AWS PrivateLink Connections

If your network requirements don't allow access to the Tetra Data Platform (TDP) through the internet, you can configure AWS PrivateLink to securely connect your TDP account directly to one or more Amazon Virtual Private Clouds (Amazon VPCs) in your AWS account. AWS PrivateLink provides the ability to connect to the TDP through private IP addresses in your VPC. The interface endpoints are created inside your VPC, using elastic network interfaces and IP addresses in your VPC's subnets. This setup allows you to use VPC Security Groups to manage access to the endpoints.

🚧 IMPORTANT

Your Amazon VPC and the TDP's VPC must be in the same AWS Region to establish an AWS PrivateLink connection.

Architecture

The following diagram shows an example workflow for an AWS PrivateLink connection to the TDP.

[Diagram: AWS PrivateLink connection to the TDP]

Configure an AWS PrivateLink Connection to the TDP

To set up AWS PrivateLink for your TDP account, do the following.

Provide TetraScience Your VPC Connection Details

TetraScience configures the AWS PrivateLink connection from the TDP service's side. Start by contacting your customer success manager (CSM) and providing them with the following information:

  • Your AWS account number
  • The AWS Region that your Amazon VPC is in
  • The Availability Zone IDs used in your VPC's subnets (this information is required, because TetraScience must use the same Availability Zones when setting up the connection)
  • Whether only human users, only service users, or both will access the TDP through the AWS PrivateLink connection
  • What domain do you want emails generated by the TDP to originate from? (If using your own domain, please provide the required Amazon Simple Email Service (Amazon SES) validation)

🚧 IMPORTANT

Make sure that you confirm with your network and security team that a TDP domain ending with tetrascience.com is acceptable and won't be blocked.

Create an Interface VPC Endpoint in Your Environment

Create an interface VPC endpoint that connects to the TDP by following the instructions in Create an interface endpoint in the AWS PrivateLink documentation. Then, tell your CSM when you're done. They will accept the new connection request and confirm when the AWS PrivateLink connection is established.

🚧 IMPORTANT

Make sure that you copy and keep a record of the primary DNS name after you create the interface endpoint in your environment. This DNS name must specify the VPC's AWS Region. It should also resolve to more than one subnet, if more than one is used.

DNS Requirements

You must configure your DNS to resolve the TDP endpoint and any required AWS service endpoints to your interface VPC endpoint. Tetra components such as Tetra Hubs, Agents, and Connectors will attempt to reach these endpoints at their standard URLs (for example, api.platform.tetrascience.com).

For a list of the required endpoints for these components, see Tetra Hub Allow List Endpoints and Tetra Agent Allow List Endpoints. The documentation for each Tetra Connector lists its required endpoints.
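The endpoint creation step and the DNS requirement above, as an added AWS CLI example that is not TetraScience's own tooling: it creates a security group that only admits HTTPS from your clients, creates the interface endpoint with private DNS left off (this page has you configure DNS yourself), and, once your CSM has accepted the request, records the primary DNS name, checks that it names the Region, and publishes the TDP hostnames in a Route 53 private hosted zone attached to the VPC. The only value taken from the page is api.platform.tetrascience.com. The Region, VPC, subnet and CIDR values, the vpce-svc service name (which TetraScience supplies), the zone name platform.tetrascience.com and the hostname list are assumptions and placeholders you replace with your own values and with the endpoints listed on the allow-list pages.

```shell
#!/bin/sh
# Added example, not TetraScience's own tooling. Every PLACEHOLDER below is a
# value you replace with your own; the service name is the one TetraScience
# gives you for your Region (it is not published on this page).
set -eu

# Build the Route 53 change batch that points one TDP hostname at the
# endpoint's primary DNS name. Free of AWS calls so it can be reviewed first.
route53_change_batch() {
  hostname="$1"; endpoint_dns="$2"
  printf '{"Comment":"TDP via PrivateLink","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$hostname" "$endpoint_dns"
}

# The primary DNS name you record must name the VPC's Region (see the
# IMPORTANT note above); this check fails early if it does not.
endpoint_dns_matches_region() {
  endpoint_dns="$1"; region="$2"
  case "$endpoint_dns" in
    *".$region."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: a security group limited to HTTPS from your clients, then the
# interface endpoint in the subnets whose AZ IDs you gave TetraScience.
# Private DNS stays off because this page has you configure DNS yourself.
create_tdp_endpoint() {
  region="$1"; vpc_id="$2"; service_name="$3"; client_cidr="$4"; subnet_ids="$5"
  sg_id=$(aws ec2 create-security-group --region "$region" --vpc-id "$vpc_id" \
    --group-name tdp-privatelink --description "TDP PrivateLink endpoint" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$region" --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$client_cidr" >/dev/null
  # $subnet_ids is intentionally unquoted: it is a space-separated list.
  aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface --service-name "$service_name" \
    --subnet-ids $subnet_ids --security-group-ids "$sg_id" \
    --no-private-dns-enabled \
    --query VpcEndpoint.VpcEndpointId --output text
}

# Step 2 (after your CSM has accepted the request): read the primary DNS name,
# check it, and publish the TDP hostnames in a private hosted zone attached to
# the VPC. DnsEntries[0] is the regional name; the rest are per-AZ names.
publish_tdp_dns() {
  region="$1"; vpc_id="$2"; vpce_id="$3"; zone_name="$4"; hostnames="$5"
  state=$(aws ec2 describe-vpc-endpoints --region "$region" --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].State' --output text)
  [ "$state" = "available" ] || { echo "endpoint $vpce_id is $state, not available" >&2; return 1; }
  endpoint_dns=$(aws ec2 describe-vpc-endpoints --region "$region" --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)
  endpoint_dns_matches_region "$endpoint_dns" "$region" \
    || { echo "primary DNS name $endpoint_dns does not name Region $region" >&2; return 1; }
  echo "Record this primary DNS name: $endpoint_dns"
  zone_id=$(aws route53 create-hosted-zone --name "$zone_name" \
    --caller-reference "tdp-privatelink-$(date +%s)" \
    --hosted-zone-config PrivateZone=true \
    --vpc VPCRegion="$region",VPCId="$vpc_id" \
    --query HostedZone.Id --output text)
  for h in $hostnames; do
    aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
      --change-batch "$(route53_change_batch "$h" "$endpoint_dns")" >/dev/null
  done
}

# Nothing runs unless you opt in, so the file can be sourced and reviewed first.
if [ "${TDP_PRIVATELINK_STEP:-}" = "create" ]; then
  create_tdp_endpoint "us-east-1" "vpc-PLACEHOLDER" \
    "com.amazonaws.vpce.us-east-1.vpce-svc-PLACEHOLDER" \
    "10.0.0.0/16" "subnet-PLACEHOLDER-A subnet-PLACEHOLDER-B"
elif [ "${TDP_PRIVATELINK_STEP:-}" = "dns" ]; then
  publish_tdp_dns "us-east-1" "vpc-PLACEHOLDER" "vpce-PLACEHOLDER" \
    "platform.tetrascience.com" "api.platform.tetrascience.com"
fi
```

Run it with TDP_PRIVATELINK_STEP=create first; the endpoint sits in pendingAcceptance until your CSM accepts it, so wait for their confirmation before TDP_PRIVATELINK_STEP=dns, which refuses to continue while the state is anything other than available. A private hosted zone answers only for the records you create in it: any other hostname under platform.tetrascience.com that your Hubs, Agents or Connectors need (see the allow-list pages) must be added to the hostname list as well, or it will not resolve from inside the VPC.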