Amazon IoT Greengrass and interface VPC endpoints (Amazon PrivateLink) - Amazon IoT Greengrass
Considerations for Amazon IoT Greengrass VPC endpointsCreate an interface VPC endpoint for Amazon IoT Greengrass control plane operationsCreating a VPC endpoint policy for Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Greengrass and interface VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your VPC and the Amazon IoT Greengrass control plane by creating an interface VPC endpoint. You can use this endpoint to manage components, deployments, and core devices in the Amazon IoT Greengrass service. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to access Amazon IoT Greengrass APIs privately without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon IoT Greengrass APIs. Traffic between your VPC and Amazon IoT Greengrass does not leave the Amazon network.

Note

Currently, you can't configure Greengrass core devices to operate completely within your VPC.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon IoT Greengrass VPC endpoints

Before you set up an interface VPC endpoint for Amazon IoT Greengrass, review Interface endpoint properties and limitations in the Amazon VPC User Guide. Additionally, be aware of the following considerations:

  • Amazon IoT Greengrass supports making calls to all of its control plane API actions from your VPC. The control plane includes operations such as CreateDeployment and ListEffectiveDeployments. The control plane does not include operations such as ResolveComponentCandidates and Discover, which are data plane operations.

  • VPC endpoints for Amazon IoT Greengrass are currently not supported in Amazon China Regions.

Create an interface VPC endpoint for Amazon IoT Greengrass control plane operations

You can create a VPC endpoint for the Amazon IoT Greengrass control plane using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Amazon IoT Greengrass using the following service name:

  • com.amazonaws.region.greengrass

If you enable private DNS for the endpoint, you can make API requests to Amazon IoT Greengrass using its default DNS name for the Region, for example, greengrass.us-east-1.amazonaws.com. Private DNS is enabled by default.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon IoT Greengrass

You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT Greengrass control plane operations. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that the principal can perform.

  • The resources that the principal can perform actions on.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon IoT Greengrass actions

The following is an example of an endpoint policy for Amazon IoT Greengrass. When attached to an endpoint, this policy grants access to the listed Amazon IoT Greengrass actions for all principals on all resources.

{
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateDeployment",
                "greengrass:ListEffectiveDeployments"
            ],
            "Resource": "*"
        }
    ]
}