VPC Endpoints

If the private subnets where Tetra Data Platform (TDP) is deployed are restricted and don't have outbound access to the internet, then the VPC will need the following endpoints enabled. This ensures that resources running in the private subnets can reach the required service endpoints without going through the internet.

Required Interface VPC Endpoints

com.amazonaws.<REGION>.ecr.dkr
com.amazonaws.<REGION>.monitoring
com.amazonaws.<REGION>.cloudformation
com.amazonaws.<REGION>.athena
com.amazonaws.<REGION>.sqs
com.amazonaws.<REGION>.ssmmessages
com.amazonaws.<REGION>.iotsitewise.data
com.amazonaws.<REGION>.ec2messages
com.amazonaws.<REGION>.ecs-agent
com.amazonaws.<REGION>.glue
com.amazonaws.<REGION>.ecr.api
com.amazonaws.<REGION>.logs
com.amazonaws.<REGION>.ssm
com.amazonaws.<REGION>.sns
com.amazonaws.<REGION>.s3
com.amazonaws.<REGION>.sts
com.amazonaws.<REGION>.ecs-telemetry
com.amazonaws.<REGION>.ecs
com.amazonaws.<REGION>.kms
com.amazonaws.<REGION>.email-smtp
com.amazonaws.<REGION>.ec2
com.amazonaws.<REGION>.codebuild
com.amazonaws.<REGION>.lambda
com.amazonaws.<REGION>.secretsmanager
com.amazonaws.<REGION>.servicediscovery
com.amazonaws.<REGION>.data-servicediscovery
com.amazonaws.<REGION>.appstream.api
com.amazonaws.<REGION>.appstream.streaming

Required Gateway VPC Endpoints

com.amazonaws.<REGION>.dynamodb
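A quick way to verify that a VPC actually carries everything in the two lists above is to compare the output of `aws ec2 describe-vpc-endpoints` against them. The script below is an added example, not TetraScience tooling: it takes the JSON that the CLI prints, substitutes a concrete region for `<REGION>` (us-east-1 here, an assumption), and reports required services that are missing, created with the wrong endpoint type, not yet in the `available` state, or interface endpoints without private DNS (without it the default regional hostnames such as `sts.<REGION>.amazonaws.com` do not resolve to the endpoint, so clients fall back to the public path or fail). The sample payload, VPC IDs and endpoint IDs at the bottom are constructed for illustration.

```python
"""Audit a VPC's endpoints against the TDP private-subnet requirements.

Added example (not TetraScience's own tooling). Input is the JSON printed by
`aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<VPC_ID>`.
"""
import json

# Service-name suffixes from the required lists, grouped by endpoint type.
REQUIRED_INTERFACE = [
    "ecr.dkr", "monitoring", "cloudformation", "athena", "sqs", "ssmmessages",
    "iotsitewise.data", "ec2messages", "ecs-agent", "glue", "ecr.api", "logs",
    "ssm", "sns", "s3", "sts", "ecs-telemetry", "ecs", "kms", "email-smtp",
    "ec2", "codebuild", "lambda", "secretsmanager", "servicediscovery",
    "data-servicediscovery", "appstream.api", "appstream.streaming",
]
REQUIRED_GATEWAY = ["dynamodb"]


def required_services(region):
    """Map full service name -> required endpoint type for one region."""
    req = {f"com.amazonaws.{region}.{s}": "Interface" for s in REQUIRED_INTERFACE}
    req.update({f"com.amazonaws.{region}.{s}": "Gateway" for s in REQUIRED_GATEWAY})
    return req


def parse_endpoints(payload_json, vpc_id):
    """Index the VpcEndpoints array by ServiceName, keeping only endpoints in vpc_id."""
    data = json.loads(payload_json)
    found = {}
    for ep in data.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id:
            continue
        found[ep["ServiceName"]] = {
            "type": ep.get("VpcEndpointType"),
            "state": ep.get("State"),
            "private_dns": bool(ep.get("PrivateDnsEnabled", False)),
        }
    return found


def audit(required, found):
    """Return findings as lists of service names, one list per problem class."""
    findings = {"missing": [], "wrong_type": [], "not_available": [], "no_private_dns": []}
    for name, want_type in sorted(required.items()):
        ep = found.get(name)
        if ep is None:
            findings["missing"].append(name)
            continue
        if ep["type"] != want_type:
            findings["wrong_type"].append(name)
        if ep["state"] != "available":
            findings["not_available"].append(name)
        # An interface endpoint without private DNS leaves the service's default
        # hostname pointing at the public address, so traffic does not stay in the VPC.
        if want_type == "Interface" and ep["type"] == "Interface" and not ep["private_dns"]:
            findings["no_private_dns"].append(name)
    return findings


# Constructed sample of describe-vpc-endpoints output (IDs are placeholders).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcId": "vpc-0123", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "available", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0bbb", "VpcId": "vpc-0123", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.sts", "State": "available", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0ccc", "VpcId": "vpc-0123", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0ddd", "VpcId": "vpc-0123", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "pending", "PrivateDnsEnabled": False},
    # Belongs to a different VPC, so it must not count towards vpc-0123.
    {"VpcEndpointId": "vpce-0eee", "VpcId": "vpc-9999", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kms", "State": "available", "PrivateDnsEnabled": True},
]})


def run_audit(payload_json, vpc_id, region):
    """Convenience wrapper: parse, audit, and return the findings dict."""
    return audit(required_services(region), parse_endpoints(payload_json, vpc_id))


if __name__ == "__main__":
    # With real input: aws ec2 describe-vpc-endpoints ... > endpoints.json, then pass
    # the file contents instead of SAMPLE_DESCRIBE_OUTPUT.
    result = run_audit(SAMPLE_DESCRIBE_OUTPUT, "vpc-0123", "us-east-1")
    for problem, names in result.items():
        print(f"{problem} ({len(names)}):")
        for n in names:
            print(f"  {n}")
```

On the constructed sample the run reports 25 missing services (the kms endpoint is ignored because it sits in another VPC), s3 as `wrong_type` because the list above asks for an interface endpoint and the sample created a gateway one, dynamodb as `not_available`, and sts as `no_private_dns`. Adjust the two lists at the top if your deployment agrees a different endpoint type for a service.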

Handling Services Without VPC Endpoints

Some TDP services running in private subnets also need to reach the following endpoints, for which AWS doesn't provide VPC endpoints:

  • iam.amazonaws.com
  • cognito-idp.<REGION>.amazonaws.com
  • email.<REGION>.amazonaws.com

To allow TDP services running in your private subnet to access these endpoints, you can do either of the following:

  • Allow the private subnets to reach these endpoints through the internet.
    -or-
  • Configure the TDP service to use a proxy server to reach these endpoints. (If you use this option, make sure that you share the proxy server details with TetraScience.)