AWS Deployment Requirements

To deploy the Tetra Data Platform (TDP), you must meet the following AWS deployment requirements:


Tetra Agents and Hubs

If you will be using Tetra Agents and Tetra Hubs to extract data from your systems, then you should be aware of their particular requirements. However, it is not necessary to meet those requirements to deploy the TDP, but they are required to install the Tetra Agent and set up the Hubs. For more information, see Tetra Data Hub System Requirements, Tetra Hub System Requirements, and Tetra Agents Hardware and Software Requirements.

AWS Account and Networking Requirements

The following are AWS account and networking prerequisites for deploying the TDP:

  • A dedicated AWS account for the TDP.
  • All required AWS services must be either allowed or enabled in the TDP's AWS account.
  • A production environment with at least two /23-or-larger private subnets that are in each of the different AWS Availability Zones.
  • A development and test environment that each have at least two /24-or-larger private subnets that are in each of the different Availability Zones.
  • The virtual private cloud (VPC) Dynamic Host Configuration Protocol (DHCP) option set must allow Amazon Route53 domains to resolve (the only resolvers should be AWS provided DNS servers). All internal domains should be resolved through forwards (_not _by adding the internal resolvers in the DHCP option set).



TetraScience recommends that you have one dedicated AWS account for each environment. To learn more, see the Benefits of using multiple AWS accountsAWS whitepaper.

However, to streamline administration, you can have multiple environments under the same AWS account in different AWS Regions. For more information, see Supported AWS Regions. If a Region is not on this list, please contact your customer success manager (CSM).

AWS Account Permissions Requirements

The following are AWS account permissions prerequisites for deploying the TDP:

  • Anyone performing the TDP installation and upgrades must have Admin or equivalent access for all of the required AWS services.
  • Before you deploy the TDP, make sure that you review Security and AWS IAM to understand how permissions work within the platform.

Network Connectivity Requirements

The following are network connectivity prerequisites for deploying the TDP:

  • If direct routing to the internet is allowed, you must enable outbound 443 port access from within the VPC to all AWS endpoints in the VPC Endpoints list, in addition to AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS).

  • If direct routing to the internet is not allowed, you must set up the following networking configurations:

    • VPC endpoints
    • An HTTPS proxy that is available in the VPC (as AWS IAM and AWS STS don't have VPC endpoints), and that meets the following criteria:
      • The proxy must be unauthenticated.
      • The proxy must remain available for the lifetime of the TDP installation.
      • There is no SSL/TLS inspection in place (no additional certificate trust is required).
    • Enable the Amazon Simple Storage Service (Amazon S3) VPC Gateway endpoint to reduce the data transfer cost between VPC and S3. For more information, see Gateway endpoints in the AWS Documentation.

SSL/TLS Certificate Requirements

A Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate is required to use the TDP. To set up the required certificate, do the following:

  1. Create an SSL/TLS certificate for the TDP that includes the following domain names:
    • platform-domain-name
    • api.platform-domain-name



Make sure that you replace platform-domain-name with your TDP domain name. For more information, see Certificate and key format for importing in the AWS documentation.

  1. Register the certificate with AWS Certificate Manager (ACM). To import an existing certificate, see Importing a certificate in the AWS Documentation. To create a new certificate, see Requesting a public certificate.



For Pluggable Connectors and Tetra Hubs to work in environments with self-signed or private SSL/TLS certificates, make sure that you do the following:

  1. Add the certificate authority (CA) chain for the TDP certificate to a single .pem file.
  2. Upload the .pem file to the following Amazon Simple Storage Service (Amazon S3) bucket: $stream-bucket/tdp-certificate/cert.pem

AWS Tag Policy Requirements

For Customer-hosted TDP deployments, AWS Organizations tag policies must not interfere with the AWS resource tagging performed by the TDP. TetraScience manages the tag policies for Tetra-hosted TDP deployments. To verify that your organizationโ€™s tag policies donโ€™t conflict with any TDP tagging requirements, talk to your customer success manager (CSM).

For more information, see Tag policies in the AWS documentation.

TDP AWS Organizations Tags

The following tags are added to certain AWS resources by the TDP:

orgSlug: $orgSlugYesDefines the TDP organization that the AWS resource belongs to. No resources are created that don't comply with the orgSlug: $orgSlug tag request.
environment: $environmentNo (optional)Defines the TDP organization's environment that the AWS resource belongs to. This tag is recommended, but optional.



You can scope AWS Organizations tag policies at the AWS account level. For most use cases, itโ€™s possible to modify the tag policies for TDP accounts only, without removing any tag policy protections across the organization.

Amazon SES Requirements

The following are Amazon Simple Email Service (Amazon SES) prerequisites for deploying the TDP: