AWS PrivateLink Setup

groundcover's inCloud comes with a VPC service endpoint (PrivateLink) built in. The PrivateLink endpoint lets you ingest data over a private network path, keeping telemetry off the public internet and reducing data transfer costs.

Prerequisites

  • Get the VPC service endpoint name provided by groundcover during the inCloud installation.

  • Cross-region ingestion: to keep cloud costs as low as possible, the PrivateLink connection is enabled only in the backend region by default. To allow a cross-region endpoint, send the required region to the groundcover team.

  1. Make sure DNS resolution is enabled on the VPC.

  2. Create a security group for the VPC endpoint that allows inbound port 443 from your workloads (K8s nodes / EC2 instances).

  3. Create the VPC endpoint.

    1. Choose the service endpoint name provided by groundcover.

    2. (Optional) If the endpoint is created in a different region than the inCloud backend, click on cross region and choose the backend's region.

    3. Enable DNS (private DNS name) for the endpoint.

  4. Choose the required subnets for the VPC endpoint.

  5. Choose the security group created in step 2 for the VPC endpoint.

  6. Create the VPC endpoint.

Troubleshooting

Open a shell on a monitored workload in the same VPC.

Use nslookup to determine whether DNS is configured correctly. If the endpoint name resolves to IPs that are not within your VPC CIDRs, traffic is still leaving the VPC; double-check that DNS resolution is enabled on the VPC (step 1) and that DNS was enabled on the endpoint (step 3).

  • nslookup <groundcover backend endpoint>

Use netcat to test that the security groups are configured correctly. If the connection to the VPC endpoint times out, double-check the inbound rules on the VPC endpoint's security group and the outbound rules on the workload's security groups.

  • nc -vz <groundcover backend endpoint> 443
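The two troubleshooting checks above, combined into an added example script that is not part of groundcover's documentation or tooling: it resolves the endpoint, verifies every returned address falls inside the VPC CIDRs (the tell-tale for private DNS not being in effect), then probes TCP 443. The GC_ENDPOINT and VPC_CIDRS environment variables are assumed names, not groundcover settings.

```shell
#!/usr/bin/env bash
# Added example: PrivateLink reachability check for a groundcover backend.
# Assumed (hypothetical) inputs: GC_ENDPOINT = backend endpoint hostname,
# VPC_CIDRS  = space-separated list of your VPC CIDRs, e.g. "10.0.0.0/16".
set -u

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP ($1) lies inside CIDR ($2), e.g. 10.0.1.7 10.0.0.0/16.
ip_in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Return 0 only if every IP in $1 (space-separated) is inside one of the
# CIDRs in $2. A public IP here means the name is not resolving to the
# endpoint's ENIs, so data would leave the VPC instead of using PrivateLink.
all_ips_private() {
  local ip cidr ok
  for ip in $1; do
    ok=1
    for cidr in $2; do
      ip_in_cidr "$ip" "$cidr" && ok=0 && break
    done
    [ "$ok" -eq 0 ] || return 1
  done
  return 0
}

# Live checks run only when the hypothetical GC_ENDPOINT variable is set.
if [ -n "${GC_ENDPOINT:-}" ]; then
  resolved=$(getent ahostsv4 "$GC_ENDPOINT" | awk '{print $1}' | sort -u)
  if all_ips_private "$resolved" "${VPC_CIDRS:-}"; then
    echo "DNS OK: $GC_ENDPOINT -> $resolved"
  else
    echo "DNS problem: $GC_ENDPOINT resolves outside the VPC: $resolved"
  fi
  # Timeout here points at endpoint inbound / workload outbound SG rules.
  nc -vz -w 5 "$GC_ENDPOINT" 443 || echo "TCP 443 blocked: check security groups"
fi
```

Run it as `GC_ENDPOINT=<groundcover backend endpoint> VPC_CIDRS="10.0.0.0/16" ./check.sh` from the workload; both failure messages map directly to the two troubleshooting steps above.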
