Tetra Data Hub Allow List Endpoints
Three types of endpoints must be added to your organization's allow list before you can use a Tetra Data Hub:
NOTE
For the endpoints listed in this topic, [region] is the AWS Region where the TetraScience stack is deployed. TetraScience uses us-east-1 for Tetra hosted deployments.
Required AWS Endpoints
IMPORTANT
Make sure that all of the following endpoints are visible through standard HTTPS port 443.
Endpoints Required for the SSM Agent
The AWS Systems Manager Agent (SSM Agent) installed on the Hub machine uses the following endpoints:
For Remote Management of the Host Machine by AWS Systems Manager
https://ssm.[region].amazonaws.com
https://ssmmessages.[region].amazonaws.com
https://ec2messages.[region].amazonaws.com
For Shipping Connector Logs to Amazon CloudWatch
https://logs.[region].amazonaws.com
For Shipping Metrics to Amazon CloudWatch
https://monitoring.[region].amazonaws.com
For Downloading Configuration and Upload Data to Amazon S3
https://s3.[region].amazonaws.com
For Sending Notifications about Tetra Data Hub Status to Amazon SNS
https://sns.[region].amazonaws.com
For Receiving and Replying to Commands for Tetra Data Hub, Its Connectors, and Agents
https://sqs.[region].amazonaws.com
Endpoints Required for AWS IoT Credentials
Tetra Data Hub must refresh AWS IoT credentials periodically, because the credentials expire after one hour. For this reason, any AWS IoT credentials endpoints visible to the Hub machine must also be visible through standard HTTPS port 443.
AWS IoT credentials endpoints are in the following format:
https://*.credentials.iot.[region].amazonaws.com
NOTE
The * value at the beginning of the URL is a general value. The actual name of the machine where the endpoint is deployed depends on the AWS account and Region that you used for platform deployment.
If your setup requires a Fully Qualified Domain Name (FQDN) instead of a general value, use the AWS Command Line Interface (AWS CLI) to run the AWS describe-endpoint command. The command returns the
endpointAddress
that you use to request security tokens.
Endpoints Required for Amazon ECR
To pull required Docker images, Tetra Data Hub must have access to the following Amazon Elastic Container Registry (Amazon ECR) endpoints:
For Connecting to the Main Amazon ECR Endpoints in the AWS Region Where the TDP Stores Docker Images
https://ecr.us-east-1.amazonaws.com
https://api.ecr.us-east-1.amazonaws.com
For Connecting to the Account-Specific Amazon ECR Endpoint
https://753968983172.dkr.ecr.us-east-1.amazonaws.com
Required Connector Endpoints
The following Tetra Connectors need additional endpoints added to the Data Hub machine's allow list, based on the specific integration:
NOTE
Tetra Connectors that aren't included in the following list rely on AWS infrastructure, and don't require additional URLs.
- Tetra HRB Cellario Connector must have access to the Cellario URLs it connects to and polls for new data. However, if your Cellario software is part of an internal network, then no additional allow list configuration is needed.
- Tetra AGU SDC Connector must have access to the SDC URLs it connects to and polls for new data. However, if your SDC software is part of an internal network, then no additional allow list configuration is needed.
Required Tetra Data Hub Installer Endpoints
NOTE
The following endpoints are required at the time of Tetra Data Hub installation and activation.
Ubuntu Linux
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
https://objects.githubusercontent.com/*
https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
- Ubuntu access to its own software source URLs in order to install: Unzip, Python, and Docker
Red Hat and CentOs Linux
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
https://objects.githubusercontent.com/*
https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-3.el7.noarch.rpm
https://download.docker.com/linux/centos/docker-ce.repo
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
- (For CentOS)
https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm
- (For CentOS)
https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/centos/amd64/latest/amazon-cloudwatch-agent.rpm
- (For Red Hat)
https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm
- (For Red Hat)
https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/redhat/amd64/latest/amazon-cloudwatch-agent.rpm
Certificates Access
https://www.amazontrust.com/repository/AmazonRootCA1.pem
Endpoint Allow List for Tetra Agents When Using a Tetra Data Hub
If your Hub acts as a proxy for Tetra Agents, the Hub must have access to those Agents' required endpoints.
Updated 5 months ago