Private Endpoints

Set up an AWS VPC endpoint to securely access Turso databases through AWS PrivateLink, keeping all traffic within AWS’s private network.

Prerequisites

Existing VPC in your target AWS region
Subnets in supported availability zones (see region-specific requirements below)
IAM permissions to create VPC endpoints and modify security groups
Active Turso account with configured databases

Quickstart

Create VPC Endpoint

Navigate to VPC Dashboard → Endpoints → Create endpoint and configure:

Basic Settings

Network Configuration

Configure Security Groups

Update security groups to allow proper communication:VPC Endpoint Security Group:

Inbound: Allow HTTPS (port 443) from your application security groups

Application Security Groups:

Outbound: Allow HTTPS (port 443) to the VPC endpoint security group

Update Application Connections

Replace public Turso endpoints with the new VPC endpoint URL format:

curl -H "Host: <database-name>.turso.io" https://<database-name>.aws-us-east-1.turso.io

Verify Setup

Test your VPC endpoint configuration from within your VPC:

# Test connectivity
curl -v https://<your-database-name>.aws-us-east-1.turso.io

# Verify private routing (should show traffic staying within AWS network)
traceroute -T <your-database-name>.aws-us-east-1.turso.io

Important Notes

Traffic remains within AWS’s private network
Standard AWS VPC endpoint pricing applies
Applications can access the endpoint from any AZ in your VPC
Each region has specific service names and supported availability zones

Getting Started

Product

Cloud

Help

Private Endpoints

Prerequisites

Quickstart

Important Notes

Getting Started

Product

Cloud

Help

​Prerequisites

​Quickstart

​Important Notes

Prerequisites

Quickstart

Important Notes