AWS Deployment Requirements
To deploy the Tetra Data Platform (TDP), you must meet the following AWS deployment requirements:
- AWS Account and Networking Requirements
- AWS Account Permissions Requirements
- Network Connectivity Requirements
- SSL/TLS Certificate Requirements
- AWS Tag Policy Requirements
- Amazon Simple Email Service (Amazon SES) Requirements
Tetra Agents and Hubs
If you will be using Tetra Agents and Tetra Hubs to extract data from your systems, be aware that they have their own requirements. You don't need to meet those requirements to deploy the TDP, but you do need to meet them to install the Tetra Agent and set up the Hubs. For more information, see Tetra Data Hub System Requirements, Tetra Hub System Requirements, and Tetra Agents Hardware and Software Requirements.
AWS Account and Networking Requirements
The following are AWS account and networking prerequisites for deploying the TDP:
- A dedicated AWS account for the TDP.
- All required AWS services must be either allowed or enabled in the TDP's AWS account.
- A production environment with at least two /23-or-larger private subnets, each in a different AWS Availability Zone.
- Development and test environments that each have at least two /24-or-larger private subnets, each in a different Availability Zone.
- The virtual private cloud (VPC) Dynamic Host Configuration Protocol (DHCP) option set must allow Amazon Route53 domains to resolve (the only resolvers should be AWS provided DNS servers). All internal domains should be resolved through forwards (not by adding the internal resolvers in the DHCP option set).
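An added pre-flight check for the subnet sizing, Availability Zone and DHCP option set requirements above (example code, not TetraScience's). It assumes input in the shape of the `aws ec2 describe-subnets` and `aws ec2 describe-dhcp-options` JSON output, that the caller passes only the private subnets intended for the TDP, and uses a constructed sample.

```python
import ipaddress

# Largest permitted prefix length per environment type: a /23 holds more
# addresses than a /24, so "/23-or-larger" means prefixlen <= 23.
MAX_PREFIXLEN = {"production": 23, "development": 24, "test": 24}

def check_private_subnets(subnets, env_type):
    """Return a list of problems (empty when the layout meets the requirement).

    `subnets` is the "Subnets" list from `aws ec2 describe-subnets`, already
    filtered by the caller to the private subnets intended for the TDP.
    """
    limit = MAX_PREFIXLEN[env_type]
    problems = []
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"], strict=False)
        if net.prefixlen > limit:
            problems.append(f"{s['SubnetId']} is a /{net.prefixlen}; {env_type} needs /{limit} or larger")
    zones = {s["AvailabilityZone"] for s in subnets}
    if len(subnets) < 2 or len(zones) < 2:
        problems.append(f"need at least two private subnets in different AZs, got {len(subnets)} in {sorted(zones)}")
    return problems

def check_dhcp_resolvers(dhcp_options):
    """The option set must hand out only the AWS-provided resolver (AmazonProvidedDNS).

    `dhcp_options` is one entry of the "DhcpOptions" list from
    `aws ec2 describe-dhcp-options`. Internal zones are expected to be reached
    through resolver forwarding rules, not by listing internal resolvers here.
    """
    for cfg in dhcp_options.get("DhcpConfigurations", []):
        if cfg["Key"] == "domain-name-servers":
            servers = [v["Value"] for v in cfg["Values"]]
            if servers != ["AmazonProvidedDNS"]:
                return [f"domain-name-servers is {servers}; only AmazonProvidedDNS is allowed"]
    return []

# Constructed sample data (not from a real account).
PROD_SUBNETS = [
    {"SubnetId": "subnet-aaaa", "CidrBlock": "10.10.0.0/23", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-bbbb", "CidrBlock": "10.10.2.0/23", "AvailabilityZone": "us-east-1b"},
]
BAD_DHCP = {"DhcpConfigurations": [
    {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}, {"Value": "10.0.0.2"}]},
]}

if __name__ == "__main__":
    print(check_private_subnets(PROD_SUBNETS, "production"))  # []
    print(check_dhcp_resolvers(BAD_DHCP))
```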
Recommendation
TetraScience recommends that you have one dedicated AWS account for each environment. To learn more, see the Benefits of using multiple AWS accounts AWS whitepaper.
However, to streamline administration, you can have multiple environments under the same AWS account in different AWS Regions. For more information, see Supported AWS Regions. If a Region is not on this list, please contact your customer success manager (CSM).
AWS Account Permissions Requirements
The following are AWS account permissions prerequisites for deploying the TDP:
- Anyone performing the TDP installation and upgrades must have Admin or equivalent access for all of the required AWS services.
- Before you deploy the TDP, make sure that you review Security and AWS IAM to understand how permissions work within the platform.
Network Connectivity Requirements
The following are network connectivity prerequisites for deploying the TDP:
- If direct routing to the internet is allowed, you must enable outbound port 443 access from within the VPC to all AWS endpoints in the VPC Endpoints list, in addition to AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS).
- If direct routing to the internet is not allowed, you must set up the following networking configurations:
- VPC endpoints
- An HTTPS proxy that is available in the VPC (as AWS IAM and AWS STS don't have VPC endpoints), and that meets the following criteria:
- The proxy must be unauthenticated.
- The proxy must remain available for the lifetime of the TDP installation.
- There is no SSL/TLS inspection in place (no additional certificate trust is required).
- Enable the Amazon Simple Storage Service (Amazon S3) VPC Gateway endpoint to reduce the data transfer cost between VPC and S3. For more information, see Gateway endpoints in the AWS Documentation.
SSL/TLS Certificate Requirements
A Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate is required to use the TDP. To set up the required certificate, do the following:
- Create an SSL/TLS certificate for the TDP that includes the following domain names: platform-domain-name and api.platform-domain-name.
NOTE
Make sure that you replace platform-domain-name with your TDP domain name. For more information, see Certificate and key format for importing in the AWS documentation.
- Register the certificate with AWS Certificate Manager (ACM). To import an existing certificate, see Importing a certificate in the AWS Documentation. To create a new certificate, see Requesting a public certificate.
IMPORTANT
For Pluggable Connectors and Hubs to work in environments with self-signed or private SSL/TLS certificates, make sure that you do the following:
- Add the certificate authority (CA) chain for the TDP certificate to a single .pem file.
- Upload the .pem file to the following Amazon Simple Storage Service (Amazon S3) bucket: $stream-bucket/tdp-certificate/cert.pem
AWS Tag Policy Requirements
For Customer-hosted TDP deployments, AWS Organizations tag policies must not interfere with the AWS resource tagging performed by the TDP. TetraScience manages the tag policies for Tetra-hosted TDP deployments. To verify that your organization’s tag policies don’t conflict with any TDP tagging requirements, talk to your customer success manager (CSM).
For more information, see Tag policies in the AWS documentation.
TDP AWS Organizations Tags
The following tags are added to certain AWS resources by the TDP:
Tag | Required | Description |
---|---|---|
orgSlug: $orgSlug | Yes | Defines the TDP organization that the AWS resource belongs to. No resources are created that don't comply with the orgSlug: $orgSlug tag request. |
environment: $environment | No (optional) | Defines the TDP organization's environment that the AWS resource belongs to. This tag is recommended, but optional. |
NOTE
You can scope AWS Organizations tag policies at the AWS account level. For most use cases, it’s possible to modify the tag policies for TDP accounts only, without removing any tag policy protections across the organization.
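An added check (example code, not TetraScience's) that reports whether an AWS Organizations tag policy, in its JSON policy format, would reject the orgSlug and environment tags listed above. It models only the two ways an enforced rule blocks a tag, a key whose capitalization differs from the rule's canonical tag_key and a value outside the rule's tag_value list, and treats rules without enforced_for as report-only; the policy documents and slug values are constructed.

```python
import fnmatch

# Tags the TDP applies to its resources; the values stand in for a real org slug and environment.
TDP_TAGS = {"orgSlug": "my-org-slug", "environment": "prod"}

def _assigned(rule, key):
    """Read an '@@assign' leaf from a tag policy rule; it may hold a string or a list."""
    val = rule.get(key, {}).get("@@assign")
    if val is None:
        return []
    return [val] if isinstance(val, str) else list(val)

def tag_policy_conflicts(policy, tdp_tags=TDP_TAGS):
    """Return human-readable conflicts between a tag policy and the TDP's tags.

    Simplified model of tag policy enforcement (an assumption of this example):
    a rule is enforced only for the resource types in enforced_for; an enforced
    rule rejects a tag whose key matches the canonical key case-insensitively but
    not exactly, or whose value matches none of the allowed values (wildcards allowed).
    """
    conflicts = []
    for rule_name, rule in policy.get("tags", {}).items():
        enforced_for = _assigned(rule, "enforced_for")
        if not enforced_for:
            continue  # report-only rule: never blocks a tagging operation
        canonical = (_assigned(rule, "tag_key") or [rule_name])[0]
        allowed = _assigned(rule, "tag_value")
        for key, value in tdp_tags.items():
            if key.lower() != canonical.lower():
                continue  # rule governs a different tag key
            if key != canonical:
                conflicts.append(f"rule {rule_name!r} enforces key {canonical!r} on {enforced_for}; TDP uses {key!r}")
            elif allowed and not any(fnmatch.fnmatchcase(value, pat) for pat in allowed):
                conflicts.append(f"rule {rule_name!r} allows values {allowed} on {enforced_for}; TDP sets {key}={value!r}")
    return conflicts

# Constructed policy: canonicalises the key as "OrgSlug" and enforces it on EC2 instances,
# so the TDP's "orgSlug" tag would be rejected on those resources.
CONFLICTING_POLICY = {"tags": {"orgslug": {
    "tag_key": {"@@assign": "OrgSlug"},
    "enforced_for": {"@@assign": ["ec2:instance"]},
}}}

if __name__ == "__main__":
    for line in tag_policy_conflicts(CONFLICTING_POLICY):
        print(line)
```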
Amazon SES Requirements
The following are Amazon Simple Email Service (Amazon SES) prerequisites for deploying the TDP:
- A valid sender email address identity. For more information, see Creating an email address identity in the AWS Documentation.
- For a new Amazon SES account, you must submit a support ticket with AWS to remove Amazon SES from Sandbox mode. For more information, see Moving out of the Amazon SES sandbox in the AWS Documentation.