Skip to main content

Overview

Connect Prometheus to give TierZero access to your metrics during investigations. TierZero queries the Prometheus HTTP API to analyze metric behavior, correlate incidents, and support root-cause analysis.

Prerequisites

  • Access to a Prometheus endpoint that exposes the HTTP API
  • A reachable endpoint URL for TierZero (public endpoint or AWS PrivateLink)
  • Authentication details, if your deployment requires auth

Setup Instructions

Step 1: Navigate to Integration Settings

  1. Log into your TierZero dashboard
  2. Go to Settings → Integrations
  3. Click Connect next to Prometheus

Step 2: Choose Network Access Type

In the Prometheus integration form, choose one of the following:
  • Public: Use a publicly reachable endpoint URL (for example, http://prometheus.example.com:9090)
  • Private (PrivateLink): Use AWS PrivateLink when Prometheus is only reachable inside your private network/VPC

Step 3: Configure Connection Details

Public Connection

  1. Enter the full Endpoint URL
  2. Keep the endpoint accessible to TierZero
  3. Continue to authentication setup
If Prometheus is private, first create a PrivateLink connection:
  1. Go to Settings → Network
  2. Under Private Connections, click Add Connection
  3. Add TierZero’s AWS account principal to your VPC Endpoint Service’s Allowed principals
  4. Enter your VPC Endpoint Service name (format: com.amazonaws.vpce.<region>.vpce-svc-...)
  5. Select the AWS region and create the connection
  6. If your endpoint service requires acceptance, approve the connection request in AWS
  7. Return to Settings → Integrations → Prometheus, choose Private (PrivateLink), and select the connection
After selecting a private connection, TierZero uses the PrivateLink DNS endpoint and Prometheus port (typically 9090).

Step 4: Configure Authentication

Select the authentication mode used by your Prometheus endpoint:
  • No Authentication: For endpoints without auth
  • Basic Auth: Provide Base64-encoded username:password
  • Bearer Token: Provide the token value
  • mTLS (Client Certificate): Provide client certificate and client private key in PEM format

Step 5: Test and Connect

  1. Click Test Connection
  2. Resolve any validation errors shown in the form
  3. Click Connect

Network Requirements

  • Prometheus HTTP API must be reachable from TierZero
  • Default Prometheus port is 9090 (or your custom port)
  • Protocol can be HTTP or HTTPS (HTTPS is recommended)
  • For private VPC deployments, use AWS PrivateLink through Settings → Network
If your Prometheus endpoint is only accessible on internal networks, direct public connectivity will fail. Use AWS PrivateLink (or equivalent secure network routing) before connecting the integration.

What TierZero Accesses

  • Prometheus metrics via API queries
  • Time-series data for investigations and comparisons
  • Metadata needed to evaluate metric behavior during incidents

Security

  • Credentials are encrypted at rest
  • TierZero uses provided credentials only for Prometheus queries
  • Access can be revoked by rotating credentials, disabling the endpoint, or removing the integration

Troubleshooting

Connection Timeout

  • Verify the endpoint URL/port is correct
  • Confirm TierZero can reach the endpoint (public network or PrivateLink path)
  • Check security groups, NACLs, firewalls, and endpoint service policies

Authentication Errors

  • Confirm the selected auth type matches your Prometheus deployment
  • For Basic Auth, ensure you provide Base64-encoded username:password
  • For mTLS, verify certificate/key pair validity and formatting

TLS or Certificate Errors

  • Verify TLS certificate chain and hostname
  • If using private/internal certificates over PrivateLink, enable Allow self-signed certificates in Advanced Settings