VPC Endpoints

If the private subnets where the Tetra Data Platform will be deployed are restricted and have no outbound access to the Internet, then TetraScience needs to enable the following VPC endpoints. They let resources in the private subnets reach the required AWS service endpoints over the AWS network instead of through the Internet. All of the services listed are interface (PrivateLink) endpoints, except S3, which can also be a gateway endpoint attached to the subnets' route tables. An interface endpoint only works if its security group allows inbound TCP 443 from the private subnets and private DNS is enabled, so that the default service hostnames (for example the ECR registry hostname) resolve to the endpoint instead of the public address.

com.amazonaws.<REGION>.ecr.dkr
com.amazonaws.<REGION>.monitoring
com.amazonaws.<REGION>.cloudformation
com.amazonaws.<REGION>.athena
com.amazonaws.<REGION>.sqs
com.amazonaws.<REGION>.ssmmessages
com.amazonaws.<REGION>.iotsitewise.data
com.amazonaws.<REGION>.ec2messages
com.amazonaws.<REGION>.ecs-agent
com.amazonaws.<REGION>.glue
com.amazonaws.<REGION>.ecr.api
com.amazonaws.<REGION>.logs
com.amazonaws.<REGION>.ssm
com.amazonaws.<REGION>.sns
com.amazonaws.<REGION>.s3
com.amazonaws.<REGION>.sts
com.amazonaws.<REGION>.ecs-telemetry
com.amazonaws.<REGION>.ecs
com.amazonaws.<REGION>.kms
com.amazonaws.<REGION>.email-smtp
com.amazonaws.<REGION>.ec2
com.amazonaws.<REGION>.codebuild
com.amazonaws.<REGION>.lambda
com.amazonaws.<REGION>.secretsmanager

Additionally, some services running in the private subnets also need to reach the IAM endpoint (iam.amazonaws.com). IAM is a global service, and AWS does not provide a VPC endpoint for it.

To provide this access, use one of the following:

  • Option 1: Allow the private subnets to reach iam.amazonaws.com over HTTPS (TCP 443) through the Internet, for example via a NAT gateway, or
  • Option 2: If option 1 is not possible, configure the TDP service to use a proxy server to reach that endpoint. If you use option 2, share the proxy server details (such as host and port) with TetraScience.
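The following script is an added example written for this page; it is not TetraScience's code and not part of TDP. It audits a VPC for the endpoint list above, creates whatever is missing, and checks whether iam.amazonaws.com is reachable directly or through a proxy (the Option 1 / Option 2 question). It assumes the AWS CLI v2 is installed with credentials that may call ec2:DescribeVpcEndpoints and ec2:CreateVpcEndpoint, that the region comes from AWS_REGION, and (a design choice, not something the page specifies) that S3 is created as a gateway endpoint while every other service is an interface endpoint with private DNS enabled. The subnet, security group and route table IDs are passed in by the operator.

```shell
#!/usr/bin/env bash
# Added example, not part of the TetraScience documentation or of TDP.
# Audits a VPC for the endpoints listed above, creates the missing ones, and
# checks the path to iam.amazonaws.com (for which no VPC endpoint is used).
# Assumptions: region from AWS_REGION; S3 as a Gateway endpoint on the given
# route tables; all other services as Interface endpoints with private DNS on.
set -eu

REGION="${AWS_REGION:-us-east-1}"

# Service suffixes exactly as listed on the page; <REGION> is filled in later.
REQUIRED_SERVICES="ecr.dkr monitoring cloudformation athena sqs ssmmessages
iotsitewise.data ec2messages ecs-agent glue ecr.api logs ssm sns s3 sts
ecs-telemetry ecs kms email-smtp ec2 codebuild lambda secretsmanager"

# required_service_names REGION -> one com.amazonaws.<REGION>.<svc> per line
required_service_names() {
  local svc
  for svc in $REQUIRED_SERVICES; do
    printf 'com.amazonaws.%s.%s\n' "$1" "$svc"
  done
}

# missing_endpoints REGION EXISTING_FILE
#   EXISTING_FILE holds one service name per line (what the VPC already has).
#   Prints the required names that are absent, sorted, one per line.
missing_endpoints() {
  local want
  want="$(mktemp)"
  required_service_names "$1" | sort > "$want"
  sort -u "$2" | comm -23 "$want" -
  rm -f "$want"
}

# endpoint_type SERVICE_NAME -> Gateway for S3, Interface for everything else
endpoint_type() {
  case "$1" in
    *.s3) echo Gateway ;;
    *)    echo Interface ;;
  esac
}

# existing_service_names VPC_ID -> service names already attached to the VPC
existing_service_names() {
  aws ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=vpc-id,Values=$1" \
    --query 'VpcEndpoints[].ServiceName' --output text | tr '\t' '\n' | sed '/^$/d'
}

# create_missing VPC_ID "SUBNET_IDS" SG_ID "ROUTE_TABLE_IDS"
#   The security group must allow inbound TCP 443 from the private subnets,
#   otherwise the interface endpoints are created but unreachable.
create_missing() {
  local vpc_id="$1" subnets="$2" sg="$3" rtbs="$4" have svc
  have="$(mktemp)"
  existing_service_names "$vpc_id" > "$have"
  for svc in $(missing_endpoints "$REGION" "$have"); do
    if [ "$(endpoint_type "$svc")" = Gateway ]; then
      aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$vpc_id" \
        --vpc-endpoint-type Gateway --service-name "$svc" \
        --route-table-ids $rtbs
    else
      aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$vpc_id" \
        --vpc-endpoint-type Interface --service-name "$svc" \
        --subnet-ids $subnets --security-group-ids "$sg" --private-dns-enabled
    fi
  done
  rm -f "$have"
}

# iam_reachable [PROXY_URL] -> exit 0 if an HTTPS connection to
#   iam.amazonaws.com completes (any HTTP status counts: an unsigned request
#   still gets a 4xx answer), non-zero if the path is blocked.
#   Run it from inside the private subnet; pass the proxy URL to test Option 2.
iam_reachable() {
  local proxy_args=""
  if [ $# -gt 0 ]; then proxy_args="--proxy $1"; fi
  curl -sS -o /dev/null --max-time 10 $proxy_args https://iam.amazonaws.com/
}

# Usage: audit VPC_ID | create VPC_ID "subnet-a subnet-b" sg-xxx "rtb-a rtb-b" | iam [PROXY_URL]
case "${1:-}" in
  audit)  have="$(mktemp)"; existing_service_names "$2" > "$have"
          missing_endpoints "$REGION" "$have"; rm -f "$have" ;;
  create) create_missing "$2" "$3" "$4" "$5" ;;
  iam)    shift
          if iam_reachable "$@"; then echo "iam.amazonaws.com reachable"
          else echo "iam.amazonaws.com blocked"; exit 1; fi ;;
  *)      : ;;   # no subcommand: only define the functions (sourcing, tests)
esac
```

The audit subcommand prints nothing when every endpoint is present, which makes it easy to run before handing the VPC over. The example leaves each endpoint with the default (full access) endpoint policy; an interface endpoint also accepts a custom endpoint policy, which is the place to restrict which principals and resources traffic through it may reach.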