Set up an AWS VPC endpoint to securely access Turso databases through AWS PrivateLink, keeping all traffic within AWS’s private network.

Prerequisites

  • Existing VPC in your target AWS region
  • Subnets in supported availability zones (see region-specific requirements below)
  • IAM permissions to create VPC endpoints and modify security groups
  • Active Turso account with configured databases

Quickstart

  • us-east-1
  • us-west-2
  • eu-west-1
  • ap-south-1
  • ap-northeast-1
1. Create VPC Endpoint

Navigate to VPC Dashboard → Endpoints → Create endpoint and configure:
  • Name: Enter a descriptive name (e.g., turso-database-endpoint)
  • Service category: Select “Other endpoint services”
  • Service name: Enter com.amazonaws.vpce.us-east-1.vpce-svc-0608537f5fdfeaabc
  • Click Verify service
  • Select your VPC
  • Enable DNS name
  • Choose IPv4 for DNS record type
  • Select subnets in supported AZs (use1-az4 and/or use1-az6)
  • Configure security groups and click Create endpoint
2. Configure Security Groups

Update security groups to allow proper communication:

VPC Endpoint Security Group:
  • Inbound: Allow HTTPS (port 443) from your application security groups
Application Security Groups:
  • Outbound: Allow HTTPS (port 443) to the VPC endpoint security group
3. Update Application Connections

Replace public Turso endpoints with the new VPC endpoint URL format:
curl -H "Host: <database-name>.turso.io" https://<database-name>.aws-us-east-1.turso.io
4. Verify Setup

Test your VPC endpoint configuration from within your VPC:
# Test connectivity
curl -v https://<your-database-name>.aws-us-east-1.turso.io

# Verify private routing (should show traffic staying within AWS network)
traceroute -T <your-database-name>.aws-us-east-1.turso.io
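
A DNS check complements the commands above: with the DNS name enabled on the endpoint, the regional hostname should resolve inside the VPC to the endpoint's private addresses rather than to public IPs. The script below is an added example, not part of the Turso documentation; it assumes dig is installed and that your VPC uses RFC 1918 address space, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: fail if the hostname resolves to anything outside RFC 1918.
# Assumption: the VPC CIDR is 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.

# Return 0 if $1 is a dotted-quad IPv4 address inside an RFC 1918 range.
is_rfc1918() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.|'') return 1 ;;   # not digits and single dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split into octets
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  case $1 in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
    192) [ "$2" -eq 168 ] ;;
    *)   return 1 ;;
  esac
}

# Succeed only if at least one address is given and every one is private.
all_private() {
  [ "$#" -gt 0 ] || { echo "no A records returned" >&2; return 1; }
  rc=0
  for addr in "$@"; do
    if is_rfc1918 "$addr"; then
      echo "private: $addr"
    else
      echo "NOT private: $addr" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Resolve and check only when a hostname is passed as the first argument, e.g.
#   sh check_private.sh <your-database-name>.aws-us-east-1.turso.io
if [ "$#" -gt 0 ]; then
  # dig +short can also print CNAME targets; keep only IPv4 lines.
  addrs=$(dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
  all_private $addrs
fi
```

Run it from an instance in the VPC; a non-zero exit status means at least one answer was a public address or nothing resolved, so requests would not be using the endpoint.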

Important Notes

  • Traffic remains within AWS’s private network
  • Standard AWS VPC endpoint pricing applies
  • Applications can access the endpoint from any AZ in your VPC
  • Each region has specific service names and supported availability zones