Overview

Ingress is a critical component of your CloudPrem deployment. The Helm chart automatically creates two ingress configurations called public ingress and internal ingress. If the AWS Load Balancer Controller is installed on the cluster, it provisions one ALB per ingress configuration. Each load balancer can be further configured using ingress annotations.

Public ingress

The public ingress is essential for enabling Datadog’s control plane and query service to manage and query CloudPrem clusters over the public internet. It provides secure access to the CloudPrem gRPC API through the following mechanisms:

• Creates an internet-facing AWS Application Load Balancer (ALB) that accepts traffic from Datadog services
• Implements TLS encryption with termination at the load balancer level
• Uses HTTP/2 (gRPC) for communication between the ALB and CloudPrem cluster
• Requires mutual TLS (mTLS) authentication where Datadog services must present valid client certificates
• Configures the ALB in TLS passthrough mode to forward client certificates to CloudPrem pods with the X-Amzn-Mtls-Clientcert header
• Rejects requests that are missing valid client certificates or the certificate header

This setup ensures that only authenticated Datadog services can access the CloudPrem cluster while maintaining secure encrypted communication end-to-end.

IP Allowlisting

The Datadog control plane and query services connect to CloudPrem clusters using a set of fixed IP ranges, which can be retrieved for each Datadog site from the Datadog IP Ranges API, specifically under the “webhooks” section. For example, to fetch the IP ranges for the datadoghq.eu site, you can run:

curl -X GET "https://ip-ranges.datadoghq.eu/" \
      -H "Accept: application/json" |
      jq '.webhooks'

Internal ingress

The internal ingress enables log ingestion from Datadog Agents and other log collectors within your environment through HTTP.

By default, the chart creates an internal AWS Application Load Balancer (ALB) to route HTTP traffic to the appropriate CloudPrem services based on the requested API endpoint path. However, if you prefer to use your own ingress controller (such as HAProxy, NGINX, or Traefik), you can disable the default internal ALB and configure your controller with the following routing rules:

rules:
- http:
    paths:
      # Ingest (Quickwit, ES, Datadog) endpoints to indexers
      - path: /api/v1/*/ingest
        pathType: ImplementationSpecific
        backend:
          service:
            name: <RELEASE_NAME>-indexer
            port:
              name: rest
      - path: /api/v1/_elastic/bulk
        pathType: Prefix
        backend:
          service:
            name: <RELEASE_NAME>-indexer
            port:
              name: rest
      - path: /api/v1/_elastic/*/_bulk
        pathType: ImplementationSpecific
        backend:
          service:
            name: <RELEASE_NAME>-indexer
            port:
              name: rest
      - path: /api/v2/logs
        pathType: Prefix
        backend:
          service:
            name: <RELEASE_NAME>-indexer
            port:
              name: rest
      # Index management API endpoints to metastores
      - path: /api/v1/indexes
        pathType: Prefix
        backend:
          service:
            name: <RELEASE_NAME>-metastore
            port:
              name: rest
      # Everything else to searchers
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: <RELEASE_NAME>-searcher
            port:
              name: rest

Further reading

추가 유용한 문서, 링크 및 기사:

CloudPrem OverviewDOCUMENTATION Install CloudPrem and Send Logs with the AgentDOCUMENTATION Configure AWSDOCUMENTATION Configure CloudPrem Log ProcessingDOCUMENTATION Learn more about Cluster Sizing and OperationsDOCUMENTATION Learn more about CloudPrem ArchitectureDOCUMENTATION TroubleshootingDOCUMENTATION