
How do I use AWS PrivateLink to connect to an AppDynamics SaaS Controller?

CommunityUser
Splunk Employee

NOTE | This article should not be shared with customers from the Knowledge Base. AppDynamos should instead share the attached PDF with customers on an as-needed basis.


Methods and considerations for connecting AWS Private link to your SaaS Controller

Contents

  • What do I need to know about configuring private connectivity using an AWS VPC and SaaS Controller?
  • How do I connect an AWS VPC to an AppDynamics SaaS Controller?
  • How do I configure agents to use AWS PrivateLink?

What do I need to know about configuring private connectivity using an AWS VPC and SaaS Controller?

Certain organizations have policies in place that restrict traffic from traversing the public internet. AppDynamics provides support for AWS PrivateLink, which offers private connectivity between AppDynamics Agents running in an AWS Virtual Private Cloud (VPC) and an AppDynamics SaaS Controller.

Customers who have both a workload running in AWS and an AppDynamics SaaS Controller hosted in AWS have the option to access AppDynamics SaaS Controllers privately via AWS PrivateLink. The customer VPC and AppDynamics SaaS Controller can reside in the same AWS region or different AWS Regions (subject to regions where AWS supports Inter-Region VPC Peering).

There are two ways to do this, depending on where your agents are installed:

Virtual Private Cloud Type | Use when...
VPC | Your VPC is in the same AWS region as the target AppDynamics SaaS Controller
Transit VPC | Your VPC is in a different AWS region than the target AppDynamics SaaS Controller

Considerations when planning your strategy

Creating a Transit VPC is not technically difficult or complex, but it does require additional work. It’s recommended that you consider how these requirements fit into your technical and business needs as part of planning your strategy.

One example of these considerations is the cost of data transfer between regions. Another is connecting agents from multiple regions into the Transit VPC; if you plan to do that, it is strongly recommended that you discuss your plans with AWS Support.

Pre-configuration Essentials

Things you need to have

Before you begin, make sure you have the following:

  • An AWS Account
  • An AppDynamics SaaS Controller in AWS
  • AWS permissions to create whichever of these you will use: an interface VPC endpoint, an AWS Transit VPC, and/or VPC peering

Steps you need to take

You will also need to take the following steps:

  1. Before you choose a method, be sure you contact your AWS Account Representative if you need help setting up your VPC, Transit VPC or Inter-Region VPC Peering.

  2. Contact AppDynamics Support to get the AppDynamics SaaS PrivateLink endpoint information for the target AppDynamics SaaS Controller. You will need:
    • The AWS Account number you want to use for this connection
    • The AppDynamics Controller endpoint name (e.g., customer.saas.appdynamics.com) you want to connect to

  3. Be prepared to change your agent configuration so that your agents connect to the PrivateLink VPC Endpoint created above instead of the internet-facing endpoint.

    See How do I configure agents to use AWS PrivateLink below to learn more.

Back to Contents


How do I connect an AWS VPC to an AppDynamics SaaS Controller?

The method for connecting an AWS VPC to a SaaS Controller depends on whether the two are in the same or different AWS regions. Choose the method that matches your VPC's relation to the target AppDynamics SaaS Controller's AWS region.

Connection Method | VPC in a different AWS region than the target Controller

If your VPC is in a different AWS region than the target AppDynamics SaaS Controller, you’ll need to create an AWS Transit VPC.

For example, the VPC where your AppDynamics Agents are hosted (i.e., the Customer VPC in the Customer AWS region) may be in one region, but your Controller may be hosted in another region (i.e., the AppDynamics SaaS region).

Configure and manage the Transit VPC with Inter-region VPC Peering

To set up and manage the Transit VPC configuration, follow the steps below or refer to AWS Transit VPC for detailed instructions.

Figure: Inter-Region VPC Peering Network Diagram

  1. Create an AWS Transit VPC in the same AWS region as your AppDynamics Controller.
  2. Request a VPC Endpoint from AppDynamics Support. You will need to provide your AWS account number and your controller’s URL to the AppDynamics representative. When the VPC Endpoint Service has been created, AppDynamics will provide the Endpoint ID for your controller.
  3. From the AWS Management Console, go to Service Category, and choose the Find service by name radio button.
  4. For Service Name, enter the name of the AppDynamics endpoint service you received from AppDynamics Support in step 2, above. (For example: com.amazonaws.vpce.us-west-2.vpce-svc-00abc123)
  5. Click Verify. Upon success, you’ll see a Service name found message.
  6. For VPC, select the VPC where you want to create the endpoint.
  7. Click Create Endpoint.

If you have multiple VPCs that require this connectivity, repeat this process for each.

This generates a request to the AppDynamics SaaS PrivateLink endpoint service over the AWS PrivateLink network. Once the request is accepted and processed by AppDynamics, the connection between your organization's endpoint and the AppDynamics endpoint will be live and you should see traffic flowing to the Controller.

Connection Method | VPC in the same AWS region as the target Controller

If your VPC is in the same AWS region as the target AppDynamics SaaS Controller, you’ll create an interface endpoint to an endpoint service. Follow the steps below or refer to the detailed steps in the AWS PrivateLink documentation.

  1. Request a VPC Endpoint from AppDynamics Support. You will need to provide your AWS account number to the AppDynamics representative. When the VPC Endpoint Service has been created, AppDynamics will provide the Endpoint ID for your Controller.
  2. Click Create Endpoint.
  3. Log in to the AWS Management Console.
  4. In the Find Service search bar, enter VPC.
  5. In the VPC Dashboard left navigation pane, choose Endpoints.
  6. Click Create Endpoint.
  7. Select the Find service by name radio button.
  8. In the Service Name field, enter the service name you were provided by AppDynamics support in Step
  9. Click Verify. Upon success, you’ll see a “Service name found” message.
  10. From the VPC pulldown menu, select the VPC where your agents reside.

If you have multiple VPCs that require this connectivity, repeat this process for each one.
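The two console procedures above as AWS CLI calls, added here as an example (not AppDynamics or AWS code). It assumes AWS CLI v2 with credentials for the account you gave AppDynamics Support, that the endpoint service publishes a private DNS name (so --private-dns-enabled is accepted), and it first checks the two VPC DNS settings that the agent section below depends on; the service name, VPC and subnet ids in the usage line are placeholders.

```shell
# Added example (not AppDynamics or AWS code): the console steps above as AWS CLI calls,
# preceded by the VPC DNS checks the agent section depends on. Assumes AWS CLI v2 with
# credentials for the account given to AppDynamics Support, and a service-side private DNS name.
set -eu

# Region embedded in the service name, e.g.
# com.amazonaws.vpce.us-west-2.vpce-svc-00abc123 -> us-west-2 (empty if malformed).
service_region() {
  printf '%s\n' "$1" | sed -n 's/^com\.amazonaws\.vpce\.\([a-z0-9-]*\)\.vpce-svc-[0-9a-f]*$/\1/p'
}

# An interface endpoint can only reach a service in its own region; otherwise use the Transit VPC method.
same_region() {   # args: service-name region
  r=$(service_region "$1")
  [ -n "$r" ] && [ "$r" = "$2" ]
}

# DNS Resolution and DNS Hostnames must both be on, or agents cannot resolve customer.pl.appdynamics.com.
vpc_dns_ready() {   # args: vpc-id region
  for pair in enableDnsSupport:EnableDnsSupport enableDnsHostnames:EnableDnsHostnames; do
    attr=${pair%%:*}; key=${pair#*:}
    val=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute "$attr" \
            --region "$2" --query "$key.Value" --output text)
    [ "$val" = "True" ] || { echo "$1: $attr is $val (enable it under VPC Details)" >&2; return 1; }
  done
}

# Steps 3-7 (Transit VPC) / 4-10 (same region): verify the name, then create the endpoint.
create_endpoint() {   # args: service-name vpc-id region subnet-id... ; prints the endpoint id
  svc=$1; vpc=$2; region=$3; shift 3
  same_region "$svc" "$region" || { echo "$svc is not in $region: use the Transit VPC method" >&2; return 1; }
  vpc_dns_ready "$vpc" "$region" || return 1
  aws ec2 describe-vpc-endpoint-services --service-names "$svc" --region "$region" >/dev/null   # "Verify"
  aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name "$svc" \
      --vpc-id "$vpc" --subnet-ids "$@" --private-dns-enabled --region "$region" \
      --query 'VpcEndpoint.VpcEndpointId' --output text
}

# The endpoint stays pendingAcceptance until AppDynamics accepts it; poll until available.
wait_available() {   # args: endpoint-id region
  while :; do
    state=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$1" --region "$2" \
              --query 'VpcEndpoints[0].State' --output text)
    [ "$state" = "available" ] && return 0
    echo "$1: $state" >&2; sleep 30
  done
}

# Usage, once per VPC (placeholder ids): id=$(create_endpoint com.amazonaws.vpce.us-west-2.vpce-svc-00abc123 vpc-EXAMPLE us-west-2 subnet-EXAMPLE)
#        then: wait_available "$id" us-west-2
```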

Back to Contents


How do I configure agents to use AWS PrivateLink?

By default, customers and their agents connect to a custom URL, such as customer.saas.appdynamics.com. This resolves to a public endpoint in front of the Controller, which accepts connections and passes them to the proper Controller service. To force agents to use AWS PrivateLink instead, they must be configured to connect to the PrivateLink VPC Endpoint created above rather than the Internet-facing endpoint.

AppDynamics uses the Private DNS feature of AWS to provide this data path. AppDynamics assigns a DNS entry to its VPC Endpoint, and clients in the customer VPC resolve that DNS entry to the corresponding VPC Endpoint created in their own account. See the diagram below for details:

Figure: Agent Connectivity Network Diagram

Agents in the customer VPC will be configured to connect to customer.pl.appdynamics.com as opposed to customer.saas.appdynamics.com. The pl.appdynamics.com domain is shared across the PrivateLink connection and any host in the customer VPC can resolve their Controller name to this endpoint as long as the following two options are configured in the customer VPC:

  • DNS Resolution
  • DNS Hostnames

You can verify these settings by viewing the Details section of your VPC in the AWS Console.

NOTE | It is imperative that agents connect to the same account name via PrivateLink that they do via the Internet. If your Controller’s name is customer.saas.appdynamics.com, agents must connect to customer.pl.appdynamics.com. If the “customer” value is not identical, agents will fail to connect to the Controller.
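A cutover helper for step 3 of the pre-configuration list and the NOTE above, added here as an example (not AppDynamics code). It derives customer.pl.appdynamics.com from customer.saas.appdynamics.com with the account label copied unchanged, rewrites the <controller-host> element in the Java agent's controller-info.xml (that element name is assumed), and checks that the PrivateLink name resolves only to private addresses, which is what working Private DNS looks like from inside the VPC.

```shell
# Added example (not AppDynamics code): derive the PrivateLink name from the SaaS name with the
# account label copied unchanged, rewrite <controller-host> in the Java agent's controller-info.xml
# (element name assumed), and check that the new name resolves only to private addresses.
set -eu

# customer.saas.appdynamics.com -> customer.pl.appdynamics.com; other names are rejected.
privatelink_host() {
  case "$1" in
    ?*.saas.appdynamics.com) printf '%s.pl.appdynamics.com\n' "${1%.saas.appdynamics.com}" ;;
    *) echo "not a SaaS Controller hostname: $1" >&2; return 1 ;;
  esac
}

# The NOTE above: the account label must be identical, or the agent cannot connect.
same_account() {   # args: saas-host privatelink-host
  [ "$(privatelink_host "$1" 2>/dev/null)" = "$2" ]
}

# Rewrite controller-host in the controller-info.xml at $1; the result goes to stdout so
# the live file is only replaced after you have reviewed the change.
rewrite_controller_info() {
  saas=$(sed -n 's/.*<controller-host>\([^<]*\)<\/controller-host>.*/\1/p' "$1")
  [ -n "$saas" ] || { echo "no <controller-host> in $1" >&2; return 1; }
  pl=$(privatelink_host "$saas")
  sed "s|<controller-host>$saas</controller-host>|<controller-host>$pl</controller-host>|" "$1"
}

# Private DNS is working only if every A record is RFC 1918 (the endpoint's ENIs in your VPC);
# a public address means the agent would still leave over the internet.
all_private() {   # args: IPv4 addresses
  [ $# -gt 0 ] || return 1
  for ip in "$@"; do
    case "$ip" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
      *) return 1 ;;
    esac
  done
}

resolves_privately() {   # arg: hostname; needs getent (glibc)
  all_private $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
}

# Usage: resolves_privately customer.pl.appdynamics.com && rewrite_controller_info conf/controller-info.xml
```

Run it from an instance inside the VPC, since the private resolution only holds there.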

Back to Contents
