Cross-region Configuration
Use this guide when your AWS resources and your Coralogix domain are hosted in different AWS regions.
Native cross-region PrivateLink is the preferred and AWS-recommended approach for multi-region connectivity. It removes the need for VPC peering, manual routing, and Availability Zone (AZ) alignment.
Why use native cross-region PrivateLink
Native cross-region PrivateLink replaces complex, manually managed networking with an AWS-managed connection between regions.
Key benefits include:
- No VPC peering or route table configuration
- No Availability Zone alignment required
- IAM-based access control
- Built-in high availability with automatic routing across healthy zones
- Lower operational overhead with fewer networking components
Best practices
Availability Zone selection
You have full flexibility when selecting Availability Zones for your VPC endpoint. AZs do not need to match Coralogix’s deployment AZs. AWS automatically routes traffic between your selected AZs and Coralogix’s service AZs.
When selecting AZs, consider the following:
- High availability: Choose at least 2 AZs for redundancy
- Performance: Select AZs closest to your workloads
- Cost optimization: Inter-AZ data transfer via PrivateLink endpoints is free according to AWS's April 2022 announcement
- Compliance: Choose AZs that meet your regulatory requirements
Security and performance
- Ensure your security groups allow outbound HTTPS traffic (port 443) to the VPC endpoint.
- Use the Coralogix private DNS name for consistent routing and failover
- Validate connectivity from workloads running in multiple AZs
Prerequisites
Before configuring a cross-region endpoint:
- Identify the correct Coralogix PrivateLink service endpoints for your Coralogix domain using the Coralogix PrivateLink endpoints and deployment page.
- Ensure the IAM user or role creating the endpoint has the vpce:AllowMultiRegion permission.
Set up
Step 1: Grant required IAM permission
The IAM user or service creating the cross-region endpoint must be explicitly allowed to create multi-region endpoints.
Attach the following policy to the user or role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMultiRegionPrivateLink",
      "Effect": "Allow",
      "Action": [
        "vpce:AllowMultiRegion"
      ],
      "Resource": "*"
    }
  ]
}
Step 2: Create the cross-region VPC endpoint
- In the AWS Console, navigate to VPC, then PrivateLink and Lattice, then Endpoints.
- Select Create endpoint.
- Enter the Coralogix service name associated with the Coralogix-hosting region.
- Choose PrivateLink Ready partner services as the service category.
- Enable the cross-region endpoint option and select the region matching the chosen Coralogix service.
- Choose Verify service to confirm that the service is accessible.
Step 3: Configure VPC and subnets
- In Network Settings, select the VPC in your local region where the endpoint will be created.
- Expand the Additional settings section and Enable DNS name.
- Under Subnets, select at least two availability zones for redundancy and high availability.
Step 4: Configure security groups
Attach a security group that allows inbound TCP traffic on port 443 to the endpoint network interfaces.
Step 5: Validate endpoint status
- Wait for the endpoint status to change from Pending to Available. This may take a few minutes.
- Once available, note the generated DNS names:
  - AZ-specific VPC endpoint DNS names
  - The Coralogix private DNS name (for example, ingress.private.<your-domain>)
Step 6: Validate connectivity
Validate connectivity using one of the following methods:
- From a workload inside the VPC, test TCP connectivity on port 443 to the Coralogix private DNS name.
- Send a test log using the Coralogix REST API /singles endpoint.
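One way to run the first check from a workload inside the VPC, as an added example that is not part of the Coralogix documentation: it confirms that the private DNS name resolves only to addresses inside your VPC CIDR blocks (where the endpoint network interfaces live) and that a verified TLS handshake on port 443 succeeds against each address. The function names and the CIDR argument are hypothetical, and the script assumes the endpoint presents a certificate valid for the private DNS name.

```python
import ipaddress
import socket
import ssl
import sys


def all_in_cidrs(addresses, cidrs):
    """True only if every address falls inside one of the given VPC CIDR blocks."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    parsed = [ipaddress.ip_address(a) for a in addresses]
    return bool(parsed) and all(any(ip in n for n in networks) for ip in parsed)


def resolve(host, port=443):
    """Return the sorted, de-duplicated addresses the resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tls_handshake(address, host, port=443, timeout=5.0):
    """Connect to one address, verify the certificate against host, return the TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def validate(host, vpc_cidrs, port=443):
    """Return (ok, report) with one report line per finding."""
    try:
        addresses = resolve(host, port)
    except socket.gaierror as exc:
        return False, [f"DNS resolution failed for {host}: {exc}"]
    ok = all_in_cidrs(addresses, vpc_cidrs)
    report = [] if ok else [f"{addresses} not all inside {vpc_cidrs}: name is not resolving to the endpoint"]
    for address in addresses:
        try:
            report.append(f"{address}: TLS ok ({tls_handshake(address, host, port)})")
        except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
            ok = False
            report.append(f"{address}: FAILED ({exc})")
    return ok, report


if __name__ == "__main__":
    # usage: script.py <coralogix-private-dns-name> <vpc-cidr> [<vpc-cidr> ...]
    ok, report = validate(sys.argv[1], sys.argv[2:])
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```

Run it from workloads in each Availability Zone you selected; a non-zero exit code means either the name resolved outside the VPC or at least one endpoint address failed the handshake.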
Limitations and considerations
- Cross-region connectivity only works when both regions are in the same AWS partition. For example, connecting us-east-1 and eu-west-1 is supported, but connections between aws-us-gov (AWS GovCloud) and aws-cn (AWS China) partitions are not.
- Cross-region connectivity is only supported for Interface type VPC endpoints.
- Both your region and the Coralogix service region must be in the same AWS partition.
- Cross-region endpoints count toward your Interface VPC Endpoints per VPC quota.


