Connect to DESK using AWS PrivateLink
AWS PrivateLink lets you connect your applications directly to the Amazon VPC service, so that traffic never leaves the AWS cloud. You can use PrivateLink to connect your monitored hosts to the DESK VPC endpoint. DESK monitoring traffic is always encrypted and secure, yet PrivateLink provides even greater security, stable connectivity, and a reduction in traffic costs.
The primary use case for PrivateLink with DESK is connectivity for monitored applications running in AWS VPCs.
However, it’s also possible to use AWS VPCs for on-premise applications, provided that you use DirectConnect or VPN Gateway to connect your network to a VPC in a given region.
In both cases, the Client VPC and DESK VPC must be in the same AWS region.
Setting up PrivateLink
To connect your hosts to the DESK VPC
- Send us an email specifying the details of your use case, your DESK environment ID, and the AWS account ID you’d like to use for the connection. Once we’ve verified your information and request, we’ll whitelist your account, prepare a CloudFormation template for your case, and get in touch with you via email.
- Create an interface VPC Endpoint for one of the supported regions using either the AWS console or an API call. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the AWS doc.
DESK currently supports the following AWS regions and corresponding availability zones:
| AWS Region code | Availability zone names | Availability zone Ids |
|---|---|---|
| us-east-1 | us-east-1a, us-east-1b, us-east-1c | use1-az2, use1-az4, use1-az6 |
| us-west-2 | us-west-2a, us-west-2b, us-west-2c | usw2-az1, usw2-az2, usw2-az3 |
| eu-west-1 | us-west-1a, us-west-1b, us-west-1c | euw1-az1, euw1-az2, euw1-az3 |
| ap-southeast-2 | ap-southeast-2a, ap-southeast-2b, ap-southeast-2c | apse2-az1, apse2-az2, apse2-az3 |
- In the AWS console, select one of the supported regions, go to VPC service, section Endpoint, and click Create Endpoint to create your PrivateLink endpoint.
- Select Find Service by name as the service category, enter the service name you received from DESK (for example
com.amazonaws.vpce.us-west-2.vpce-svc-0e6de648b166714ad) and click Verify. - Configure the VPC, subnets, and security group settings. The security group needs to permit incoming traffic on port 443. If you use more than one VPC for your monitored applications, repeat this step for each VPC.
Use the create-vpc-endpoint call. Replace <aws-region>, <vpc-id>, <list-of-subnets> and <list-of-security-groups> with applicable values.
For example:
aws ec2 create-vpc-endpoint --region <aws-region> --vpc-endpoint-type Interface --service-name com.amazonaws.vpce.us-west-2.vpce-svc-0e6de648b166714ad --vpc-id <vpc-id> --subnet-id <list-of-subnets> --security-group-id <list-of-security-groups>
- Use the CloudFormation template you received from us to create a private DNS so that you can transparently connect to DESK using the PrivateLink you’ve created. See Creating a Stack on the AWS CloudFormation Console in the AWS doc for more information.
Note: You may run into DNS resolution issues if you attempt to connect from your VPC in one region to DESK Server in a different region. Ensure that your VPC and all your DESK environments are in the same AWS region.
Using ActiveGate for PrivateLink connectivity
While you can connect OneAgent via PrivateLink, we recommend that you use an ActiveGate. If you download the OneAgent installer via ActiveGate, it already contains a pre-configured ActiveGate endpoint and doesn’t need connectivity to the PrivateLink endpoint. For example, if you have an environment called xyz12345.live.desk.com and ActiveGate running in a local network at https://172.31.1.5:9999, modify the OneAgent installer download URL by replacing the environment domain with the ActiveGate domain and adding environment context in the path, for example:
$ wget --no-check-certificate -O DESK-OneAgent-Linux-1.149.188.sh https://172.31.1.5:9999/e/xyz12345/api/v1/deployment/installer/agent/unix/default/latest?Api-Token=<api token>&arch=x86&flavor=default
The DESK server must be aware of the ActiveGate at the time of OneAgent installer download.
What happens next?
Once you’ve completed these steps, all instances of ActiveGate or OneAgent installed in your VPC will begin using PrivateLink. Thanks to the DNS override, using PrivateLink is transparent. No process restart is required.
To verify that your PrivateLink endpoint is really used:
- Try resolving your DESK environment domain from an instance running in your VPC. The domain should resolve to a private IP addresses in your VPC, for example:
$ nslookup xyz12345.desk.com
cluster-us-west-2-prod-us-west-2-oregon.live.ruxit.com canonical name = vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.desk.com.
Name: vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.desk.com
Address: 172.31.41.143
Name: vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.desk.com
Address: 172.31.28.144
Name: vpce-0c79a2e58780e4b62-x8vhytdj.oregon-1.vpce.desk.com
Address: 172.31.13.64
- If the domain resolves to a public IP address, double-check your DNS and VPC configurations. The private DNS region (
EndpointRegion) and VPC ID (Vpcid) must match the corresponding instance settings. The VPC must also support privately hosted zones, soenableDnsHostnamesandenableDnsSupportmust be set totrue. - If the domain name resolves as expected, but OneAgent can’t connect to the endpoint on port 443, check if incoming traffic on port 443 is permitted in the security group settings associated with your PrivateLink endpoint.
- You can also enable VPC flow logs for the network interfaces of your instances or the network interfaces associated with PrivateLink. By checking the IP addresses in the logs, you can verify if an instance is communicating with a private endpoint. If you see
REJECTentries instead ofACCEPT, then most likely the traffic is blocked by your security group settings.