Amazon Managed Services for Grafana and Prometheus

An introduction to the AWS-managed services for Grafana and Prometheus, used to collect and visualize operational metrics and logs.

Amazon Managed Grafana

Amazon Managed Grafana (AMG) is a fully managed and secure data visualization service. We can create Grafana dashboards to visualize and analyze operational data from multiple data sources. Because it is a managed service, we don't provision servers or configure and update software: AMG does the heavy lifting of securing, managing, and scaling Grafana.


The data sources for AMG include Amazon CloudWatch, Amazon OpenSearch Service, AWS X-Ray, AWS IoT SiteWise, Amazon Timestream, and Amazon Managed Service for Prometheus.

Grafana workspace

A Grafana workspace is a logically isolated Grafana server that handles our dashboards and queries. We can have up to five workspaces in supported Regions in an AWS account. We can assign users and user groups to a workspace; with the default permissions they can only access the server in view mode. AMG secures access to the workspace through Security Assertion Markup Language (SAML) or AWS IAM Identity Center authentication. Once the workspace is active, we must make at least one user an admin of the workspace.

Note: Using IAM Identity Center requires enabling it on our AWS account. If it is not enabled, we'll be asked to create an IAM Identity Center user. IAM Identity Center handles user management for the AMG workspace.

Managing network access

By default, an AMG workspace accepts traffic from any network, but users must still be authenticated and authorized to access the workspace. We can additionally configure network access control for a workspace to filter network traffic, by defining allowed IP address ranges (as VPC prefix lists) or VPC endpoints. AMG supports only public IPv4 addresses for network access control.

Illustration: Network access control list manages the network access

The illustration above shows "Client 1" being allowed through by the network access control, while "Client 2" is blocked.

Note: If network access control is configured, we must allow at least one IP address or VPC endpoint. Otherwise, the workspace cannot be reached from anywhere.

Amazon Managed Service for Prometheus

Amazon Managed Service for Prometheus (AMP) is a fully managed monitoring service that scales on demand and makes it easy to collect and query metrics from container environments (EKS or self-managed Kubernetes) using the Prometheus query language (PromQL). An AMP workspace lets us isolate access control for the ingestion, storage, and querying of our metrics. AMP uses a Multi-AZ deployment, so it is highly available by design: data is replicated across three AZs in the same Region. It automatically scales up and down as the workload grows or shrinks.


Prometheus workspace

A Prometheus workspace is a logical space with fine-grained access control over storage and queries. It is a dedicated space for operations such as updating, describing, listing, and deleting the workspace, and ingesting and querying Prometheus metrics. AMP allows multiple workspaces in each Region of an AWS account. Prometheus metrics are ingested into the workspace for storage and monitoring. The workspace keeps the metrics for 150 days and then deletes them.

Ingest Prometheus metrics

There are two main ways to ingest metrics into a Prometheus workspace. Each can be set up in several ways, but the most common and simplest is a standalone Prometheus agent that scrapes metrics from the cluster and writes them to the workspace. The following two kinds of metrics collectors are used for this purpose:

  • AWS managed collector: A fully managed, agentless scraper that automatically scrapes metrics from an EKS cluster by pulling them from Prometheus-compatible endpoints.

  • Customer-managed collector: We create and manage our own collector, either a standalone Prometheus instance or AWS Distro for OpenTelemetry (ADOT).
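As an added illustration of the customer-managed collector option (this is example configuration, not configuration from the lesson or from AWS), the following prometheus.yml makes a standalone Prometheus server scrape its cluster locally and forward the samples to an AMP workspace with remote_write. The remote_write request is signed with AWS Signature Version 4 using the credentials of the instance or pod role, which must be allowed the aps:RemoteWrite action on the workspace. The <region> and <workspace-id> values are placeholders; the queue_config values are the ones AWS documents as a starting point.

```yaml
# Added example configuration for a customer-managed Prometheus collector.
# <region> and <workspace-id> are placeholders for your own values.
global:
  scrape_interval: 30s

scrape_configs:
  # Whatever the server scrapes locally; here, pods discovered via the Kubernetes API.
  - job_name: kubernetes-pods
    kubernetes_sd_configs:
      - role: pod

remote_write:
  - url: https://aps-workspaces.<region>.amazonaws.com/workspaces/<workspace-id>/api/v1/remote_write
    # SigV4 signing; credentials are taken from the environment, instance profile,
    # or pod service-account role (IRSA), so no keys are stored in this file.
    sigv4:
      region: <region>
    queue_config:
      max_samples_per_send: 1000
      max_shards: 200
      capacity: 2500
```

Because the workspace accepts writes only from principals with the matching IAM permission, a scraper whose role lacks aps:RemoteWrite will see HTTP 403 responses in its logs rather than silently dropping data, which is the first thing to check when a new collector shows no samples in the workspace.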

Querying Prometheus metrics

Once metrics are in the workspace, there are two ways to query them. One is to use Grafana (for example, AMG), which makes visualizing the metrics more flexible and convenient. The other is to call the AMP query APIs directly.
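The second option, as an added example that is not part of the lesson and not AWS-provided code: the AMP query endpoint speaks the ordinary Prometheus HTTP API, but every request must carry an AWS Signature Version 4 for the signing name "aps" and the caller needs the aps:QueryMetrics IAM permission. The block below builds such a signed request with the Python standard library only, so the signing steps are visible rather than hidden in an SDK. The workspace id, Region, and credentials are constructed placeholders.

```python
"""Query an Amazon Managed Service for Prometheus workspace over its HTTP API.

Added example (not from the lesson): signs GET /api/v1/query with AWS
Signature Version 4 for the "aps" service using only the standard library.
Workspace id, Region and credentials used at the bottom are placeholders.
"""
import datetime
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

SERVICE = "aps"  # SigV4 signing name for Amazon Managed Service for Prometheus


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_signed_query(workspace_id, region, promql, access_key, secret_key,
                       amz_date, session_token=None):
    """Return (url, headers) for a SigV4-signed GET .../api/v1/query request.

    amz_date is the request time as an ISO 8601 basic string such as
    "20240102T030405Z"; passing it in keeps the signature reproducible.
    """
    host = f"aps-workspaces.{region}.amazonaws.com"
    path = f"/workspaces/{workspace_id}/api/v1/query"
    # Canonical query string: RFC 3986 percent-encoding, only unreserved chars kept.
    query = urllib.parse.urlencode({"query": promql},
                                   quote_via=urllib.parse.quote, safe="-_.~")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET carries an empty body

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (roles, SSO) must also send the token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", path, query, canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    # Derive the signing key: "AWS4"+secret -> date -> region -> service -> aws4_request
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return f"https://{host}{path}?{query}", headers


def query_workspace(workspace_id, region, promql, access_key, secret_key,
                    session_token=None):
    """Sign with the current UTC time, send the request, and return the JSON body."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    url, headers = build_signed_query(workspace_id, region, promql,
                                      access_key, secret_key, now, session_token)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own workspace and credentials.
    url, hdrs = build_signed_query(
        "ws-00000000-0000-0000-0000-000000000000", "us-east-1",
        'up{job="kubernetes-nodes"}', "AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "20240102T030405Z")
    print(url)
    print(hdrs["authorization"])
```

In practice the credentials come from an IAM role rather than static keys, and the session token then has to be signed as well (the session_token parameter above); a request with a missing or wrong signature is rejected by the workspace with HTTP 403 before any PromQL is evaluated, which is what makes the per-workspace IAM policy the effective access boundary for queries.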

From a cost point of view, metrics ingestion is the largest contributor, querying the metrics is the second, and storage comes last.

AMG vs. AMP

Amazon Managed Service for Prometheus is a metrics collection and monitoring solution, while Amazon Managed Grafana is a full package that collects metrics, logs, and traces and visualizes them. Both AMG and AMP are fully managed services.

Let's briefly compare them on a few useful criteria:

Purpose
  • AMG: Visualization, monitoring, and analysis of metrics and logs
  • AMP: Scalable and efficient monitoring and alerting

Functionality
  • AMG: Creating data visualization dashboards; visualizing, exploring, and analyzing metrics, logs, and traces from different data sources
  • AMP: Storing and querying metrics, and creating alerts

Data sources
  • AMG: A wide range of built-in data sources, plus external data sources available through AMG enterprise plugins
  • AMP: Container clusters such as EKS or self-managed Kubernetes clusters
