How do I use AWS PrivateLink to connect to an AppDynamics SaaS Controller?

Methods and considerations for connecting AWS PrivateLink to your SaaS Controller

 


What are the methods for configuring private connectivity using an AWS VPC and SaaS Controller?

Certain organizations have policies in place that restrict traffic from traversing the public Internet. AppDynamics provides support for AWS PrivateLink, which offers private connectivity between AppDynamics Agents running in an AWS Virtual Private Cloud (VPC) and an AppDynamics SaaS Controller.

 

Customers who have both a workload running in AWS and an AppDynamics SaaS Controller hosted in AWS have the option to access AppDynamics SaaS Controllers privately via AWS PrivateLink. The customer VPC and AppDynamics SaaS Controller can reside in the same AWS region or different AWS Regions (subject to regions where AWS supports Inter-Region VPC Peering).

 

There are 2 ways to do this, depending on where your agents are installed:

| Virtual Private Cloud Type | Use when... |
| --- | --- |
| VPC | Your VPC is in the same AWS region as the target AppDynamics SaaS controller |
| Transit VPC | Your VPC is in a different AWS region than the target AppDynamics SaaS controller |

 

Considerations

Creating a Transit VPC is not technically difficult or complex, but it does require additional work. It’s recommended that you consider how these requirements fit into your technical and business needs as part of planning your strategy.

 

One example of these considerations is the cost of data transfer between regions. Another is agents spread across multiple regions: if you want to connect them into the transit VPC, it is strongly recommended to discuss your plans with AWS Support.

 

Pre-configuration Essentials

Things you need to have

Before you begin, make sure you have the following:

  • An AWS Account
  • An AppDynamics SaaS Controller in AWS
  • AWS permissions to create an interface VPC endpoint, an AWS Transit VPC, and/or VPC peering, depending on the method you use

 

Steps you need to take

You will also need to take the following steps:

  1. Before you choose a method, be sure to contact your AWS Account Representative if you need help setting up your VPC, Transit VPC or Inter-Region VPC Peering.

  2. Contact AppDynamics Support to get the AppDynamics SaaS PrivateLink endpoint information for the target AppDynamics SaaS Controller.

    You will need: 
    • AWS Account number you want to use for this connection 
    • AppDynamics controller endpoint name (e.g., customer.saas.appdynamics.com) you want to connect to

  3. Be prepared to change your agent configuration so that your agents can use AWS PrivateLink to connect to the PrivateLink VPC Endpoint created above instead of the Internet-facing endpoint.

    See "How do I configure agents to use AWS PrivateLink?" below to learn more.

 

How do I connect my AWS VPC to an AppDynamics SaaS Controller?

The method for connecting an AWS VPC to a SaaS Controller depends on whether the two are in the same or different AWS regions.

 

 

Method for connecting when VPC is in the same AWS region as the target AppDynamics SaaS Controller

If your VPC is in the same AWS region as the target AppDynamics SaaS Controller, you’ll create an interface endpoint to an endpoint service. Follow the steps below or refer to the detailed steps in the AWS PrivateLink documentation.

  1. Log in to the AWS Management Console.
  2. In the Find Service search bar, enter VPC.
  3. In the VPC Dashboard left navigation pane, choose Endpoints.
  4. Click Create Endpoint.

 

Method for connecting when VPC is in a different AWS region than the target AppDynamics SaaS Controller

If your VPC is in a different AWS region than the target AppDynamics SaaS Controller, you’ll need to create an AWS Transit VPC.

 

For example, the VPC where your AppDynamics Agents are hosted (i.e., the Customer VPC in the Customer AWS region) may be in one region, but your Controller may be hosted in another region (i.e., the AppDynamics SaaS region).

 

 

Inter-region VPC Peering

To set up and manage the Transit VPC configuration, follow the steps below or refer to AWS Transit VPC for detailed instructions.

 

[Figure: Inter-Region VPC Peering Network Diagram]

 

  1. Create an AWS Transit VPC in the same AWS region as your AppDynamics Controller.

  2. Request a VPC Endpoint from AppDynamics. You will need to provide your AWS account number to the AppDynamics representative. Then, AppDynamics will provide the Endpoint ID for your controller.

  3. From the AWS Management Console, go to Service Category, and choose Find service by name.

  4. For Service Name, enter the name of the AppDynamics endpoint service you received from AppDynamics Support in step 2, above. (For example: com.amazonaws.vpce.us-west-2.vpce-svc-00abc123)
  5. Click Verify. Upon success, you’ll see a Service name found message.

  6. For VPC, select the VPC where you want to create the endpoint.

  7. Click Create Endpoint.

 

This generates a request to the AppDynamics SaaS PrivateLink endpoint service over the AWS PrivateLink network. Once the request is accepted and processed by AppDynamics, the connection between your organization's endpoint and the AppDynamics endpoint will be live and you should see traffic flowing to the Controller.


 

How do I configure agents to use AWS PrivateLink?

By default, customers and their agents connect to a custom URL, such as customer.saas.appdynamics.com. This resolves to a public endpoint in front of the Controller, which accepts connections and passes them to the proper Controller service. To force agents to use AWS PrivateLink, they must be configured to connect to the PrivateLink VPC Endpoint created above instead of the Internet-facing endpoint.

 

AppDynamics uses the Private DNS feature of AWS to facilitate this data path. AppDynamics assigns a DNS entry to their VPC Endpoint and clients in the customer VPC can resolve that DNS entry to the corresponding VPC Endpoint that was created in their account. See the diagram below for details:

 

[Figure: Agent Connectivity Network Diagram]

 

Agents in the customer VPC will be configured to connect to customer.pl.appdynamics.com as opposed to customer.saas.appdynamics.com. The pl.appdynamics.com domain is shared across the PrivateLink connection and any host in the customer VPC can resolve their Controller name to this endpoint as long as the following two options are configured in the customer VPC:

  1. DNS Resolution
  2. DNS Hostnames

 

You can verify these settings by viewing the Details section of your VPC in the AWS Console.

 

Note: It is imperative that agents connect to the same account name via PrivateLink that they do via the Internet.

If your Controller’s name is customer.saas.appdynamics.com, agents must connect to customer.pl.appdynamics.com. If the “customer” value is not identical, agents will fail to connect to the Controller.
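
A preflight check for the agent configuration described above, as an added example that is not AppDynamics code: it derives the PrivateLink hostname from the SaaS hostname, reports which of the two VPC DNS options are disabled, and confirms the name resolves into the VPC that holds the interface endpoint rather than to some other address. The function names, the `endpoint_cidrs` parameter and the sample addresses are assumptions for illustration; `ec2` is expected to be a boto3 EC2 client.

```python
import ipaddress
import socket

SAAS_SUFFIX = ".saas.appdynamics.com"
PL_SUFFIX = ".pl.appdynamics.com"

def privatelink_host(saas_host):
    """customer.saas.appdynamics.com -> customer.pl.appdynamics.com"""
    host = saas_host.strip().lower().rstrip(".")
    account = host[: -len(SAAS_SUFFIX)]
    if not host.endswith(SAAS_SUFFIX) or not account:
        raise ValueError(f"not a SaaS Controller hostname: {saas_host!r}")
    return account + PL_SUFFIX

def vpc_dns_problems(ec2, vpc_id):
    """Names of the two required VPC DNS options that are disabled.
    ec2: a boto3 EC2 client, or any object with describe_vpc_attribute()."""
    disabled = []
    for attr in ("enableDnsSupport", "enableDnsHostnames"):
        resp = ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)
        if not resp[attr[0].upper() + attr[1:]]["Value"]:
            disabled.append(attr)
    return disabled

def resolve(host):
    """Addresses the local resolver returns (run this from inside the VPC)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})

def check_agent_target(saas_host, agent_host, endpoint_cidrs, resolver=resolve):
    """Return findings; an empty list means the agent target looks right.
    endpoint_cidrs: CIDR blocks of the VPC holding the interface endpoint."""
    expected = privatelink_host(saas_host)
    if agent_host.strip().lower().rstrip(".") != expected:
        return [f"agent host must be {expected}, got {agent_host}"]
    try:
        addrs = resolver(expected)
    except OSError as exc:  # includes socket.gaierror (name not found)
        return [f"{expected} does not resolve: {exc}"]
    nets = [ipaddress.ip_network(c) for c in endpoint_cidrs]
    outside = [a for a in addrs
               if not any(ipaddress.ip_address(a) in n for n in nets)]
    if not addrs or outside:
        return [f"{expected} resolves outside the endpoint VPC: {outside}"]
    return []

if __name__ == "__main__":
    # Constructed sample: a stub resolver standing in for DNS inside the VPC.
    print(check_agent_target("customer.saas.appdynamics.com",
                             "customer.pl.appdynamics.com",
                             ["10.20.0.0/16"], lambda h: ["10.20.1.15"]))
```

In the Transit VPC setup, pass the Transit VPC's CIDR blocks as `endpoint_cidrs`, since that is where the interface endpoint lives.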

Version history: Revision 12 of 12
Last update: 10-27-2020 11:52 AM
 

