
URL: https://docs.datadoghq.com/byoc-logs/configure/ingress/


BYOC Logs Ingress Configuration

Overview

Ingress is a critical component of your BYOC (Bring Your Own Cloud) Logs deployment. The Helm chart automatically creates two ingress configurations called public ingress and internal ingress. If the AWS Load Balancer Controller is installed on the cluster, it provisions one ALB per ingress configuration. Each load balancer can be further configured using ingress annotations.

Public ingress

Only the BYOC Logs gRPC API endpoints (paths starting with /cloudprem) perform mutual TLS authentication. Exposing any other endpoints through the public ingress introduces a security risk, as those endpoints would be accessible over the internet without authentication. Always restrict non-gRPC endpoints to the internal ingress.

The public ingress is essential for enabling Datadog’s control plane and query service to manage and query BYOC Logs clusters over the public internet. It provides secure access to the BYOC Logs gRPC API through the following mechanisms:

  • Creates an internet-facing AWS Application Load Balancer (ALB) that accepts traffic from Datadog services
  • Implements TLS encryption with termination at the load balancer level
  • Uses HTTP/2 (gRPC) for communication between the ALB and BYOC Logs cluster
  • Requires mutual TLS (mTLS) authentication where Datadog services must present valid client certificates
  • Configures the ALB in TLS passthrough mode to forward client certificates to BYOC Logs pods with the X-Amzn-Mtls-Clientcert header
  • Rejects requests that are missing valid client certificates or the certificate header

This setup ensures that only authenticated Datadog services can access the BYOC Logs cluster while maintaining secure encrypted communication end-to-end.

IP Allowlisting

The Datadog control plane and query services connect to BYOC Logs clusters using a set of fixed IP ranges, which can be retrieved for each Datadog site from the Datadog IP Ranges API, specifically under the “webhooks” section. For example, to fetch the IP ranges for the datadoghq.eu site, you can run:

curl -X GET "https://ip-ranges.datadoghq.eu/" \
 -H "Accept: application/json" |
 jq '.webhooks'
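The ranges returned by that query are what you pin the public load balancer to. The following is an added example (not Datadog's code or part of the page) that parses the "webhooks" section, renders it as the comma-separated value the AWS Load Balancer Controller expects for its alb.ingress.kubernetes.io/inbound-cidrs annotation, checks whether a given source address is covered, and diffs the published ranges against what an ingress currently carries so you can catch allowlist drift when Datadog adds or retires a range. The JSON is a constructed sample using RFC 5737/3849 documentation addresses, not Datadog's real ranges; the annotation name is assumed from the controller's documentation and is not mentioned on this page.

```python
"""Build and audit an ALB inbound allowlist from the Datadog IP Ranges API.

Added example, not Datadog's code. Real data comes from e.g.
https://ip-ranges.datadoghq.eu/ under "webhooks"; the JSON below is a
constructed sample (documentation ranges, RFC 5737 / RFC 3849).
"""
import ipaddress
import json

# Constructed sample response; key layout mirrors the public API's
# "prefixes_ipv4" / "prefixes_ipv6" lists.
SAMPLE_IP_RANGES = json.dumps({
    "version": 1,
    "webhooks": {
        "prefixes_ipv4": ["203.0.113.0/24", "198.51.100.0/25"],
        "prefixes_ipv6": ["2001:db8:1::/48"],
    },
})


def webhook_networks(raw_json):
    """Parse the 'webhooks' section into ip_network objects (IPv4 then IPv6)."""
    section = json.loads(raw_json)["webhooks"]
    nets = [ipaddress.ip_network(p) for p in section.get("prefixes_ipv4", [])]
    nets += [ipaddress.ip_network(p) for p in section.get("prefixes_ipv6", [])]
    return nets


def inbound_cidrs_annotation(nets):
    """Comma-separated CIDR list for alb.ingress.kubernetes.io/inbound-cidrs
    (assumed annotation name; the ALB only accepts TCP from these ranges)."""
    return ",".join(str(n) for n in nets)


def is_allowed_source(addr, nets):
    """True when addr falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def allowlist_drift(configured_cidrs, nets):
    """Compare a configured annotation value with the published ranges.

    Returns (missing, stale): published ranges absent from the annotation
    (Datadog traffic that would be dropped) and configured ranges no longer
    published (unnecessary exposure). Both lists are sorted strings.
    """
    configured = {ipaddress.ip_network(c.strip())
                  for c in configured_cidrs.split(",") if c.strip()}
    published = set(nets)
    missing = sorted(str(n) for n in published - configured)
    stale = sorted(str(n) for n in configured - published)
    return missing, stale


if __name__ == "__main__":
    nets = webhook_networks(SAMPLE_IP_RANGES)
    print("annotation value:", inbound_cidrs_annotation(nets))
    print("203.0.113.77 allowed:", is_allowed_source("203.0.113.77", nets))
    print("drift:", allowlist_drift("203.0.113.0/24,192.0.2.0/24", nets))
```

Run the drift check from a scheduled job against the live API response and the annotation on the public ingress; a non-empty "missing" list means Datadog's control plane will start failing to reach the cluster, and a non-empty "stale" list means the ALB accepts connections from ranges Datadog no longer uses.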

Internal ingress

The internal ingress enables log ingestion from Datadog Agents and other log collectors within your environment through HTTP.

By default, the chart creates an internal AWS Application Load Balancer (ALB) to route HTTP traffic to the appropriate BYOC Logs services based on the requested API endpoint path. However, if you prefer to use your own ingress controller (such as HAProxy, NGINX, or Traefik), you can disable the default internal ALB and configure your controller with the following routing rules:

rules:
- http:
    paths:
    # Ingest (Quickwit, ES, Datadog) endpoints to indexers
    - path: /api/v1/*/ingest
      pathType: ImplementationSpecific
      backend:
        service:
          name: <RELEASE_NAME>-indexer
          port:
            name: rest
    - path: /api/v1/_elastic/bulk
      pathType: Prefix
      backend:
        service:
          name: <RELEASE_NAME>-indexer
          port:
            name: rest
    - path: /api/v1/_elastic/*/_bulk
      pathType: ImplementationSpecific
      backend:
        service:
          name: <RELEASE_NAME>-indexer
          port:
            name: rest
    - path: /api/v2/logs
      pathType: Prefix
      backend:
        service:
          name: <RELEASE_NAME>-indexer
          port:
            name: rest
    # Index management API endpoints to metastores
    - path: /api/v1/indexes
      pathType: Prefix
      backend:
        service:
          name: <RELEASE_NAME>-metastore
          port:
            name: rest
    # Everything else to searchers
    - path: /*
      pathType: ImplementationSpecific
      backend:
        service:
          name: <RELEASE_NAME>-searcher
          port:
            name: rest
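When you replace the default internal ALB with your own controller, two things are worth verifying before traffic flows: that a request path lands on the backend the rule set above intends, and that nothing outside /cloudprem has leaked onto the public ingress (the warning at the top of the "Public ingress" section). The following is an added example, not Datadog's or the Helm chart's code, that transcribes the rules above into Python and implements both checks. Path semantics are a deliberate simplification and an assumption of this example: Prefix matches the path or a segment-aligned prefix of it, ImplementationSpecific treats "*" as a wildcard for any run of characters, and the first matching rule wins; check your controller's documentation for its actual behaviour. The release name "byoc" is a placeholder.

```python
"""Audit BYOC Logs ingress routing rules.

Added example, not Datadog's code. Transcribes the documented internal
routing rules and (1) resolves a request path to the backend they select,
(2) flags public-ingress paths that are not under /cloudprem, the only
mTLS-authenticated API. Matching semantics are an assumed simplification.
"""
import re

RELEASE = "byoc"  # placeholder for <RELEASE_NAME>

# (path pattern, pathType, backend service) in the order the rules appear.
INTERNAL_RULES = [
    ("/api/v1/*/ingest", "ImplementationSpecific", f"{RELEASE}-indexer"),
    ("/api/v1/_elastic/bulk", "Prefix", f"{RELEASE}-indexer"),
    ("/api/v1/_elastic/*/_bulk", "ImplementationSpecific", f"{RELEASE}-indexer"),
    ("/api/v2/logs", "Prefix", f"{RELEASE}-indexer"),
    ("/api/v1/indexes", "Prefix", f"{RELEASE}-metastore"),
    ("/*", "ImplementationSpecific", f"{RELEASE}-searcher"),
]


def path_matches(pattern, path_type, request_path):
    """Assumed semantics: Prefix = exact or segment-aligned prefix;
    ImplementationSpecific = '*' matches any run of characters."""
    if path_type == "Prefix":
        base = pattern.rstrip("/")
        return request_path == base or request_path.startswith(base + "/")
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, request_path) is not None


def route(request_path, rules=INTERNAL_RULES):
    """Backend service selected for request_path, first matching rule wins."""
    for pattern, path_type, backend in rules:
        if path_matches(pattern, path_type, request_path):
            return backend
    return None


def audit_public_paths(paths):
    """Return the public-ingress paths that are NOT under /cloudprem.

    Anything returned would be reachable from the internet without the
    mTLS check and belongs on the internal ingress instead.
    """
    return [p for p in paths
            if not (p == "/cloudprem" or p.startswith("/cloudprem/"))]


def ingest_paths_reach_indexer(sample_paths, rules=INTERNAL_RULES):
    """True when every supplied ingest path resolves to the indexer service."""
    return all(route(p, rules) == f"{RELEASE}-indexer" for p in sample_paths)


if __name__ == "__main__":
    for p in ["/api/v1/myindex/ingest", "/api/v2/logs",
              "/api/v1/indexes/myindex", "/api/v1/myindex/search"]:
        print(f"{p:32} -> {route(p)}")
    # Constructed public-ingress path list containing one misrouted entry.
    print("leaked:", audit_public_paths(["/cloudprem/*", "/api/v2/logs"]))
```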
