IBM & Red Hat on AWS
Reducing Network Costs and Enhancing Observability Security with IBM Instana and AWS PrivateLink
Enterprise customers need cost-effective ways and additional security controls to monitor modern applications at scale. For example, organizations need to keep sensitive telemetry data private and manage network egress costs. IBM Instana Observability (Instana), a full-stack application performance monitoring solution, now supports AWS PrivateLink to address these requirements.
With AWS PrivateLink integration, customers can monitor their AWS environments with improved security controls without exposing telemetry data to the public internet, even across AWS Regions. In addition, customers can reduce network traffic costs by keeping traffic within the AWS network.
In this post, we show how Instana integrates with AWS PrivateLink, provide a cost breakdown example, and walk through implementation steps for both In-Region and Cross-Region workloads.
Why AWS PrivateLink + Instana?
AWS PrivateLink enables private connectivity between Amazon Virtual Private Cloud (Amazon VPC) and services like Instana SaaS on AWS. AWS PrivateLink uses Elastic Network Interfaces (ENIs) to create endpoints in your VPC. These endpoints serve as private entry points to access supported AWS services and third-party services like Instana. Traffic routed through AWS PrivateLink stays within the AWS network, which can provide lower latency, help improve security posture, and offer potential cost savings.
Key Benefits
- End-to-end private observability: Keep telemetry data private without public IP exposure or internet transit.
- Cross-Region and In-Region support: Monitor workloads from any AWS Region with consistent security controls.
- High-performance data ingestion: Optimize latency and reliability by using the AWS network backbone.
Architecture Overview
Instana supports the following AWS PrivateLink configurations:
- In-Region: The Instana backend and your monitored workloads are in the same AWS Region. For this configuration, you use a standard AWS PrivateLink interface endpoint within your Amazon VPC.
- Cross-Region: The Instana backend is in a different AWS Region than your workloads. For this configuration, you set up a Cross-Region VPC endpoint and DNS configuration to route traffic privately across regions.
The following diagram (Figure 1) shows both In-Region and Cross-Region architectures for AWS PrivateLink integration with Instana, illustrating how telemetry data flows privately through the AWS network from your workloads to the Instana backend.

Figure 1. AWS PrivateLink and Instana Architecture for in-region and cross-region support.
Prerequisites for AWS PrivateLink implementation
Before setting up AWS PrivateLink integration with Instana, make sure you have the following:
- An AWS account with permissions to create VPC Interface Endpoints.
- Instana agent already deployed in your AWS account.
- Instana PrivateLink endpoint service name (provided by IBM).
- Understanding of private DNS resolution requirements for your configuration.
These prerequisites are necessary to complete the setup steps detailed in the following sections.
Cost considerations: With and without AWS PrivateLink
To illustrate the potential cost savings of using AWS PrivateLink with Instana, let’s compare the costs of two different approaches for sending telemetry data from your workloads to Instana SaaS.
Scenario assumptions
For this comparison, we use the following assumptions:
- AWS Region: eu-west-1 (Ireland)
- Configuration: Both Instana SaaS and customer workloads are in eu-west-1
- Monthly usage: Approximately 720 hours (1 month)
- Data volume: 10 TB (10,240 GB) of telemetry data processed per month
- Connectivity options: Standard NAT Gateway (without AWS PrivateLink) vs. AWS PrivateLink
Cost breakdown: Without AWS PrivateLink (using NAT Gateway)
When sending telemetry data through a NAT Gateway to the public internet:
- Data transfer out to the internet: 10,240 GB × $0.09 per GB = $921.60
- NAT Gateway hourly charge: 720 hours × $0.048 per hour = $34.56
- NAT Gateway data processing: 10,240 GB × $0.048 per GB = $491.52
Total monthly cost without AWS PrivateLink: $921.60 + $34.56 + $491.52 = $1,448
Internet data transfer costs vary between $0.01-0.09 per GB depending on location and volume. Refer to the Data Transfer pricing documentation for more details. For more information on NAT Gateway costs, refer to the Amazon VPC pricing page.
Cost breakdown: With AWS PrivateLink (In-Region)
When using AWS PrivateLink to send telemetry data within the AWS network:
- Data transfer: Typically free for data transfer within AWS
- AWS PrivateLink data processing: 10,240 GB × $0.01 per GB = $102.40
- AWS PrivateLink hourly endpoint charge: 720 hours × $0.01 per hour = $7.20
Total monthly cost with AWS PrivateLink: $102.40 + $7.20 = $110
Refer to the AWS PrivateLink pricing page for more information on costs.
Savings analysis
- Monthly savings: $1,448 – $110 = $1,338
- Percentage savings: ($1,338 / $1,448) × 100 = 92%
Based on this analysis, using AWS PrivateLink for Instana in this scenario results in approximately 92% cost reduction compared to using a NAT Gateway and internet data transfer.
Setting up AWS PrivateLink for Instana
To establish private connectivity between your Amazon VPC and Instana using AWS PrivateLink, follow the steps described in this section. Additional information for this process can be found in Instana's official documentation.
Step 1: Request AWS PrivateLink setup from IBM
- Submit a support request through the IBM CSP portal with the following information:
  - Your AWS account ARN in the format arn:aws:iam::<AWS_ACCOUNT_ID>:root
  - Your IBM Instana SaaS tenant-unit name (the unique URL of your Instana SaaS environment)
  - Your desired AWS Region for AWS PrivateLink (currently available in eu-west-1 and ap-northeast-1)
- Configure AWS Transit Gateway for cross-region deployments, or Amazon Route 53 private hosted zones to route DNS privately across regions. Also, specify your workload region so IBM Support can provide appropriate guidance.
- Once your request is received by IBM Support, you will receive an update on your submitted ticket via email. Afterwards, you can continue with setting up your VPC endpoint on the Amazon VPC console.
Note: Cross-Region AWS PrivateLink typically incurs higher data transfer costs than In-Region connections. For pricing details, refer to the AWS PrivateLink documentation.
Step 2: Identify the Endpoint Service Name
Instana has enabled AWS PrivateLink for specific endpoints. Identify the appropriate endpoint and VPC Endpoint (VPCE) service name from the following table. You will need this service name when creating an endpoint in the Amazon VPC console in step 3:
Endpoint | VPCE service name | AWS Region | Instana Region |
---|---|---|---|
ingress-blue-saas.instana.io | com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6 | eu-west-1 | Blue |
serverless-blue-saas.instana.io | com.amazonaws.vpce.eu-west-1.vpce-svc-07de0fcc6a559153d | eu-west-1 | Blue |
otlp-blue-saas.instana.io | com.amazonaws.vpce.eu-west-1.vpce-svc-0eeea10ffc967a01a | eu-west-1 | Blue |
ingress-mizu-saas.instana.io | com.amazonaws.vpce.ap-northeast-1.vpce-svc-048b183ac07cfa103 | ap-northeast-1 | Mizu |
mizu.instana.io | com.amazonaws.vpce.ap-northeast-1.vpce-svc-085a8f1419bab7ae8 | ap-northeast-1 | Mizu |
Step 3: Create an Amazon VPC Endpoint
Follow the steps below to create the VPC endpoint for AWS PrivateLink, from the Amazon VPC console:
- Open the Amazon VPC Console.
- In the navigation pane, choose Endpoints.
- Choose Create endpoint.
- In the Create endpoint panel (Figure 2), under Type, select PrivateLink Ready partner services.

Figure 2. Choose the PrivateLink Ready partner services type to set up AWS PrivateLink for Instana.
- For Service Name, paste the service name identified in Step 1, and choose Verify service (Figure 3).
  - Ensure the Service name is marked as Service name verified before proceeding.
  - If you encounter issues with verification, reference your existing IBM support ticket for assistance.

Figure 3. Service Settings and Service Name Verification.
- In Network settings (Figure 4), configure the following:
  - Region: Leave blank if your application is in the same region. Otherwise, specify the required region.
  - VPC: Select your Amazon VPC from the dropdown list.
  - DNS name: Select Enable DNS name and for record type, choose IPv4.
  - Subnet: Choose the subnets in your Amazon VPC to use for the interface endpoint.
  - Security Group: Since this is one-way traffic, ensure you allow port 443 on the outbound rule.

Figure 4. Endpoint Network Settings.
- Optionally, add tags by choosing Add new tag and entering key-value pairs.
- Choose Create endpoint.
Repeat this process for each required endpoint (Agent, Service, OTLP).
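The console steps above can also be scripted. The following is an added example, not code from this post or from IBM or AWS: it builds the EC2 CreateVpcEndpoint request for boto3 and sets the service Region only for Cross-Region endpoints, deriving it from the service name. The function names and the VPC, subnet and security group IDs are placeholders chosen for illustration.

```python
import re

# Format of the VPCE service names listed in the Step 2 table.
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")


def build_endpoint_request(service_name, workload_region, vpc_id,
                           subnet_ids, security_group_ids):
    """Build keyword arguments for the EC2 CreateVpcEndpoint API call."""
    match = SERVICE_NAME_RE.match(service_name)
    if match is None:
        raise ValueError(f"not a VPCE service name: {service_name!r}")
    if not subnet_ids or not security_group_ids:
        raise ValueError("need at least one subnet and one security group")
    service_region = match.group(1)
    request = {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service_name,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        # Console: "Enable DNS name" with record type IPv4.
        "PrivateDnsEnabled": True,
        "DnsOptions": {"DnsRecordIpType": "ipv4"},
    }
    # Console: Region stays blank for In-Region and is set for Cross-Region.
    if service_region != workload_region:
        request["ServiceRegion"] = service_region
    return request


def create_endpoint(request, workload_region):
    """Create the endpoint in the workload's Region; return its ID and state."""
    import boto3  # imported here so the request builder works without the AWS SDK

    ec2 = boto3.client("ec2", region_name=workload_region)
    endpoint = ec2.create_vpc_endpoint(**request)["VpcEndpoint"]
    # The connection still has to be approved by IBM (Step 4) before it carries traffic.
    return endpoint["VpcEndpointId"], endpoint["State"]


if __name__ == "__main__":
    # Placeholder VPC, subnet and security group IDs; the service name is from Step 2.
    req = build_endpoint_request(
        "com.amazonaws.vpce.eu-west-1.vpce-svc-0da65975a2a5129a6", "eu-west-1",
        "vpc-EXAMPLE", ["subnet-EXAMPLE-A", "subnet-EXAMPLE-B"], ["sg-EXAMPLE"])
    print(req)
```

Reviewing the printed request before calling `create_endpoint` gives the same check as the console's review step, and a service name whose Region differs from the workload Region is the signal that Cross-Region data transfer pricing applies.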
Step 4: Request Connection Approval
After creating the endpoint(s), update your IBM CSP support ticket to inform the IBM Instana support team that your endpoints have been created. The connection request ticket will be approved using the ARN provided in Step 1.
Step 5: Verify the Connection
To confirm successful integration:
- Open the Amazon VPC Console.
- In the navigation pane, choose Endpoints.
- Select your newly created endpoint.
- Choose the Monitoring tab.
- Verify metrics such as connection attempts, data flow, and packet counts to ensure traffic is correctly routed through the AWS PrivateLink connection (Figure 5).

Figure 5. Endpoints Monitoring Dashboard.
Once setup is complete, the IBM Instana support team will close the support ticket.
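A complementary check from the workload side, as an added example that is not part of the original post or of Instana's tooling: with Enable DNS name selected, the Instana hostname should resolve to the endpoint's ENI addresses inside the subnets chosen in Step 3, so an answer outside those subnets means telemetry would still leave through the NAT Gateway or internet path. The function names and the subnet CIDRs in the usage comment are assumptions.

```python
import ipaddress
import socket
import sys


def resolve_ipv4(hostname, port=443):
    """Resolve hostname with the system resolver; run this from inside the VPC."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_answers(addresses, endpoint_subnet_cidrs):
    """Compare resolved addresses with the subnets that host the endpoint ENIs."""
    subnets = [ipaddress.ip_network(cidr) for cidr in endpoint_subnet_cidrs]
    inside, outside = [], []
    for address in addresses:
        ip = ipaddress.ip_address(address)
        bucket = inside if any(ip in net for net in subnets) else outside
        bucket.append(address)
    if not addresses:
        verdict = "unresolved"      # no A records at all
    elif not outside:
        verdict = "privatelink"     # every answer is an endpoint ENI address
    elif not inside:
        verdict = "bypass"          # name still resolves outside the endpoint
    else:
        verdict = "mixed"           # split answers: some connections would bypass
    return {"verdict": verdict, "inside": inside, "outside": outside}


if __name__ == "__main__":
    # Usage (constructed CIDRs):
    #   python check_dns.py ingress-blue-saas.instana.io 10.20.1.0/24 10.20.2.0/24
    host, cidrs = sys.argv[1], sys.argv[2:]
    result = classify_answers(resolve_ipv4(host), cidrs)
    print(host, result)
    sys.exit(0 if result["verdict"] == "privatelink" else 1)
```

Run it on a host that carries the Instana agent, once per endpoint hostname from the Step 2 table; the non-zero exit code makes it usable as a deployment gate.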
Summary
In this post, we showed how IBM Instana Observability's support for AWS PrivateLink provides scalable and cost-effective monitoring with additional security controls for modern applications running on AWS. By using both In-Region and Cross-Region AWS PrivateLink configurations, you can transmit telemetry data (traces, metrics, and logs) from your Amazon VPCs to the Instana SaaS backend over the AWS private network.
This integration delivers significant benefits for enterprises operating in regulated environments or with distributed architectures:
- Private connectivity that eliminates public internet exposure for observability traffic
- Support for compliance with industry-specific data security requirements
- Enhanced performance with lower latency and improved reliability
- Cost optimization—early access testing with customers shows network egress costs reduced by 70–90% compared to NAT gateways
Setting up AWS PrivateLink for Instana involves coordinating with the IBM support team to provision access, then creating interface VPC endpoints for each required Instana service. Once configured, you can monitor your applications with enterprise-grade privacy and performance through the Instana observability platform.
Additional Content:
- Monitor and Optimize Amazon EKS Costs with Instana and Kubecost
- Monitoring Amazon Bedrock Large Language Models with Instana
- Automate Observability for AWS with Instana self-hosted
- Realtime monitoring of microservices and cloud-native applications with Instana SaaS on AWS
- Automatically Visualize and Monitor Applications on Amazon EKS with Instana
- What is Instana
- Using Instana for full stack observability on AWS
- AWS Partner IBM