Tetra Hub Allow List Endpoints

Three types of endpoints must be added to your organization's allow list before you can use a Tetra Hub:

📘

NOTE

For the endpoints listed in this topic, [region] is the AWS Region where the TetraScience stack is deployed. TetraScience uses us-east-1 for Tetra-hosted deployments.

Required AWS Endpoints

📘

NOTE

The following endpoints are used by Tetra Hub, the AWS Systems Manager Agent (SSM Agent), Amazon Elastic Compute Cloud (Amazon EC2) Agent, and Amazon CloudWatch Agent. These endpoints are required at runtime and for as long as the Tetra Hub is operational.

For Installation and Runtime Orchestration of Proxies and Connectors by Amazon ECS

  • https://ecs-a-*.[region].amazonaws.com
  • https://ecs-t-*.[region].amazonaws.com
  • https://ecs.[region].amazonaws.com

📘

NOTE

If you're using Amazon Virtual Private Cloud (Amazon VPC) and these wildcard hostnames are problematic in your network, you can use AWS PrivateLink to provide network connectivity instead.

For Remote Management of the Host Machine by AWS Systems Manager

  • https://ssm.[region].amazonaws.com
  • https://ec2messages.[region].amazonaws.com
  • https://ssmmessages.[region].amazonaws.com

For Downloading Configuration Data and Uploading Data to Amazon S3

  • https://s3.[region].amazonaws.com

For Sending Connector Logs to Amazon CloudWatch

  • https://logs.[region].amazonaws.com

For Sending Metrics to Amazon CloudWatch

  • https://monitoring.[region].amazonaws.com

For Downloading Required Docker Images

  • https://ecr.us-east-1.amazonaws.com
  • https://api.ecr.us-east-1.amazonaws.com
  • https://753968983172.dkr.ecr.us-east-1.amazonaws.com

Required Connector Endpoints

📘

NOTE

The following endpoints are required by all Connectors. Each Connector type might need additional endpoints added to your organization’s allow list, based on the specific integration. For example, the Tetra Cellario Connector requires access to the configured Cellario endpoint. These endpoints are required at runtime and for as long as the Connector is operational.

For Receiving and Responding To TDP Commands through Amazon SQS

  • https://sqs.[region].amazonaws.com

For Downloading Configuration Data and Uploading Data to Amazon S3

  • https://s3.[region].amazonaws.com

For Downloading Configuration Data from AWS Systems Manager

  • https://ssm.[region].amazonaws.com

For TDP Orchestration, Status Reporting, and Data Uploads

  • The TetraScience API (Verify with your customer success manager which endpoint is required for your use case)

Required Tetra Hub Installer Endpoints

📘

NOTE

The following endpoints are required at the time of Tetra Hub installation and activation. If these endpoints are not also present in the previous required, operational allow lists, access to them can be removed after installation is complete and the Hub is online.

For All Operating Systems

  • https://s3.[region].amazonaws.com
  • https://amazon-ecs-agent.s3.amazonaws.com
  • https://s3.amazonaws.com
  • https://raw.githubusercontent.com (to download public keys for verifying AWS packages)

For Ubuntu

  • All default Ubuntu package sources

For RHEL

  • All default RHEL package sources
  • https://download.docker.com
  • The following package sources for RHEL v7:
    • http://mirror.centos.org/
    • https://dl.fedoraproject.org/pub/

📘

NOTE

The http://mirror.centos.org/ endpoint supports the HTTP protocol only. The endpoint won't work if you use HTTPS.

For CentOS

  • All default CentOS package sources

Endpoint Allow List for Tetra Agents When Using a Tetra Hub

If your Hub acts as a proxy for Tetra Agents, the Hub must have access to those Agents' required endpoints.

This includes the TDP API endpoint for your deployment (for example, platform.tetrascience.com).

Connect a Hub Using AWS PrivateLink

If your network requirements don't allow the Tetra Hub access to the required TDP or AWS endpoints through the internet and the Hub is hosted in an Amazon VPC, you can use AWS PrivateLink to securely provide access to those endpoints.

To set up AWS PrivateLink for TDP endpoints, see AWS Private Link Connections.

To set up AWS PrivateLink for AWS endpoints, reference the example Amazon ECS Agent setup in Amazon ECS interface VPC endpoints (AWS PrivateLink) in the AWS documentation. The procedure is specific to setting up AWS PrivateLink for the required Amazon ECS endpoints, but is broadly applicable and can be applied across all of the required AWS endpoints.