Modern cloud architectures are increasingly distributed, with applications and services spanning multiple regions to improve availability, reduce latency, and support disaster recovery. Many of our customers rely on solutions like Virtual Private Cloud (VPC) peering, Network Address Translation (NAT) gateways, and AWS Transit Gateways to securely send telemetry to Datadog across regions. These methods work but can add complexity, increase costs, and create potential security risks.

We are excited to announce support cross-region connectivity for AWS PrivateLink for Datadog endpoints in the US1 and AP1 regions. This enables AWS customers to securely and cost-effectively connect to Datadog services from any AWS region without the need for complex networking configurations. With cross-region PrivateLink, your observability data never leaves the AWS network. This enhances security, improves compliance, and simplifies management—all while reducing costs compared to traditional solutions.

In this post, we describe the challenges of cross-region connectivity for Datadog customers, how AWS PrivateLink addresses them, and how to set it up.

Simplify Datadog connectivity and reduce costs

The common methods for cross-region connectivity—VPC peering, NAT gateways, and AWS Transit Gateways—come with trade-offs. VPC peering requires manual updates to route tables and DNS record management to ensure proper connectivity to Datadog’s PrivateLink endpoints, which can add significant operational overhead. NAT gateways and Transit Gateways can be expensive, especially when handling large volumes of metrics and logs.

Security is another concern. Observability data traveling over public networks or through NAT gateways can expose sensitive information to potential threats. Compliance with data residency and security regulations is also more difficult when data leaves the AWS network.

With the introduction of cross-region PrivateLink support for US1 and AP1, Datadog customers can now securely connect to Datadog endpoints from any AWS region. This expands on the existing Datadog PrivateLink integration, which previously only supported same-region connectivity.

AWS cross-region PrivateLink improves security by keeping your metrics, logs, and traces within the AWS network instead of exposing them to the public internet. It also simplifies management by removing the need for complex networking configurations. For organizations in regulated industries like healthcare and finance, this approach also makes it easier to confidently monitor multi-region workloads while adhering to data privacy standards.

The following diagram illustrates the streamlined connectivity that AWS cross-region PrivateLink provides between Datadog endpoints:

Optimize costs associated with log ingestion

Logs are one of the largest and most expensive sources of observability data—especially when generated at scale across multiple AWS regions. Using cross-region PrivateLink can help alleviate that. If you’re a streaming or media company generating hundreds of terabytes of logs daily in US-WEST-2, for example, you can now securely and cost-effectively send those logs to Datadog’s US1 or AP1 endpoints using cross-region PrivateLink.

To further enhance cost-efficiency, customers can pair cross-region PrivateLink with Flex Logs and Observability Pipelines:

• Flex Logs enable you to retain large volumes of logs at a lower cost while maintaining the ability to search them when needed. This is ideal for workloads that require long-term storage but don’t need continuous querying, such as compliance, security auditing, or forensic investigations.
• Observability Pipelines helps reduce log ingestion volume and the associated costs by enabling you to filter out unnecessary data, enrich logs with context, and route specific log streams before they reach Datadog. For example, customers can use Observability Pipelines to extract actionable insights from their AWS WAF, CloudFront, and VPC Flow Logs.

By using cross-region PrivateLink as the foundation for secure and cost-effective log transmission—and optionally layering in Flex Logs and Observability Pipelines—organizations can reduce costs across networking, storage, and ingestion while maintaining full control and visibility into their observability data.

Set up cross-region PrivateLink

To set up AWS cross-region PrivateLink for Datadog, follow these simple steps:

1. Create a PrivateLink VPC endpoint in AWS for Datadog in the desired region.
2. Configure the interface endpoint by providing the PrivateLink service name for the Datadog service you want to establish connectivity for.
3. Test the connection to ensure that your resources can securely communicate with Datadog services.

For detailed instructions, refer to our documentation and the AWS reference architecture.

Eliminate the need for elaborate and costly connectivity configurations

Support for AWS cross-region PrivateLink connectivity for Datadog US1 and AP1 region endpoints eliminates the need for complex networking configurations while providing the benefits of improved security, easier management, and lower costs compared to NAT gateways and Transit Gateways. This approach also helps you meet compliance requirements for data residency and security regulations.

Cross-region support for AWS PrivateLink expands on the existing Datadog PrivateLink integration, which previously only supported same-region connectivity. To get started, check out our documentation or visit the AWS announcement blog for more information. If you’re new to Datadog, you can sign up for a 14-day free trial.