VPC Endpoints

If the private subnets where Tetra Data Platform (TDP) will be deployed are restricted and don't have outbound access to the internet, then TetraScience needs to enable these VPC endpoints. This ensures that resources running in the private subnets can reach the required service endpoints without going through the internet.

com.amazonaws.<REGION>.ecr.dkr
com.amazonaws.<REGION>.monitoring
com.amazonaws.<REGION>.cloudformation
com.amazonaws.<REGION>.athena
com.amazonaws.<REGION>.sqs
com.amazonaws.<REGION>.ssmmessages
com.amazonaws.<REGION>.iotsitewise.data
com.amazonaws.<REGION>.ec2messages
com.amazonaws.<REGION>.ecs-agent
com.amazonaws.<REGION>.glue
com.amazonaws.<REGION>.ecr.api
com.amazonaws.<REGION>.logs
com.amazonaws.<REGION>.ssm
com.amazonaws.<REGION>.sns
com.amazonaws.<REGION>.s3
com.amazonaws.<REGION>.sts
com.amazonaws.<REGION>.ecs-telemetry
com.amazonaws.<REGION>.ecs
com.amazonaws.<REGION>.kms
com.amazonaws.<REGION>.email-smtp
com.amazonaws.<REGION>.ec2
com.amazonaws.<REGION>.codebuild
com.amazonaws.<REGION>.lambda
com.amazonaws.<REGION>.secretsmanager
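Before handing the VPC over for deployment, it is worth verifying that every service in the list above actually has an endpoint in the VPC and that each endpoint is usable. The script below is an added example (not TetraScience tooling) that takes the JSON returned by `aws ec2 describe-vpc-endpoints --vpc-id <VPC_ID>` and reports required services with no endpoint, endpoints that are not yet in the `available` state, and interface endpoints without Private DNS (without Private DNS, the default service hostnames keep resolving to public addresses, so traffic still tries to leave through the internet). The sample response embedded in the script is constructed for illustration; the region and the VPC endpoint IDs in it are placeholders.

```python
"""Audit a VPC for the endpoints TDP requires in a no-internet deployment.

Added example, not TetraScience's own code. Input is the JSON object
returned by `aws ec2 describe-vpc-endpoints --vpc-id <VPC_ID>` (the
`VpcEndpoints` list). The sample output at the bottom is constructed.
"""
import json

# Service suffixes from the documentation list (com.amazonaws.<REGION>.<suffix>).
REQUIRED_SUFFIXES = [
    "ecr.dkr", "monitoring", "cloudformation", "athena", "sqs", "ssmmessages",
    "iotsitewise.data", "ec2messages", "ecs-agent", "glue", "ecr.api", "logs",
    "ssm", "sns", "s3", "sts", "ecs-telemetry", "ecs", "kms", "email-smtp",
    "ec2", "codebuild", "lambda", "secretsmanager",
]


def required_services(region):
    """Expand the suffix list into full service names for one region."""
    return {f"com.amazonaws.{region}.{suffix}" for suffix in REQUIRED_SUFFIXES}


def audit_endpoints(region, describe_output):
    """Return (missing, problems).

    missing:  sorted required service names that have no endpoint in the VPC.
    problems: sorted "service: reason" strings for endpoints that exist but
              are not usable yet (state other than 'available', or an
              interface endpoint with Private DNS disabled).
    """
    required = required_services(region)
    seen = {ep["ServiceName"]: ep for ep in describe_output.get("VpcEndpoints", [])}
    missing = sorted(required - set(seen))

    problems = []
    for name in sorted(required & set(seen)):
        ep = seen[name]
        if ep.get("State") != "available":
            problems.append(f"{name}: state is {ep.get('State')}")
        # Gateway endpoints (S3 can be one) work via route tables and have no
        # Private DNS flag; only interface endpoints need the check.
        if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled", False):
            problems.append(f"{name}: Private DNS disabled")
    return missing, problems


# Constructed sample: a VPC where only three endpoints have been created so far.
# Region and endpoint IDs are placeholders, not values from a real account.
SAMPLE_REGION = "us-east-1"
SAMPLE_OUTPUT = json.loads("""
{
  "VpcEndpoints": [
    {"VpcEndpointId": "vpce-0example001", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcEndpointId": "vpce-0example002", "ServiceName": "com.amazonaws.us-east-1.ecr.api",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": true},
    {"VpcEndpointId": "vpce-0example003", "ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
     "VpcEndpointType": "Interface", "State": "pending", "PrivateDnsEnabled": false}
  ]
}
""")

if __name__ == "__main__":
    missing, problems = audit_endpoints(SAMPLE_REGION, SAMPLE_OUTPUT)
    print(f"Missing endpoints ({len(missing)}):")
    for name in missing:
        print("  ", name)
    print(f"Endpoints needing attention ({len(problems)}):")
    for item in problems:
        print("  ", item)
```

To run it against a real VPC, replace `SAMPLE_OUTPUT` with `json.load(open("endpoints.json"))` after saving the CLI output to that file, and set `SAMPLE_REGION` to the deployment region. The check only covers endpoint existence and DNS; the endpoint security groups still need to allow TCP 443 from the private subnets, and the endpoint policy (if not the default full-access policy) must permit the actions TDP uses.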

Additionally, some TDP services running in the private subnets need to reach the following endpoints, for which AWS does not provide a VPC endpoint:

  • iam.amazonaws.com
  • cognito-idp.<REGION>.amazonaws.com
  • email.<REGION>.amazonaws.com

To allow this, do one of the following:

  • Allow the private subnets to reach these endpoints through the internet.
  • Configure the TDP service to use a proxy server to reach these endpoints. If you use this option, make sure that you share the proxy server details with TetraScience.