deploying_to_existing_environments.md

File metadata and controls

75 lines (61 loc) · 3.19 KB

# Deploying to Existing Environments

Deployment to MCP and/or an existing VPC

## MCP access

At this time, anyone deploying this project to the Mission Cloud Platform (MCP) environments must have completed the NASA credentialing process and then requested and been granted access to the VEDA project on MCP.

## MCP and existing VPC endpoint requirements

VPC interface endpoints must be configured so that app components can connect to other services from within the VPC, and gateway endpoints must be configured for external connections.

| service-name | vpc-endpoint-type | comments |
|---|---|---|
| secretsmanager | Interface | security group configuration recommendations below |
| logs | Interface | cloudwatch-logs, security group configuration recommendations below |
| s3 | Gateway | |
| dynamodb | Gateway | required if using DynamoDB streams |

### Create Interface VPC endpoints

Create a security group for the VPC Interface endpoints (AWS docs):

```bash
aws ec2 create-security-group --vpc-id <vpc-id> --group-name vpc-interface-endpoints --description "security group for vpc interface endpoints"
```

Configure the ingress rule for this security group (a new security group is created with an allow-all egress rule by default, so only ingress needs to be added):

```bash
# Look up the VPC CIDR block
aws ec2 describe-vpcs --vpc-ids <vpc-id> | jq -r '.Vpcs[].CidrBlock'

# Allow HTTPS (443) to the endpoints from inside the VPC only
aws ec2 authorize-security-group-ingress --group-id <new sg just created above> --protocol tcp --port 443 --cidr <cidr range>
```

Create the VPC Interface endpoints:

```bash
# Choose private subnets (example subnet was generated by aws-cdk)
aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id> Name=tag:aws-cdk:subnet-name,Values=private | jq -r '.Subnets[].SubnetId'

# Secrets Manager endpoint
aws ec2 create-vpc-endpoint \
  --vpc-id <vpc-id> \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-west-2.secretsmanager \
  --subnet-ids <private subnet> <private subnet> \
  --security-group-ids <new sg just created above>

# CloudWatch Logs endpoint uses the same security group configuration
aws ec2 create-vpc-endpoint \
  --vpc-id <vpc-id> \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-west-2.logs \
  --subnet-ids <private subnet> <private subnet> \
  --security-group-ids <new sg just created above>
```

### Create Gateway VPC endpoints

```bash
# List route tables for the VPC
aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id> | jq -r '.RouteTables[].RouteTableId'

# Create Gateway endpoint for S3
aws ec2 create-vpc-endpoint \
  --vpc-id <vpc-id> \
  --vpc-endpoint-type Gateway \
  --service-name com.amazonaws.us-west-2.s3 \
  --route-table-ids <route table ids for each subnet in vpc>

# Optional: create Gateway endpoint for DynamoDB
aws ec2 create-vpc-endpoint \
  --vpc-id <vpc-id> \
  --vpc-endpoint-type Gateway \
  --service-name com.amazonaws.us-west-2.dynamodb \
  --route-table-ids <route table ids for each subnet in vpc>
```
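Once the endpoints above exist, it is worth verifying the VPC actually matches the requirements table before deploying. The following is an added checker, not part of the VEDA project: it reads the JSON from `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>` and reports any required endpoint that is missing, not `available`, of the wrong type, or (for Interface endpoints) not attached to the dedicated security group. The endpoint and security group IDs in the embedded sample are constructed placeholders, and service names are assumed to use the `us-west-2` form shown in this guide.

```python
import json
import sys

# Required endpoints, mirroring the table in this guide. DynamoDB is optional.
REQUIRED = {"secretsmanager": "Interface", "logs": "Interface", "s3": "Gateway"}


def service_short_name(service_name):
    """'com.amazonaws.us-west-2.secretsmanager' -> 'secretsmanager'."""
    return service_name.rsplit(".", 1)[-1]


def check_endpoints(describe_output, sg_id):
    """Compare describe-vpc-endpoints JSON with the guide; return findings."""
    findings = []
    found = {}
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("State") != "available":
            findings.append(f"{ep['VpcEndpointId']} is in state {ep.get('State')}")
            continue
        found[service_short_name(ep["ServiceName"])] = ep
    for name, ep_type in REQUIRED.items():
        ep = found.get(name)
        if ep is None:
            findings.append(f"missing {ep_type} endpoint for {name}")
        elif ep["VpcEndpointType"] != ep_type:
            findings.append(f"{name} endpoint is {ep['VpcEndpointType']}, expected {ep_type}")
        elif ep_type == "Interface":
            # Interface endpoints must carry the dedicated 443-only security group.
            if sg_id not in {g["GroupId"] for g in ep.get("Groups", [])}:
                findings.append(f"{name} endpoint is not attached to {sg_id}")
        elif not ep.get("RouteTableIds"):
            # A gateway endpoint with no route tables routes nothing privately.
            findings.append(f"{name} gateway endpoint has no route tables")
    return findings


# Constructed sample output (placeholder IDs): the logs endpoint uses the wrong
# security group and the S3 gateway endpoint is missing entirely.
SAMPLE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0000000000000001", "State": "available",
     "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-west-2.secretsmanager",
     "Groups": [{"GroupId": "sg-0000000000000aaa"}]},
    {"VpcEndpointId": "vpce-0000000000000002", "State": "available",
     "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-west-2.logs",
     "Groups": [{"GroupId": "sg-0000000000000bbb"}]},
]}

if __name__ == "__main__":
    # Usage: python check_endpoints.py <describe-vpc-endpoints.json> [sg-id]
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    sg = sys.argv[2] if len(sys.argv) > 2 else "sg-0000000000000aaa"
    for line in check_endpoints(data, sg):
        print(line)
```

An empty findings list means every required endpoint from the table is present, available, correctly typed and wired to the dedicated security group.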

## [OPTIONAL] Deploy standalone base infrastructure

For convenience, standalone base infrastructure scripts are provided that deploy the base infrastructure so a deployment can be simulated in a controlled environment.