET_IDS \
        --security-group-ids $SECURITY_GROUP_IDS \
        --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=$TAG_KEY,Value=$TAG_VALUE}]" \
        --region "$REGION"
     

    The command returns the new endpoint, including its VpcEndpointId (vpce-...) and its State.

  3. Enable the private DNS name. Without private DNS, the Instana hostnames continue to resolve to their public addresses, so the agents do not use the endpoint unless you reconfigure them to the endpoint-specific DNS name:

    ENDPOINT_ID="vpce-xxxxxxxxxxxxxxxxx"  # Replace with the VPC endpoint ID from the previous step
    aws ec2 modify-vpc-endpoint \
        --vpc-endpoint-id "$ENDPOINT_ID" \
        --private-dns-enabled \
        --region "$REGION"
     

Repeat these steps for each endpoint (agent, serverless, OTLP) as required.

Requesting connection approval

After you create the endpoint, update your support ticket to report that the endpoint is created. The IBM support team then approves the connection request by using the AWS account ARN that you provided earlier. Until the connection is approved, the endpoint remains in the pendingAcceptance state.

Verifying the connection

After the connection is approved, confirm that the integration is working: check that the endpoint state is available, that the Instana endpoint hostname resolves to private IP addresses in your VPC from a monitored host, and that data from your agents appears in your Instana dashboard. If the connection is verified, update this information in the support ticket.

The IBM support team closes the support ticket when the connection is verified and the setup is complete.
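The security group rules from Setting outbound and inbound rules and the checks in Verifying the connection are easier to get right with a script than by reading them off the console. The following is an added example and not code from the Instana documentation: it validates a VPC endpoint record and a security group record of the shape returned by aws ec2 describe-vpc-endpoints and aws ec2 describe-security-groups, and checks that the Instana hostname resolves to addresses inside your VPC, which is the observable proof that agent traffic uses the private path rather than the public ingress. The sample records, resource IDs and the VPC CIDR 10.20.0.0/16 are constructed assumptions; in practice you feed in the JSON from those two commands.

```python
"""Post-setup checks for an Instana PrivateLink interface endpoint."""
import ipaddress
import socket

# VPCE service names from the endpoint service name tables (Blue and Mizu regions).
SERVICE_NAMES = {
    "ingress-blue-saas.instana.io": "com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6",
    "serverless-blue-saas.instana.io": "com.amazonaws.vpce.eu-west-1.vpce-svc-07de0fcc6a559153d",
    "otlp-blue-saas.instana.io": "com.amazonaws.vpce.eu-west-1.vpce-svc-0eeea10ffc967a01a",
    "ingress-mizu-saas.instana.io": "com.amazonaws.vpce.ap-northeast-1.vpce-svc-048b183ac07cfa103",
    "mizu.instana.io": "com.amazonaws.vpce.ap-northeast-1.vpce-svc-085a8f1419bab7ae8",
}

# Constructed sample records shaped like one VpcEndpoints[] entry from
# `aws ec2 describe-vpc-endpoints` and one SecurityGroups[] entry from
# `aws ec2 describe-security-groups`; the IDs and VPC CIDR are assumptions.
VPC_CIDR = "10.20.0.0/16"
SAMPLE_ENDPOINT = {
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6",
    "State": "available",
    "PrivateDnsEnabled": True,
    "SubnetIds": ["subnet-0a1b2c3d4e5f60718", "subnet-0a1b2c3d4e5f60719"],
}
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "UserIdGroupPairs": []}],
}


def check_endpoint(endpoint, hostname):
    """Return the problems with an endpoint record for the given Instana hostname."""
    problems = []
    expected = SERVICE_NAMES.get(hostname)
    if endpoint.get("ServiceName") != expected:
        problems.append(f"service name is {endpoint.get('ServiceName')}, expected {expected}")
    if endpoint.get("VpcEndpointType") != "Interface":
        problems.append("endpoint type must be Interface")
    state = endpoint.get("State")
    if state == "pendingAcceptance":
        problems.append("state is pendingAcceptance: IBM support has not approved the connection yet")
    elif state != "available":
        problems.append(f"state is {state}, expected available")
    if not endpoint.get("PrivateDnsEnabled"):
        problems.append("private DNS is disabled, so the hostname still resolves to public addresses")
    return problems


def check_security_group(group, vpc_cidr):
    """Inbound rules must allow TCP/443 and should not reach beyond the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, allows_443 = [], False
    for perm in group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if perm.get("IpProtocol") not in ("tcp", "-1") or not lo <= 443 <= hi:
            continue
        if perm.get("IpRanges") or perm.get("UserIdGroupPairs"):
            allows_443 = True
        if (lo, hi) != (443, 443):
            problems.append(f"rule allows ports {lo}-{hi}; restrict it to TCP/443")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(vpc):  # 0.0.0.0/0 or a foreign range admits more than the VPC
                problems.append(f"source {src} is wider than the VPC {vpc}; use a VPC or subnet CIDR")
    if not allows_443:
        problems.append("no inbound rule allows TCP/443 to the endpoint network interfaces")
    return problems


def resolves_privately(hostname, addresses, vpc_cidr):
    """True only if every address the hostname resolves to lies inside the VPC.

    Once private DNS is enabled, the Instana hostname must resolve to the endpoint
    network interfaces; a public address means traffic still leaves via the internet.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in vpc for a in addresses)


def resolve(hostname):
    """Live IPv4 lookup of the hostname; run it from a host inside the VPC."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


if __name__ == "__main__":
    host = "ingress-blue-saas.instana.io"
    for label, problems in (("endpoint", check_endpoint(SAMPLE_ENDPOINT, host)),
                            ("security group", check_security_group(SAMPLE_SG, VPC_CIDR))):
        print(f"{label}: {'ok' if not problems else '; '.join(problems)}")
    try:
        addrs = resolve(host)
        print(f"{host} -> {addrs}; private path: {resolves_privately(host, addrs, VPC_CIDR)}")
    except socket.gaierror as exc:
        print(f"DNS lookup for {host} failed: {exc}")
```

Run the script from a monitored host after private DNS is enabled. The DNS check is the one that backs the claim that data does not leave AWS: with private DNS disabled, or with an endpoint still in pendingAcceptance, the agent keeps reaching ingress-region-saas.instana.io through its public address and the endpoint silently goes unused.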