Amazon IoT SiteWise and interface VPC endpoints (Amazon PrivateLink)
You can establish a private connection between your virtual private cloud (VPC) and Amazon IoT SiteWise by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink. Each interface endpoint is represented by one or more elastic network interfaces in your subnets.
For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
Considerations for Amazon IoT SiteWise VPC endpoints
Before you set up an interface VPC endpoint for Amazon IoT SiteWise, review the Interface endpoint properties and limitations in the Amazon VPC User Guide.
Amazon IoT SiteWise supports making calls to the following Amazon IoT SiteWise API operations from your VPC:
- For all the data plane API operations, use the following endpoint:
  data.iotsitewise.cn-north-1.amazonaws.com.cn
  The data plane API operations include BatchGetAssetPropertyValue, BatchGetAssetPropertyValueHistory, BatchPutAssetPropertyValue, GetAssetPropertyAggregates, GetAssetPropertyValue, GetAssetPropertyValueHistory, and GetInterpolatedAssetPropertyValues.
- For the control plane API operations that you use to manage asset models, assets, SiteWise Edge gateways, tags, and account configurations, use the following endpoint:
  api.iotsitewise.cn-north-1.amazonaws.com.cn
  The supported control plane API operations include AssociateAssets, CreateAsset, CreateAssetModel, DeleteAsset, DeleteAssetModel, DeleteDashboard, DescribeAsset, DescribeAssetModel, DescribeAssetProperty, DescribeDashboard, DescribeLoggingOptions, DisassociateAssets, ListAssetModels, ListAssetRelationships, ListAssets, ListAssociatedAssets, PutLoggingOptions, UpdateAsset, UpdateAssetModel, UpdateAssetProperty, CreateGateway, DeleteGateway, DescribeGateway, DescribeGatewayCapabilityConfiguration, ListGateways, UpdateGateway, DescribeDefaultEncryptionConfiguration, ListTagsForResource, PutDefaultEncryptionConfiguration, TagResource, and UntagResource.
Note
The interface VPC endpoint for the control plane API operations currently doesn't support making calls to the following SiteWise Monitor API operations: BatchAssociateProjectAssets, BatchDisassociateProjectAssets, CreateAccessPolicy, CreateDashboard, CreatePortal, CreateProject, DeleteAccessPolicy, DeletePortal, DeleteProject, DescribeAccessPolicy, DescribePortal, DescribeProject, ListAccessPolicies, ListDashboards, ListPortals, ListProjectAssets, ListProjects, UpdateAccessPolicy, UpdateDashboard, UpdatePortal, and UpdateProject.
Creating an interface VPC endpoint for Amazon IoT SiteWise
You can create a VPC endpoint for the Amazon IoT SiteWise service. You can use either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for Amazon IoT SiteWise by using one of the following service names:
- For the data plane API operations, use the following service name:
  com.cn.amazonaws.cn-north-1.iotsitewise.data
- For the control plane API operations, use the following service name:
  com.cn.amazonaws.cn-north-1.iotsitewise.api
Accessing Amazon IoT SiteWise through an interface VPC endpoint
When you create an interface endpoint, we generate endpoint-specific DNS hostnames that you can use to communicate with Amazon IoT SiteWise. The private DNS option is enabled by default. For more information, see Using private hosted zones in the Amazon VPC User Guide.
If you enable private DNS for the endpoint, you can make API requests to Amazon IoT SiteWise through one of the following VPC endpoints.
- For the data plane API operations, use the following endpoint:
  data.iotsitewise.cn-north-1.amazonaws.com.cn
- For the control plane API operations, use the following endpoint:
  api.iotsitewise.cn-north-1.amazonaws.com.cn
If you disable private DNS for the endpoint, you must do the following to access Amazon IoT SiteWise through the endpoint:
- Specify the VPC endpoint URL in API requests.
  - For the data plane API operations, use the following endpoint URL. Replace vpc-endpoint-id with your VPC endpoint ID.
    vpc-endpoint-id.data.iotsitewise.cn-north-1.vpce.amazonaws.com.cn
  - For the control plane API operations, use the following endpoint URL. Replace vpc-endpoint-id with your VPC endpoint ID.
    vpc-endpoint-id.api.iotsitewise.cn-north-1.vpce.amazonaws.com.cn
- Disable host prefix injection. The Amazon CLI and Amazon SDKs prepend the service endpoint with various host prefixes when you call each API operation. When you specify a VPC endpoint URL, this feature causes the Amazon CLI and Amazon SDKs to produce URLs that are not valid for Amazon IoT SiteWise.
Important
You can't disable host prefix injection in the Amazon CLI or the Amazon Tools for PowerShell. This means that if you disable private DNS, then you can't use these tools to access Amazon IoT SiteWise through the VPC endpoint. Enable private DNS to use the Amazon CLI or the Amazon Tools for PowerShell to access Amazon IoT SiteWise through the endpoint.
For more information about how to disable host prefix injection in the Amazon SDKs, see the following documentation sections for each SDK:
For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.
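The private DNS and host prefix rules above, as an added example that is not from the AWS documentation: it builds the two hostnames the page lists, shows the invalid host an SDK produces when host prefix injection stays on, and configures a boto3 client with injection disabled (botocore's `Config(inject_host_prefix=False)`) for an endpoint whose private DNS is off. The `vpce-...` endpoint ID format and the `data.`/`api.` prefixes are assumptions that mirror the hostnames on this page.

```python
"""Added example, not from the AWS documentation: build the Amazon IoT SiteWise
hostnames for cn-north-1 and configure boto3 for a VPC endpoint whose private
DNS is disabled. Assumes boto3/botocore are installed when make_client() runs."""
import re
from typing import Optional
from urllib.parse import urlsplit

REGION = "cn-north-1"
# Prefixes the SDKs prepend per operation family; they mirror the two
# hostnames the page lists (data. = data plane, api. = control plane).
HOST_PREFIX = {"data": "data.", "api": "api."}
# Hostnames the service accepts: the regional names or the endpoint-specific
# names from the page (the vpce-... ID format is an assumption).
VALID_HOST = re.compile(
    rf"^(?:(?:data|api)\.iotsitewise\.{REGION}\.amazonaws\.com\.cn"
    rf"|vpce-[0-9a-z-]+\.(?:data|api)\.iotsitewise\.{REGION}\.vpce\.amazonaws\.com\.cn)$")

def sitewise_url(plane: str, vpc_endpoint_id: Optional[str] = None) -> str:
    """URL for the 'data' or 'api' (control) plane. No ID: private DNS is on and
    the regional hostname resolves inside the VPC. With an ID: the
    endpoint-specific hostname for an endpoint whose private DNS is off."""
    if plane not in HOST_PREFIX:
        raise ValueError(f"plane must be 'data' or 'api', got {plane!r}")
    if vpc_endpoint_id is None:
        return f"https://{plane}.iotsitewise.{REGION}.amazonaws.com.cn"
    return f"https://{vpc_endpoint_id}.{plane}.iotsitewise.{REGION}.vpce.amazonaws.com.cn"

def injected_url(endpoint_url: str, plane: str) -> str:
    """What an SDK sends when host prefix injection stays on: the plane prefix
    is prepended to whatever endpoint_url was configured."""
    p = urlsplit(endpoint_url)
    return f"{p.scheme}://{HOST_PREFIX[plane]}{p.netloc}{p.path}"

def host_is_valid(url: str) -> bool:
    """True if the URL's host is one the service accepts (no doubled prefix)."""
    return VALID_HOST.match(urlsplit(url).netloc) is not None

def make_client(plane: str, vpc_endpoint_id: Optional[str] = None):
    """Private DNS on (no ID): defaults are fine, injection turns the regional
    endpoint into the data./api. name. Private DNS off: use the vpce URL and
    switch injection off, or the SDK sends the host injected_url() shows."""
    import boto3
    from botocore.config import Config
    if vpc_endpoint_id is None:
        return boto3.client("iotsitewise", region_name=REGION)
    return boto3.client("iotsitewise", region_name=REGION,
                        endpoint_url=sitewise_url(plane, vpc_endpoint_id),
                        config=Config(inject_host_prefix=False))
```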
Creating a VPC endpoint policy for Amazon IoT SiteWise
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT SiteWise. The policy specifies the following information:
- The principal that can perform operations.
- The operations that can be performed.
- The resources on which operations can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon IoT SiteWise actions
The following is an example of an endpoint policy for Amazon IoT SiteWise. When attached to an endpoint, this policy grants access to the listed Amazon IoT SiteWise actions for the user iotsitewiseadmin in Amazon Web Services account 123456789012 on the specified asset.

```json
{
  "Statement": [
    {
      "Action": [
        "iotsitewise:CreateAsset",
        "iotsitewise:ListGateways",
        "iotsitewise:ListTagsForResource"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws-cn:iotsitewise:cn-north-1:123456789012:asset/a1b2c3d4-5678-90ab-cdef-33333EXAMPLE",
      "Principal": {
        "AWS": [
          "arn:aws-cn:iam::123456789012:user/iotsitewiseadmin"
        ]
      }
    }
  ]
}
```
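To check what an endpoint policy like the one above actually permits before attaching it, here is an added evaluator (not from the AWS documentation) that applies IAM's rules of explicit deny over allow over implicit deny to constructed requests. It embeds the page's example policy with the principal written as an IAM user ARN, and handles only the Effect, Action, Resource and Principal.AWS fields (no Condition, NotAction or NotResource).

```python
"""Added example, not from the AWS documentation: evaluate a VPC endpoint
policy against constructed requests. Embeds the page's example policy with
the principal written as an IAM user ARN. Handles Effect, Action, Resource
and Principal.AWS only (no Condition / NotAction / NotResource)."""
import json
from fnmatch import fnmatchcase

POLICY = json.loads("""{"Statement": [{
  "Action": ["iotsitewise:CreateAsset", "iotsitewise:ListGateways",
             "iotsitewise:ListTagsForResource"],
  "Effect": "Allow",
  "Resource": "arn:aws-cn:iotsitewise:cn-north-1:123456789012:asset/a1b2c3d4-5678-90ab-cdef-33333EXAMPLE",
  "Principal": {"AWS": ["arn:aws-cn:iam::123456789012:user/iotsitewiseadmin"]}
}]}""")

def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    principal = stmt.get("Principal", {})
    if principal == "*":                      # anonymous / everyone
        return True
    patterns = _as_list(principal.get("AWS", []))
    return any(fnmatchcase(principal_arn, p) for p in patterns)

def evaluate(policy: dict, principal_arn: str, action: str, resource_arn: str) -> str:
    """IAM-style decision for one request: an explicit Deny wins, a matching
    Allow grants, and anything no statement matches is implicitly denied.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

The same function checks a tightened policy, for example one that allows `iotsitewise:*` but explicitly denies `iotsitewise:Delete*`, which is the shape a defender usually wants on a shared endpoint.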