Interface VPC endpoints - Amazon Managed Grafana

Interface VPC endpoints

We provide AWS PrivateLink support between Amazon VPC and the Amazon Managed Grafana API. You can control access to the Amazon Managed Grafana service from the virtual private cloud (VPC) endpoints by attaching an IAM resource policy for Amazon VPC endpoints.

Note

A VPC endpoint connection allows users to reach the AWS console. Connections to the data sources configured in the Amazon Managed Grafana console are not supported over the current Amazon Managed Grafana VPC endpoints.

Using Amazon Managed Grafana API with interface VPC endpoints

If you use Amazon VPC to host your AWS resources, you can establish a private connection between your VPC and the Amazon Managed Grafana API. The private link does not cover the HTTP API operations of the Grafana API itself; it is not accessible for them.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. To connect your VPC to an AWS service API, you define an interface VPC endpoint. The endpoint provides reliable, scalable connectivity to Amazon Managed Grafana without requiring an internet gateway, a network address translation (NAT) instance, or a VPN connection. For more information, see What is Amazon VPC? in the Amazon VPC User Guide.

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information, see New – AWS PrivateLink for AWS Services.

For information about how to get started with Amazon VPC, see Get started in the Amazon VPC User Guide.

Creating a VPC endpoint to make an AWS PrivateLink connection to Amazon Managed Grafana

Create an interface VPC endpoint to begin using the Amazon Managed Grafana API. Choose the following service name endpoint:

  • com.amazonaws.region.grafana

Choose Amazon Managed Grafana to perform workspace management tasks. For more information, see Amazon Managed Grafana APIs in the Amazon Managed Grafana API Reference.

For more information about how to create an interface VPC endpoint, see Create an interface endpoint in the Amazon VPC User Guide.

Controlling access to your Amazon Managed Grafana VPC endpoint with an endpoint policy

A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you don't attach a policy when you create an endpoint, Amazon VPC attaches a default policy for you that allows full access to the service. An endpoint policy doesn't override or replace IAM user policies or service-specific policies. It's a separate policy for controlling access from the endpoint to the specified service.

Endpoint policies must be written in JSON format.

For more information, see Control access to service with VPC endpoints in the Amazon VPC User Guide.

The following is an example of an endpoint policy for Amazon Managed Grafana. This policy allows users connecting to Amazon Managed Grafana through the VPC to send data to the Amazon Managed Grafana service. It also prevents them from performing other Amazon Managed Grafana actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSGrafanaPermissions",
            "Effect": "Allow",
            "Action": [
                "grafana:DescribeWorkspace",
                "grafana:UpdatePermissions",
                "grafana:ListPermissions",
                "grafana:ListWorkspaces"
            ],
            "Resource": "arn:aws:grafana:*:*:/workspaces*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root"
                ]
            }
        }
    ]
}
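To see what the endpoint policy above actually gates, the following added example (not part of this guide or of Amazon Managed Grafana) runs a simplified IAM-style evaluation of the policy against sample requests and compares it with the full-access default policy that Amazon VPC attaches when you supply none. It models only the endpoint side of the decision (explicit Deny, Allow, implicit deny, and account-root principal matching); the caller's identity policy still has to allow the action, and NotAction, NotPrincipal and Condition elements are not handled.

```python
import fnmatch
import json

# The endpoint policy from this page; 111122223333 is AWS's documentation example account.
ENDPOINT_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "AWSGrafanaPermissions", "Effect": "Allow",
    "Action": [ "grafana:DescribeWorkspace", "grafana:UpdatePermissions",
                "grafana:ListPermissions", "grafana:ListWorkspaces" ],
    "Resource": "arn:aws:grafana:*:*:/workspaces*",
    "Principal": { "AWS": [ "arn:aws:iam::111122223333:root" ] } } ] }
""")

# The policy Amazon VPC attaches when you create the endpoint without one: full access.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM Action/Resource strings use "*" and "?" wildcards; compared case-sensitively here
    # (simplification: real IAM compares action names case-insensitively).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for allowed in _as_list(principal.get("AWS", [])):
        if allowed in ("*", caller_arn):
            return True
        # An account's root ARN stands for every IAM user and role in that account.
        if allowed.endswith(":root") and caller_arn.startswith(("arn:aws:iam::", "arn:aws:sts::")):
            if allowed.split(":")[4] == caller_arn.split(":")[4]:
                return True
    return False

def endpoint_allows(policy, caller_arn, action, resource_arn):
    """Simplified evaluation of the endpoint policy only: a matching Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource_arn)):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

With the page's policy, a role in account 111122223333 can describe a workspace but cannot delete one, and a principal from another account gets nothing, whereas the default policy permits every action for everyone.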

To edit the VPC endpoint policy for Grafana

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. If you have not already created endpoints, choose Create Endpoint.

  4. Select the com.amazonaws.region.grafana endpoint, and then choose the Policy tab.

  5. Choose Edit Policy, and then make your changes.