URL Whitelisting

The Data Hub uses several URLs split into these four categories:

  • Category 1: AWS endpoints used by the Data Hub and AWS SSM agent
  • Category 2: Endpoints used by connectors
  • Category 3: Endpoints used by agents
  • Category 4: Endpoints used by the Data Hub installer

Category 1: AWS endpoints used by the Data Hub and AWS SSM agent. These endpoints are used by the AWS SSM agent daemon installed on the Data Hub machine. All of them must be reachable on the standard HTTPS port (443):

ssm.[region].amazonaws.com
logs.[region].amazonaws.com
monitoring.[region].amazonaws.com
ssmmessages.[region].amazonaws.com
ec2messages.[region].amazonaws.com
s3.[region].amazonaws.com
sns.[region].amazonaws.com
sqs.[region].amazonaws.com

The Data Hub must refresh its AWS credentials periodically because they expire after one hour. Therefore, the AWS IoT credentials endpoint must also be reachable from the Data Hub machine on the standard HTTPS port (443):

  • *.credentials.iot.[region].amazonaws.com

  • [region] is the AWS region where the TetraScience stack is deployed. TetraScience uses us-east-1 for multi-tenant deployments.

NOTE: The leading * in the URL is a wildcard. The actual host name of the machine where the endpoint is deployed depends on the AWS account and the region used for the platform deployment. If the actual name is required, please refer to this document to learn how to obtain the FQDN of the credentials endpoint using the AWS CLI.

Finally, the Data Hub also needs access to the following Amazon ECR endpoints to pull Docker images:

ecr.us-east-1.amazonaws.com
api.ecr.us-east-1.amazonaws.com
753968983172.dkr.ecr.us-east-1.amazonaws.com
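As an added example (not TetraScience code), the following Python builds the Category 1 allowlist for a region from the templates above and then matches host names against it on whole DNS labels, so that a look-alike such as s3.us-east-1.amazonaws.com.attacker.example is rejected; the rule that the * entry matches any leading labels but not the bare parent name is an assumption about how a proxy or firewall should read it, and the TCP/443 probe is a pre-installation reachability check.

```python
import socket

# Category 1 entries exactly as listed on this page; "[region]" is a placeholder.
CATEGORY1_TEMPLATES = [
    "ssm.[region].amazonaws.com",
    "logs.[region].amazonaws.com",
    "monitoring.[region].amazonaws.com",
    "ssmmessages.[region].amazonaws.com",
    "ec2messages.[region].amazonaws.com",
    "s3.[region].amazonaws.com",
    "sns.[region].amazonaws.com",
    "sqs.[region].amazonaws.com",
    "*.credentials.iot.[region].amazonaws.com",  # leading "*" is a wildcard label
]

# ECR endpoints as given on the page (fixed to us-east-1, no placeholder).
ECR_ENDPOINTS = [
    "ecr.us-east-1.amazonaws.com",
    "api.ecr.us-east-1.amazonaws.com",
    "753968983172.dkr.ecr.us-east-1.amazonaws.com",
]


def build_allowlist(region: str) -> list[str]:
    """Substitute the region into the templates and append the ECR entries."""
    return [t.replace("[region]", region) for t in CATEGORY1_TEMPLATES] + ECR_ENDPOINTS


def is_allowed(hostname: str, allowlist: list[str]) -> bool:
    """Match on whole DNS labels, never on substrings: a plain entry must equal
    the host exactly; a "*." entry (assumed semantics) matches any number of
    leading labels but not the bare parent name."""
    host = hostname.rstrip(".").lower()
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] keeps the leading dot
                return True
        elif host == entry:
            return True
    return False


def reachable_on_443(hostname: str, timeout: float = 3.0) -> bool:
    """Pre-installation probe: can this machine open TCP/443 to the endpoint?"""
    try:
        with socket.create_connection((hostname, 443), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `reachable_on_443(h)` over `build_allowlist(region)` from the Data Hub machine itself to confirm the firewall or proxy rules before starting the installer.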

Category 2: Endpoints used by connectors. Depending on which connectors are planned for the Data Hub, an additional set of URLs must be reachable from the Data Hub machine.

  • The GDC connector relies on AWS infrastructure; no additional URL is needed.
  • The Cellario connector needs access to the Cellario URLs that it connects to and polls for new data. Cellario software may be part of the internal network; if so, no additional configuration is needed. If it is deployed externally, those URLs must be whitelisted.
  • The SDC connector needs access to the SDC URLs that it connects to and polls for new data. As with Cellario, SDC is usually deployed in the internal network but can be in an external network. For an external network, the target SDC URLs must be whitelisted.

Category 3: Endpoints used by agents. The following Tetra Agents use the AWS endpoints listed in the table below:

  • Tetra Chromeleon Agent
  • Tetra Empower Agent
  • Tetra File-Log Agent
  • Tetra LabX Agent
  • Tetra UNICORN Agent

AWS Endpoint                       Description                                                          When Required
---------------------------------  -------------------------------------------------------------------  ---------------------------------------------------
s3.[region].amazonaws.com          Uploads files                                                        When the Enable S3 Direct Upload option is selected
sqs.[region].amazonaws.com         Fetches the command message and then returns the command processing  When the Enable Queue option is selected
                                   status
logs.[region].amazonaws.com        Posts Agent Heart Beats and Agent logs                               When the Enable S3 Direct Upload option is selected
monitoring.[region].amazonaws.com  Sends Metrics Data (such as CPU, Memory, and Disk Usage)             When the Enable S3 Direct Upload option is selected

The Tetra IoT Agent does not connect to any AWS services directly; however, it does connect to the IoT server-side services, which require AWS endpoints. Additionally, the Tetra IoT Agent requires VPC endpoints.

Category 4: Endpoints used by the Data Hub installation script (software prerequisites). These URLs are needed only if the related software is not pre-installed on the machine; they are required at the time of Data Hub installation and activation:
