OmniRetail — Observability Stack

Apr 2026 · eu-west-1 · ~$80–120 / month

Clients

  • .NET Services: orders-service · product-service · customer-service · user-service · Authorization: Basic
  • Dev Team: Explore logs · traces · metrics · grafana.omniretailcore.com · HTTPS + password

HTTPS :443

AWS eu-west-1 — DNS + Load Balancing + TLS

  • Route 53: grafana.omniretailcore.com · ingest.omniretailcore.com · A → ALB
  • Application Load Balancer: HTTPS :443 · HTTP→HTTPS :80 · Host + path routing · TLS termination
  • ACM: *.omniretailcore.com · Auto-renewing · Free managed cert

HTTP — ALB security group only

EC2 — t3.large · Amazon Linux 2023 · Elastic IP
Docker Compose — bridge network

Auth gateway & UI

  • Nginx 1.27: HTTP Basic Auth · Rate limit: 100 req/s per IP · :3100 · :4318 · :9090
  • Grafana 11.5: Dashboards · Alerts · Logs · Traces · Metrics · :3000 · direct

Backend services

  • Loki 3.1: Log ingestion · S3 backend · :3100
  • Tempo 2.5: Trace ingestion · OTLP HTTP · S3 · :4318
  • Prometheus 2.51: Metrics · OTLP receiver · EBS · 180-day retention · :9090

S3 API — same region, no transfer cost

Storage

  • S3 — loki/: Log chunks · 180-day lifecycle · $0.023 / GB·mo
  • S3 — tempo/: Trace blocks · 180-day lifecycle · $0.023 / GB·mo
  • Secrets Manager: Per-service API keys · Read via EC2 instance role · no keys on disk

Cost Analysis

Grafana Cloud vs self-hosted — 1 TB traces · 500 GB logs · 200M requests/mo

Before · Grafana Cloud: $600 per month
  • Loki log ingestion
  • Tempo trace ingestion
  • Prometheus metrics
  • Grafana dashboards
  • Billed per user + ingestion volume

~83% cheaper

After · Self-hosted (AWS): $80–120 per month
  • EC2 t3.large (reserved) — $38
  • S3 logs + traces — $7–35
  • ALB + ACM — $28
  • EBS 100 GB gp3 — $8
  • No per-seat or per-GB ingestion fees

Monthly saving: $480/mo
Annual saving: ~$5.8k/yr
3-year saving: ~$17k
Data retention: 180d

Monthly spend: Grafana Cloud $600 · Self-hosted $100

ALB routing rules

Host + Path                  | Target                   | Auth
grafana.omniretailcore.com/* | :3000 Grafana            | Login
ingest.…/loki/*              | :3100 Nginx → Loki       | Basic
ingest.…/v1/traces           | :4318 Nginx → Tempo      | Basic
ingest.…/api/v1/otlp/*       | :9090 Nginx → Prometheus | Basic

Security model

Control | Detail
Network | EC2 ports accept ALB SG only — direct IP blocked
SSH :22 | Platform team IP only — SG locked
Ingest  | Per-service keys — revoke without downtime
TLS     | HTTPS everywhere, ACM auto-renews free
IAM     | Instance role scoped to omniretail-observability bucket only
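
Added example, not part of the original page or the project's own tooling: a check that the EC2 security group still matches the Network and SSH rows above. It assumes the group is supplied in the JSON shape returned by `aws ec2 describe-security-groups`; the function name, security group IDs and CIDRs are constructed for illustration.

```python
import ipaddress

ALB_SG_ID = "sg-0albexample"        # constructed placeholder for the ALB security group
PLATFORM_CIDR = "203.0.113.10/32"   # constructed placeholder for the platform team IP

SAMPLE_SG = {  # constructed sample in describe-security-groups shape
    "GroupId": "sg-0ec2example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "UserIdGroupPairs": [{"GroupId": "sg-0albexample"}]},
        {"IpProtocol": "tcp", "FromPort": 3100, "ToPort": 3100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"},
                      {"CidrIp": "198.51.100.0/24"}]},
    ],
}

def _within(cidr, allowed):
    """True when cidr is the same IP version as allowed and sits inside it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == allowed.version and net.subnet_of(allowed)

def audit_ingress(sg, alb_sg_id, platform_cidr):
    """Return (from_port, to_port, source) for each ingress source that breaks the model."""
    platform = ipaddress.ip_network(platform_cidr, strict=False)
    findings = []
    for perm in sg.get("IpPermissions", []):
        # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic).
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        prefixes = [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        if perm.get("IpProtocol") == "tcp" and lo == hi == 22:
            # SSH row: only CIDRs inside the platform team range are acceptable.
            bad = [c for c in cidrs if not _within(c, platform)] + groups + prefixes
        else:
            # Network row: the ALB security group is the only acceptable source.
            bad = cidrs + [g for g in groups if g != alb_sg_id] + prefixes
        findings += [(lo, hi, src) for src in bad]
    return findings

if __name__ == "__main__":
    for lo, hi, src in audit_ingress(SAMPLE_SG, ALB_SG_ID, PLATFORM_CIDR):
        print(f"ports {lo}-{hi}: unexpected ingress source {src}")
```

An empty result means every service port is reachable only from the ALB security group and SSH only from the platform range.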