private-connectivity

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Grafana Cloud Private Connectivity

Grafana Cloud 私有网络连接

Docs: https://grafana.com/docs/grafana-cloud/send-data/

Send metrics, logs, traces, and profiles to Grafana Cloud entirely over your cloud provider's private backbone — no public internet exposure, no egress fees.

文档: https://grafana.com/docs/grafana-cloud/send-data/

完全通过云服务商的私有骨干网络将指标、日志、链路追踪和性能剖析数据发送至 Grafana Cloud —— 无需暴露在公网中，无出口费用。

Prerequisites

前提条件

All providers:

Grafana Cloud stack must be hosted on the same cloud provider (check: My Account → Stack → Details)
Create separate private endpoints for each signal type (Metrics, Logs, Traces, Profiles)

所有服务商通用：

Grafana Cloud 集群必须托管在同一云服务商下（查看方式：我的账户 → 集群 → 详情）
为每种信号类型（指标、日志、链路追踪、性能剖析）创建独立的私有端点

AWS PrivateLink

Setup

设置步骤

Get Service Names from Grafana Cloud → Stack Details → "Send using AWS PrivateLink"
Create Interface VPC Endpoints in AWS Console for each service:

bash

undefined

从 Grafana Cloud → 集群详情 → "使用 AWS PrivateLink 发送数据" 获取服务名称
在 AWS 控制台中为每个服务创建接口型 VPC 端点：

bash

undefined

Via AWS CLI

aws ec2 create-vpc-endpoint
--vpc-id vpc-12345
--service-name com.amazonaws.vpce.us-east-1.vpce-svc-0abc123
--vpc-endpoint-type Interface
--subnet-ids subnet-12345
--security-group-ids sg-12345
--private-dns-enabled


3. **Update Alloy config** to use private DNS names from Grafana Cloud console:

```alloy
prometheus.remote_write "cloud_private" {
  endpoint {
    // Use private DNS name instead of public endpoint
    url = "https://prometheus-private.us-east-0.grafana.net/api/prom/push"
    basic_auth {
      username = sys.env("PROM_USER")
      password = sys.env("GRAFANA_CLOUD_API_KEY")
    }
  }
}

loki.write "cloud_private" {
  endpoint {
    url = "https://logs-private.us-east-0.grafana.net/loki/api/v1/push"
    basic_auth {
      username = sys.env("LOKI_USER")
      password = sys.env("GRAFANA_CLOUD_API_KEY")
    }
  }
}


3. 更新 Alloy 配置，使用 Grafana Cloud 控制台提供的私有 DNS 名称：

```alloy
prometheus.remote_write "cloud_private" {
  endpoint {
    // Use private DNS name instead of public endpoint
    url = "https://prometheus-private.us-east-0.grafana.net/api/prom/push"
    basic_auth {
      username = sys.env("PROM_USER")
      password = sys.env("GRAFANA_CLOUD_API_KEY")
    }
  }
}

loki.write "cloud_private" {
  endpoint {
    url = "https://logs-private.us-east-0.grafana.net/loki/api/v1/push"
    basic_auth {
      username = sys.env("LOKI_USER")
      password = sys.env("GRAFANA_CLOUD_API_KEY")
    }
  }
}

Terraform

Terraform 配置

hcl

resource "aws_vpc_endpoint" "grafana_metrics" {
  vpc_id              = var.vpc_id
  service_name        = var.grafana_metrics_service_name  # from Grafana Cloud console
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.grafana_endpoint.id]
  private_dns_enabled = true

  tags = { Name = "grafana-metrics-privatelink" }
}

resource "aws_vpc_endpoint" "grafana_logs" {
  vpc_id              = var.vpc_id
  service_name        = var.grafana_logs_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.grafana_endpoint.id]
  private_dns_enabled = true

  tags = { Name = "grafana-logs-privatelink" }
}

Limitation: PrivateLink only works within the same AWS region. For cross-region, set up VPC peering first.

hcl

resource "aws_vpc_endpoint" "grafana_metrics" {
  vpc_id              = var.vpc_id
  service_name        = var.grafana_metrics_service_name  # from Grafana Cloud console
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.grafana_endpoint.id]
  private_dns_enabled = true

  tags = { Name = "grafana-metrics-privatelink" }
}

resource "aws_vpc_endpoint" "grafana_logs" {
  vpc_id              = var.vpc_id
  service_name        = var.grafana_logs_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.grafana_endpoint.id]
  private_dns_enabled = true

  tags = { Name = "grafana-logs-privatelink" }
}

限制： PrivateLink 仅在同一 AWS 区域内生效。跨区域场景需先建立 VPC 对等连接。

Azure Private Link

Setup

设置步骤

Get Service Alias from Grafana Cloud → Stack Details (one per signal type)
Create Private Endpoint in Azure Portal:
- Private Endpoints → Create
- Resource tab → "Connect to Azure resource by resource ID or alias"
- Paste Service Alias from Grafana Cloud
- Select your VNet and subnet
Wait for automatic approval (~10 minutes)

bash

undefined

从 Grafana Cloud → 集群详情获取服务别名（每种信号类型对应一个）
在 Azure 门户中创建私有端点：
- 私有端点 → 创建
- 资源标签页 → "通过资源 ID 或别名连接到 Azure 资源"
- 粘贴 Grafana Cloud 提供的服务别名
- 选择你的虚拟网络和子网
等待自动审批（约10分钟）

bash

undefined

Via Azure CLI

az network private-endpoint create
--name grafana-metrics-endpoint
--resource-group myRG
--vnet-name myVNet
--subnet mySubnet
--connection-name grafana-metrics
--private-connection-resource-id "<service-alias-from-grafana-cloud>"
--group-ids grafana-metrics


**Note:** Azure Private Link requires pre-registering your Subscription IDs with Grafana Support before setup.


**注意：** 在设置 Azure Private Link 之前，需要先将你的订阅 ID 注册到 Grafana 支持团队。

GCP Private Service Connect

Get service attachment URI from Grafana Cloud console
Create Private Service Connect endpoint in GCP:

bash

gcloud compute forwarding-rules create grafana-metrics-psc \
  --region=us-east1 \
  --network=my-vpc \
  --subnet=my-subnet \
  --address=grafana-metrics-ip \
  --target-service-attachment=projects/grafana-cloud/regions/us-east1/serviceAttachments/metrics

从 Grafana Cloud 控制台获取服务附加 URI
在 GCP 中创建 Private Service Connect 端点：

bash

gcloud compute forwarding-rules create grafana-metrics-psc \
  --region=us-east1 \
  --network=my-vpc \
  --subnet=my-subnet \
  --address=grafana-metrics-ip \
  --target-service-attachment=projects/grafana-cloud/regions/us-east1/serviceAttachments/metrics

Private Data Source Connect (PDC)

私有数据源连接（PDC）

For connecting to data sources (databases, Prometheus, etc.) hosted in private networks, use PDC — a separate product from private telemetry ingestion:

bash

undefined

若要连接托管在私有网络中的数据源（数据库、Prometheus 等），请使用 PDC —— 这是与私有遥测数据导入独立的产品：

bash

undefined

Install PDC agent

helm install pdc grafana/grafana-agent
--set pdcConfig.hostedGrafanaId=<your-stack-id>
--set pdcConfig.token=<pdc-token>


PDC creates an encrypted tunnel from Grafana Cloud back into your private network for data source queries. It's the reverse direction of PrivateLink (pull vs push).

helm install pdc grafana/grafana-agent
--set pdcConfig.hostedGrafanaId=<your-stack-id>
--set pdcConfig.token=<pdc-token>


PDC 会创建一条从 Grafana Cloud 反向连接到你的私有网络的加密隧道，用于数据源查询。它与 PrivateLink 的方向相反（拉取 vs 推送）。

Choosing the Right Option

选择合适的方案

Scenario	Solution
Push metrics/logs/traces from AWS	AWS PrivateLink
Push metrics/logs/traces from Azure	Azure Private Link
Push metrics/logs/traces from GCP	GCP Private Service Connect
Query private DB/Prometheus from Grafana	Private Data Source Connect (PDC)
On-premises with no cloud provider	Grafana Agent with TLS over internet

场景	解决方案
从 AWS 推送指标/日志/链路追踪	AWS PrivateLink
从 Azure 推送指标/日志/链路追踪	Azure Private Link
从 GCP 推送指标/日志/链路追踪	GCP Private Service Connect
从 Grafana 查询私有数据库/Prometheus	私有数据源连接（PDC）
无云服务商的本地环境	启用 TLS 的 Grafana Agent（通过公网）

Cost Savings

成本节省

AWS PrivateLink eliminates:

$0.09/GB cross-region data transfer (typical Grafana Cloud endpoint is in same region)
$0.09/GB internet data transfer fees
Potential NAT Gateway costs

At 100GB/month of telemetry: ~$9-18/month savings per endpoint type.

AWS PrivateLink 可消除：

0.09美元/GB 的跨区域数据传输费用（Grafana Cloud 端点通常位于同一区域）
0.09美元/GB 的公网数据传输费用
潜在的 NAT 网关成本

若每月遥测数据量为100GB：每种端点类型每月可节省约9-18美元。