Tetra Data Hub Allow List Endpoints
Three types of endpoints (AWS endpoints, Tetra Connector endpoints, and Tetra Data Hub installer endpoints) must be added to your organization's allow list before you can use a Tetra Data Hub. Each type is described in the sections that follow.
If you're configuring a Tetra Agent on your Data Hub, see Endpoint Allow List for Tetra Agents When Using a Tetra Data Hub.
NOTE
For the endpoints listed in this topic, [region] is the AWS Region where the TetraScience stack is deployed. TetraScience uses us-east-1 for Tetra hosted deployments.
Required AWS Endpoints
IMPORTANT
Make sure that all of the following endpoints are visible through standard HTTPS port 443.
Endpoints Required for the SSM Agent
The AWS Systems Manager Agent (SSM Agent) installed on the Data Hub machine uses the following endpoints:
For Remote Management of the Host Machine by AWS Systems Manager
https://ssm.[region].amazonaws.com
https://ssmmessages.[region].amazonaws.com
https://ec2messages.[region].amazonaws.com
For Shipping Connector Logs to Amazon CloudWatch
https://logs.[region].amazonaws.com
For Shipping Metrics to Amazon CloudWatch
https://monitoring.[region].amazonaws.com
For Downloading Configuration from and Uploading Data to Amazon S3
https://s3.[region].amazonaws.com
For Sending Notifications about Tetra Data Hub Status to Amazon SNS
https://sns.[region].amazonaws.com
For Receiving and Replying to Commands for Tetra Data Hub, Its Connectors, and Agents
https://sqs.[region].amazonaws.com
Endpoints Required for AWS IoT Credentials
A Tetra Data Hub must refresh AWS IoT credentials periodically, because the credentials expire after one hour. For this reason, any AWS IoT credentials endpoints visible to the Data Hub machine must also be visible through standard HTTPS port 443.
AWS IoT credentials endpoints are in the following format:
https://*.credentials.iot.[region].amazonaws.com
NOTE
The * at the beginning of the URL is a wildcard. The actual host name of the endpoint depends on the AWS account and Region that you used for platform deployment.
If your setup requires a Fully Qualified Domain Name (FQDN) instead of a wildcard, use the AWS Command Line Interface (AWS CLI) to run the AWS IoT describe-endpoint command. The command returns the endpointAddress that you use to request security tokens.
Endpoints Required for Amazon ECR
To pull required Docker images, Tetra Data Hubs must have access to the following Amazon Elastic Container Registry (Amazon ECR) endpoints:
For Connecting to the Main Amazon ECR Endpoints in the AWS Region Where the TDP Stores Docker Images
https://ecr.us-east-1.amazonaws.com
https://api.ecr.us-east-1.amazonaws.com
For Connecting to the Account-Specific Amazon ECR Endpoint
https://753968983172.dkr.ecr.us-east-1.amazonaws.com
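To confirm that the endpoints above are actually reachable on port 443 from the Data Hub machine, and to see what kind of block is in the way when one is not, the following added script (not TetraScience code) probes a constructed subset of them. It assumes curl is installed, defaults REGION to us-east-1, and skips the wildcard AWS IoT credentials host, whose FQDN comes from the describe-endpoint command noted above.

```shell
# Added example, not TetraScience code: probe the allow-listed AWS endpoints
# on TCP/443 from the Data Hub machine and explain any transport failure.
# Assumes curl is installed; REGION defaults to us-east-1 (Tetra hosted).
REGION="${REGION:-us-east-1}"
set -f   # disable globbing: one endpoint pattern below contains '*'
# Constructed subset of the endpoints listed above; extend as needed.
ENDPOINTS='
https://ssm.[region].amazonaws.com
https://ssmmessages.[region].amazonaws.com
https://ec2messages.[region].amazonaws.com
https://sqs.[region].amazonaws.com
https://*.credentials.iot.[region].amazonaws.com
https://api.ecr.us-east-1.amazonaws.com
'
# Replace the [region] placeholder with the deployment Region.
expand_region() { printf '%s\n' "$1" | sed "s/\[region]/$REGION/g"; }
# Extract the host name from a URL (drops the scheme and any path).
host_of() { printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#/.*$##'; }
# Translate a curl exit status into the network problem it usually indicates.
explain_curl_status() {
  case "$1" in
    0)  echo "reachable" ;;
    6)  echo "DNS resolution failed" ;;
    7)  echo "TCP connect failed (port 443 blocked?)" ;;
    28) echo "timed out (silently dropped by a firewall?)" ;;
    35) echo "TLS handshake failed (intercepting proxy?)" ;;
    60) echo "server certificate not trusted (is AmazonRootCA1 installed?)" ;;
    *)  echo "curl exit status $1" ;;
  esac
}
# Probe one host. An HTTP 403/404 from AWS still means the endpoint is
# reachable; only a non-zero curl status (transport failure) is a block.
check_host() {
  status=0
  curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "https://$1/" 2>/dev/null || status=$?
  explain_curl_status "$status"
}
run_checks() {
  for url in $ENDPOINTS; do
    host=$(host_of "$(expand_region "$url")")
    case "$host" in
      '*'*) echo "SKIP $host: get the FQDN with: aws iot describe-endpoint --endpoint-type iot:CredentialProvider" ;;
      *)    printf '%-45s %s\n' "$host" "$(check_host "$host")" ;;
    esac
  done
}
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as `sh check_allowlist.sh run` on the Data Hub machine; an HTTP error code from AWS is expected, whereas a DNS, connect, timeout or TLS failure points at the allow list or an intercepting proxy.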
Required Connector Endpoints
The following Tetra Connectors need additional endpoints added to the Data Hub machine's allow list, based on the specific integration:
NOTE
Tetra Connectors that aren't included in the following list rely on AWS infrastructure, and don't require additional URLs.
- Tetra HRB Cellario Connector must have access to the Cellario URLs it connects to and polls for new data. However, if your Cellario software is part of an internal network, then no additional allow list configuration is needed.
- Tetra AGU SDC Connector must have access to the SDC URLs it connects to and polls for new data. However, if your SDC software is part of an internal network, then no additional allow list configuration is needed.
Required Tetra Data Hub Installer Endpoints
NOTE
The following endpoints are required at the time of Tetra Data Hub installation and activation. All of them use HTTPS (port 443) except the CentOS package mirror, which is served over plain HTTP (port 80).
Ubuntu Linux
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
https://objects.githubusercontent.com/*
https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
- Ubuntu must also have access to its own software source URLs so that it can install unzip, Python, and Docker.
Red Hat and CentOS Linux
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
https://objects.githubusercontent.com/*
https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-3.el7.noarch.rpm
https://download.docker.com/linux/centos/docker-ce.repo
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
- (For CentOS) https://s3.amazonaws.com/amazoncloudwatch-agent/centos/amd64/latest/amazon-cloudwatch-agent.rpm
- (For CentOS) https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/centos/amd64/latest/amazon-cloudwatch-agent.rpm
- (For Red Hat) https://s3.amazonaws.com/amazoncloudwatch-agent/redhat/amd64/latest/amazon-cloudwatch-agent.rpm
- (For Red Hat) https://s3.[region].amazonaws.com/amazoncloudwatch-agent-[region]/redhat/amd64/latest/amazon-cloudwatch-agent.rpm
Certificate Access
https://www.amazontrust.com/repository/AmazonRootCA1.pem
Endpoint Allow List for Tetra Agents When Using a Tetra Data Hub
IMPORTANT
If you select the Enable S3 Direct Upload or Receive Commands option when you configure a Tetra Agent, then you must add the following endpoints to your organization's allow list before you can use a Tetra Data Hub.
| AWS Endpoint | Description | When Required |
|---|---|---|
| https://[infrastructure name]-[environment]-datalake.s3.[region].amazonaws.com and https://[infrastructure name]-[environment]-backup.s3.[region].amazonaws.com (Self-hosting customers can find these bucket names in their Amazon S3 console. Tetra hosted customers receive these URLs from TetraScience.) | Uploads files | When the Enable S3 Direct Upload option is selected |
| https://sqs.[region].amazonaws.com | Fetches the command message and then returns the command processing status | When the Receive Commands option is selected |
| https://logs.[region].amazonaws.com | Posts agent heartbeats and logs | When the Enable S3 Direct Upload option is selected |
| https://monitoring.[region].amazonaws.com | Sends metrics data (such as CPU, memory, and disk usage) | When the Enable S3 Direct Upload option is selected |