Amazon IoT Greengrass and interface VPC endpoints (Amazon PrivateLink) - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

You can establish a private connection between your VPC and the Amazon IoT Greengrass control plane by creating an interface VPC endpoint. You can use this endpoint to manage components, deployments, and core devices in the Amazon IoT Greengrass service. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to access Amazon IoT Greengrass APIs privately without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon IoT Greengrass APIs. Traffic between your VPC and Amazon IoT Greengrass does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon IoT Greengrass VPC endpoints

Before you set up an interface VPC endpoint for Amazon IoT Greengrass, review Interface endpoint properties and limitations in the Amazon VPC User Guide. Additionally, be aware of the following considerations:

  • Amazon IoT Greengrass supports making calls to all of its control plane API actions from your VPC. The control plane includes operations such as CreateDeployment and ListEffectiveDeployments. The control plane does not include operations such as ResolveComponentCandidates and Discover, which are data plane operations.

  • VPC endpoints for Amazon IoT Greengrass are currently not supported in Amazon China Regions.

Create an interface VPC endpoint for Amazon IoT Greengrass control plane operations

You can create a VPC endpoint for the Amazon IoT Greengrass control plane using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Amazon IoT Greengrass using the following service name:

  • com.amazonaws.region.greengrass

If you enable private DNS for the endpoint, you can make API requests to Amazon IoT Greengrass using its default DNS name for the Region, for example, greengrass.us-east-1.amazonaws.com. Private DNS is enabled by default.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon IoT Greengrass

You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT Greengrass control plane operations. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that the principal can perform.

  • The resources that the principal can perform actions on.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon IoT Greengrass actions

The following is an example of an endpoint policy for Amazon IoT Greengrass. When attached to an endpoint, this policy grants access to the listed Amazon IoT Greengrass actions for all principals on all resources.

  {
    "Statement": [
      {
        "Principal": "*",
        "Effect": "Allow",
        "Action": [
          "greengrass:CreateDeployment",
          "greengrass:ListEffectiveDeployments"
        ],
        "Resource": "*"
      }
    ]
  }

Operate an Amazon IoT Greengrass core device in VPC

You can operate a Greengrass core device and perform deployments in a VPC without public internet access. At a minimum, you must set up the following VPC endpoints with the corresponding DNS aliases. For more information about how to create and use VPC endpoints, see Create a VPC endpoint in the Amazon VPC User Guide.

Note

The VPC feature that automatically creates a DNS record is disabled for Amazon IoT data and Amazon IoT Credentials. To connect to these endpoints, you must manually create a private DNS record. For more information, see Private DNS for interface endpoints. For more information about Amazon IoT Core VPC limitations, see Limitations of VPC endpoints.

Prerequisites

Limitations

  • Operating a Greengrass core device in VPC is not supported in China Regions and Amazon GovCloud (US) Regions.

  • For more information about limitations of Amazon IoT data and Amazon IoT credential provider VPC endpoints, see Limitations.

Set up your Greengrass core device to operate in VPC

  1. Get the Amazon IoT endpoints for your Amazon Web Services account, and save them to use later. Your device uses these endpoints to connect to Amazon IoT. Do the following:

    1. Get the Amazon IoT data endpoint for your Amazon Web Services account.

      aws iot describe-endpoint --endpoint-type iot:Data-ATS

      If the request succeeds, the response looks similar to the following example.

      { "endpointAddress": "device-data-prefix-ats.iot.us-west-2.amazonaws.com" }
    2. Get the Amazon IoT credentials endpoint for your Amazon Web Services account.

      aws iot describe-endpoint --endpoint-type iot:CredentialProvider

      If the request succeeds, the response looks similar to the following example.

      { "endpointAddress": "device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com" }
  2. Create an Amazon VPC interface for Amazon IoT data and Amazon IoT credentials endpoints:

    1. Open the Amazon VPC console. Under Virtual private cloud in the left menu, choose Endpoints, then choose Create Endpoint.

    2. In the Create endpoint page, specify the following information.

      • Choose Amazon Web Services for Service category.

      • For Service Name, search by entering the keyword iot. In the list of iot services displayed, choose the endpoint.

        If you create a VPC endpoint for Amazon IoT Core data plane, choose the Amazon IoT Core data plane API endpoint for your Region. The endpoint will be of the format com.amazonaws.region.iot.data.

        If you create a VPC endpoint for Amazon IoT Core credential provider, choose the Amazon IoT Core credential provider endpoint for your Region. The endpoint will be of the format com.amazonaws.region.iot.credentials.

        Note

        The service name for the Amazon IoT Core data plane in China Regions has the format cn.com.amazonaws.region.iot.data. Creating VPC endpoints for the Amazon IoT Core credential provider is not supported in China Regions.

      • For VPC and Subnets, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network interfaces.

      • For Enable DNS name, make sure that Enable for this endpoint is not selected. Neither Amazon IoT Core data plane nor Amazon IoT Core credential provider supports private DNS names yet.

      • For Security group, choose the security groups you want to associate with the endpoint network interfaces.

      • Optionally, you can add or remove tags. Tags are name-value pairs that you associate with your endpoint.

    3. To create your VPC endpoint, choose Create endpoint.

  3. After you create the Amazon PrivateLink endpoint, the Details tab of the endpoint lists its DNS names. Use one of these DNS names to configure the record in your private hosted zone.

  4. Create an Amazon S3 endpoint. For more information, see Create a VPC endpoint for Amazon S3.

  5. If you are using Amazon-provided Greengrass components, additional endpoints and configuration may be required. To view the endpoint requirements, select the component from the list of Amazon-provided components and look at the Requirements section. For example, the log manager component requirements state that the component must be able to make outbound requests to the endpoint logs.region.amazonaws.com.

    If you are using your own component, you may need to review the dependencies and perform additional testing to determine if any additional endpoints are required.

  6. In the Greengrass nucleus configuration, greengrassDataPlaneEndpoint must be set to iotdata. For more information, see Greengrass nucleus configuration.

  7. If you are in the us-east-1 region, set the configuration parameter s3EndpointType to REGIONAL in the Greengrass nucleus configuration. This feature is available for Greengrass nucleus versions 2.11.3 or later.

Example: Component configuration

  {
    "aws.greengrass.Nucleus": {
      "configuration": {
        "awsRegion": "us-east-1",
        "iotCredEndpoint": "xxxxxx.credentials.iot.region.amazonaws.com",
        "iotDataEndpoint": "xxxxxx-ats.iot.region.amazonaws.com",
        "greengrassDataPlaneEndpoint": "iotdata",
        "s3EndpointType": "REGIONAL"
        ...
      }
    }
  }

The following table gives the VPC endpoint service name, endpoint type, and corresponding custom private DNS alias for each service.

Service: Amazon IoT data
  VPC endpoint service name: com.amazonaws.region.iot.data
  VPC endpoint type: Interface
  Custom private DNS alias: prefix-ats.iot.region.amazonaws.com
  Notes: The private DNS record should match your account's Amazon IoT data endpoint, as returned by aws iot describe-endpoint --endpoint-type iot:Data-ATS.

Service: Amazon IoT Credentials
  VPC endpoint service name: com.amazonaws.region.iot.credentials
  VPC endpoint type: Interface
  Custom private DNS alias: prefix.credentials.iot.region.amazonaws.com
  Notes: The private DNS record should match your account's Amazon IoT Credentials endpoint, as returned by aws iot describe-endpoint --endpoint-type iot:CredentialProvider.

Service: Amazon S3
  VPC endpoint service name: com.amazonaws.region.s3
  VPC endpoint type: Interface
  Notes: The DNS record is automatically created.
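As an added consistency check that is not part of the Greengrass documentation or the nucleus itself, the following Python takes constructed describe-endpoint responses and a constructed nucleus configuration, derives the private DNS records the iot.data and iot.credentials endpoints must carry (the table above), and reports where the configuration diverges from steps 1, 6 and 7 of the procedure. The endpoint prefixes and the function names are assumptions made for the example.

```python
import json
import re

# Constructed sample responses, shaped like the `aws iot describe-endpoint`
# output shown in step 1 above (prefixes are made up for this example).
DATA_ATS_RESPONSE = '{"endpointAddress": "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"}'
CRED_RESPONSE = '{"endpointAddress": "c6d7e8f9g0h1i2.credentials.iot.us-east-1.amazonaws.com"}'

# Constructed nucleus configuration with two deliberate mistakes: a stale
# iotDataEndpoint and no s3EndpointType although the Region is us-east-1.
NUCLEUS_CONFIG = '''
{ "aws.greengrass.Nucleus": { "configuration": {
    "awsRegion": "us-east-1",
    "iotCredEndpoint": "c6d7e8f9g0h1i2.credentials.iot.us-east-1.amazonaws.com",
    "iotDataEndpoint": "old000000000-ats.iot.us-east-1.amazonaws.com",
    "greengrassDataPlaneEndpoint": "iotdata" } } }
'''

def required_private_dns(data_ats_json, cred_json):
    """The private DNS records the iot.data and iot.credentials VPC endpoints
    must carry: exactly the account's own endpoint addresses."""
    return {
        "iotDataEndpoint": json.loads(data_ats_json)["endpointAddress"],
        "iotCredEndpoint": json.loads(cred_json)["endpointAddress"],
    }

def check_nucleus_config(config_json, expected):
    """Return a list of findings; an empty list means the config follows the steps."""
    cfg = json.loads(config_json)["aws.greengrass.Nucleus"]["configuration"]
    findings = []
    for key, want in expected.items():
        if cfg.get(key) != want:
            findings.append(f"{key}: got {cfg.get(key)!r}, private DNS record is {want!r}")
        # The Region embedded in the endpoint hostname must match awsRegion.
        m = re.search(r"\.iot\.([a-z0-9-]+)\.amazonaws\.com$", want)
        if m and m.group(1) != cfg.get("awsRegion"):
            findings.append(f"{key}: endpoint Region {m.group(1)} != awsRegion {cfg.get('awsRegion')}")
    if cfg.get("greengrassDataPlaneEndpoint") != "iotdata":
        findings.append("greengrassDataPlaneEndpoint must be 'iotdata' to operate in a VPC")
    if cfg.get("awsRegion") == "us-east-1" and cfg.get("s3EndpointType") != "REGIONAL":
        findings.append("s3EndpointType must be 'REGIONAL' in us-east-1 (nucleus 2.11.3 or later)")
    return findings

if __name__ == "__main__":
    expected = required_private_dns(DATA_ATS_RESPONSE, CRED_RESPONSE)
    for finding in check_nucleus_config(NUCLEUS_CONFIG, expected):
        print("FINDING:", finding)
```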