Allow device traffic through a proxy or firewall - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Allow device traffic through a proxy or firewall

Greengrass core devices and Greengrass components make outbound requests to Amazon services and other websites. As a security measure, you can restrict that outbound traffic to an allowlist of a small number of endpoints and ports. Use the endpoints and ports listed here to build the allowlist in a proxy, firewall, or Amazon VPC security group. Note that a VPC security group matches on IP addresses and ports rather than host names, so enforcing the host names in these tables requires a proxy or a DNS-aware firewall. For more information about how to configure a core device to use a proxy, see Connect on port 443 or through a network proxy.

Endpoints for basic operation

Greengrass core devices use the following endpoints and ports for basic operation.

Retrieve Amazon IoT endpoints

Get the Amazon IoT endpoints for your Amazon Web Services account, and save them to use later. Your device uses these endpoints to connect to Amazon IoT. Do the following:

  1. Get the Amazon IoT data endpoint for your Amazon Web Services account.

    aws iot describe-endpoint --endpoint-type iot:Data-ATS

    If the request succeeds, the response looks similar to the following example.

    { "endpointAddress": "device-data-prefix-ats.iot.us-west-2.amazonaws.com" }
  2. Get the Amazon IoT credentials endpoint for your Amazon Web Services account.

    aws iot describe-endpoint --endpoint-type iot:CredentialProvider

    If the request succeeds, the response looks similar to the following example.

    { "endpointAddress": "device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com" }
Endpoint: greengrass-ats.iot.region.amazonaws.com
Port: 8443 or 443
Required: Yes
Description: Used for data plane operations, such as installing deployments and working with client devices.

Endpoint: device-data-prefix-ats.iot.region.amazonaws.com
Port: MQTT 8883 or 443; HTTPS 8443 or 443
Required: Yes
Description: Used for data plane operations for device management, such as MQTT communication and shadow sync with Amazon IoT Core.

Endpoint: device-credentials-prefix.credentials.iot.region.amazonaws.com
Port: 443
Required: Yes
Description: Used to acquire Amazon credentials, which the core device uses to download component artifacts from Amazon S3 and perform other operations. For more information, see Authorize core devices to interact with Amazon services.

Endpoint: *.s3.amazonaws.com and *.s3.region.amazonaws.com
Port: 443
Required: Yes
Description: Used for deployments. This pattern includes the * character because endpoint prefixes are controlled internally and might change at any time. Because the wildcard matches any S3 bucket name, this is the broadest entry in the allowlist; restrict it at least to port 443.

Endpoint: data.iot.region.amazonaws.com
Port: 443
Required: No
Description: Required only if the core device runs a version of the Greengrass nucleus earlier than v2.4.0 and is configured to use a network proxy. Such a core device uses this endpoint for MQTT communication with Amazon IoT Core when behind a proxy. For more information, see Configure a network proxy.

Endpoints for installation with automatic provisioning

Greengrass core devices use the following endpoints and ports when you install the Amazon IoT Greengrass Core software with automatic resource provisioning.

Endpoint: iot.region.amazonaws.com
Port: 443
Required: Yes
Description: Used to create Amazon IoT resources and retrieve information about existing Amazon IoT resources.

Endpoint: iam.amazonaws.com
Port: 443
Required: Yes
Description: Used to create IAM resources and retrieve information about existing IAM resources.

Endpoint: sts.region.amazonaws.com
Port: 443
Required: Yes
Description: Used to get the ID of your Amazon Web Services account.

Endpoint: greengrass.region.amazonaws.com
Port: 443
Required: No
Description: Required only if you use the --deploy-dev-tools argument to deploy the Greengrass CLI component to the core device.
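The following script is an added example, not code from the Greengrass documentation or the Greengrass project. It turns the basic-operation and automatic-provisioning endpoint tables above into a per-device egress allowlist, renders that allowlist as Squid ACLs (one dstdomain/port pair per endpoint, so each host is allowed only on its own ports), and audits constructed Squid access-log lines against it. The region, the two describe-endpoint hostnames, the nucleus version, the flags, and the log lines are all constructed sample values; the CoreDeviceConfig fields and function names are this example's own, not a Greengrass API.

```python
"""Added example: build a Greengrass egress allowlist and audit proxy logs against it."""
from dataclasses import dataclass
import fnmatch
import re
import urllib.parse


@dataclass
class CoreDeviceConfig:
    """Hypothetical per-device inputs (not a Greengrass configuration object)."""
    region: str
    data_endpoint: str           # from: aws iot describe-endpoint --endpoint-type iot:Data-ATS
    credentials_endpoint: str    # from: aws iot describe-endpoint --endpoint-type iot:CredentialProvider
    nucleus_version: str = "2.12.0"
    uses_network_proxy: bool = False
    automatic_provisioning: bool = False   # installer run with automatic resource provisioning
    deploy_dev_tools: bool = False         # installer run with --deploy-dev-tools


def version_tuple(version):
    """'v2.3.1' -> (2, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def required_endpoints(cfg):
    """Return [(host_pattern, {ports})] for this device, following the tables above."""
    r = cfg.region
    rules = [
        (f"greengrass-ats.iot.{r}.amazonaws.com", {443, 8443}),
        (cfg.data_endpoint, {443, 8443, 8883}),        # HTTPS 8443/443, MQTT 8883/443
        (cfg.credentials_endpoint, {443}),
        ("*.s3.amazonaws.com", {443}),                 # wildcard: bucket prefixes may change
        (f"*.s3.{r}.amazonaws.com", {443}),
    ]
    # data.iot.<region> is only needed by a pre-v2.4.0 nucleus that sits behind a proxy.
    if cfg.uses_network_proxy and version_tuple(cfg.nucleus_version) < (2, 4, 0):
        rules.append((f"data.iot.{r}.amazonaws.com", {443}))
    if cfg.automatic_provisioning:
        rules += [(f"iot.{r}.amazonaws.com", {443}),
                  ("iam.amazonaws.com", {443}),
                  (f"sts.{r}.amazonaws.com", {443})]
        if cfg.deploy_dev_tools:
            rules.append((f"greengrass.{r}.amazonaws.com", {443}))
    return rules


def is_allowed(rules, host, port):
    """True if host:port matches some rule; host comparison is case-insensitive."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat.lower()) and port in ports for pat, ports in rules)


def render_squid_acls(rules):
    """Emit Squid ACLs. A leading '.' in dstdomain means 'domain and all subdomains',
    which is how the '*.s3...' wildcards are expressed."""
    out = []
    for i, (pat, ports) in enumerate(rules):
        domain = pat[1:] if pat.startswith("*") else pat          # '*.s3.x' -> '.s3.x'
        out.append(f"acl gg_dst_{i} dstdomain {domain}")
        out.append(f"acl gg_port_{i} port {' '.join(str(p) for p in sorted(ports))}")
        out.append(f"http_access allow gg_dst_{i} gg_port_{i}")
    out.append("http_access deny all")
    return "\n".join(out)


# Squid native access.log: time elapsed client result/status bytes method url ...
_LOG_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def audit_proxy_log(rules, log_lines):
    """Return [(host, port, allowed)] for every request found in the log lines."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if m.group("method") == "CONNECT":                 # CONNECT host:port
            host, _, port = url.rpartition(":")
            port = int(port)
        else:                                              # scheme://host[:port]/path
            u = urllib.parse.urlsplit(url)
            host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
        findings.append((host, port, is_allowed(rules, host, port)))
    return findings


# Constructed sample device: us-west-2, nucleus too old for MQTT through the proxy.
SAMPLE_CONFIG = CoreDeviceConfig(
    region="us-west-2",
    data_endpoint="device-data-prefix-ats.iot.us-west-2.amazonaws.com",
    credentials_endpoint="device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com",
    nucleus_version="2.3.0",
    uses_network_proxy=True,
)

# Constructed log lines, not real captures: MQTT, an S3 artifact fetch, the legacy
# data.iot endpoint, an exfiltration attempt, and a plain-HTTP request on port 80.
SAMPLE_LOG = [
    "1700000000.101 120 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT device-data-prefix-ats.iot.us-west-2.amazonaws.com:8883 - HIER_DIRECT/52.1.2.3 -",
    "1700000000.202 80 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT artifacts-bucket.s3.us-west-2.amazonaws.com:443 - HIER_DIRECT/52.1.2.4 -",
    "1700000000.303 15 10.0.0.5 TCP_TUNNEL/200 900 CONNECT data.iot.us-west-2.amazonaws.com:443 - HIER_DIRECT/52.1.2.5 -",
    "1700000000.404 10 10.0.0.5 TCP_DENIED/403 0 CONNECT paste.example.net:443 - HIER_NONE/- -",
    "1700000000.505 10 10.0.0.5 TCP_MISS/200 300 GET http://device-data-prefix-ats.iot.us-west-2.amazonaws.com/ - HIER_DIRECT/52.1.2.3 -",
]

if __name__ == "__main__":
    rules = required_endpoints(SAMPLE_CONFIG)
    print(render_squid_acls(rules))
    for host, port, ok in audit_proxy_log(rules, SAMPLE_LOG):
        print(("allow " if ok else "BLOCK ") + f"{host}:{port}")
```

Two things to keep in mind when using the generated ACLs: Squid's stock configuration only permits CONNECT to its SSL_ports list (443 by default), so add 8443 and 8883 to that list or place these rules ahead of the default `deny CONNECT !SSL_ports` line; and after the nucleus is upgraded to v2.4.0 or later, rerun the script without the legacy data.iot entry so the allowlist shrinks with the device's actual needs.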

Endpoints for Amazon-provided components

Greengrass core devices use additional endpoints depending on which software components they run. You can find the endpoints that each Amazon-provided component requires in the Requirements section on each component's page in this developer guide. For more information, see Amazon-provided components.