Background
EDB Cloud Service provides a Prometheus-compatible endpoint to connect to your monitoring infrastructure and Postgres logs via blob storage.
You can get the PROMETHEUS URL from the Monitoring & Logging tab, but it is not accessible until a private connection is configured for it. This document describes how to configure that connection.
The steps are similar to those in the documentation Connecting from Azure. The only difference is that the IP address of the Metrics host is used instead of the cluster's. The Metrics URL is per region.
Example
Metrics information
Region: WestUS2
Account ID: KJS1ac8Czj9EBUwb
URL: https://m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io:10902
Host: m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io
Steps to Access Metrics Using Azure Private Link
Step 1 Create an Azure Private Link service for the Metrics endpoint
Step 2 Create an Azure Private Endpoint in each client virtual network / Step 2 Create a Managed Private Endpoint in Azure Managed Grafana
Step 3 Create an Azure Private DNS Zone for the private endpoint
Step 1 Create an Azure Private Link service for the Metrics endpoint
1. Get the IP address of the PROMETHEUS URL (shown in the Monitoring & Logging tab):
❯ dig +short m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io
10.240.0.123
2. In the upper-left corner of the Azure portal, select Create a resource.
3. In the Search the Marketplace box, search for Private Link.
4. Select Create.
5. Create the private link service in the resource group whose name starts with <prj_id>-rg-<region>-management. You can also get the resource group name by running the following Azure CLI command:
az network vnet list --query "[?name==\`vnet-westus2\`].resourceGroup" -o json
6. Enter the details for the Azure Private Link. Use a unique name for the Azure Private Link.
7. In the Outbound settings page, select the kubernetes-internal load balancer and the IP address of the PROMETHEUS URL (IP address in step 1).
8. On the Access security page, configure the level of access for the private link service.
After the private link service is created, note its alias. The alias is the unique ID for your private service, which you can share with the service consumers. Obtain the alias either from the Azure portal or by using the following CLI command:
az network private-link-service list --query "[?name=='customer-monitoring-private-service'].alias" -o tsv
Step 2 Create an Azure Private Endpoint in each client virtual network
This step applies only to a local Grafana. If you are using the Azure Managed Grafana service, go to the next Step 2.
This part is exactly the same as the document Create an Azure Private Endpoint in each client virtual network. Follow the steps there to create a Private Endpoint.
My output in Step 2.11 is below.
NICID=$(az network private-endpoint show -n customer-monitoring-ep -g sszhao-vm --query "networkInterfaces[0].id" -o tsv)
az network nic show -n ${NICID##*/} -g sszhao-vm --query "ipConfigurations[0].privateIpAddress" -o tsv
The private endpoint's private IP address is 10.8.0.6.
Step 2 Create a Managed Private Endpoint in Azure Managed Grafana
This step applies only to the Azure Managed Grafana service. If you are using a local Grafana, skip this step and go to Step 3.
Reference: https://learn.microsoft.com/en-us/azure/managed-grafana/how-to-connect-to-data-source-privately
Once you've set up the private link service, you can create a managed private endpoint in your Grafana workspace that connects to the new private link.
- In the Azure portal, navigate to your Grafana resource and then select Networking.
- Select Managed Private Endpoint, and then select Create.
- In the New managed private endpoint pane, fill out the required information for the resource to connect to.
- Select Create to add the managed private endpoint resource.
- Contact the owner of the target private link service to approve the connection request.
- After the connection request is approved, select Refresh to ensure the connection status is Approved and the private IP address is shown.
Step 3 Create an Azure Private DNS Zone for the private endpoint
Follow the steps in Create an Azure Private DNS Zone for the private endpoint.
Virtual Network Link
Record set
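Step 3 done with the Azure CLI rather than the portal, as an added example that is not part of the original page or of EDB's documented procedure. It assumes the zone is the metrics host name without its first label and the record set is that first label; `<client-vnet>` and the link name are placeholders, and the commands are only printed unless `AZ=az` is set.

```shell
#!/usr/bin/env bash
# Added example: private DNS zone, vnet link and A record for the metrics host.
set -eu

METRICS_HOST="m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io"  # from the page
ENDPOINT_IP="10.8.0.6"        # private endpoint IP found in Step 2 (from the page)
CLIENT_RG="sszhao-vm"         # resource group used in Step 2 (from the page)
CLIENT_VNET="<client-vnet>"   # placeholder: the client virtual network
LINK_NAME="metrics-dns-link"  # hypothetical name for the virtual network link

# Assumption: zone = host name minus its first label, record = first label.
record_of() { printf '%s\n' "${1%%.*}"; }
zone_of()   { printf '%s\n' "${1#*.}"; }

# Dry run by default: commands are echoed. Export AZ=az to execute them.
AZ="${AZ:-echo az}"

create_private_dns() {
  local host="$1" ip="$2" zone record
  zone="$(zone_of "$host")"
  record="$(record_of "$host")"
  # 1. Private zone that will answer for the metrics host inside the vnet.
  $AZ network private-dns zone create -g "$CLIENT_RG" -n "$zone"
  # 2. Link the zone to the client vnet; auto-registration stays off so only
  #    the record created below exists in the zone.
  $AZ network private-dns link vnet create -g "$CLIENT_RG" -z "$zone" \
      -n "$LINK_NAME" -v "$CLIENT_VNET" -e false
  # 3. A record: metrics host name -> private endpoint IP.
  $AZ network private-dns record-set a add-record -g "$CLIENT_RG" -z "$zone" \
      -n "$record" -a "$ip"
}

create_private_dns "$METRICS_HOST" "$ENDPOINT_IP"
```

Once the record exists, `dig +short` for the metrics host from a VM in the linked virtual network should return the private endpoint address instead of 10.240.0.123.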
Step 4 Access the Metrics
You can access the PROMETHEUS URL in your browser directly.
You can also configure it as a data source in your Grafana server.
1. In the Grafana server GUI, go to Configuration > Data Sources.
2. Select the type Prometheus and set the URL to https://<host>:10902, or to https://<IP address>:10902 with Skip TLS Verify enabled.
3. Configure the other settings according to your preferences.
4. Select Save & Test (the connection is tested automatically).
5. Now you can explore your data in Grafana.
Grafana|Error reading Prometheus: An error occurred within the plugin
or
Unable to communicate securely with peer: requested domain name does not match the server's certificate.
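This usually happens when the hostname in the URL is different from m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io, the name in the server's certificate. For example, we use https://10.8.0.6:10902 here in the data source.
Solutions
1. Use the hostname m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io in the URL. This keeps certificate verification enabled.
Or
2. Enable 'Skip TLS Verify'. Grafana then no longer validates the server certificate for this data source.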
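A check for the name mismatch described above, as an added example that is not part of the original page: it classifies a data source URL against the certificate host name and, with `PROBE=1`, uses `curl --resolve` to validate the certificate over the private endpoint IP. Function names are hypothetical and only IPv4 literals are handled.

```shell
#!/usr/bin/env bash
# Added example: will this Grafana data source URL pass the TLS name check?
set -eu

CERT_HOST="m-azurewestus2-6.kjs1ac8czj9ebuwb.s.edbcloud.io"  # from the page
ENDPOINT_IP="10.8.0.6"                                       # from the page
PORT=10902                                                   # from the page

# Host part of an https URL (scheme, port and path stripped).
url_host() {
  local rest="${1#https://}"
  rest="${rest%%/*}"
  printf '%s\n' "${rest%%:*}"
}

# match         -> URL host equals the certificate host, verification can pass
# mismatch-name -> some other host name is used
# mismatch-ip   -> an IPv4 literal is used, as in the failing data source
name_check() {
  local host
  host="$(url_host "$1" | tr 'A-Z' 'a-z')"
  case "$host" in
    "$CERT_HOST") echo match ;;
    *[!0-9.]*)    echo mismatch-name ;;
    *)            echo mismatch-ip ;;
  esac
}

# Live check from a client in the virtual network: pin the host name to the
# private endpoint IP so the certificate is validated even before the private
# DNS zone resolves it. Any HTTP status counts; only TLS or connect errors fail.
probe() {
  curl -sS -o /dev/null --max-time 10 \
       --resolve "$CERT_HOST:$PORT:$ENDPOINT_IP" "https://$CERT_HOST:$PORT/" \
    && echo "TLS verified for $CERT_HOST via $ENDPOINT_IP" \
    || echo "curl exit $? (certificate or connectivity problem)"
}

for url in "https://$ENDPOINT_IP:$PORT" "https://$CERT_HOST:$PORT"; do
  printf '%s -> %s\n' "$url" "$(name_check "$url")"
done
if [ "${PROBE:-0}" = 1 ]; then probe; fi
```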