Skip to main content

HAQM Managed Grafana

HAQM Managed Grafana FAQs

Page topics

General
21
Pricing
5
Versions and Updates
3

General

Open all

HAQM Managed Grafana is a fully managed multicloud, cross-project service with rich, interactive data visualizations to help customers analyze, monitor, and alarm on metrics, logs, and traces across multiple data sources. You can create interactive dashboards and share them with anyone in your organization with an automatically scaled, highly available, and enterprise-secure service. With HAQM Managed Grafana, you can manage user and team access to dashboards across AWS accounts, AWS regions, and data sources. HAQM Managed Grafana provides an intuitive resource discovery experience to help you easily onboard your AWS accounts across multiple regions and securely access AWS services such as HAQM CloudWatch, AWS X-Ray, HAQM OpenSearch Service, HAQM Timestream, AWS IoT SiteWise, and HAQM Managed Service for Prometheus.

Grafana is an open source data visualization and operational dashboarding solution used by hundreds of thousands of organizations and millions of users. Grafana’s rich visualization library and broad support for multiple data sources makes it simple for customers to query, visualize, and alert on a wide variety of operational data, including metrics, logs, and traces in a single console. HAQM Managed Grafana provides fully managed Grafana workspaces compatible with the open source project and developed in partnership with Grafana Labs, parent company of the open source project.

A workspace is a logically isolated Grafana server. Once you have created a workspace, you can integrate it with data sources and then query and visualize metrics from these data sources. You can create multiple workspaces per Region, per account, so that you can create isolated Grafana workspaces for monitoring your Prod and Dev workloads separately.

HAQM Managed Grafana integrates with AWS Organizations to discover the AWS accounts and resources in your Organizational Units. Using AWS CloudFormation StackSets, HAQM Managed Grafana will automatically create the IAM policies needed to grant read-only access to your AWS Services data for the accounts and Regions you choose. Using the HAQM Managed Grafana console, you can easily add or remove accounts, Organizational Units, and Regions that you want to add to each Grafana workspace.

HAQM Managed Grafana ships with core plugins to connect to commonly used data sources including HAQM Managed Service for Prometheus, HAQM CloudWatch, and also supports installation of Grafana community plugins for other cloud providers, including Azure Monitor and Google Analytics, and self-managed data sources such as Graphite, InfluxDB, and more. If you need access to Enterprise data source plugins including AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake; you can upgrade your HAQM Managed workspace with HAQM Managed Grafana Enterprise plugins.

In the HAQM Managed Grafana console, you can select the workspace you’d like to upgrade to Grafana Enterprise. You can optionally upgrade one or more workspaces; each upgraded workspace will have access to Enterprise plugins. This enables you to query and visualize data from AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake.

Yes. You can use AWS CloudFormation templates to create, update, and delete your HAQM Managed Grafana workspaces, as well as manage or update workspace SAML authentication settings. To learn more about manage HAQM Managed Grafana workspaces and configuring workspace SAML authentication with CloudFormation, see the HAQM Managed Grafana resource type reference in the CloudFormation user guide. To create HAQM Managed Grafana workspaces using AWS CloudFormation, follow the reference templates.

Yes, HAQM Managed Grafana supports Terraform for dashboard management.

There are three user types in Grafana: Administrators, Editors, and Viewers. Administrators have add, edit, and delete permissions to manage data sources, users, teams, folders, and dashboards. Editors have view, add, edit, and delete permissions to dashboards and alerts. Viewers can view dashboards to which they have been granted access, but cannot add, edit, or delete data sources, dashboards, or alerts.

HAQM Managed Grafana provides native integrations for multiple AWS Services, including HAQM Managed Service for Prometheus, HAQM CloudWatch, HAQM OpenSearch Service, AWS IoT SiteWise, HAQM Timestream, and AWS X-Ray. HAQM Managed Grafana also supports installation of Grafana community plugins for other cloud providers, including Azure Monitor and Google Analytics, and self-managed data sources such as Graphite, InfluxDB, and more. You can browse all supported data sources plugins directly from the Plugins Catalog within your workspace. Additionally, with HAQM Managed Grafana Enterprise plugins, you can access Enterprise data source plugins including AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake. Click here to learn more about Plugins in HAQM Managed Grafana.

Teams provide a grouping mechanism to organize users in HAQM Managed Grafana. You can use teams to group individual users into entities that are granted access to shared resources such as dashboards, data sources, and alerts. Teams can also be mapped to your LDAP groups. With Team Sync enabled, you can keep team membership and user identities in sync with your Identity Provider's user directories such as Azure Active Directory, Microsoft Active Directory, CyberArk, Okta, OneLogin, and Ping Identity.

Grafana alerting is an opt-in HAQM Managed Grafana feature that allows you to visualize alerts from Prometheus Alertmanager data sources in a searchable alerting interface in your Grafana workspace.

In the HAQM Managed Grafana console, you can select the workspace where you’d like to enable Grafana Alerting to visualize your Prometheus Alertmanager alerts in your Grafana workspace.

Yes, HAQM Managed Grafana can connect to OpenSearch clusters, RDS Postgres databases, or self-managed data sources directly from your VPC without using public IPs or requiring traffic to traverse the Internet. To learn more, see user guide for Connecting to HAQM VPC from HAQM Managed Grafana.

Currently, you can connect one HAQM Managed Grafana workspace to one VPC endpoint in the same region and same account. However, you can use Virtual Private Cloud peering or AWS Transit Gateway to connect the cross-region or cross-account VPCs, then connect the select the VPC endpoint that’s in the same account and same region as your HAQM Managed Grafana workspace. In this way, data sources from different accounts or different region can all be connected to a single HAQM Managed Grafana workspace. If Virtual Private Clouds peering is not an option for you, please share your use cases with your Account Manager, or email us directly at aws-grafana-feedback@haqm.com.

Yes, you can still connect to public data source after you configure the VPC connection in HAQM Managed Grafana workspace. Requests to public data sources must traverse your VPC. If your workspace was previously connected to data sources prior to configuring a VPC endpoint, ensure that the VPC is able to reach the previously connected data sources as all traffic will now route through the VPC connection.

Yes. We provide AWS PrivateLink support between HAQM VPC and HAQM Managed Grafana. You can control access to the HAQM Managed Grafana service from the virtual private cloud (VPC) endpoints by attaching an IAM resource policy for HAQM VPC endpoints. HAQM Managed Grafana supports two different kinds of VPC endpoints. You can connect to the HAQM Managed Grafana service, providing access to the HAQM Managed Grafana APIs to manage workspaces. Or you can create a VPC endpoint to a specific workspace. For information about creating a VPC endpoint for your Grafana workspaces, see Interface VPC endpoints.

Not necessarily. You have granular security controls over the rollout of HAQM Managed Grafana workspaces by defining customer-managed prefix lists and VPC endpoints to help you restrict the inbound network traffic that can reach your Grafana workspaces.  HAQM Managed Grafana supports two modes for user and host access of your Grafana workspace: open access and restricted access. The open access mode is the default access setting for Grafana workspaces when there are no VPC endpoints or managed prefix list restrictions to reach your Grafana workspace URL; however, users must still authenticate with the configured identity provider(s) in order to log in to the workspace. The restricted access mode enables you to specify the inbound network traffic that is allowed to reach your workspace. To restrict access, you can configure prefix lists to specify IP address ranges from which users and hosts can reach your Grafana workspace. You can also create an interface VPC endpoints to allow AWS resources such as HAQM EC2 instances to access the HAQM Managed Grafana API to manage resources, or you can use a VPC endpoint as part of limiting network access to your HAQM Managed Grafana workspaces.

Yes, you can install up to 50 data source, app, or visualization panel plugins, out of all pre-built plugins listed in the Plugin catalog, in addition to the core plugins that are pre-installed in your workspace. You can also update the plugin to a version that works for you. Grafana community plugins, not listed in the Plugin catalog or custom built plugins can not be installed in HAQM Managed Grafana.

Your HAQM Managed Grafana workspace includes a page that shows all of your installed plugins and a list of all plugins that are available to install in your workspace. You can access the plugin catalog here.

HAQM Managed Grafana supports API keys and Service accounts, to interact with Grafana HTTP APIs. Service accounts, introduced with Grafana version 9, replace API keys as the primary way to authenticate applications that interact with Grafana using Service Account Tokens. A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana’s HTTP API. You can list, create and delete API keys and Service accounts from your HAQM Managed Grafana workspace or using HAQM Managed Grafana configuration APIs. 

API keys are on their deprecation path and may be fully removed in upcoming major Grafana releases.

 

Pricing

Open all

You are billed monthly for the total number of active users that have logged in to each Grafana workspace, with a minimum of one Editor user license per workspace per month. There are two tiers of users: an Editor user price that can be assigned Administrator or Editor roles, and a Viewer user price that can be assigned a Viewer role. If you upgrade your workspace with HAQM Managed Grafana Enterprise Plugins, you will be charged an additional fee per active user per month. For detailed pricing information, please reference the HAQM Managed Grafana pricing page.

An “Active user” has logged in to an HAQM Managed Grafana workspace or made an API request at least once during a monthly billing cycle. Users who are provisioned with access to Grafana workspaces but have not used the service at least once in the monthly billing cycle will not be charged. If no users log into a workspace for a month, you will be billed for one minimum Editor user license per workpsace per month. 

Yes, you can create multiple workspaces. Users are billed per workspace per month. For example, if User A belongs to both Workspace 1 and Workspace 2, User A will be billed for using Workspace 1 and separately billed for using Workspace 2.

There are three types of API requests when working with an HAQM Managed Grafana workspace. The first type are HAQM Managed Grafana APIs that are used to create, edit, and delete workspaces. These do not incur charges. The second type are Grafana HTTP API requests that are used to manage workspace resources such as dashboards, alerts, and data sources. These are billed per API user license - API key or Service accounts, and can be granted Administrator, Editor, or Viewer permissions. Charges for Grafana API user licenses will appear on your AWS bill under the HAQM Managed Grafana section. The third type are HAQM Managed Grafana data queries made to other AWS Services and third-party ISVs that may charge fees for using their APIs. These API fees are charged by the respective AWS service or third-party ISV and not charged by HAQM Managed Grafana. For example, a dashboard in HAQM Managed Grafana that contains CloudWatch metrics will make requests to HAQM CloudWatch, and this will incur API fees on your CloudWatch bill.

You will receive one bill with your HAQM Managed Grafana usage, based on active Editor, active Viewer and active Enterprise Plugins users per workspace per month. You will only see charges for Enterprise Plugins user, If you upgrade your HAQM Managed Grafana workspace(s) with Enterprise Plugins. Enterpise Plugins pricing is in addition to HAQM Managed Grafana's per Editor and per Viewer pricing.

Versions and Updates

Open all

See the HAQM Managed Grafana documentation for currently supported Grafana versions. HAQM Managed Grafana will continue to add support for additional Grafana versions in the future.

Yes. HAQM Managed Grafana supports in place update to a new Grafana version. You can update your HAQM Managed Grafana workspace to a new version from the AWS Console, SDK, or CLI. Check out the HAQM Managed Grafana user guide and HAQM Managed Grafana API Reference for detailed documentation.

New versions of Grafana introduce breaking changes, which may impact your visualizations or automation workflows. Manual control over Grafana workspace versioning lets you validate your Grafana experience against new versions of Grafana before upgrading production workspaces.