Amazon IoT Greengrass and interface VPC endpoints (Amazon PrivateLink)
You can establish a private connection between your VPC and the Amazon IoT Greengrass control plane by creating an interface VPC endpoint. You can use this endpoint to manage components, deployments, and core devices in the Amazon IoT Greengrass service. Interface endpoints are powered by Amazon PrivateLink.
Currently, you can't configure Greengrass core devices to operate completely within your VPC.
Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.
For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
Considerations for Amazon IoT Greengrass VPC endpoints
Before you set up an interface VPC endpoint for Amazon IoT Greengrass, review Interface endpoint properties and limitations in the Amazon VPC User Guide. Additionally, be aware of the following considerations:
- Amazon IoT Greengrass supports making calls to all of its control plane API actions from your VPC. The control plane includes operations such as CreateDeployment and ListEffectiveDeployments. The control plane does not include operations such as ResolveComponentCandidates and Discover, which are data plane operations.
- VPC endpoints for Amazon IoT Greengrass are currently not supported in Amazon China Regions.
Create an interface VPC endpoint for Amazon IoT Greengrass control plane operations
You can create a VPC endpoint for the Amazon IoT Greengrass control plane using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for Amazon IoT Greengrass using the following service name:
- com.amazonaws.region.greengrass (where region is the code for your Region, such as us-east-1)
If you enable private DNS for the endpoint, you can make API requests to Amazon IoT Greengrass using its default DNS name for the Region, for example, greengrass.us-east-1.amazonaws.com. Private DNS is enabled by default.
For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon IoT Greengrass
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT Greengrass control plane operations. The policy specifies the following information:
- The principal that can perform actions.
- The actions that the principal can perform.
- The resources that the principal can perform actions on.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon IoT Greengrass actions
The following is an example of an endpoint policy for Amazon IoT Greengrass. When attached to an endpoint, this policy grants access to the listed Amazon IoT Greengrass actions for all principals on all resources.
{
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateDeployment",
                "greengrass:ListEffectiveDeployments"
            ],
            "Resource": "*"
        }
    ]
}
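The following Python is an added example, not part of the Amazon documentation: it derives the endpoint service name and private DNS name for a Region as described above, builds an endpoint policy scoped to a single account (the account ID is a constructed placeholder) while rejecting the data plane operations the endpoint does not serve, and audits a policy such as the one above for the wildcard principal it grants.

```python
import json

# Operation names taken from this page: the first set are control plane
# actions the endpoint carries, the second are data plane operations it does not.
CONTROL_PLANE_EXAMPLES = {"CreateDeployment", "ListEffectiveDeployments"}
DATA_PLANE_OPERATIONS = {"ResolveComponentCandidates", "Discover"}


def endpoint_service_name(region):
    """Service name to use when creating the interface endpoint."""
    return f"com.amazonaws.{region}.greengrass"


def private_dns_name(region):
    """Default Regional DNS name that private DNS resolves to the endpoint."""
    return f"greengrass.{region}.amazonaws.com"


def build_scoped_endpoint_policy(account_id, actions, resource="*"):
    """Endpoint policy limited to one account and to control plane actions.

    account_id is a hypothetical caller-supplied value. Data plane operations
    are rejected: the endpoint never serves them, so listing them only hides
    what the policy really permits.
    """
    names = [a.split(":", 1)[-1] for a in actions]
    unsupported = sorted(set(names) & DATA_PLANE_OPERATIONS)
    if unsupported:
        raise ValueError(f"not served by this endpoint: {unsupported}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": [f"greengrass:{n}" for n in names],
            "Resource": resource,
        }],
    }


def audit_endpoint_policy(policy):
    """Return findings for Allow statements that grant more than they need."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: allows any principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "greengrass:*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
    return findings


if __name__ == "__main__":
    policy = build_scoped_endpoint_policy("123456789012", ["greengrass:CreateDeployment"])
    print(json.dumps(policy, indent=2))
```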