Tetra Agent Allow List Endpoints
Tetra Agents must have access to at least one of the following endpoints:
- Your Tetra Data Platform (TDP) API (for example, platform.tetrascience.com)
- A Tetra Hub with Agent access configured on forward and reverse proxy ports
- A Tetra Data Hub with Agent access configured on a Generic Data Connector (GDC) and Tetra L7 Proxy Connector
Tetra Hub Agent Connection Requirements
If your Tetra Hub acts as a proxy for Tetra Agents, only the Hub must have access to those Agents' required endpoints. This includes the TDP API endpoint for your deployment (for example, platform.tetrascience.com).
The Agent only needs access to the Hub.
Tetra Data Hub Agent Connection Requirements
If your Tetra Data Hub acts as a proxy for Tetra Agents and you plan to use the Archive and Delete feature in Tetra File-Log Agent v4.4.0 or higher, your TDP API endpoint (for example, platform.tetrascience.com) must be accessible from the Agent host, or from the Data Hub host if you're using a Tetra L7 Proxy Connector.
The File-Log Agent will use the Get File Information API endpoint to verify files are securely stored in the TDP before archiving or deleting them.
Required Agent Allow List Endpoints
If you select the recommended S3 Direct Upload or Receive Commands options during Agent deployment, then the Agent must have access to the following endpoints, either directly or through a proxy.
Required Endpoints for the S3 Direct Upload Option
For Uploading Data to Amazon S3
https://[infrastructure name]-[environment]-datalake.s3.[region].amazonaws.com
https://[infrastructure name]-[environment]-backup.s3.[region].amazonaws.com
https://[infrastructure name]-[environment]-events.s3.[region].amazonaws.com
https://[infrastructure name]-[environment]-datalake.s3.amazonaws.com
NOTE
The global Data Lake endpoint (https://[infrastructure name]-[environment]-datalake.s3.amazonaws.com) is required because some legacy TetraScience components, such as certain task scripts, still use the global Amazon S3 endpoint format when generating presigned URLs. This global endpoint requirement may be removed in future TDP versions once all legacy components are updated to use only Regional endpoints.
For Deployments in AWS Region us-east-1 that use S3 Direct Upload
If your TDP deployment is in AWS Region us-east-1, you must also include the following Amazon S3 global endpoints to use the S3 Direct Upload option:
https://[infrastructure name]-[environment]-backup.s3.amazonaws.com
https://[infrastructure name]-[environment]-events.s3.amazonaws.com
NOTE
If you have a customer-hosted TDP deployment, you can find these Amazon Simple Storage Service (Amazon S3) bucket names in the Amazon S3 console.
For Posting Agent heartbeats and logs
https://logs.[region].amazonaws.com
For sending metrics data (such as CPU, memory, and disk usage)
https://monitoring.[region].amazonaws.com
Required Endpoints for the Receive Commands Option
For fetching the command message and then returning the command processing status
https://sqs.[region].amazonaws.com
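The following added example (not TetraScience code) expands the endpoint templates above into a concrete allow list for one deployment, including the us-east-1 additions, and checks which entries are blocked on TCP 443 from the host where it runs. The function names and the "acme"/"prod" values are constructed placeholders, and the port 443 probe is an assumption based on the https:// scheme of the listed endpoints.

```python
import socket
from urllib.parse import urlparse

def agent_allow_list(infra, env, region, s3_direct_upload=True, receive_commands=True):
    """Expand the endpoint templates listed above into concrete URLs."""
    prefix = f"https://{infra}-{env}"
    urls = []
    if s3_direct_upload:
        # Regional bucket endpoints for uploading data to Amazon S3.
        urls += [f"{prefix}-{b}.s3.{region}.amazonaws.com"
                 for b in ("datalake", "backup", "events")]
        # Global Data Lake endpoint, still needed for legacy presigned URLs.
        urls.append(f"{prefix}-datalake.s3.amazonaws.com")
        if region == "us-east-1":
            # us-east-1 deployments also need the global backup/events endpoints.
            urls += [f"{prefix}-{b}.s3.amazonaws.com" for b in ("backup", "events")]
        # Heartbeats/logs and metrics (listed under the S3 Direct Upload option).
        urls += [f"https://logs.{region}.amazonaws.com",
                 f"https://monitoring.{region}.amazonaws.com"]
    if receive_commands:
        # Fetching command messages and returning processing status.
        urls.append(f"https://sqs.{region}.amazonaws.com")
    return urls

def unreachable(urls, connect=socket.create_connection, timeout=5):
    """Return the URLs whose host refuses or times out on TCP 443.

    A successful connect only proves the network path is open; it does not
    validate TLS interception, proxy authentication, or bucket permissions.
    """
    failed = []
    for url in urls:
        host = urlparse(url).hostname
        try:
            connect((host, 443), timeout).close()
        except OSError:
            failed.append(url)
    return failed

if __name__ == "__main__":
    # Constructed placeholder values; substitute your deployment's own.
    for url in agent_allow_list("acme", "prod", "us-east-1"):
        print(url)
```

Run the check from the Agent host for direct connections, or from the Hub host when the Hub proxies Agent traffic.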
Connect an Agent Using AWS PrivateLink
If your network requirements don't allow the Agent access to the required TDP or AWS endpoints through the internet and the Agent is hosted in an Amazon VPC, you can use AWS PrivateLink to securely provide access to those endpoints.
To set up AWS PrivateLink for TDP endpoints, see AWS Private Link Connections.
To set up AWS PrivateLink for AWS endpoints, reference the example Amazon ECS Agent setup in Amazon ECS interface VPC endpoints (AWS PrivateLink) in the AWS documentation. The procedure is specific to setting up AWS PrivateLink for the required Amazon ECS endpoints, but is broadly applicable and can be applied across all of the required AWS endpoints.