
Send New Relic data via AWS PrivateLink

You can send telemetry data from your AWS Virtual Private Cloud (VPC) to New Relic via AWS PrivateLink.

Overview

Sending your New Relic data via AWS PrivateLink can:

  • Reduce your AWS egress costs
  • Improve security by keeping your data within the Amazon network

PrivateLink works for sending telemetry data to a variety of New Relic endpoints. It can't be used for our NerdGraph API or other non-ingest APIs.

To use this feature, you'll need to configure an interface endpoint in your VPC that your local New Relic agents and integrations will use to route data to New Relic via AWS PrivateLink.

Requirements

PrivateLink requires the New Relic Data Plus option. If you attempt to send data without Data Plus, traffic sent via PrivateLink will be rejected and returned with a 402 error.

Supported regions and zones

New Relic exposes AWS PrivateLink endpoints for the following:

| Region | Zone |
|---|---|
| us-east-2 (Ohio) | use2-az1, use2-az2, use2-az3 |
| eu-central-1 | euc1-az1, euc1-az2, euc1-az3 |

An endpoint service is available only in the region where it was created (see the Amazon docs), but it can be accessed from other regions using inter-region peering.

This means that if your VPC is in us-east-2, the only thing you need to do is to create the necessary internal VPC endpoint, as described below. But if you're in another region, you'll need to also set up a peering connection after that step.

The endpoints

These are the New Relic endpoint services available via AWS PrivateLink:

| Data source | Hostname(s) | Endpoint service name |
|---|---|---|
| APM | collector.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-00e75af63239fbdc8 |
| Event API | insights-collector.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-030074dde03e5f7f1 |
| Metric API (including Prometheus and other integrations) | metric-api.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-0b48963952181a468 |
| Logging | log-api.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-070f8190492d268ec |
| Distributed tracing | trace-api.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-0cc5a5c85730683db |
| AWS Lambda and CloudWatch Logs monitoring | cloud-collector.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-0c4032e13941b3e9d |
| Infrastructure monitoring and on-host integrations | infra-api.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-0df10112dc8c0f0b0 |
| Infrastructure monitoring and on-host integrations | identity-api.newrelic.com, infrastructure-command-api.newrelic.com | com.amazonaws.vpce.us-east-2.vpce-svc-09230bb8d16a9171e |
| OpenTelemetry | otlp.nr-data.net | com.amazonaws.vpce.us-east-2.vpce-svc-0bf91fb637cf37b4f |
| Synthetics job manager | synthetics-horde.nr-data.net | com.amazonaws.vpce.us-east-2.vpce-svc-09230bb8d16a9171e |

Important

Review the following constraints when configuring the identity-api.newrelic.com, infrastructure-command-api.newrelic.com or synthetics-horde.nr-data.net hostnames:

  • These are only exposed in the us-east-2 (Ohio) region.
  • The endpoint service does not have an associated DNS private name. Create a PrivateLink connected to this service endpoint, and create the Private Hosted Zone (PHZ) for each hostname.

| Data source | Hostname(s) | Endpoint service name |
|---|---|---|
| APM | collector.eu.newrelic.com and collector.eu01.nr-data.net | com.amazonaws.vpce.eu-central-1.vpce-svc-080da8c256534bc15 and com.amazonaws.vpce.eu-central-1.vpce-svc-09677bc6c976d9d9e, respectively |
| Event API | insights-collector.eu01.nr-data.net | com.amazonaws.vpce.eu-central-1.vpce-svc-02a22c14c11af33eb |
| Metric API (including Prometheus and other integrations) | metric-api.eu.newrelic.com | com.amazonaws.vpce.eu-central-1.vpce-svc-046613de75b465eb5 |
| Logging | log-api.eu.newrelic.com | com.amazonaws.vpce.eu-central-1.vpce-svc-042ba37fec695fcde |
| Distributed tracing | trace-api.eu.newrelic.com | com.amazonaws.vpce.eu-central-1.vpce-svc-07ae0a14716c59a2d |
| AWS Lambda and CloudWatch Logs monitoring | cloud-collector.eu01.nr-data.net | com.amazonaws.vpce.eu-central-1.vpce-svc-0cf7eae9d784a86a8 |
| Infrastructure monitoring and on-host integrations | infra-api.eu01.nr-data.net | com.amazonaws.vpce.eu-central-1.vpce-svc-06d5b2d7e79ddd78e |
| OpenTelemetry | otlp.eu01.nr-data.net | com.amazonaws.vpce.eu-central-1.vpce-svc-04308d96cf1012913 |

Tip

Endpoints are not yet available for:

  • FedRAMP data
  • New Relic Infinite Tracing
  • Syslog TCP traffic
  • CloudWatch Metric Streams

Create VPC endpoints

For each of the New Relic endpoint services you're using from the table above, create and attach a VPC endpoint within your VPC. When creating these endpoints, you'll need to configure the VPC subnets and security groups corresponding to the availability zones that New Relic has configured with the endpoint service.

Use the table below as a guide to create and attach the VPC endpoint:

| Field | Description |
|---|---|
| Name tag | Optional. |
| Service category | Select Other endpoint services. |
| Service settings | For Service name, find the value in the table and click Verify. |
| VPC | Select the VPC from the dropdown. |
| Additional settings | Select the following: Enable DNS name; IPv4. By checking the Enable DNS name option for the VPC endpoint, the PrivateLink path will replace the public route within that VPC. You may also wish to control access to services using endpoint policies to limit access within your VPC. |
| Subnets | Select the zones. For IP address type, select IPv4. |
| Security groups | Select the Group ID. |
| Tags | Insert optional key/value pairs. |
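
The console fields above correspond to one EC2 CreateVpcEndpoint request. The following is an added example, not New Relic's code: it builds the arguments for boto3's `ec2.create_vpc_endpoint`, keeps only subnets whose zone ID is listed on this page for the service's region, and disables private DNS for the one service the page says has no private DNS name. The function name and the VPC, subnet and security group IDs are hypothetical placeholders.

```python
# Added example: arguments for boto3 ec2.create_vpc_endpoint, derived from this page.
# Zone IDs supported per region (from the "Supported regions and zones" table).
SUPPORTED_ZONES = {
    "us-east-2": {"use2-az1", "use2-az2", "use2-az3"},
    "eu-central-1": {"euc1-az1", "euc1-az2", "euc1-az3"},
}
# Per the page, this endpoint service has no associated private DNS name;
# its hostnames need a Private Hosted Zone instead of "Enable DNS name".
NO_PRIVATE_DNS = {"com.amazonaws.vpce.us-east-2.vpce-svc-09230bb8d16a9171e"}


def endpoint_request(service_name, vpc_id, subnet_zones, security_group_ids):
    """Return keyword arguments for ec2.create_vpc_endpoint.

    subnet_zones maps subnet ID -> availability zone ID (e.g. "use2-az1").
    Zone IDs are used because zone names such as us-east-2a can map to
    different physical zones in different AWS accounts.
    """
    parts = service_name.split(".")
    # Expected shape: com.amazonaws.vpce.<region>.vpce-svc-<id>
    if len(parts) != 5 or parts[:3] != ["com", "amazonaws", "vpce"]:
        raise ValueError(f"not an endpoint service name: {service_name!r}")
    region = parts[3]
    zones = SUPPORTED_ZONES.get(region)
    if zones is None:
        raise ValueError(f"no endpoint services listed for region {region}")
    # Only subnets in zones served by the endpoint service can host the endpoint.
    usable = sorted(s for s, az in subnet_zones.items() if az in zones)
    if not usable:
        raise ValueError("no subnet is in a zone served by the endpoint service")
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service_name,
        "SubnetIds": usable,
        "SecurityGroupIds": list(security_group_ids),
        "IpAddressType": "ipv4",
        "PrivateDnsEnabled": service_name not in NO_PRIVATE_DNS,
    }
```

Pass the result as `ec2.create_vpc_endpoint(**request)` with a client created in the same region as the endpoint service.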


Set up a peering connection

This is required only if you're using a region other than us-east-2 (Ohio).

VPC peering

Follow the instructions to create inter-region VPC peering connections, specifying the VPC ID of the endpoint connections you created.

Transit Gateway peering

Follow the instructions to create a Route 53 PHZ and share it between VPCs, specifying the VPC ID of the endpoint connections you created.
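
Once the endpoints, any private hosted zones and any peering are in place, it is worth confirming from an instance inside the VPC that each New Relic hostname resolves to endpoint addresses, because a hostname that still resolves publicly will silently keep using the public route. The check below is an added example, not part of New Relic's documentation; the function names, CIDR ranges and sample answers are assumptions constructed for illustration. When the endpoints live in a peered VPC, pass that VPC's CIDR as well.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Resolve a hostname with the system resolver (run this inside the VPC)."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_private_path(hostnames, vpc_cidrs, resolver=resolve_ipv4):
    """Classify each hostname as 'privatelink', 'public', 'mixed' or 'unresolved'.

    vpc_cidrs lists the CIDR blocks of the VPC(s) holding the interface
    endpoints; an address inside one of them is an endpoint network interface.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    report = {}
    for host in hostnames:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError:  # socket.gaierror is a subclass of OSError
            addrs = []
        inside = [any(addr in net for net in networks) for addr in addrs]
        if not addrs:
            report[host] = "unresolved"
        elif all(inside):
            report[host] = "privatelink"
        elif any(inside):
            report[host] = "mixed"    # split answers: some traffic leaves the VPC
        else:
            report[host] = "public"   # endpoint DNS or PHZ is not taking effect
    return report


# Constructed sample answers (not real lookups): one hostname served by the
# endpoint, one that still resolves to a public (documentation-range) address.
SAMPLE_ANSWERS = {
    "log-api.newrelic.com": ["10.0.1.25", "10.0.2.25"],
    "identity-api.newrelic.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    fake = lambda host: SAMPLE_ANSWERS.get(host, [])
    print(check_private_path(SAMPLE_ANSWERS, ["10.0.0.0/16"], fake))
```

In the sample, `identity-api.newrelic.com` is reported as `public`, which is the result to expect for the hostnames without a private DNS name until their private hosted zone exists and is associated with the VPC.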
