Set up an AWS VPC endpoint to securely access Turso databases through AWS PrivateLink, keeping all traffic within AWS’s private network.

Prerequisites

  • Existing VPC in your target AWS region
  • Subnets in supported availability zones (see region-specific requirements below)
  • IAM permissions to create VPC endpoints and modify security groups
  • Active Turso account with configured databases

Quickstart

1

Create VPC Endpoint

Navigate to VPC DashboardEndpointsCreate endpoint and configure:

2

Configure Security Groups

Update security groups to allow proper communication:

VPC Endpoint Security Group:

  • Inbound: Allow HTTPS (port 443) from your application security groups

Application Security Groups:

  • Outbound: Allow HTTPS (port 443) to the VPC endpoint security group
3

Update Application Connections

Replace public Turso endpoints with the new VPC endpoint URL format:

curl -H "Host: <database-name>.turso.io" https://<database-name>.aws-us-east-1.turso.io
4

Verify Setup

Test your VPC endpoint configuration from within your VPC:

# Test connectivity
curl -v https://<your-database-name>.aws-us-east-1.turso.io

# Verify private routing (should show traffic staying within AWS network)
traceroute -T <your-database-name>.aws-us-east-1.turso.io

Important Notes

  • Traffic remains within AWS’s private network
  • Standard AWS VPC endpoint pricing applies
  • Applications can access the endpoint from any AZ in your VPC
  • Each region has specific service names and supported availability zones