cockroachdb · jhlodin · Dec 19, 2025 · Dec 15, 2025 · Dec 18, 2025 · Dec 19, 2025
diff --git a/src/current/cockroachcloud/egress-private-endpoints.md b/src/current/cockroachcloud/egress-private-endpoints.md
@@ -131,6 +131,28 @@ curl https://cockroachlabs.cloud/api/v1/clusters/{cluster_id}/networking/egress-
 }'
 ~~~
 
+#### Amazon CloudWatch logs export endpoint
+
+Log export to Amazon CloudWatch requires that you create a private service endpoint for each CockroachDB {{ site.data.products.cloud }} region, populating `target_service_identifier` with the domain name of a CloudWatch instance in that region. Since CloudWatch is an AWS-managed service, logs are scoped to the AWS account where the endpoint is created. The access keys on the export dictate which CloudWatch account receives the logs.
+
+To export logs from multiple {{ site.data.products.cloud }} clusters across different regions to a single CloudWatch instance, [configure custom DNS](#configure-custom-dns) so that each `target_service_identifier` value resolves to the same target CloudWatch endpoint. In this situation, the `logexport` [endpoint]({% link cockroachcloud/export-logs-advanced.md %}#the-logexport-endpoint) automatically sets the `region` field to the region of the CloudWatch instance. 
+
+{% include_cached copy-clipboard.html %}
+~~~ shell
+curl https://cockroachlabs.cloud/api/v1/clusters/{cluster_id}/networking/egress-private-endpoints \
+-X POST \
+-H "Authorization: Bearer {secret_key}" \
+-H 'Content-Type: application/json' \
+-d '{
+  "cluster_id": "{cluster_id}",
+  "region": "us-east-1",
+  "target_service_identifier": "com.amazonaws.us-east-1.log",
+  "target_service_type": "PRIVATE_SERVICE"
+}'
+~~~
+
+For more information about log export to Amazon CloudWatch, read the [log export documentation]({% link cockroachcloud/export-logs.md %}).
+
 #### MSK cluster endpoint
 
 {% include_cached copy-clipboard.html %}

diff --git a/src/current/cockroachcloud/export-logs-advanced.md b/src/current/cockroachcloud/export-logs-advanced.md
@@ -509,6 +509,12 @@ To enable log export for your CockroachDB {{ site.data.products.advanced }} clus
 Once log export has been enabled, logs generated going forward are sent to the specified cloud sink. Logs are not back-filled to the specified cloud sink.
 {{site.data.alerts.end}}
 
+## Send logs over a private cloud connection
+
+You can send logs to Amazon CloudWatch from private egress endpoints on your CockroachDB {{ site.data.products.cloud }} clusters to ensure they are sent over private connections within the cloud service.
+
+To learn more, read the [egress private endpoints documentation]({% link cockroachcloud/egress-private-endpoints.md %}).
+
 ## Monitor the status of a log export configuration
 
 To check the status of an existing CockroachDB {{ site.data.products.advanced }} log export configuration, use the following Cloud API command: