Amazon IoT TwinMaker and interface VPC endpoints (Amazon PrivateLink) - Amazon IoT TwinMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT TwinMaker and interface VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your virtual private cloud (VPC) and Amazon IoT TwinMaker by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, which you can use to privately access Amazon IoT TwinMaker APIs without an internet gateway, network address translation (NAT) device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon IoT TwinMaker APIs. Traffic between your VPC and Amazon IoT TwinMaker doesn't leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon IoT TwinMaker VPC endpoints

Before you set up an interface VPC endpoint for Amazon IoT TwinMaker, review Interface endpoint properties and limitations in the Amazon VPC User Guide.

Amazon IoT TwinMaker supports making calls to all of its API actions from your VPC.

Creating an interface VPC endpoint for Amazon IoT TwinMaker

You can create a VPC endpoint for the Amazon IoT TwinMaker service by using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Amazon IoT TwinMaker that uses the following service name.

  • For data plane API operations, use the following service name:

    com.amazonaws.region.iottwinmaker.data
  • For control plane API operations, use the following service name:

    com.amazonaws.region.iottwinmaker.api

If you enable private DNS for the endpoint, you can make API requests to Amazon IoT TwinMaker by using its default DNS name for the Region, for example, iottwinmaker.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Amazon IoT TwinMaker PrivateLink is supported in the following regions:

  • us-east-1

    The ControlPlane service is supported in the following availability zones: use1-az1, use1-az2, and use1-az6.

    The DataPlane service is supported in the following availability zones: use1-az1, use1-az2, and use1-az4.

  • us-west-2

    The ControlPlane and DataPlane services are supported in the following availability zones: usw2-az1, usw2-az2, and usw2-az3.

  • eu-west-1

  • eu-central-1

  • ap-southeast-1

  • ap-southeast-2

For more information on availability zones, see Availability Zone IDs for your Amazon resources - Amazon Resource Access Manager.

Accessing Amazon IoT TwinMaker through an interface VPC endpoint

When you create an interface endpoint, Amazon IoT TwinMaker generates endpoint-specific DNS hostnames that you can use to communicate with Amazon IoT TwinMaker. The private DNS option is enabled by default. For more information, see Using private hosted zones in the Amazon VPC User Guide.

If you enable private DNS for the endpoint, you can make API requests to Amazon IoT TwinMaker through one of the following VPC endpoints.

  • For the data plane API operations, use the following endpoint.

    data.iottwinmaker.cn-north-1.amazonaws.com.cn
  • For the control plane API operations, use the following endpoint.

    data.iottwinmaker.cn-north-1.amazonaws.com.cn

If you disable private DNS for the endpoint, you must do the following to access Amazon IoT TwinMaker through the endpoint:

  • Specify the VPC endpoint URL in API requests.

    • For the data plane API operations, use the following endpoint URL. Replace vpc-endpoint-id with your VPC endpoint ID.

      vpc-endpoint-id.data.iottwinmaker.cn-north-1.vpce.amazonaws.com.cn
    • For the control plane API operations, use the following endpoint URL. Replace vpc-endpoint-id with your VPC endpoint ID.

      vpc-endpoint-id.api.iottwinmaker.cn-north-1.vpce.amazonaws.com.cn
  • Disable host prefix injection. The Amazon CLI and Amazon SDKs prepend the service endpoint with various host prefixes when you call each API operation. This causes the Amazon CLI and Amazon SDKs to produce invalid URLs for Amazon IoT TwinMaker when you specify a VPC endpoint.

    Important

    You can't disable host prefix injection in Amazon CLI or Amazon Tools for PowerShell. This means that if you've disabled private DNS, you won't be able to use Amazon CLI or Amazon Tools for PowerShell to access Amazon IoT TwinMaker through the VPC endpoint. If you want to use these tools to access Amazon IoT TwinMaker through the endpoint, enable private DNS.

    For more information about how to disable host prefix injection in the Amazon SDKs, see the following documentation sections for each SDK:

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon IoT TwinMaker

You can attach an endpoint policy to your VPC endpoint that controls access to Amazon IoT TwinMaker. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon IoT TwinMaker actions

The following is an example of an endpoint policy for Amazon IoT TwinMaker. When attached to an endpoint, this policy grants access to the listed Amazon IoT TwinMaker actions for the IAM user iottwinmakeradmin in the Amazon account 123456789012 on all resources.

{ "Statement":[ { "Principal": { "AWS": "arn:aws:iam::123456789012:user/role" }, "Resource": "*", "Effect":"Allow", "Action":[ "iottwinmaker:CreateEntity", "iottwinmaker:GetScene", "iottwinmaker:ListEntities" ] } ] }