Connect to Honeycomb with AWS PrivateLink


Note
This feature is available as part of the Honeycomb Enterprise plan.

AWS PrivateLink allows you to create a private connection to Honeycomb’s API over AWS networks.

Comparison of the networking with and without PrivateLink. With PrivateLink, network traffic stays in AWS, and without, it goes over the public internet.

This has the following advantages:

  • Limits API traffic over the public internet, because requests to the Honeycomb API are routed entirely within AWS networks
  • If your infrastructure restricts outbound traffic with firewalls, you can control access to the Honeycomb API with security groups (or rules on your firewall appliance) instead of allow-listing public addresses
  • Reduced data-transfer costs for high-volume traffic, as with other services reached over PrivateLink. Contact your Honeycomb account team for details.

Before You Begin 

Honeycomb must grant access to each AWS account that requires access to the Honeycomb API via AWS PrivateLink. Contact your Honeycomb account team for details.

Honeycomb offers AWS PrivateLink to our US instance from the us-east-1 region and to our EU instance from the eu-west-1 region. VPCs in that region can use the endpoint directly; VPCs elsewhere can reach it through VPC Peering. Note that an interface endpoint’s private DNS name resolves only inside the VPC that contains the endpoint, so a peered VPC needs its own DNS configuration (for example, a Route 53 private hosted zone) to direct the Honeycomb API hostname to the endpoint.

Configuration Using the AWS Console 

Note

These instructions configure AWS PrivateLink via the AWS Console.

Configuring AWS PrivateLink through infrastructure-as-code tools such as Terraform or CloudFormation is recommended; a Terraform example follows the console steps.

  1. Visit the Amazon VPC console in the appropriate region:
    1. US instance: us-east-1
    2. EU instance: eu-west-1
  2. From the left navigation, select Endpoints and choose Create endpoint.
  3. For Service category, choose PrivateLink Ready partner services.
  4. For the Service name, enter the name of the service:
    1. US instance: com.amazonaws.vpce.us-east-1.vpce-svc-0878e9afcbb4c4333
    2. EU instance: com.amazonaws.vpce.eu-west-1.vpce-svc-077ead63dd7ebe330
  5. Select Validate. If validation fails with the message “Service name could not be verified”, the usual causes are that your AWS account has not yet been granted access to the service or that you are working in the wrong region; reach out to your Honeycomb account team.
  6. From the Select a VPC list, select the VPC that contains the services sending traffic to Honeycomb.
  7. From the Additional settings dropdown, ensure that Enable DNS name is enabled. This requires that “Enable DNS hostnames” and “Enable DNS support” are enabled for this VPC. With private DNS enabled, the Honeycomb API hostname resolves to the endpoint’s private addresses inside the VPC, so your services need no configuration change.
  8. Select one subnet per Availability Zone in which the endpoint’s network interface should be created. Each subnet must either contain your services or be routable from the subnets where your services run.
  9. Select a security group that allows inbound TCP on port 443 from the sources that will send data to Honeycomb. Prefer your VPC’s own CIDR block (or the security groups of the sending workloads) over a broad range such as 10.0.0.0/8, which would also admit any peered network in that range. If you do not see a suitable security group, create one.
  10. Choose Create endpoint. The Endpoint console shows a “Pending” status until it is “Available.” Once available, your infrastructure transparently sends data through the connection.

Refer to the AWS documentation on Interface Endpoints for more details about endpoint configuration.

Example Configuration Using Terraform 

resource "aws_vpc_endpoint" "honeycomb" {
  vpc_id            = aws_vpc.main.id
  # US instance; use the eu-west-1 service name for the EU instance.
  service_name      = "com.amazonaws.vpce.us-east-1.vpce-svc-0878e9afcbb4c4333"
  vpc_endpoint_type = "Interface"

  # One subnet per Availability Zone that hosts (or can route to) your services.
  subnet_ids         = data.aws_subnets.private.ids

  security_group_ids = [
    aws_security_group.honeycomb_private_endpoint.id,
  ]

  # Makes the Honeycomb API hostname resolve to the endpoint inside the VPC;
  # requires "Enable DNS hostnames" and "Enable DNS support" on the VPC.
  private_dns_enabled = true
}

# This filter returns every subnet in the VPC. Narrow it (for example with a
# tag filter) so that only the subnets hosting your services are selected.
data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [aws_vpc.main.id]
  }
}

resource "aws_security_group" "honeycomb_private_endpoint" {
  name        = "honeycomb_private_endpoint"
  description = "Traffic to Honeycomb endpoint"
  vpc_id      = aws_vpc.main.id

  # Only the VPC's own address space may reach the endpoint on 443.
  ingress {
    description      = "TLS from VPC"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = [aws_vpc.main.cidr_block]
    # compact() drops the entry when the VPC has no IPv6 block; an empty
    # string in this list would fail validation at plan time.
    ipv6_cidr_blocks = compact([aws_vpc.main.ipv6_cidr_block])
  }

  # The endpoint's network interfaces never initiate connections, so this
  # egress rule only matters if the security group is reused elsewhere.
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "honeycomb_private_endpoint"
  }
}
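Once the endpoint is Available, whether created in the console or with Terraform, confirm from a host inside the VPC that the Honeycomb API hostname now resolves to the endpoint's private addresses rather than public ones, and that TLS still validates against Honeycomb's certificate (the endpoint forwards TLS; it does not terminate it). The script below is an added example and not part of the Honeycomb documentation or product; the API hostnames `api.honeycomb.io` and `api.eu1.honeycomb.io`, the `check_privatelink.py` name, and the sample addresses in the comments are assumptions for illustration.

```python
"""check_privatelink.py: verify that Honeycomb API traffic uses the VPC endpoint.

Added example, not Honeycomb's own tooling. Assumes the interface endpoint was
created with private DNS enabled, so the API hostname resolves to endpoint
addresses inside the VPC CIDR when queried from inside that VPC.
"""
import ipaddress
import socket
import ssl
import sys

# Assumed API hostnames for each Honeycomb instance (not stated on this page).
API_HOSTS = {"us": "api.honeycomb.io", "eu": "api.eu1.honeycomb.io"}


def classify_resolution(addresses, vpc_cidr):
    """Split resolved addresses into those inside the VPC CIDR and those outside.

    Addresses outside the VPC are public Honeycomb addresses, which means the
    private DNS override is not in effect where this was run.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == net.version and ip in net:
            inside.append(str(ip))
        else:
            outside.append(str(ip))
    return inside, outside


def endpoint_in_use(addresses, vpc_cidr):
    """True only when at least one address resolved and every one is inside the VPC."""
    inside, outside = classify_resolution(addresses, vpc_cidr)
    return bool(inside) and not outside


def resolve(host):
    """Return the sorted set of addresses the local resolver gives for host:443."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tls_peer_common_name(host, timeout=5.0):
    """Complete a TLS handshake with full verification and return the cert's commonName.

    A successful handshake shows the endpoint passes Honeycomb's certificate
    through unchanged, so clients keep verifying it exactly as they did before.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName")


def main(argv):
    if len(argv) != 3 or argv[1] not in API_HOSTS:
        print("usage: check_privatelink.py us|eu VPC_CIDR", file=sys.stderr)
        return 2
    host, vpc_cidr = API_HOSTS[argv[1]], argv[2]
    addrs = resolve(host)
    inside, outside = classify_resolution(addrs, vpc_cidr)
    print(f"{host} resolves to: {', '.join(addrs) or 'nothing'}")
    if endpoint_in_use(addrs, vpc_cidr):
        print(f"OK: every address is inside {vpc_cidr}; traffic will use the endpoint")
        print(f"TLS peer commonName: {tls_peer_common_name(host)}")
        return 0
    print(f"WARNING: {', '.join(outside) or 'no addresses'} outside {vpc_cidr}; "
          "private DNS is not in effect here and traffic would leave via the internet")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from an instance in the endpoint's VPC, for example `python3 check_privatelink.py us 10.0.0.0/16`. A non-zero exit with public addresses in the output usually means "Enable DNS name" was not set on the endpoint, the VPC lacks DNS hostnames or DNS support, or the host is in a peered VPC that does not carry the endpoint's private DNS name.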

AWS captures metrics for each VPC endpoint. These metrics are accessible through the AWS Console and published to CloudWatch. Learn how to send AWS CloudWatch metrics to Honeycomb.

From the AWS Console:

  1. Visit the Amazon VPC console in the appropriate region:
    1. US instance: us-east-1
    2. EU instance: eu-west-1
  2. From the left navigation, select Endpoints and choose the endpoint ID.
  3. Select the Monitoring tab.