Agent Service AWS PrivateLink
About
For deployments where you prefer to connect privately to the Monte Carlo Agent Service, you can use VPC endpoints. This helps ensure that traffic between your network and the Monte Carlo Agent Service is not exposed to the internet. For additional details, please refer to the AWS PrivateLink Overview.
Requirements
- Monte Carlo Role, Subscription, and Supported Type: You must have the Account Owner role in Monte Carlo. Additionally, your account must be subscribed to either the Scale or Enterprise tier with the Advanced Networking add-on.
- AWS Admin: Administrative access to AWS is necessary for the setup.
Setup
1. Share Your AWS Account ID
Contact us at [email protected] to request the establishment of a PrivateLink to the Agent Service. Include the following in your email:
- Monte Carlo Account ID (can be found here)
- AWS Account ID where you will create the VPC endpoint
- AWS Region where you will create the VPC endpoint
Monte Carlo will allowlist your AWS account and notify you once access has been granted.
Note: Do not proceed until you receive confirmation from Monte Carlo that your account has been allowed.
Typically, you will receive a response within 24-48 hours (US business days).
2. Obtain the VPC Endpoint Service Name
Navigate to the Account Information page in Monte Carlo. Under the Agent Service section, locate and take note of the values for Region and VPC endpoint service name.
3. Create a VPC Endpoint
In the AWS console, navigate to the VPC section and create an interface VPC endpoint in the VPC and subnet(s) where your agent is deployed. When configuring the endpoint:
- Under Service category, select Endpoint services that use NLBs and GWLBs.
- Enter the VPC endpoint service name obtained in Step 2.
- Select Enable Cross Region endpoint if your agent is deployed in a different region than the VPC endpoint, and select the region from Step 2.
- Click Verify service.
- Select the VPC and subnet(s) where your agent is deployed.
- Assign a security group that allows outbound HTTPS (port 443) traffic.
4. Configure DNS Resolution
After the endpoint is created, you need to configure DNS so that the Agent Service Private Link Hostname resolves to the VPC endpoint. You can find the Private link endpoint in the Account Information page, under Agent Service.
To do this, create a Route 53 Private Hosted Zone and associate it with your VPC:
- In the Route 53 console, create a Private Hosted Zone with the domain portion of the hostname (e.g., privatelink.getmontecarlo.com).
- Associate the hosted zone with the VPC where your VPC endpoint resides.
- Add a CNAME record that maps the subdomain (e.g., artemis) to the VPC endpoint's DNS name. You can find this DNS name under the Details tab of the VPC endpoint in the AWS console.
For example, if the hostname is artemis.privatelink.getmontecarlo.com, the hosted zone is privatelink.getmontecarlo.com and the record name is artemis.
5. Request Connection Approval
Contact us at [email protected] to request approval of the VPC endpoint connection. Include your VPC Endpoint ID in your email. Monte Carlo will approve the connection and notify you once the process is complete.
Note: Do not proceed until you receive confirmation from Monte Carlo that the connection has been approved.
Typically, you will receive a response within 24-48 hours (US business days).
6. Verify Connectivity
First, confirm that the VPC endpoint connection status shows as Available in the AWS console.
Then, update the Generic Agent configuration setting backendServiceUrl to use the Agent Service private link endpoint from Step 4:

    container:
      backendServiceUrl: https://artemis.privatelink.getmontecarlo.com

Complete the deployment for the Generic Agent and onboard the agent on Monte Carlo to verify connectivity.
If you prefer, you can also use the AWS API, CLI, or any other tool of your choice to manage and update any configuration.
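A pre-onboarding check for the DNS and connectivity steps above, added here as an example and not taken from Monte Carlo's tooling: it confirms that a backendServiceUrl value uses HTTPS and that its hostname resolves only to addresses inside your VPC, which is where the interface endpoint's network interfaces live. The function names, the VPC CIDR 10.20.0.0/16 and the sample resolver answers are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def split_hostname(hostname):
    """Split a private link hostname into (record name, hosted zone)."""
    record, _, zone = hostname.partition(".")
    return record, zone

def resolve(hostname, port=443):
    """Resolve with the system resolver; run this from inside the agent's VPC."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_backend_url(url, vpc_cidrs, resolver=resolve):
    """Return (ok, findings) for a backendServiceUrl value."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.hostname:
        return False, findings + ["URL has no hostname"]
    try:
        addresses = resolver(parts.hostname)
    except OSError as exc:  # e.g. hosted zone not associated, or record missing
        return False, findings + [f"{parts.hostname} did not resolve: {exc}"]
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            # Outside the VPC: the name is not resolving to the VPC endpoint.
            findings.append(f"{addr} is outside the VPC CIDRs")
    return not findings, findings

if __name__ == "__main__":
    # Constructed values: the VPC CIDR and resolver answers are illustrative.
    url = "https://artemis.privatelink.getmontecarlo.com"
    print(split_hostname(urlsplit(url).hostname))
    print(check_backend_url(url, ["10.20.0.0/16"], lambda h: ["10.20.1.15"]))
    print(check_backend_url(url, ["10.20.0.0/16"], lambda h: ["34.200.1.1"]))
```

Run it without the `resolver` argument from a host in the agent's subnet so the system resolver, and therefore the Private Hosted Zone, is what answers.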
