AWS Deployment Requirements

Before you install the Tetra Data Platform (TDP), you must meet the following AWS deployment requirements:

  • AWS Account and Networking
  • AWS Account Permissions
  • Network Connectivity
  • TLS Certificate
  • AWS SES (Simple Email Service)
  • AWS CloudTrail

AWS Account and Networking Requirements

These are the AWS account and networking requirements:

  • You must have one dedicated AWS Account for the Tetra Data Platform (TDP).
  • All of the AWS services that the TDP uses must be allowed and enabled in that account (for example, not denied by an organization policy). See the list of required AWS services for the TDP.
  • The production environment must have at least two private subnets of /23 or larger, each in a different Availability Zone.
  • The development and test environments must have at least two private subnets of /24 or larger, each in a different Availability Zone.
  • The VPC DHCP option set must use only the AWS-provided DNS servers (AmazonProvidedDNS) so that Route 53 domains resolve. Internal (corporate or on-premises) domains must be resolved through Route 53 Resolver forwarding rules, not by adding internal resolvers to the DHCP option set.


Recommendation

TetraScience recommends one dedicated AWS account per environment. To learn more, see the AWS whitepaper Benefits of using multiple AWS accounts.

However, to streamline administration, you can run multiple environments in the same AWS account in different regions; this trades account-level isolation between environments for simpler administration. See the list of supported regions. If a region is not on that list, contact your Customer Success Manager (CSM).

AWS Account Permission Requirements

These are the AWS account permission requirements:

  • The person performing the installation and upgrades must have administrator (or equivalent) IAM permissions for all of the services the TDP uses, for the duration of the installation or upgrade.
  • Before you deploy the TDP, review the Security and AWS IAM pages.

Network Connectivity Requirements

These are the network connectivity requirements:

  • If direct routing to the Internet is allowed, you need:
    • Outbound TCP 443 access from within the VPC to all of the AWS endpoints in the VPC Endpoints list, plus AWS IAM and STS.

  • If direct routing to the Internet is not allowed, you need:

    • VPC endpoints for the services in the VPC Endpoints list.
    • An HTTPS proxy reachable from the VPC for the calls to AWS IAM and STS, which the TDP does not route through VPC endpoints. The proxy must meet the following criteria:
      • It must not require proxy authentication.
      • It must remain available for the lifetime of the TDP installation.
      • It must not perform SSL/TLS inspection (that is, the TDP must not need to trust any additional CA certificate).
    • An S3 Gateway VPC endpoint, to reduce the data transfer cost between the VPC and S3. See the AWS instructions for gateway endpoints.
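The subnet, DNS and VPC endpoint requirements above can be checked before the installer runs. The following preflight script is an added example, not TetraScience code: it validates data in the shape returned by the EC2 API (describe_subnets, describe_dhcp_options and describe_vpc_endpoints) and runs offline against the constructed samples below; in practice you would pass it the real boto3 responses. The list of required endpoint services is a placeholder assumption, to be replaced with the TDP VPC Endpoints list.

```python
"""Preflight check for the TDP VPC requirements (added example, not TetraScience code)."""
import ipaddress

# Minimum private-subnet size per environment, from the requirements above.
MIN_SUBNET_PREFIX = {"production": 23, "development": 24, "test": 24}


def check_private_subnets(subnets, environment):
    """Return problems (empty list = OK) for the "Subnets" list of describe_subnets().

    A subnet is treated as private when it does not auto-assign public IPs; the
    real test is its route table (no 0.0.0.0/0 route to an internet gateway),
    so confirm that separately.
    """
    min_prefix = MIN_SUBNET_PREFIX[environment]
    private = [s for s in subnets if not s.get("MapPublicIpOnLaunch", False)]
    # "/23 or larger" means a prefix length of 23 or less (more addresses).
    big_enough = [s for s in private
                  if ipaddress.ip_network(s["CidrBlock"]).prefixlen <= min_prefix]
    zones = sorted({s["AvailabilityZone"] for s in big_enough})
    if len(big_enough) < 2 or len(zones) < 2:
        return [f"{environment}: need two or more private subnets of /{min_prefix} or larger "
                f"in different AZs; found {len(big_enough)} in {zones}"]
    return []


def check_dhcp_options(dhcp_options):
    """Check one entry of describe_dhcp_options()["DhcpOptions"]: only the
    AWS-provided resolver may be listed (internal zones go via Resolver rules)."""
    servers = []
    for cfg in dhcp_options["DhcpConfigurations"]:
        if cfg["Key"] == "domain-name-servers":
            servers = [v["Value"] for v in cfg["Values"]]
    if servers != ["AmazonProvidedDNS"]:
        return [f"domain-name-servers must be exactly ['AmazonProvidedDNS'], got {servers}"]
    return []


def check_vpc_endpoints(endpoints, required_services):
    """Check the "VpcEndpoints" list of describe_vpc_endpoints(): every required
    service needs an 'available' endpoint, and S3 should be a Gateway endpoint
    (an Interface endpoint for S3 works but is billed, hence the cost note above)."""
    available = {e["ServiceName"]: e for e in endpoints if e["State"] == "available"}
    problems = [f"missing VPC endpoint for {svc}"
                for svc in sorted(required_services) if svc not in available]
    for svc, ep in available.items():
        if svc.endswith(".s3") and ep["VpcEndpointType"] != "Gateway":
            problems.append(f"{svc} is an {ep['VpcEndpointType']} endpoint; use a Gateway endpoint")
    return problems


def run_preflight(subnets, dhcp_options, endpoints, environment, required_services):
    """Aggregate all checks; an empty list means the VPC meets the requirements."""
    return (check_private_subnets(subnets, environment)
            + check_dhcp_options(dhcp_options)
            + check_vpc_endpoints(endpoints, required_services))


# ---- constructed sample data (not from a real account) ----
REGION = "us-east-1"
REQUIRED_SERVICES = {  # placeholder assumption: substitute the TDP VPC Endpoints list
    f"com.amazonaws.{REGION}.s3", f"com.amazonaws.{REGION}.ecr.api",
    f"com.amazonaws.{REGION}.ecr.dkr", f"com.amazonaws.{REGION}.logs",
}
GOOD_SUBNETS = [
    {"SubnetId": "subnet-aaa", "CidrBlock": "10.20.0.0/23", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-bbb", "CidrBlock": "10.20.2.0/23", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-pub", "CidrBlock": "10.20.4.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
]
# Two /24s in the same AZ: too small for production and in only one AZ for dev/test.
BAD_SUBNETS = [
    {"SubnetId": "subnet-ccc", "CidrBlock": "10.30.0.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-ddd", "CidrBlock": "10.30.1.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
]
GOOD_DHCP = {"DhcpConfigurations": [{"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}]}
BAD_DHCP = {"DhcpConfigurations": [{"Key": "domain-name-servers",
                                    "Values": [{"Value": "AmazonProvidedDNS"}, {"Value": "10.0.0.2"}]}]}
GOOD_ENDPOINTS = [{"ServiceName": s, "State": "available",
                   "VpcEndpointType": "Gateway" if s.endswith(".s3") else "Interface"}
                  for s in REQUIRED_SERVICES]
BAD_ENDPOINTS = [{"ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available",
                  "VpcEndpointType": "Interface"}]

if __name__ == "__main__":
    for label, args in [("good", (GOOD_SUBNETS, GOOD_DHCP, GOOD_ENDPOINTS)),
                        ("bad", (BAD_SUBNETS, BAD_DHCP, BAD_ENDPOINTS))]:
        problems = run_preflight(*args, "production", REQUIRED_SERVICES)
        print(label, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run it against real data by replacing the sample lists with `ec2.describe_subnets()["Subnets"]` (filtered to the TDP VPC), the VPC's DHCP options entry, and `ec2.describe_vpc_endpoints()["VpcEndpoints"]`; a non-empty result lists exactly which requirement is unmet.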

TLS Certificate

You must have one certificate that covers both of these domain names (as the subject name or as Subject Alternative Names):

  • platform-domain-name
  • api.platform-domain-name

A wildcard name for *.platform-domain-name covers api.platform-domain-name but not the bare platform-domain-name, so the bare name must be listed explicitly. The certificate must be imported into or issued by AWS Certificate Manager (ACM).
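The following check is an added example, not TetraScience code. It verifies that a certificate record in the shape returned by ACM's describe_certificate (DomainName, SubjectAlternativeNames, Status) covers both required host names, applying the single-label wildcard matching that TLS clients use, so that a wildcard-only certificate is correctly reported as not covering the bare platform domain. The platform domain and certificate records below are constructed samples.

```python
"""ACM certificate coverage check for the TDP (added example, not TetraScience code)."""


def hostname_covered(hostname, names):
    """Match a host against certificate names the way TLS clients do (RFC 6125):
    an exact match, or a leading wildcard label that stands in for exactly one
    DNS label. '*.tdp.example.com' covers 'api.tdp.example.com' but not
    'tdp.example.com' or 'x.api.tdp.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*."):
            suffix = n[1:]  # ".tdp.example.com"
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def check_tdp_certificate(cert, platform_domain):
    """Return problems (empty list = OK) for the certificate the TDP will use.
    `cert` is the "Certificate" dict from acm.describe_certificate(); it must be
    ISSUED and cover platform-domain-name and api.platform-domain-name.
    ACM certificates are regional, so describe it in the deployment region."""
    required = [platform_domain, f"api.{platform_domain}"]
    names = {cert["DomainName"], *cert.get("SubjectAlternativeNames", [])}
    problems = []
    if cert.get("Status") != "ISSUED":
        problems.append(f"certificate status is {cert.get('Status')}, expected ISSUED")
    for host in required:
        if not hostname_covered(host, names):
            problems.append(f"{host} is not covered by {sorted(names)}")
    return problems


# ---- constructed samples (not real certificates) ----
PLATFORM = "tdp.example.com"
CERT_OK = {"DomainName": "tdp.example.com",
           "SubjectAlternativeNames": ["tdp.example.com", "api.tdp.example.com"],
           "Status": "ISSUED"}
# A wildcard alone misses the bare platform domain.
CERT_WILDCARD_ONLY = {"DomainName": "*.tdp.example.com",
                      "SubjectAlternativeNames": ["*.tdp.example.com"],
                      "Status": "ISSUED"}
# Apex only, and still awaiting DNS validation.
CERT_APEX_PENDING = {"DomainName": "tdp.example.com",
                     "SubjectAlternativeNames": ["tdp.example.com"],
                     "Status": "PENDING_VALIDATION"}

if __name__ == "__main__":
    for label, cert in [("ok", CERT_OK), ("wildcard only", CERT_WILDCARD_ONLY),
                        ("apex pending", CERT_APEX_PENDING)]:
        print(label, check_tdp_certificate(cert, PLATFORM) or "OK")
```

To run it against a real certificate, pass `acm.describe_certificate(CertificateArn=arn)["Certificate"]` from a boto3 client in the deployment region.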

AWS SES (Simple Email Service)

These are the AWS SES requirements:

  • The TDP uses AWS SES to send notification emails, such as pipeline result status. The sender email address must be a valid address that has been verified as an identity in SES (follow the AWS SES identity verification procedure).
  • You must submit a support ticket with AWS to move SES out of sandbox mode (as documented by AWS). While in the sandbox, SES only delivers to verified addresses and enforces low sending quotas, so notifications to ordinary users would not be delivered.

AWS CloudTrail

You must enable the AWS CloudTrail service.


Tetra Agents and Data Hub

If you will use a Tetra Agent and the Data Hub to extract data from your systems, be aware that they have their own requirements. Those requirements do not have to be met to deploy the TDP itself, but they must be met before you install the Tetra Agent and set up the Data Hub. For details, see the Data Hub documentation and the Basic Agent documentation.