Certain organizations have policies in place that restrict traffic from traversing the public Internet. AppDynamics provides support for AWS Private Link, which offers private connectivity between AppDynamics Agents running in an AWS Virtual Private Cloud (VPC) and an AppDynamics SaaS Controller.
Customers who have both a workload running in AWS and an AppDynamics SaaS Controller hosted in AWS have the option to access AppDynamics SaaS Controllers privately via AWS PrivateLink. The customer VPC and AppDynamics SaaS Controller can reside in the same AWS region or different AWS Regions (subject to regions where AWS supports Inter-Region VPC Peering).
There are two ways to do this, depending on where your agents are installed:
Virtual Private Cloud Type
Your VPC is in the same AWS region as the target AppDynamics SaaS controller
Your VPC is in a different AWS region than the target AppDynamics SaaS controller
Creating a Transit VPC is not technically difficult or complex, but it does require additional work. It’s recommended that you consider how these requirements fit into your technical and business needs as part of planning your strategy.
One example of these considerations is the cost of data transfer between regions. Another is that, if you have agents across multiple regions and want to connect them into the Transit VPC, it is strongly recommended that you discuss your plans with AWS Support.
Before you begin, make sure you have the following:
You will also need to take the following steps:
customer.saas.appdynamics.com) you want to connect to
The method for connecting an AWS VPC to a SaaS Controller depends on whether the two are in the same or different AWS regions.
If your VPC is in the same AWS region as the target AppDynamics SaaS Controller, you’ll create an interface endpoint to an endpoint service. Follow the steps below or refer to the detailed steps in the AWS PrivateLink documentation.
If your VPC is in a different AWS region than the target AppDynamics SaaS Controller, you’ll need to create an AWS Transit VPC.
For example, the VPC where your AppDynamics Agents are hosted (i.e., the Customer VPC in the Customer AWS region) may be in one region, but your Controller may be hosted in another region (i.e., the AppDynamics SaaS region).
To set up and manage the Transit VPC configuration, follow the steps below or refer to AWS Transit VPC for detailed instructions.
This generates a request to the AppDynamics SaaS PrivateLink endpoint service over the AWS PrivateLink network. Once the request is accepted and processed by AppDynamics, the connection between your organization's endpoint and the AppDynamics endpoint will be live and you should see traffic flowing to the Controller.
By default, customers and their agents connect to a custom URL, such as customer.saas.appdynamics.com. This resolves to a public endpoint in front of the Controller, which accepts connections and passes them to the proper Controller service. In order to force them to use AWS PrivateLink, agents must be configured to connect to the PrivateLink VPC Endpoint created above instead of the Internet-facing endpoint.
AppDynamics uses the Private DNS feature of AWS to facilitate this data path. AppDynamics assigns a DNS entry to their VPC Endpoint and clients in the customer VPC can resolve that DNS entry to the corresponding VPC Endpoint that was created in their account. See the diagram below for details:
Agents in the customer VPC will be configured to connect to customer.pl.appdynamics.com as opposed to customer.saas.appdynamics.com. The pl.appdynamics.com domain is shared across the PrivateLink connection, and any host in the customer VPC can resolve its Controller name to this endpoint as long as the following two options are configured in the customer VPC:
You can verify these settings by viewing the Details section of your VPC in the AWS Console.
Note: It is imperative that agents connect to the same account name via PrivateLink that they do via the Internet.
If your Controller's name is customer.saas.appdynamics.com, agents must connect to customer.pl.appdynamics.com. If the "customer" value is not identical, agents will fail to connect to the Controller.
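The following Python script is an added example, not part of the AppDynamics documentation: run on an agent host, it derives the PrivateLink name from the Controller name while keeping the account prefix identical, resolves it, and confirms that every returned address lies inside the customer VPC's CIDR (an assumed input), so that a name still resolving to the Internet-facing endpoint is caught before agents are pointed at it. The resolver table in the demo is constructed.

```python
import ipaddress
import socket

SAAS_SUFFIX = ".saas.appdynamics.com"
PL_SUFFIX = ".pl.appdynamics.com"


def privatelink_name(controller_host):
    """Map the Internet-facing Controller name to its PrivateLink name.
    The account prefix ("customer" in customer.saas.appdynamics.com) is
    carried over unchanged; a different prefix will not connect."""
    host = controller_host.strip().lower().rstrip(".")
    if not host.endswith(SAAS_SUFFIX):
        raise ValueError(f"not a SaaS Controller name: {controller_host!r}")
    account = host[: -len(SAAS_SUFFIX)]
    if not account or "." in account:
        raise ValueError(f"cannot extract account name from {controller_host!r}")
    return account + PL_SUFFIX


def resolve(host):
    """Default resolver: the addresses this host would actually connect to."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_privatelink_path(controller_host, vpc_cidr, resolver=resolve):
    """Return (ok, detail). ok is True only when the PrivateLink name resolves
    and every address lies inside the customer VPC CIDR, i.e. the agent would
    reach the VPC endpoint rather than the Internet-facing endpoint."""
    pl_host = privatelink_name(controller_host)
    network = ipaddress.ip_network(vpc_cidr, strict=False)
    try:
        addrs = resolver(pl_host)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"{pl_host} does not resolve ({exc}); check the VPC's Private DNS options"
    outside = [a for a in addrs if ipaddress.ip_address(a) not in network]
    if not addrs or outside:
        return False, f"{pl_host} -> {addrs}: not inside {vpc_cidr}; traffic would bypass PrivateLink"
    return True, f"{pl_host} -> {addrs} inside {vpc_cidr}"


if __name__ == "__main__":
    # Constructed resolver table standing in for DNS on an agent host.
    table = {"customer.pl.appdynamics.com": ["10.0.1.25", "10.0.2.40"]}

    def fake_resolver(host):
        if host not in table:
            raise socket.gaierror(f"{host}: NXDOMAIN")
        return table[host]

    print(check_privatelink_path("customer.saas.appdynamics.com", "10.0.0.0/16", fake_resolver))
```

Replace `fake_resolver` with the default `resolve` to test the real DNS path from inside the VPC.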