You can configure a PSC endpoint to expose a private IP address for each Datadog intake service. This IP address routes traffic to the Datadog backend. You can then configure a Google Cloud Private DNS Zone to override the DNS names corresponding to the products for each endpoint that is consumed.
In your Google Cloud console, navigate to Network services > Private Service Connect.
Go to the Endpoints section. Click on Connect endpoint.
Under Target, select Published service.
For Target service, enter the PSC target name that corresponds to the Datadog intake service that you want to use. You can find your PSC target name in the table of published services.
For Endpoint name, enter a unique identifier to use for this endpoint. You can use datadog-<SERVICE>. For example: datadog-api.
For Network and Subnetwork, choose the network and subnetwork where you want to publish your endpoint.
For IP address, click the dropdown and select Create IP address to create an internal IP from your subnet dedicated to the endpoint. Select this IP.
Check Enable global access if you intend to connect the endpoint to virtual machines outside of the us-central1 region.
Note: Datadog exposes PSC producer endpoints from the us-central1 region. These endpoints support global access, allowing services to connect from any region. However, the forwarding rule must be created in the us-central1 region.
Click Add endpoint. Verify that your status is Accepted. Take note of the IP address, as this is used in the next section.
In your Google Cloud console, navigate to Network services > Cloud DNS.
Click on Create zone.
Under Zone type, select Private.
For Zone name, enter a descriptive name for your zone.
For DNS name, enter the private DNS name that corresponds to the Datadog intake service that you want to use. You can find your DNS name in the table of published services.
Next, create an A record that points to the endpoint IP. On the Zone details page of the zone you created, click on Add record set.
For DNS name, leave the field unmodified.
For Resource record type, select A.
Under IPv4 Address, enter the IP address that was displayed at the end of the previous section.
There are two Datadog intake services that are subdomains of the agent.datadoghq.com domain. Because of this, the private hosted zone is slightly different from other intakes.
Create a private zone for agent.datadoghq.com, as outlined in the Create a DNS Zone section. Then add the three records below.
| DNS name | Resource record type | IPv4 address |
| --- | --- | --- |
| (apex) | A | IP address for your metrics endpoint |
| * | A | IP address for your metrics endpoint |
| trace | A | IP address for your traces endpoint |
Note: This zone requires a wildcard (*) record that points to the IP address for your metrics endpoint. This is because Datadog Agents submit telemetry using a versioned endpoint in the form <version>-app.agent.datadoghq.com.
You can configure a PSC endpoint to expose a private IP address for each Datadog intake service. This IP address routes traffic to the Datadog backend. You can then configure a Google Cloud Private DNS Zone to override the DNS names corresponding to the products for each endpoint that is consumed.
In your GCP console, navigate to Network services > Private Service Connect.
Go to the Endpoints section. Click on Connect endpoint.
Under Target, select Published service.
For Target service, enter the PSC target name that corresponds to the Datadog intake service that you want to use. You can find your PSC target name in the table of published services.
For Endpoint name, enter a unique identifier to use for this endpoint. You can use datadog-<SERVICE>. For example: datadog-metrics.
For Network and Subnetwork, choose the network and subnetwork where you want to publish your endpoint.
For IP address, click the dropdown and select Create IP address to create an internal IP from your subnet dedicated to the endpoint. Select this IP.
Check Enable global access if you intend to connect the endpoint to virtual machines outside of the europe-west3 region.
Note: Datadog exposes PSC producer endpoints from the europe-west3 region. These endpoints support global access, allowing services to connect from any region. However, the forwarding rule must be created in the europe-west3 region.
Click Add endpoint. Verify that your status is Accepted. Take note of the IP address, as this is used in the next section.
In your Google Cloud console, navigate to Network services > Cloud DNS.
Click on Create zone.
Under Zone type, select Private.
For Zone name, enter a descriptive name for your zone.
For DNS name, enter the private DNS name that corresponds to the Datadog intake service that you want to use. You can find your DNS name in the table of published services.
Next, create an A record that points to the endpoint IP. On the Zone details page of the zone you created, click on Add record set.
For DNS name, leave the field unmodified.
For Resource record type, select A.
Under IPv4 Address, enter the IP address that was displayed at the end of the previous section.
There are two Datadog intake services that are subdomains of the agent.datadoghq.com domain. Because of this, the private hosted zone is slightly different from other intakes.
Create a private zone for agent.datadoghq.com, as outlined in the Create a DNS Zone section. Then add the three records below.
| DNS name | Resource record type | IPv4 address |
| --- | --- | --- |
| (apex) | A | IP address for your metrics endpoint |
| * | A | IP address for your metrics endpoint |
| trace | A | IP address for your traces endpoint |
Note: This zone requires a wildcard (*) record that points to the IP address for your metrics endpoint. This is because Datadog Agents submit telemetry using a versioned endpoint in the form <version>-app.agent.datadoghq.com.
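The wildcard requirement in the notes above applies to the same three-record zone in both region variants. The following is an added example, not part of the Datadog documentation: a small model of the private zone's lookup that reports which Agent hostnames have no record, or the wrong endpoint, for a given record set. The IP addresses and the version label are constructed sample values.

```python
import ipaddress

ZONE = "agent.datadoghq.com"
METRICS_IP = "10.128.0.10"  # constructed: internal IP of the metrics endpoint
TRACES_IP = "10.128.0.11"   # constructed: internal IP of the traces endpoint
# The three A records from the table, keyed by name relative to the zone.
RECORDS = {"@": METRICS_IP, "*": METRICS_IP, "trace": TRACES_IP}
# Hostnames an Agent would use, with the endpoint each should reach.
EXPECTED = {
    "agent.datadoghq.com": METRICS_IP,
    "7-50-0-app.agent.datadoghq.com": METRICS_IP,  # constructed version label
    "trace.agent.datadoghq.com": TRACES_IP,
}


def resolve_in_zone(fqdn, records, zone=ZONE):
    """Return the A record the zone holds for fqdn, or None if it has none."""
    name = fqdn.rstrip(".").lower()
    if name == zone:
        return records.get("@")
    if not name.endswith("." + zone):
        return None  # not covered by this private zone
    labels = name[: -len(zone) - 1].split(".")
    if ".".join(labels) in records:
        return records[".".join(labels)]  # an exact name beats the wildcard
    # A wildcard answers only at the closest existing ancestor of the name.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in records:
            return records.get("*." + ancestor)
    return records.get("*")


def audit(expected, records):
    """Map each hostname that would miss its PSC endpoint to the reason."""
    problems = {}
    for host, want in expected.items():
        got = resolve_in_zone(host, records)
        if got is None:
            problems[host] = "no A record in the private zone"
        elif not ipaddress.ip_address(got).is_private:
            problems[host] = f"{got} is not an internal address"
        elif got != want:
            problems[host] = f"resolves to {got}, expected {want}"
    return problems


if __name__ == "__main__":
    print(audit(EXPECTED, RECORDS))  # all three records present
    without_wildcard = {k: v for k, v in RECORDS.items() if k != "*"}
    print(audit(EXPECTED, without_wildcard))
```

With the wildcard removed, only the versioned `-app` hostname is reported, which is the case the note describes.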