You can send telemetry data from your AWS Virtual Private Cloud (VPC) to New Relic via AWS PrivateLink.
Sending your New Relic data via AWS PrivateLink can:
- Reduce your AWS egress costs
- Improve security by keeping your data within the Amazon network
To use this feature, you'll need to configure an interface endpoint in your VPC that your local New Relic agents and integrations will use to route data to New Relic via AWS PrivateLink.
PrivateLink requires the New Relic Data Plus option. If you attempt to send data without Data Plus, traffic sent via PrivateLink will be rejected and returned with a 402 error.
New Relic exposes AWS PrivateLink endpoints for the following:
An endpoint service is available only in the region where it was created (see the Amazon docs), but it can be accessed from other regions using inter-region peering.
This means that if your VPC is in us-east-2, the only thing you need to do is create the necessary internal VPC endpoint, as described below. If you're in another region, you'll also need to set up a peering connection after that step.
These are the New Relic endpoint services available via AWS PrivateLink (each has its own endpoint service name):
- Metric API (including Prometheus and other integrations)
- AWS Lambda and CloudWatch Logs monitoring
- Infrastructure monitoring and on-host integrations
Endpoints are not yet available for:
- FedRAMP data
- New Relic Infinite Tracing
- Syslog TCP traffic
- CloudWatch Metric Streams
For each of the New Relic endpoint services you're using from the table above, create and attach a VPC endpoint within your VPC. When creating these endpoints, you'll need to configure the VPC subnets and security groups corresponding to the availability zones that New Relic has configured with the endpoint service.
Use the settings below and the screenshot that follows as a guide to create and attach the VPC endpoint:
1. Select Other endpoint services.
2. For Service name, find the value in the table and click Verify.
3. Select the VPC from the dropdown.
4. Select the following: Enable DNS name.
   By checking the Enable DNS name option for the VPC endpoint, the PrivateLink path replaces the public route within that VPC. You may also wish to control access to services using endpoint policies to limit access within your VPC.
5. Select the zones. For IP address type, select IPv4.
6. Select the Group ID.
7. Insert optional key/value pairs.
Here's a screenshot of some sample settings:
This is required only if you're using a region other than
Follow the instructions to create inter-region VPC peering connections, specifying the VPC ID of the endpoint connections you created.
Follow the instructions to create a Route 53 PHZ and share it between VPCs, specifying the VPC ID of the endpoint connections you created.
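The same endpoint creation done with the AWS CLI, followed by a check that the PrivateLink path is actually in use, as an added example that is not New Relic's or AWS's own code. It assumes every `PLACEHOLDER` value is replaced with your own (the service name comes from the table on this page), that `dig` is installed, and that the check is run from a host inside the VPC.

```shell
#!/bin/sh
# Added example (not New Relic's or AWS's code): CLI equivalent of the console steps,
# including the "Enable DNS name" option, plus a resolver check that New Relic
# hostnames now resolve to private addresses (PrivateLink) rather than public ones.
# Assumptions: *-PLACEHOLDER values are yours; SERVICE_NAME is from the table above.
set -eu
SERVICE_NAME="${SERVICE_NAME:-com.amazonaws.vpce.REGION.vpce-svc-PLACEHOLDER}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER-a subnet-PLACEHOLDER-b}"   # one per zone
SG_ID="${SG_ID:-sg-PLACEHOLDER}"   # should allow 443 only from your agents' subnets

# Return 0 if a dotted-quad IPv4 address is in an RFC 1918 private range.
is_rfc1918() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# Return 0 only if the whitespace-separated A records are all private and non-empty.
# A public address means this VPC is still on the public route (DNS name not enabled,
# wrong VPC selected, or a peered VPC that is not associated with the Route 53 PHZ).
all_private() {
  n=0
  for ip in $1; do
    n=$((n + 1))
    is_rfc1918 "$ip" || return 1
  done
  [ "$n" -gt 0 ] || return 1; return 0
}

# Console "Verify" button: confirms the service name exists and you may connect to it.
verify_service() { aws ec2 describe-vpc-endpoint-services --service-names "$SERVICE_NAME"; }
create_endpoint() {
  aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id "$VPC_ID" \
    --service-name "$SERVICE_NAME" --subnet-ids $SUBNET_IDS \
    --security-group-ids "$SG_ID" --ip-address-type ipv4 --private-dns-enabled
}

# Run inside the VPC with the hostname your agent sends to; fails if still public.
check_private_path() {
  records=$(dig +short A "$1")
  all_private "$records" && { echo "OK: $1 -> $(echo $records)"; return 0; }
  echo "WARN: $1 resolves to public addresses; traffic is not on PrivateLink"; return 1
}

case "${1:-}" in
  create) verify_service && create_endpoint ;;
  check)  check_private_path "$2" ;;
esac
```

Run `sh privatelink.sh create` once per endpoint service, then `sh privatelink.sh check HOST` from an instance in each VPC (including peered ones) to confirm the private path before relying on it.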