How does one hide the /metrics from the public internet? And once it's hidden, what's the usual practice for Grafana/Grafana Cloud to scrape this hidden/protected endpoint?
I'm asking because I figured out that exposing /metrics to the world is unacceptable (unless I'm missing something obvious).
@jasonlimantoro I know it's been a while since you commented, but for posterity's sake I'll include an answer (not maintainer, so take this with a grain of salt).
As far as I can tell, the instance of `express()` that you pass to `createPrometheusExporterPlugin({ yourExpressInstance })` doesn't have to be the same express serving your Apollo Server. I initially thought there would be some configuration allowing me to decide which port to expose, but ended up just instantiating a new Express server specifically for serving prometheus metrics, bound it to a non-internet facing port, and then configured that port's access according to the restrictions I had. Beyond that I can't specify how you'd configure your particular stack.
A basic example might look like this:
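```js
const express = require('express');
const { ApolloServer } = require('apollo-server-express');
const { createPrometheusExporterPlugin } = require('@bmatei/apollo-prometheus-exporter');

// typeDefs and resolvers are your own schema definitions, defined elsewhere.

// Dedicated Express instance that only serves the Prometheus metrics.
const metricsApp = express();
metricsApp.listen('6666', () => {
  console.log('Apollo Prometheus Exporter server running on :6666');
});

// The plugin expects the Express instance under the `app` key.
const prometheusExporterPlugin = createPrometheusExporterPlugin({ app: metricsApp });

const server = new ApolloServer({
  typeDefs,
  resolvers,
  plugins: [prometheusExporterPlugin],
});

// Separate Express instance for the GraphQL endpoint itself.
const apolloApp = express();
server.applyMiddleware({ app: apolloApp });
apolloApp.listen('4000', () => {
  console.log('Apollo Express running at :4000');
});
```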
In this case, localhost:4000/graphql would serve your apollo server, and localhost:6666/metrics would serve your prometheus metrics.
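Going one step beyond the port split described in the thread, the following is an added example (not part of the original comments and not the exporter project's code) of an Express-compatible guard that only lets an allowlisted scraper address with a valid bearer token reach `/metrics`. The names `guardMetrics`, `allowedAddrs`, `simulate` and the `METRICS_TOKEN` environment variable are hypothetical, and the request/response objects are constructed stubs so the block runs without Express installed.

```javascript
// Added example: Express-compatible guard for a dedicated /metrics listener.
const crypto = require('node:crypto');

// Constant-time comparison; hashing first gives both buffers equal length.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeAddr(addr) {
  return String(addr || '').replace(/^::ffff:/i, '');
}

// guardMetrics({ token, allowedAddrs }) -> (req, res, next) middleware.
// Both option names are hypothetical; allowedAddrs lists exact scraper IPs.
function guardMetrics({ token, allowedAddrs }) {
  if (!token) throw new Error('refusing to start without a scrape token');
  const allowed = new Set(allowedAddrs.map(normalizeAddr));
  return function (req, res, next) {
    const peer = normalizeAddr(req.socket && req.socket.remoteAddress);
    if (!allowed.has(peer)) {
      res.statusCode = 403;
      return res.end('forbidden');
    }
    const m = /^Bearer (.+)$/.exec(req.headers['authorization'] || '');
    if (!m || !safeEqual(m[1], token)) {
      res.statusCode = 401;
      res.setHeader('WWW-Authenticate', 'Bearer');
      return res.end('unauthorized');
    }
    next();
  };
}

// Constructed request/response stubs so the guard can be exercised offline.
function simulate(guard, remoteAddress, authorization) {
  const req = { socket: { remoteAddress }, headers: authorization ? { authorization } : {} };
  const res = { statusCode: 200, setHeader() {}, end() {} };
  let passed = false;
  guard(req, res, () => { passed = true; });
  return passed ? 'next' : res.statusCode;
}

// Wiring in the app: register the guard before the /metrics route is added, e.g.
//   metricsApp.use('/metrics', guardMetrics({ token: process.env.METRICS_TOKEN, allowedAddrs: ['127.0.0.1'] }));
//   metricsApp.listen(6666, '127.0.0.1');
```

A Prometheus-compatible scraper then presents the same token through the `authorization` credentials of its scrape job.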