Amazon IoT Greengrass and interface VPC endpoints (Amazon PrivateLink)
You can establish a private connection between your VPC and the Amazon IoT Greengrass control plane by
creating an interface VPC endpoint. You can use this endpoint to manage
components, deployments, and core devices in the Amazon IoT Greengrass service. Interface endpoints are powered
by Amazon PrivateLink
Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.
For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
Topics
Considerations for Amazon IoT Greengrass VPC endpoints
Before you set up an interface VPC endpoint for Amazon IoT Greengrass, review Interface endpoint properties and limitations in the Amazon VPC User Guide. Additionally, be aware of the following considerations:
-
Amazon IoT Greengrass supports making calls to all of its control plane API actions from your VPC. The control plane includes operations such as CreateDeployment and ListEffectiveDeployments. The control plane does not include operations such as ResolveComponentCandidates and Discover, which are data plane operations.
-
VPC endpoints for Amazon IoT Greengrass are currently not supported in Amazon China Regions.
Create an interface VPC endpoint for Amazon IoT Greengrass control plane operations
You can create a VPC endpoint for the Amazon IoT Greengrass control plane using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for Amazon IoT Greengrass using the following service name:
-
com.amazonaws.
region
.greengrass
If you enable private DNS for the endpoint, you can make API requests to Amazon IoT Greengrass using its
default DNS name for the Region, for example, greengrass.us-east-1.amazonaws.com
.
Private DNS is enabled by default.
For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon IoT Greengrass
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT Greengrass control plane operations. The policy specifies the following information:
-
The principal that can perform actions.
-
The actions that the principal can perform.
-
The resources that the principal can perform actions on.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon IoT Greengrass actions
The following is an example of an endpoint policy for Amazon IoT Greengrass. When attached to an endpoint, this policy grants access to the listed Amazon IoT Greengrass actions for all principals on all resources.
{ "Statement": [ { "Principal": "*", "Effect": "Allow", "Action": [ "greengrass:CreateDeployment", "greengrass:ListEffectiveDeployments" ], "Resource": "*" } ] }
Operate an Amazon IoT Greengrass core device in VPC
You can operate a Greengrass core device and perform deployments in VPC without public internet access. At a minimum, you must set up the following VPC endpoints with the corresponding DNS aliases. For more information about how to create and use VPC endpoints, see Create a VPC endpoint in the Amazon VPC User Guide.
Note
The VPC feature for automatically creating a DNS record is disabled for Amazon IoT data and Amazon IoT Credentials. To connect these endpoints, you must manually create a Private DNS record. For more information, see Private DNS for interface endpoints. For more information about Amazon IoT Core VPC limitations, see Limitations of VPC endpoints.
Prerequisites
-
You must install the Amazon IoT Greengrass Core software using the manual provisioning steps. For more information, see Install Amazon IoT Greengrass Core software with manual resource provisioning.
Limitations
-
Operating a Greengrass core device in VPC is not supported in China Regions and Amazon GovCloud (US) Regions.
-
For more information about limitations of Amazon IoT data and Amazon IoT credential provider VPC endpoints, see Limitations.
Set up your Greengrass core device to operate in VPC
-
Get the Amazon IoT endpoints for your Amazon Web Services account, and save them to use later. Your device uses these endpoints to connect to Amazon IoT. Do the following:
-
Get the Amazon IoT data endpoint for your Amazon Web Services account.
aws iot describe-endpoint --endpoint-type iot:Data-ATS
The response looks similar to the following example, if the request succeeds.
{ "endpointAddress": "
device-data-prefix
-ats.iot.us-west-2.amazonaws.com" } -
Get the Amazon IoT credentials endpoint for your Amazon Web Services account.
aws iot describe-endpoint --endpoint-type iot:CredentialProvider
The response looks similar to the following example, if the request succeeds.
{ "endpointAddress": "
device-credentials-prefix
.credentials.iot.us-west-2.amazonaws.com" }
-
-
Create an Amazon VPC interface for Amazon IoT data and Amazon IoT credentials endpoints:
-
Navigate to the VPC
Endpoints console, under Virtual private cloud on the left menu, choose Endpoints then Create Endpoint. -
In the Create endpoint page, specify the following information.
-
Choose Amazon Web Services services for Service category.
-
For Service Name, search by entering the keyword
iot
. In the list ofiot
services displayed, choose the endpoint.If you create a VPC endpoint for Amazon IoT Core data plane, choose the Amazon IoT Core data plane API endpoint for your Region. The endpoint will be of the format
com.amazonaws.
.region
.iot.dataIf you create a VPC endpoint for Amazon IoT Core credential provider, choose the Amazon IoT Core credential provider endpoint for your Region. The endpoint will be of the format
com.amazonaws.
.region
.iot.credentialsNote
The service name for Amazon IoT Core data plane in China Region will be of the format
cn.com.amazonaws.
. Creating VPC endpoints for Amazon IoT Core credential provider is not supported in China Region.region
.iot.data -
For VPC and Subnets, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.
-
For Enable DNS name, make sure that Enable for this endpoint is not selected. Neither Amazon IoT Core data plane nor Amazon IoT Core credential provider supports private DNS names yet.
-
For Security group, choose the security groups you want to associate with the endpoint network interfaces.
-
Optionally, you can add or remove tags. Tags are name-value pairs that you use to associate with your endpoint.
-
-
To create your VPC endpoint, choose Create endpoint.
-
-
After you create the Amazon PrivateLink endpoint, in the Details tab of your endpoint, you'll see a list of DNS names. You can use one of these DNS names you created in this section to configure your private hosted zone.
-
Create an Amazon S3 endpoint. For more information, see Create a VPC endpoint for Amazon S3.
-
If you are using Amazon-provided Greengrass components, additional endpoints and configurations may be required. To view the endpoints requirements, select the component from the list of Amazon-provided components and look at the Requirements section. For example, the log manager component requirements advise that this component must be able to perform outbound requests to the endpoint
logs.
.region
.amazonaws.comIf you are using your own component, you may need to review the dependencies and perform additional testing to determine if any additional endpoints are required.
-
In Greengrass nucleus configuration,
greengrassDataPlaneEndpoint
must be set toiotdata
. For more information, see Greengrass nucleus configuration. -
If you are in the
us-east-1
region, set the configuration parameters3EndpointType
toREGIONAL
in the Greengrass nucleus configuration. This feature is available for Greengrass nucleus versions 2.11.3 or later.
Example: Component configuration
{ "aws.greengrass.Nucleus": { "configuration": { "awsRegion": "us-east-1", "iotCredEndpoint": "xxxxxx.credentials.iot.region.amazonaws.com", "iotDataEndpoint": "xxxxxx-ats.iot.region.amazonaws.com", "greengrassDataPlaneEndpoint": "iotdata", "s3EndpointType": "REGIONAL" ... } } }
The following table gives information about the corresponding custom private DNS aliases.
Service | VPC endpoint service name | VPC endpoint type | Custom private DNS alias | Notes |
---|---|---|---|---|
Amazon IoT data |
|
Interface |
|
The private DNS record should match your account's Amazon IoT data endpoint:
|
Amazon IoT Credentials |
|
Interface |
|
The private DNS record should match your account Amazon IoT Credentials
endpoint: |
Amazon S3 |
|
Interface |
The DNS record is automatically created. |