truemark / overwatch

Deploys resources in an AWS monitoring account to support the TrueMark observability pattern
BSD 3-Clause "New" or "Revised" License

Grafana should be in a private subnet with an optional public Load Balancer #16

Open tvc123 opened 4 weeks ago

tvc123 commented 4 weeks ago

"We would like to change AWS Managed Grafana to run in private subnets inside a VPC with an optional public ALB. The current setup does not use VPCs."

froumieh commented 3 weeks ago

To this point:

> We would like to change AWS Managed Grafana to run in private subnets inside a VPC

AWS Managed Grafana operates outside a VPC and we don't have control over that. The VPC config is for accessing private data sources in a VPC: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-vpc-faq.html#vpc-faq-when-to-configure-vpc. That won't make it run inside a VPC. If the purpose is to restrict access, we need to look at this: https://aws.amazon.com/about-aws/whats-new/2023/02/amazon-managed-grafana-network-access-control/
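The distinction made above, as an added Terraform example (not code from the overwatch project): `vpc_configuration` only gives the workspace a path to private data sources, while `network_access_control` is what restricts who can reach the workspace. Region, CIDR, VPC/subnet/security-group ids and the role ARN are placeholder variables assumed for illustration.

```hcl
# Added example, not part of overwatch. All var.* values are placeholders.

# Source allow-list for the workspace UI. Without network_access_control the
# workspace endpoint accepts connections from any IP (still behind SSO login).
resource "aws_ec2_managed_prefix_list" "grafana_allowed_sources" {
  name           = "grafana-allowed-sources"
  address_family = "IPv4"
  max_entries    = 10

  entry {
    cidr        = "203.0.113.0/24" # placeholder corporate/VPN egress range
    description = "corporate egress"
  }
}

# Interface endpoint so users inside the VPC reach the workspace privately.
resource "aws_vpc_endpoint" "grafana_workspace" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.grafana-workspace"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [var.endpoint_sg_id]
}

resource "aws_grafana_workspace" "overwatch" {
  name                     = "overwatch"
  account_access_type      = "CURRENT_ACCOUNT"
  authentication_providers = ["AWS_SSO"]
  permission_type          = "SERVICE_MANAGED"
  role_arn                 = var.grafana_role_arn

  # Restricts inbound access: only traffic from the prefix list or arriving
  # through the listed VPC endpoint reaches the workspace.
  network_access_control {
    prefix_list_ids = [aws_ec2_managed_prefix_list.grafana_allowed_sources.id]
    vpce_ids        = [aws_vpc_endpoint.grafana_workspace.id]
  }

  # Does NOT move the workspace into the VPC; it lets Grafana query private
  # data sources (e.g. Prometheus or RDS) reachable from these subnets.
  vpc_configuration {
    security_group_ids = [var.datasource_sg_id]
    subnet_ids         = var.private_subnet_ids
  }
}
```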