Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon IoT Core with interface VPC endpoints

With Amazon IoT Core, you can create IoT data endpoints within your virtual private cloud (VPC) by using interface VPC endpoints. Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that you can use to access services running on Amazon by using private IP addresses. For more information, see Amazon Virtual Private Cloud.

To connect devices in the field on remote networks, such as a corporate network to your Amazon VPC, refer to the options listed in the Network-to-Amazon VPC connectivity matrix.

Creating VPC endpoints for Amazon IoT Core data plane

You can create a VPC endpoint for the Amazon IoT Core data plane API to connect your devices to Amazon IoT services and other Amazon services. To get started with VPC endpoints, create an interface VPC endpoint and select Amazon IoT Core as the Amazon service. If you are using the CLI, first call describe-vpc-endpoint-services to ensure that you are choosing an Availability Zone where Amazon IoT Core is present in your particular Amazon Web Services Region. For example, in us-east-1, this command looks like:

aws ec2 describe-vpc-endpoint-services --service-name com.amazonaws.us-east-1.iot.data

Note

The VPC feature for automatically creating a DNS record is disabled. To connect to these endpoints, you must manually create a Private DNS record. For more information about Private VPC DNS records, see Private DNS for interface endpoints. For more information about Amazon IoT Core VPC limitations, see Limitations.

To connect MQTT clients to the VPC endpoint interfaces:

  • Within your private hosted zone, create an alias record for each elastic network interface IP for the VPC endpoint. If you have multiple network interface IPs for multiple VPC endpoints, create weighted DNS records with equal weights across all the weighted records. These IP addresses are available from the DescribeNetworkInterfaces API call when filtered by the VPC endpoint ID in the description field.

See the detailed instructions below to Create an Amazon VPC interface endpoint and Configure private hosted zone for Amazon IoT Core data plane.

Creating an Amazon VPC interface endpoint

You can create an interface VPC endpoint to connect to Amazon services powered by Amazon PrivateLink. Use the following procedure to create an interface VPC endpoint that connects to Amazon IoT Core data plane or Amazon IoT Core credential provider. For more information, see Access an Amazon service using an interface VPC endpoint.

Note

The processes to create an Amazon VPC interface endpoint for the Amazon IoT Core data plane and for the Amazon IoT Core credential provider are similar, but you must make endpoint-specific changes to make the connection work.

To create an interface VPC endpoint using VPC Endpoints console

  1. Navigate to the VPC Endpoints console. Under Virtual private cloud in the left menu, choose Endpoints, then choose Create Endpoint.

  2. In the Create endpoint page, specify the following information.

    • Choose Amazon Web Services for Service category.

    • For Service Name, search by entering the keyword iot. In the list of iot services displayed, choose the endpoint.

      If you create a VPC endpoint for Amazon IoT Core data plane, choose the Amazon IoT Core data plane API endpoint for your Region. The endpoint will be of the format com.amazonaws.region.iot.data.

      If you create a VPC endpoint for Amazon IoT Core credential provider, choose the Amazon IoT Core credential provider endpoint for your Region. The endpoint will be of the format com.amazonaws.region.iot.credentials.

      Note

      The service name for Amazon IoT Core data plane in China Region will be of the format cn.com.amazonaws.region.iot.data. Creating VPC endpoints for Amazon IoT Core credential provider is not supported in China Region.

    • For VPC and Subnets, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.

    • For Enable DNS name, make sure that Enable for this endpoint is not selected. Neither Amazon IoT Core data plane nor Amazon IoT Core credential provider supports private DNS names yet.

    • For Security group, choose the security groups you want to associate with the endpoint network interfaces.

    • Optionally, you can add or remove tags. Tags are name-value pairs that you associate with your endpoint.

  3. To create your VPC endpoint, choose Create endpoint.

After you create the Amazon PrivateLink endpoint, the Details tab of your endpoint lists its DNS names. You can use one of these DNS names when you configure your private hosted zone.

Configuring private hosted zone

You can use one of the DNS names of the endpoint you created in the previous section to configure your private hosted zone.

For Amazon IoT Core data plane

The DNS name must be your domain configuration name or your iot:Data-ATS endpoint. An example DNS name is xxx-ats.data.iot.region.amazonaws.com.

For Amazon IoT Core credential provider

The DNS name must be your iot:CredentialProvider endpoint. An example DNS name is xxxx.credentials.iot.region.amazonaws.com.

Note

The processes to configure a private hosted zone for the Amazon IoT Core data plane and for the Amazon IoT Core credential provider are similar, but you must make endpoint-specific changes to make the connection work.

Create a private hosted zone

To create a private hosted zone using Route 53 console

  1. Navigate to the Route 53 Hosted zones console and choose Create hosted zone.

  2. In the Create hosted zone page, specify the following information.

    • For Domain name, enter the endpoint address of your iot:Data-ATS or iot:CredentialProvider endpoint. The following Amazon CLI commands show how to get the endpoint over the public network: aws iot describe-endpoint --endpoint-type iot:Data-ATS, or aws iot describe-endpoint --endpoint-type iot:CredentialProvider.

      Note

      If you're using custom domains, see Using custom domains with VPC endpoints. Custom domains are not supported for Amazon IoT Core credential provider.

    • For Type, choose Private hosted zone.

    • Optionally, you can add or remove tags to associate with your hosted zone.

  3. To create your private hosted zone, choose Create hosted zone.

For more information, see Creating a private hosted zone.

Create a record

After you have created a private hosted zone, you can create a record that tells DNS how you want traffic for that domain to be routed.

To create a record

  1. In the list of hosted zones displayed, choose the private hosted zone that you created earlier and choose Create record.

  2. Use the wizard method to create the record. If the console presents the Quick create method, choose Switch to wizard.

  3. Choose Simple Routing for Routing policy and then choose Next.

  4. In the Configure records page, choose Define simple record.

  5. In the Define simple record page:

    • For Record name, enter your iot:Data-ATS endpoint or iot:CredentialProvider endpoint. This must be the same as the private hosted zone name.

    • For Record type, keep the value as A - Routes traffic to an IPv4 address and some Amazon resources.

    • For Value/Route traffic to, choose Alias to VPC endpoint. Then choose your Region and then choose the endpoint that you created previously, as described in Creating an Amazon VPC interface endpoint from the list of endpoints displayed.

  6. Choose Define simple record to create your record.

Controlling Access to Amazon IoT Core over VPC endpoints

You can restrict device access to Amazon IoT Core so that it is allowed only through a VPC endpoint by using VPC condition context keys. Amazon IoT Core supports the VPC-related condition context keys aws:SourceVpce and aws:SourceVpc.

Note

Amazon IoT Core doesn't support Endpoints policies for VPC endpoints.

For example, the following policy grants permission to connect to Amazon IoT Core using a client ID that matches the thing name, and to publish to any topic prefixed by the thing name, on the condition that the device connects through the VPC endpoint with a particular VPC endpoint ID. Because iot:Connect is allowed only from that VPC endpoint, this policy denies connection attempts to your public IoT data endpoint.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}
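A check for the misconfiguration this policy guards against, as an added example (not code from the Amazon IoT Core documentation): it scans an IoT policy document and reports every Allow statement for iot:Connect that lacks a positive aws:SourceVpce or aws:SourceVpc condition, because such a statement would also admit connections made to the public data endpoint. The function names and the handling of the StringEqualsIfExists operator are the example's own.

```python
"""Flag Amazon IoT policy statements that let a device connect outside a VPC endpoint.
Added example, not from the Amazon IoT Core documentation: it reports each Allow
statement for iot:Connect that is not positively conditioned on aws:SourceVpce or
aws:SourceVpc, i.e. one that would also admit connections to the public data endpoint.
"""
import fnmatch

VPC_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}
# Operators that require the key to be present and match. *IfExists forms are excluded:
# a public connection carries no aws:SourceVpce, so StringEqualsIfExists would pass it.
PINNING_OPERATORS = {"stringequals", "stringlike"}

VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [  # the policy shown on this page
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def pins_to_vpc(condition):
    """True when the Condition block requires a matching VPC context key."""
    for operator, key_values in (condition or {}).items():
        base_op = operator.lower().split(":")[-1]  # drop a ForAllValues:/ForAnyValue: prefix
        if base_op in PINNING_OPERATORS and any(k.lower() in VPC_KEYS for k in key_values):
            return True
    return False


def unpinned_connect_statements(policy):
    """Indexes of Allow statements granting iot:Connect (directly or by wildcard) without a VPC condition."""
    findings = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(statement.get("Action", []))]
        grants_connect = any(fnmatch.fnmatchcase("iot:connect", p) for p in patterns)
        if grants_connect and not pins_to_vpc(statement.get("Condition")):
            findings.append(index)
    return findings


if __name__ == "__main__":
    weakened = {"Statement": [{k: v for k, v in VPC_ONLY_POLICY["Statement"][0].items() if k != "Condition"}]}
    print(unpinned_connect_statements(VPC_ONLY_POLICY), unpinned_connect_statements(weakened))  # [] [0]
```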

Limitations

VPC endpoints are currently supported only for Amazon IoT Core data endpoints and Amazon IoT Core credential provider endpoints.

Limitations of IoT data VPC endpoints

This section covers the limitations of IoT data VPC endpoints.

  • MQTT keep alive periods are limited to 230 seconds. Keep alive periods longer than that will be automatically reduced to 230 seconds.

  • Each VPC endpoint supports 100,000 total concurrent connected devices. If you require more connections, see Scaling VPC endpoints with Amazon IoT Core.

  • VPC endpoints support IPv4 traffic only.

  • VPC endpoints will serve ATS certificates only, except for custom domains.

  • VPC endpoint policies are not supported.

  • For VPC endpoints that are created for the Amazon IoT Core data plane, Amazon IoT Core doesn't support using zonal or regional public DNS records.

Limitations of credential provider endpoints

This section covers the limitations of credential provider VPC endpoints.

  • VPC endpoints support IPv4 traffic only.

  • VPC endpoints will serve ATS certificates only.

  • VPC endpoint policies are not supported.

  • Custom domains are not supported for credential provider endpoints.

  • For VPC endpoints that are created for the Amazon IoT Core credential provider, Amazon IoT Core doesn't support using zonal or regional public DNS records.

Scaling VPC endpoints with Amazon IoT Core

Amazon IoT Core interface VPC endpoints are limited to 100,000 connected devices over a single interface endpoint. If your use case calls for more concurrent connections to the broker, we recommend using multiple VPC endpoints and manually distributing your devices across your interface endpoints. When creating private DNS records to route traffic to your VPC endpoints, create as many weighted records as you have VPC endpoints so that traffic is distributed across all of them.
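The record-creation procedure above and the multi-endpoint layout described in this section, as an added example (not the documentation's own code): it generates the Route 53 change batch of weighted A records, one record set per VPC endpoint with equal weights, from the private IPs of each endpoint's network interfaces, using plain A records carrying the IP addresses rather than the console's Alias option. The endpoint IDs, IP addresses and zone name are constructed sample values, and the boto3 lookup helper is an assumption about how you would gather the IPs.

```python
"""Build a Route 53 change batch of weighted A records that spread MQTT traffic across
several Amazon IoT Core data-plane VPC endpoints, one record set per endpoint.
Added example, not code from the Amazon IoT Core documentation. The endpoint IDs, network
interface IPs and zone name below are constructed sample values.
"""
import json

# Constructed sample: two data-plane VPC endpoints with two network interface IPs each.
SAMPLE_ENDPOINT_IPS = {
    "vpce-0a1b2c3d4e5f60001": ["10.0.1.25", "10.0.2.25"],
    "vpce-0a1b2c3d4e5f60002": ["10.0.3.25", "10.0.4.25"],
}
# The private hosted zone is named after the iot:Data-ATS endpoint (aws iot describe-endpoint).
SAMPLE_ZONE = "xxx-ats.data.iot.region.amazonaws.com"


def endpoint_private_ips(vpce_id, region):
    """Private IPs of a VPC endpoint's network interfaces via boto3 (needs credentials;
    the offline sample run below does not call it)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    vpce = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpce_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(NetworkInterfaceIds=vpce["NetworkInterfaceIds"])
    return sorted(eni["PrivateIpAddress"] for eni in enis["NetworkInterfaces"])


def weighted_change_batch(zone_name, endpoint_ips, ttl=60):
    """One UPSERT weighted A record set per VPC endpoint, all with equal weight. The name is
    the zone apex and SetIdentifier is the endpoint ID, so one endpoint can be re-pointed
    or removed later without touching the records for the others."""
    if not endpoint_ips:
        raise ValueError("at least one VPC endpoint is required")
    changes = []
    for vpce_id, ips in sorted(endpoint_ips.items()):
        if not ips:
            raise ValueError(f"{vpce_id} has no network interface IPs")
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": zone_name, "Type": "A", "SetIdentifier": vpce_id, "Weight": 10,
            "TTL": ttl, "ResourceRecords": [{"Value": ip} for ip in ips]}})
    return {"Comment": "Amazon IoT Core data plane VPC endpoints", "Changes": changes}


if __name__ == "__main__":
    # Apply with: aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json
    print(json.dumps(weighted_change_batch(SAMPLE_ZONE, SAMPLE_ENDPOINT_IPS), indent=2))
```

Because the record sets share a name and type, every record at that name must use the weighted policy; adding a further endpoint later is one more UPSERT with its own SetIdentifier.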

Using custom domains with VPC endpoints

If you want to use custom domains with VPC endpoints, you must create your custom domain name records in a private hosted zone and create routing records in Route 53. For more information, see Creating a private hosted zone.

Note

Custom domains are only supported for Amazon IoT Core data endpoints.

Availability of VPC endpoints for Amazon IoT Core

Amazon IoT Core interface VPC endpoints are available in all Regions that Amazon IoT Core supports. Amazon IoT Core interface VPC endpoints for the Amazon IoT Core credential provider are not supported in the China Region or the Amazon GovCloud (US) Regions.