# Using Amazon IoT Device Management secure tunneling with interface VPC endpoints
<a name="IoTCore-ST-VPC"></a>

Amazon IoT Device Management secure tunneling supports interface VPC endpoints. You can use VPC endpoints to keep traffic between your VPC and Amazon IoT Secure Tunneling within the Amazon network, without requiring an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection.

Interface VPC endpoints are powered by [Amazon PrivateLink](https://docs.amazonaws.cn//vpc/latest/privatelink/what-is-privatelink.html), a technology that enables you to privately access services by using private IP addresses. For more information, see [Access an Amazon service using an interface VPC endpoint](https://docs.amazonaws.cn//vpc/latest/privatelink/create-interface-endpoint.html) in the Amazon PrivateLink Guide. 

**Topics**
+ [Prerequisites](#Create-ST-VPC-endpoints-prereq)
+ [Receiving tunnel notifications through VPC endpoints](#ST-VPC-Receive-notifications)
+ [Creating VPC endpoints for secure tunneling](#Create-ST-VPC-endpoints-Create)
+ [Configuring VPC endpoint policies on Proxy Server](#Create-ST-VPC-endpoints-Configure)
+ [Next steps](#Create-ST-VPC-endpoints-Next)

## Prerequisites
<a name="Create-ST-VPC-endpoints-prereq"></a>

Before you create VPC endpoints for Amazon IoT Secure Tunneling, verify that you have the following:
+ An Amazon account with the necessary permissions to create VPC endpoints.
+ A VPC in your Amazon account.
+ Understanding of Amazon IoT Device Management secure tunneling concepts.
+ Familiarity with VPC endpoint policies and Amazon Identity and Access Management (IAM).

## Receiving tunnel notifications through VPC endpoints
<a name="ST-VPC-Receive-notifications"></a>

To receive tunnel notifications through a VPC endpoint, your devices can connect to the Amazon IoT Core data plane through a VPC endpoint and subscribe to the secure tunneling reserved MQTT topic.

For instructions on how to create and configure a VPC endpoint in the Amazon IoT Core data plane, see [Using Amazon IoT Core with interface VPC endpoints](https://docs.amazonaws.cn/iot/latest/developerguide/IoTCore-VPC.html) in the Amazon IoT Developer Guide.

## Creating VPC endpoints for secure tunneling
<a name="Create-ST-VPC-endpoints-Create"></a>

You can create VPC endpoints for both the secure tunneling control plane and the proxy server.

**To create a VPC endpoint for secure tunneling**

1. Follow the steps in [Creating an interface endpoint](https://docs.amazonaws.cn//vpc/latest/privatelink/create-interface-endpoint.html) in the Amazon VPC Developer Guide.

1. For **Service name**, choose one of the following options based on your endpoint type:

   **Control plane**
   + Standard: `com.amazonaws.<region>.iot.tunneling.api`
   + FIPS (available in FIPS regions): `com.amazonaws.<region>.iot-fips.tunneling.api`

   **Proxy server**
   + Standard: `com.amazonaws.<region>.iot.tunneling.data`
   + FIPS (available in FIPS regions): `com.amazonaws.<region>.iot-fips.tunneling.data`

   Replace `<region>` with your Amazon Web Services Region, for example `us-east-1`.

1. Complete the remaining steps in the VPC endpoint creation process according to your network requirements.
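The procedure above is written for the console. The following added example (not AWS code, and not part of this page) builds the equivalent `aws ec2 create-vpc-endpoint` command from the service names listed above, so the Region, FIPS and endpoint-type choices are made in one place and the proxy server endpoint can be created with its policy document attached from the start. The VPC, subnet, security group IDs and policy file name are placeholders you replace with your own.

```python
"""Build (and optionally run) the AWS CLI command that creates a Secure
Tunneling interface VPC endpoint.  Added example, not AWS code."""
import subprocess

# Service-name suffixes from this page, keyed by (endpoint type, FIPS).
_SUFFIX = {
    ("control-plane", False): "iot.tunneling.api",
    ("control-plane", True): "iot-fips.tunneling.api",
    ("proxy-server", False): "iot.tunneling.data",
    ("proxy-server", True): "iot-fips.tunneling.data",
}


def service_name(region, endpoint_type, fips=False):
    """Return the PrivateLink service name for the chosen endpoint type,
    e.g. com.amazonaws.us-east-1.iot.tunneling.data for the proxy server."""
    if not region or any(c.isspace() for c in region):
        raise ValueError("region must be a Region code such as us-east-1")
    try:
        suffix = _SUFFIX[(endpoint_type, fips)]
    except KeyError:
        raise ValueError(f"unknown endpoint type: {endpoint_type!r}") from None
    return f"com.amazonaws.{region}.{suffix}"


def create_endpoint_command(region, endpoint_type, vpc_id, subnet_ids,
                            security_group_ids, policy_file=None, fips=False):
    """Assemble the argument list for `aws ec2 create-vpc-endpoint`.

    policy_file is a local path to an endpoint policy document; the policy
    examples on this page apply to the proxy server endpoint.
    """
    if not subnet_ids or not security_group_ids:
        raise ValueError("at least one subnet and one security group are required")
    cmd = [
        "aws", "ec2", "create-vpc-endpoint",
        "--region", region,
        "--vpc-endpoint-type", "Interface",
        "--vpc-id", vpc_id,
        "--service-name", service_name(region, endpoint_type, fips),
        "--subnet-ids", *subnet_ids,
        "--security-group-ids", *security_group_ids,
    ]
    if policy_file:
        cmd += ["--policy-document", f"file://{policy_file}"]
    return cmd


def run(cmd):
    """Execute the command with the caller's AWS credentials; returns stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Placeholder IDs (constructed); replace with your own before running.
    print(" ".join(create_endpoint_command(
        "us-east-1", "proxy-server", "vpc-0123456789abcdef0",
        ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"],
        policy_file="proxy-endpoint-policy.json")))
```

Running the module prints the command rather than executing it; call `run(...)` on the returned list once the IDs and policy file are correct. The security group you attach should allow inbound HTTPS (TCP 443) only from the subnets your devices use, since it is the first thing a device hits before the endpoint policy is evaluated.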

## Configuring VPC endpoint policies on Proxy Server
<a name="Create-ST-VPC-endpoints-Configure"></a>

In addition to client access token-based authorization that is used to authorize connections to tunnels, you can use VPC endpoint policies to further restrict how devices can use a VPC endpoint to connect to the Secure Tunneling Proxy Server. VPC endpoint policies follow an IAM-like syntax and are configured on the VPC endpoint itself.

Note that the only supported IAM action for proxy server VPC endpoint policies is `iot:ConnectToTunnel`. 

Below are examples of different VPC endpoint policies.

### Proxy server VPC endpoint policy examples
<a name="w2aac17c35c31c15b9"></a>

The following examples show Proxy Server VPC endpoint policy configurations for common use cases.

**Example - Default policy**  
This policy allows devices within your VPC to connect to any tunnel in the same Amazon Web Services Region where the endpoint is created, across any Amazon account.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

**Example - Restrict access to specific Amazon accounts**  
This policy allows the VPC endpoint to connect only to tunnels in specific Amazon accounts.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*",
                "arn:aws:iot:us-east-1:444455556666:tunnel/*"
            ]
        }
    ]
}
```

**Example - Restrict connections by tunnel endpoint**  
You can restrict VPC endpoint access so that devices can connect only to the source end, or only to the destination end, of a tunnel.  
Source only:  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "source"
                }
            }
        }
    ]
}
```

Destination only:

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "destination"
                }
            }
        }
    ]
}
```

**Example - Restrict access based on resource tags**  
This policy allows the VPC endpoint to connect only to tunnels that are tagged with a specific key-value pair.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Environment": "Production"
                }
            }
        }
    ]
}
```

**Example - Combined policy conditions**  
This policy demonstrates combining multiple policy elements. It allows connections to any tunnel in a specific Amazon account, but only if the tunnel is tagged with `AllowConnectionsThroughPrivateLink` set to `true` and the client is not connecting to the destination end of the tunnel.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AllowConnectionsThroughPrivateLink": "true"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "destination"
                }
            }
        }
    ]
}
```
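The "Restrict connections by tunnel endpoint" and "Combined policy conditions" examples above both rely on the standard IAM evaluation order: a request is implicitly denied unless an Allow statement matches, and an explicit Deny overrides any Allow. The following added example (not AWS code, and not part of this page) is a small offline evaluator that applies those rules to the combined policy so you can see which statement decides each connection attempt before the policy is attached to the endpoint. It models only the `StringEquals` and `StringNotEquals` condition operators; the tunnel ARNs, tags and client modes it feeds in are constructed sample inputs.

```python
"""Offline evaluator for Secure Tunneling proxy-server VPC endpoint policies.
Added example, not AWS code: implicit deny, explicit Deny overrides Allow."""
import fnmatch
import json


def _as_list(value):
    """Action and Resource may be written as a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """Case-sensitive wildcard match, as used for action names and ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    """Evaluate a Condition block.  A key absent from the request context
    (for example an untagged tunnel) never satisfies StringEquals."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one connection attempt.

    action   -- proxy-server endpoint policies support only iot:ConnectToTunnel
    resource -- ARN of the tunnel being connected to
    context  -- request keys: iot:ClientMode and aws:ResourceTag/<key> entries
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


# The "Combined policy conditions" example from this page.
COMBINED_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "iot:ConnectToTunnel",
     "Resource": ["arn:aws:iot:us-east-1:111122223333:tunnel/*"],
     "Condition": {"StringEquals":
       {"aws:ResourceTag/AllowConnectionsThroughPrivateLink": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "iot:ConnectToTunnel",
     "Resource": ["arn:aws:iot:us-east-1:111122223333:tunnel/*"],
     "Condition": {"StringEquals": {"iot:ClientMode": "destination"}}}
  ]
}""")

ACTION = "iot:ConnectToTunnel"
# Constructed sample tunnel ARNs using the page's placeholder account IDs.
TUNNEL_IN_ACCOUNT = "arn:aws:iot:us-east-1:111122223333:tunnel/sample-tunnel"
TUNNEL_ELSEWHERE = "arn:aws:iot:us-east-1:444455556666:tunnel/sample-tunnel"
TAGGED = {"aws:ResourceTag/AllowConnectionsThroughPrivateLink": "true"}


def check_combined_policy():
    """Four connection attempts; the comment says which rule decides each."""
    return {
        # Allow statement matches, Deny statement does not.
        "source_tagged": evaluate(COMBINED_POLICY, ACTION, TUNNEL_IN_ACCOUNT,
                                  {**TAGGED, "iot:ClientMode": "source"}),
        # Both statements match; the explicit Deny wins.
        "destination_tagged": evaluate(COMBINED_POLICY, ACTION, TUNNEL_IN_ACCOUNT,
                                       {**TAGGED, "iot:ClientMode": "destination"}),
        # Tag missing, so the Allow condition fails: implicit deny.
        "source_untagged": evaluate(COMBINED_POLICY, ACTION, TUNNEL_IN_ACCOUNT,
                                    {"iot:ClientMode": "source"}),
        # Tunnel in another account: no statement's Resource matches.
        "source_other_account": evaluate(COMBINED_POLICY, ACTION, TUNNEL_ELSEWHERE,
                                         {**TAGGED, "iot:ClientMode": "source"}),
    }
```

Calling `check_combined_policy()` returns `Allow` only for the tagged, source-side connection in account `111122223333`; the other three attempts are denied, two of them implicitly (no matching Allow) and one explicitly (the Deny on `iot:ClientMode: destination`). Feeding your own draft policy into `evaluate` with the tunnels and client modes you expect to see is a cheap way to catch an over-broad `Resource: "*"` or a tag-key typo before devices depend on the endpoint.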

## Next steps
<a name="Create-ST-VPC-endpoints-Next"></a>

After you create and configure your VPC endpoints for Amazon IoT Secure Tunneling, consider the following:
+ Test your VPC endpoint configuration by connecting devices through the endpoint.
+ Monitor VPC endpoint usage through Amazon CloudWatch metrics.
+ Review and update your VPC endpoint policies as needed for your security requirements.

For more information about Amazon IoT Device Management secure tunneling, see [Amazon IoT Secure Tunneling](https://docs.amazonaws.cn//iot/latest/developerguide/secure-tunneling.html). 