AWS Cloud Operations Blog
Announcing inbound network access control in Amazon Managed Grafana
Many customers that use Amazon Managed Grafana need to restrict public access to their Grafana workspace and control, at a fine-grained level, which traffic sources can reach it. Today, we are announcing a new Amazon Managed Grafana feature that supports inbound network access control. It lets you secure Grafana workspaces using VPC endpoints and customer-managed prefix lists that restrict the inbound network traffic reaching your workspaces.
Amazon Virtual Private Cloud (Amazon VPC) endpoints for Amazon Managed Grafana simplify access to the Grafana workspace from within a VPC by providing configurable, highly reliable, secure connections to the workspace URL. This allows you to connect securely to the Grafana workspace URL from within the AWS network, with all network traffic staying on the global AWS backbone and never traversing the public internet.
A managed prefix list is a set of one or more CIDR (classless inter-domain routing) blocks. A customer-managed prefix list simplifies security by letting you configure the set of CIDR blocks that can access your Amazon Managed Grafana workspace URL.
VPC endpoint
A VPC interface endpoint allows you to connect to Amazon Managed Grafana privately, as if it were running in your own VPC. A VPC endpoint enables customers to connect privately to supported AWS services via AWS PrivateLink. AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Instances in your Amazon VPC do not require public IP addresses to communicate with the service's resources, and traffic between an Amazon VPC and the service does not leave the Amazon network.
- VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.
- AWS PrivateLink — A technology that provides private connectivity between VPCs and services.
Customer-managed prefix list
With this release, you can configure the Amazon Managed Grafana workspace URL to be accessible only from specific IPv4 address ranges. This provides an additional layer of security for your Amazon Managed Grafana workspace and acts as a firewall, preventing public or unauthorized inbound access to the workspace URL. Think of it as a network firewall `allow-list`: the IP addresses configured on the firewall or router are explicitly allowed inbound access with no further restrictions, and all other inbound traffic is blocked.
Architecture
By default, the Grafana workspace URL is publicly reachable. The following diagram illustrates how you can restrict public access to the workspace and enable network access control using VPC interface endpoints and a customer-managed prefix list.
VPC interface endpoints:
- A user or private client connects to the Grafana workspace via a VPC interface endpoint.
- AWS PrivateLink provides connectivity to Amazon Managed Grafana and traffic does not leave the Amazon network.
Customer-managed prefix list:
- The Grafana workspace URL is accessible only from the IP address ranges configured in the customer-managed prefix list.
- Every other inbound access is denied.
Configure Grafana workspace with network access control
You can add network access control to an existing workspace or configure it as part of the initial creation of the workspace. Grafana workspace network access can be controlled through a VPC interface endpoint, a customer-managed prefix list, or a combination of both. Details are given in the following sections.
Create a VPC interface endpoint
While creating the VPC interface endpoint, select the service category AWS services and choose Amazon Managed Grafana service name com.amazonaws.region.grafana and the VPC in which to create the endpoint. For more information about interface endpoints, see create a VPC endpoint. Check out this blog and the self-paced workshop to learn about the benefits of using Amazon VPC endpoints.
Create a customer-managed prefix list
To allow IP addresses, you must create one or more prefix lists in Amazon VPC containing the IP ranges to allow. Amazon Managed Grafana only supports IPv4 addresses in prefix lists, not IPv6. Private IP address ranges such as 10.0.0.0/16 are ignored; to allow those hosts to reach the workspace, create a VPC endpoint for your workspace and give them access through it. For more information about prefix lists, see create a prefix list and prefix lists concepts and rules.
Configure network access control for a Grafana workspace
- In your Amazon Managed Grafana console, select the name of the workspace for which you want to configure network access control.
- In the Network access control tab, under Network access control, click Edit.
- Choose Restricted access.
- Select the Prefix list option and enter a prefix list ID, and/or select the VPC endpoint option and enter your preferred VPC endpoint ID. You can add up to 5 prefix lists and 5 VPC endpoints.
- Choose Save changes to complete the setup.
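As an added example (not code from this post or from AWS), the following Python script performs the pre-flight checks implied by the prefix list rules and the per-workspace limits above before pushing the configuration with boto3. It assumes the boto3 `update_workspace` call's `networkAccessControl` parameter with `prefixListIds` and `vpceIds`, and treats "private ranges" as the RFC 1918 blocks; the CIDRs and IDs in the usage are constructed samples.

```python
"""Pre-flight checks for Amazon Managed Grafana inbound network access control.

Rules encoded from the post: prefix lists are IPv4 only, private ranges are
ignored (hosts there need a VPC endpoint instead), and a workspace takes at
most 5 prefix lists and 5 VPC endpoints. The RFC 1918 interpretation of
"private" and the boto3 parameter names are assumptions, not from the post.
"""
import ipaddress

MAX_PREFIX_LISTS = 5
MAX_VPC_ENDPOINTS = 5
# Assumption: "private ranges" means the RFC 1918 blocks.
_PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_cidrs(cidrs):
    """Split candidate CIDRs into those the workspace will honour and those it
    will ignore (IPv6, private, or malformed), with a reason for each."""
    accepted, ignored = [], {}
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            ignored[cidr] = "malformed CIDR"
            continue
        if net.version != 4:
            ignored[cidr] = "IPv6 is not supported in prefix lists"
        elif any(net.subnet_of(p) for p in _PRIVATE_V4):
            ignored[cidr] = "private range is ignored; use a VPC endpoint instead"
        else:
            accepted.append(str(net))
    return accepted, ignored


def build_network_access_control(prefix_list_ids, vpce_ids):
    """Build the networkAccessControl payload, enforcing the per-workspace limits."""
    if not prefix_list_ids and not vpce_ids:
        raise ValueError("restricted access needs at least one prefix list or VPC endpoint")
    if len(prefix_list_ids) > MAX_PREFIX_LISTS:
        raise ValueError(f"at most {MAX_PREFIX_LISTS} prefix lists per workspace")
    if len(vpce_ids) > MAX_VPC_ENDPOINTS:
        raise ValueError(f"at most {MAX_VPC_ENDPOINTS} VPC endpoints per workspace")
    return {"prefixListIds": list(prefix_list_ids), "vpceIds": list(vpce_ids)}


def apply_network_access_control(workspace_id, prefix_list_ids, vpce_ids, region):
    """Push the validated configuration (boto3 imported lazily so the checks run offline)."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    client = boto3.client("grafana", region_name=region)
    return client.update_workspace(
        workspaceId=workspace_id,
        networkAccessControl=build_network_access_control(prefix_list_ids, vpce_ids),
    )
```

Run `classify_cidrs` on the ranges you intend to put in the prefix list before creating it, so that an ignored private block does not leave you with a silently open or silently closed workspace.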
Conclusion
With this launch, you can restrict inbound network access to your Grafana workspace, providing an extra layer of security without any performance impact or operational overhead. To learn more about this launch, see the What’s New post and the Amazon Managed Grafana user guide for network access control.
- Check out the One Observability Workshop, which provides hands-on experience with the wide variety of tools AWS offers to set up monitoring and observability for your applications.
- Refer to the best practices for AWS Observability to learn more about prescriptive guidance and recommendations with implementation examples.
- If you are a Terraform shop, check out the AWS Observability accelerator for Terraform, a set of Terraform modules that help you configure observability for your workloads with AWS Observability services.
We are here to help; if you need further assistance, reach out to AWS Support and your AWS account team.