VPC Endpoints

If the private subnets where TDP will be deployed are restricted and have no outbound internet access, the following VPC endpoints must be enabled so that resources running in those subnets can reach the required AWS service endpoints without traversing the internet.

com.amazonaws.<REGION>.ecr.dkr
com.amazonaws.<REGION>.monitoring
com.amazonaws.<REGION>.cloudformation
com.amazonaws.<REGION>.athena
com.amazonaws.<REGION>.sqs
com.amazonaws.<REGION>.ssmmessages
com.amazonaws.<REGION>.iotsitewise.data
com.amazonaws.<REGION>.ec2messages
com.amazonaws.<REGION>.ecs-agent
com.amazonaws.<REGION>.glue
com.amazonaws.<REGION>.ecr.api
com.amazonaws.<REGION>.logs
com.amazonaws.<REGION>.ssm
com.amazonaws.<REGION>.sns
com.amazonaws.<REGION>.s3
com.amazonaws.<REGION>.sts
com.amazonaws.<REGION>.ecs-telemetry
com.amazonaws.<REGION>.ecs
com.amazonaws.<REGION>.kms
com.amazonaws.<REGION>.email-smtp
com.amazonaws.<REGION>.ec2
com.amazonaws.<REGION>.codebuild
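One way to check an existing VPC against the list above (added example, not part of TetraScience's documentation or tooling): it parses the JSON that `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<VPC_ID>` prints and reports required endpoints that are missing, not yet available, or interface endpoints with private DNS disabled (without private DNS the default AWS hostnames resolve to public IPs the subnets cannot reach). The region `us-east-1`, the endpoint IDs and the sample output are constructed.

```python
"""Audit a VPC's endpoints against the list of services TDP requires."""
import json

REGION = "us-east-1"  # assumption for the sample; substitute your <REGION>
REQUIRED_SERVICES = [
    "ecr.dkr", "monitoring", "cloudformation", "athena", "sqs", "ssmmessages",
    "iotsitewise.data", "ec2messages", "ecs-agent", "glue", "ecr.api", "logs",
    "ssm", "sns", "s3", "sts", "ecs-telemetry", "ecs", "kms", "email-smtp",
    "ec2", "codebuild",
]

def required_service_names(region):
    """Expand the short service names into full com.amazonaws.<REGION>.* names."""
    return {f"com.amazonaws.{region}.{s}" for s in REQUIRED_SERVICES}

def audit_endpoints(describe_output, region):
    """Return {'missing': [...], 'not_available': [...], 'no_private_dns': [...]}
    from the `VpcEndpoints` array of `aws ec2 describe-vpc-endpoints` output."""
    found = {ep["ServiceName"]: ep for ep in describe_output.get("VpcEndpoints", [])}
    required = required_service_names(region)
    present = required & set(found)
    report = {"missing": sorted(required - set(found)),
              "not_available": [], "no_private_dns": []}
    for name in sorted(present):
        ep = found[name]
        if ep.get("State") != "available":
            report["not_available"].append(name)
        # Gateway endpoints (commonly used for S3) work via the subnet route table
        # and carry no private DNS flag; only interface endpoints need it enabled.
        if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled", False):
            report["no_private_dns"].append(name)
    return report

# Constructed sample output: only three of the required endpoints exist.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""{"VpcEndpoints": [
 {"VpcEndpointId": "vpce-0a1b2c3d", "VpcEndpointType": "Interface",
  "ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "available", "PrivateDnsEnabled": true},
 {"VpcEndpointId": "vpce-0e5f6a7b", "VpcEndpointType": "Interface",
  "ServiceName": "com.amazonaws.us-east-1.sts", "State": "pending", "PrivateDnsEnabled": false},
 {"VpcEndpointId": "vpce-09c8d7e6", "VpcEndpointType": "Gateway",
  "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available", "PrivateDnsEnabled": false}
]}""")

if __name__ == "__main__":
    print(json.dumps(audit_endpoints(SAMPLE_DESCRIBE_OUTPUT, REGION), indent=2))
```

Pipe the real CLI output into `json.load` in place of the sample to audit a live VPC; every name in `missing` is a service the private subnets cannot reach without internet egress.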

Some services running in the private subnets also need to reach the IAM endpoint (iam.amazonaws.com). AWS does not provide a VPC endpoint for IAM comparable to those listed above, so this reachability must be achieved in one of the following ways.

  1. The private subnets should be allowed to access this endpoint through the internet.
  2. If option 1 is not possible, the TDP service can be configured to use a proxy server to access the endpoint. Please share the proxy server details with TetraScience.