Integrating Instana with AWS PrivateLink

You can use AWS PrivateLink with Instana to connect your monitored hosts to the Instana VPC (Virtual Private Cloud) endpoint. By using AWS PrivateLink with Instana, you can ensure that your application data does not leave the AWS cloud.

The AWS PrivateLink integration with Instana provides you with the following benefits:

  • Improved security by keeping the traffic within AWS and avoiding public internet exposure.
  • Stable and reliable connectivity.
  • Reduced network traffic costs.
  • Support for both in-region and cross-region integrations.

Instana supports AWS PrivateLink for the following three endpoints:

  • Agent endpoint (ingress-region-saas.instana.io)
  • Serverless endpoint (serverless-region-saas.instana.io)
  • OTLP endpoint (otlp-region-saas.instana.io)

Prerequisites

Before you start, make sure that the following requirements are met:

  • An active AWS account with sufficient permissions to create VPC interface endpoints.
  • Access to the AWS VPC Console or CLI tools.
  • Your AWS account information, such as account ID and the root ARN (Amazon Resource Name). The format of the ARN is arn:aws:iam::<AWS_ACCOUNT_ID>:root.
  • Your assigned SaaS instance or tenant-unit names. For example, #prod-instana or #dev-instana.
  • For cross-region setup, you must be familiar with VPC peering or Amazon Route 53 private hosted zones.

Setting up AWS PrivateLink for Instana

The process to set up AWS PrivateLink for Instana includes the following steps:

  1. Requesting AWS PrivateLink setup
  2. Identifying endpoint service name
  3. Creating interface VPC endpoint
  4. Requesting connection approval
  5. Verifying the connection

Requesting AWS PrivateLink setup

To start the AWS PrivateLink setup, raise a support request in the IBM Support portal.

Specify the following information in the ticket:

  • The ARN of your AWS account root (sample ARN: arn:aws:iam::AWS_ACCOUNT_ID:root).

  • The tenant-unit names for all ARNs for which you want to configure the AWS PrivateLink.

  • The region where you want AWS PrivateLink set up. Currently, the available options are eu-west-1 (Dublin, Ireland) and ap-northeast-1 (Tokyo, Japan).

    If your workloads are in other Instana AWS regions, include that information in the ticket. This configuration might take longer.

  • For cross-region deployments (for example, if your workloads are in us-east-1 but AWS PrivateLink is set up in eu-west-1), make sure that you configure VPC peering or Route 53 private hosted zones to route DNS privately across regions. Also, specify the region name in the ticket so that IBM Support can guide you.

    Cross-region AWS PrivateLink might incur higher data transfer costs than in-region connections. For more information on AWS PrivateLink pricing, see AWS PrivateLink pricing.

After the request is validated and approved, proceed to identify the service name in the next step.

Identifying endpoint service name

Identify the endpoint service name by using the following tables:

For the Blue (AWS-EU: Ireland) region:

Table 1: Identifying endpoint service name for AWS-EU: Ireland region

  Endpoint                          VPCE service name
  ingress-blue-saas.instana.io      com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6
  serverless-blue-saas.instana.io   com.amazonaws.vpce.eu-west-1.vpce-svc-07de0fcc6a559153d
  otlp-blue-saas.instana.io         com.amazonaws.vpce.eu-west-1.vpce-svc-0eeea10ffc967a01a

For the Mizu (AWS-JP: Tokyo) region:

Table 2: Identifying endpoint service name for AWS-JP: Tokyo region

  Endpoint                          VPCE service name
  ingress-mizu-saas.instana.io      com.amazonaws.vpce.ap-northeast-1.vpce-svc-048b183ac07cfa103
  mizu.instana.io                   com.amazonaws.vpce.ap-northeast-1.vpce-svc-085a8f1419bab7ae8

The VPCE service name is the same for all tenant-units. Only the VPC and the endpoint differ per region.

Creating interface VPC endpoint

You can create the interface VPC endpoint either by using the AWS VPC console or by using AWS CLI.

Creating VPC endpoint by using AWS VPC console

To create an interface VPC endpoint by using the AWS VPC console, complete the following steps:

  1. Log in to the AWS VPC Console.

  2. In the navigation menu of the console, select Endpoints, and then click Create endpoint.

    Image 1: Creating endpoint in AWS VPC console

  3. In the "Create endpoint" page, under "Type", select PrivateLink Ready partner services.

  4. Under "Service settings", in the Service name field, enter the service name and click Verify service. Make sure that the service name is verified.

    Image 2: Setting service name and region

    If the service name is not verified, or if you notice any issues in this step, use your existing support ticket to request support.

  5. For cross-region deployments only, select Enable cross region endpoint and then select your AWS region from the list. Leave these fields blank if your application is deployed in the same AWS region.

  6. In the Network settings section, enter the following details:

    • VPC: From the VPC list, select the VPC in which you want to enable PrivateLink.
    • DNS name: To configure private DNS support, select Enable DNS name, and then select the IPv4 DNS record IP type.
    • Subnets: Select a subnet in your VPC to use the interface endpoint. If your instances are spread across all Availability Zones (AZs), select all subnets.
    • Security groups: Select the security groups to associate with the endpoint network interfaces. Because the traffic is one-way, make sure that you allow port 443 on the outbound rule.
    • (Optional) To add a tag, select Add new tag and enter the tag key and the tag value.

    Image 3: Setting network configuration for VPC endpoint

  7. Click Create endpoint.

Repeat these steps for each endpoint (agent, serverless, OTLP) as required.

Creating VPC endpoint by using AWS CLI

To create an interface VPC endpoint by using AWS CLI, use the following commands:

  1. Configure the endpoint:

    VPC_ID="vpc-xxxxxxxxxxxxxxxxx"  # Replace with your VPC ID
    SUBNET_IDS="subnet-xxxxxxxxxxxxxxxxx,subnet-yyyyyyyyyyyyyyy"  # Replace with your subnet IDs (comma-separated)
    SECURITY_GROUP_IDS="sg-xxxxxxxxxxxxxxxxx"  # Replace with your security group IDs (comma-separated)
    SERVICE_NAME="com.amazonaws.vpce.your-region.your-service-name"  # Replace with the VPCE service name from the table for your region
    DNS_NAME_ENABLED="true"  # Set to "true" to enable private DNS for the endpoint at creation time
    TAGS="Service=MyPrivateLinkService"  # One Key=Value tag for your endpoint
    REGION="your-region"  # Replace with your AWS region

  2. Create the interface endpoint:

    # List options take space-separated values, so split the comma-separated variables.
    DNS_FLAG=""
    [ "$DNS_NAME_ENABLED" = "true" ] && DNS_FLAG="--private-dns-enabled"
    aws ec2 create-vpc-endpoint \
        --vpc-id "$VPC_ID" \
        --service-name "$SERVICE_NAME" \
        --subnet-ids $(echo "$SUBNET_IDS" | tr ',' ' ') \
        --security-group-ids $(echo "$SECURITY_GROUP_IDS" | tr ',' ' ') \
        --vpc-endpoint-type Interface \
        --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=${TAGS%%=*},Value=${TAGS#*=}}]" \
        $DNS_FLAG \
        --region "$REGION"

    The command returns a VPC endpoint ID (vpce-...).

  3. (Optional) If you did not enable private DNS when you created the endpoint, enable it now:

    VPCE_ID="vpce-xxxxxxxxxxxxxxxxx"  # Replace with the VPC endpoint ID from the previous step
    aws ec2 modify-vpc-endpoint \
        --vpc-endpoint-id "$VPCE_ID" \
        --private-dns-enabled \
        --region "$REGION"


Repeat these steps for each endpoint (agent, serverless, OTLP) as required.

Requesting connection approval

After you create the endpoint, update your support ticket to report that the endpoint is created. The IBM support team then approves the connection by using the ARN that you provided earlier.

Verifying the connection

After the connection is approved, confirm that the integration is working by verifying the data flow in your monitoring dashboard. When you have verified the connection, note this in the support ticket.
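The dashboard shows that data arrives, but not which path it took. The following script is an added example (not part of the Instana documentation) that checks the property this integration is meant to give you: the Instana hostname must resolve only to the private IPs of your interface endpoint, the endpoint must be in the available state (that is, accepted), and a TLS handshake on 443 must succeed. It assumes the AWS CLI, getent and openssl are installed and that the hostname, endpoint ID and region are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the Instana documentation. Verifies that an
# Instana hostname resolves only to the interface endpoint's private IPs
# (so traffic takes the PrivateLink path) and that TLS on 443 works.
# Assumes: AWS CLI with read permissions on EC2, getent, openssl.

# Return 0 if $1 is non-empty and every address in it appears in $2.
# Both lists may be separated by spaces, tabs or newlines.
all_in_set() {
    resolved="$1"
    allowed=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    [ -n "$resolved" ] || return 1
    for ip in $resolved; do
        case "$allowed" in
            *" $ip "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Private IPs of the endpoint's network interfaces (one per subnet/AZ).
endpoint_private_ips() {
    vpce_id="$1"; region="$2"
    eni_ids=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
        --region "$region" --query 'VpcEndpoints[0].NetworkInterfaceIds' --output text)
    aws ec2 describe-network-interfaces --network-interface-ids $eni_ids \
        --region "$region" --query 'NetworkInterfaces[].PrivateIpAddress' --output text
}

# Usage: verify_private_path <hostname> <vpce-id> <region>
verify_private_path() {
    host="$1"; vpce_id="$2"; region="$3"
    state=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
        --region "$region" --query 'VpcEndpoints[0].State' --output text)
    [ "$state" = "available" ] || { echo "endpoint state is $state, not available"; return 1; }
    resolved=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
    allowed=$(endpoint_private_ips "$vpce_id" "$region")
    if ! all_in_set "$resolved" "$allowed"; then
        echo "$host resolves outside the endpoint: $resolved (private DNS not in effect)"
        return 1
    fi
    echo "$host resolves only to endpoint private IPs"
    # SNI must carry the real hostname so the service presents the right certificate.
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0' && echo "TLS handshake OK via PrivateLink"
}

if [ $# -eq 3 ]; then verify_private_path "$1" "$2" "$3"; fi
```

Run it once per endpoint you created, for example with ingress-blue-saas.instana.io, its vpce-... ID and eu-west-1; a hostname that still resolves to public addresses means private DNS was not enabled or the connection has not been accepted yet.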

The IBM support team closes the support ticket when the connection is verified and the setup is complete.