

# Using Amazon IoT Core with interface VPC endpoints
<a name="IoTCore-VPC"></a>

With Amazon IoT Core, you can create [IoT control plane endpoints](https://docs.amazonaws.cn//iot/latest/developerguide/connect-to-iot.html#iot-service-endpoint-intro) and [IoT data endpoints](https://docs.amazonaws.cn//iot/latest/developerguide/iot-connect-devices.html) within your virtual private cloud (VPC) by using [interface VPC endpoints](https://docs.amazonaws.cn//vpc/latest/userguide/vpce-interface.html#create-interface-endpoint). Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that you can use to access services running on Amazon by using private IP addresses. For more information, see [Amazon Virtual Private Cloud](https://docs.amazonaws.cn//AmazonVPC/latest/UserGuide/VPC_Introduction.html). 

To connect devices in the field on remote networks, such as a corporate network to your Amazon VPC, refer to the options listed in the [Network-to-Amazon VPC connectivity matrix](https://docs.amazonaws.cn//whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html). 

**Topics**
+ [Creating VPC endpoints for Amazon IoT Core control plane](#Create-VPC-endpoints-CP)
+ [Creating VPC endpoints for Amazon IoT Core data plane](#Create-VPC-endpoints)
+ [Creating an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc)
+ [Configure a private hosted zone](#connect-iot-core-create-phz-lns)
+ [Controlling Access to Amazon IoT Core over VPC endpoints](#Control-VPC-access)
+ [Limitations](#VPC-limitations)
+ [Scaling VPC endpoints with Amazon IoT Core](#Scaling-VPC-endpoints)
+ [Using custom domains with VPC endpoints](#VPC-custom-domains)
+ [Availability of VPC endpoints for Amazon IoT Core](#VPC-availability)
+ [Using Amazon IoT Device Management secure tunneling with interface VPC endpoints](IoTCore-ST-VPC.md)

## Creating VPC endpoints for Amazon IoT Core control plane
<a name="Create-VPC-endpoints-CP"></a>

You can create a VPC endpoint for Amazon IoT Core control plane API to connect your devices to Amazon IoT services and other Amazon services. To get started with VPC endpoints, [create an interface VPC endpoint](https://docs.amazonaws.cn//vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) and select Amazon IoT Core as the Amazon service. If you are using the CLI, first call [describe-vpc-endpoint-services](https://docs.amazonaws.cn//cli/latest/reference/ec2/describe-vpc-endpoint-services.html) to ensure that you are choosing an Availability Zone where Amazon IoT Core is present in your particular Amazon Web Services Region. For example, in us-east-1, this command would look like:

```
aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.us-east-1.iot.api
```

See the detailed instructions below to [Create an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) for Amazon IoT Core control plane.

## Creating VPC endpoints for Amazon IoT Core data plane
<a name="Create-VPC-endpoints"></a>

You can create a VPC endpoint for Amazon IoT Core data plane API to connect your devices to Amazon IoT services and other Amazon services. To get started with VPC endpoints, [create an interface VPC endpoint](https://docs.amazonaws.cn//vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) and select Amazon IoT Core as the Amazon service. If you are using the CLI, first call [describe-vpc-endpoint-services](https://docs.amazonaws.cn//cli/latest/reference/ec2/describe-vpc-endpoint-services.html) to ensure that you are choosing an Availability Zone where Amazon IoT Core is present in your particular Amazon Web Services Region. For example, in us-east-1, this command would look like:

```
aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.us-east-1.iot.data
```

**Note**  
Private DNS (the VPC option that automatically creates a DNS record for an interface endpoint) is not available for the Amazon IoT Core data plane, so no record is created for you. To connect to these endpoints, you must create a private DNS record yourself. For more information about private DNS for interface endpoints, see [Private DNS for interface endpoints](https://docs.amazonaws.cn//vpc/latest/privatelink/vpce-interface.html#vpce-private-dns). For more information about Amazon IoT Core VPC limitations, see [Limitations](#VPC-limitations).

To connect MQTT clients to the VPC endpoint interfaces:
+ You must manually create DNS records in a private hosted zone that is attached to your VPC. To get started, see [Creating a private hosted zone](https://docs.amazonaws.cn//Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 
+ Within your private hosted zone, create an alias record that targets the VPC endpoint; the alias resolves to the IP addresses of all of the endpoint's elastic network interfaces. If you use several VPC endpoints, create one weighted alias record per endpoint, all with equal weights, so that devices are spread across the endpoints. The interface IP addresses are also available from the [DescribeNetworkInterfaces](https://docs.amazonaws.cn//AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html) API call when you filter on the VPC endpoint ID in the description field, if you prefer to create plain address records for them.

See the detailed instructions below to [Create an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) and [Configure private hosted zone](#connect-iot-core-create-phz-lns) for Amazon IoT Core data plane.

## Creating an Amazon VPC interface endpoint
<a name="Create-VPC-endpoints-core-create-vpc"></a>

You can create an interface VPC endpoint to connect to Amazon services powered by Amazon PrivateLink. Use the following procedure to create an interface VPC endpoint that connects to the Amazon IoT Core control plane, the Amazon IoT Core data plane, or the Amazon IoT Core credential provider. For more information, see [Access an Amazon service using an interface VPC endpoint](https://docs.amazonaws.cn//vpc/latest/privatelink/create-interface-endpoint.html). 

**Note**  
The processes to create an Amazon VPC interface endpoint for Amazon IoT Core data plane and Amazon IoT Core credential provider are similar, but you must make endpoint specific changes to make the connection work.

**To create an interface VPC endpoint using the VPC [Endpoints](https://console.amazonaws.cn/vpc/home#/endpoints) console**

1. Navigate to the [VPC](https://console.amazonaws.cn/vpc/home#/endpoints) **Endpoints** console, under **Virtual private cloud** on the left menu, choose **Endpoints** then **Create Endpoint**. 

1. In the **Create endpoint** page, specify the following information.
   + Choose **Amazon Web Services services** for **Service category**. 
   + For **Service Name**, search by entering the keyword `iot`. In the list of `iot` services displayed, choose the endpoint. 

     If you create a VPC endpoint for Amazon IoT Core control plane, choose the Amazon IoT Core control plane API endpoint for your Amazon Web Services Region. The endpoint will be of the format `com.amazonaws.region.iot.api`. 

     If you create a VPC endpoint for Amazon IoT Core data plane, choose the Amazon IoT Core data plane API endpoint for your Region. The endpoint will be of the format `com.amazonaws.region.iot.data`. 

     If you create a VPC endpoint for Amazon IoT Core credential provider, choose the Amazon IoT Core credential provider endpoint for your Region. The endpoint will be of the format `com.amazonaws.region.iot.credentials`. 

     If you create a VPC endpoint for a Federal Information Processing Standard (FIPS) endpoint, choose the FIPS API endpoint for your Amazon Web Services Region. The endpoint will be of the format `com.amazonaws.region.iot-fips.api`. FIPS endpoints are supported only for the control plane.
**Note**  
The service name for Amazon IoT Core data plane in China Region will be of the format `cn.com.amazonaws.region.iot.data`. The service name for Amazon IoT Core control plane in China Region will be of the format `com.amazonaws.region.iot.api`. 
   + For **VPC** and **Subnets**, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.
   + For **Enable DNS name**, make sure that **Enable for this endpoint** is not selected for Amazon IoT Core data plane and Amazon IoT Core credential provider. Neither Amazon IoT Core data plane nor Amazon IoT Core credential provider supports private DNS names yet.

     For Amazon IoT Core control plane, **Enable DNS name** is selected by default. This ensures that requests to the public Amazon IoT Core control plane endpoint name resolve to the VPC endpoint and are routed through it rather than over the public internet. When this is enabled, you do not need to configure a private hosted zone.
   + For **Security group**, choose the security groups you want to associate with the endpoint network interfaces.
   + Optionally, you can add or remove tags. Tags are name-value pairs that you use to associate with your endpoint. 

1. To create your VPC endpoint, choose **Create endpoint**. 

After you create the Amazon PrivateLink endpoint, the **Details** tab of your endpoint lists its DNS names. You use one of these DNS names as the alias target when you [configure your private hosted zone](#connect-iot-core-create-phz-lns). If you are using Amazon IoT Core control plane with **Enable DNS name** selected, you do not need to configure a private hosted zone.

## Configure a private hosted zone
<a name="connect-iot-core-create-phz-lns"></a>

**Note**  
If you are using Amazon IoT Core control plane and have **Enable DNS name** selected, you do not need to configure a private hosted zone. If you disable it, you must follow this procedure to configure a private hosted zone.

The DNS names listed on the endpoint's **Details** tab are the alias targets for the records in your private hosted zone. The hosted zone name, and the record inside it, must be the public endpoint name that your clients already use:

**For Amazon IoT Core data plane**

The DNS name must be your domain configuration name or your `IoT:Data-ATS` endpoint. An example DNS name can be: `xxx-ats.data.iot.region.amazonaws.com`.

**For Amazon IoT Core credential provider**

The DNS name must be your `iot:CredentialProvider` endpoint. An example DNS name can be: `xxxx.credentials.iot.region.amazonaws.com`.

**For Amazon IoT Core control plane**

The DNS name must be your Amazon IoT Core control plane endpoint. An example DNS name for Amazon IoT Core control plane is `xxxx.api.iot.region.amazonaws.com`.

**Note**  
The processes to configure private hosted zone for Amazon IoT Core data plane and Amazon IoT Core credential provider are similar, but you must make endpoint specific changes to make the connection work.

### Create a private hosted zone
<a name="connect-iot-core-create-phz-lns-private-hosted-zone"></a>

 **To create a private hosted zone using Route 53 console** 

1. Navigate to the [Route 53](https://console.amazonaws.cn/route53/v2/hostedzones#/) **Hosted zones** console and choose **Create hosted zone**. 

1. In the **Create hosted zone** page, specify the following information.
   + For **Domain name**, enter the endpoint address for your `iot:Data-ATS` or `iot:CredentialProvider` endpoint. The following Amazon CLI command shows how to get the endpoint through a public network: `aws iot describe-endpoint --endpoint-type iot:Data-ATS`, or `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`. 
**Note**  
If you're using custom domains, see [ Using custom domains with VPC endpoints](https://docs.amazonaws.cn/iot/latest/developerguide/IoTCore-VPC.html#VPC-custom-domains). Custom domains are not supported for Amazon IoT Core credential provider.
   + For **Type**, choose **Private hosted zone**. 
   + Optionally, you can add or remove tags to associate with your hosted zone.

1. To create your private hosted zone, choose **Create hosted zone**. 

For more information, see [Creating a private hosted zone](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 

### Create a record
<a name="connect-iot-core-create-phz-lns-create-record"></a>

After you have created a private hosted zone, you can create a record that tells the DNS how you want traffic to be routed to that domain. 

 **To create a record** 

1. In the list of hosted zones displayed, choose the private hosted zone that you created earlier and choose **Create record**. 

1. Use the wizard method to create the record. If the console presents you the **Quick create** method, choose **Switch to wizard**. 

1. Choose **Simple Routing** for **Routing policy** and then choose **Next**. 

1. In the **Configure records** page, choose **Define simple record**. 

1. In the **Define simple record** page:
   + For **Record name**, enter your `iot:Data-ATS` endpoint or `iot:CredentialProvider` endpoint address. This must be the same as the private hosted zone name.
   + For **Record type**, if you want only IPv4 support, keep the value as `A - Routes traffic to an IPv4 address and some Amazon resources`. If you want only IPv6 support, choose `AAAA - Routes traffic to an IPv6 address and some Amazon resources`. If you want dual-stack support (both IPv4 and IPv6), create two records (`A` and `AAAA`) in the hosted zone with the same **Record name** and **Value/Route traffic to**. 
   + For **Value/Route traffic to**, choose **Alias to VPC endpoint**. Then choose your **Region**, and then choose the endpoint that you created previously, as described in [Creating an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc), from the list of endpoints displayed.

1. Choose **Define simple record** to create your record.

## Controlling Access to Amazon IoT Core over VPC endpoints
<a name="Control-VPC-access"></a>

You can restrict device access to Amazon IoT Core so that it is allowed only through a VPC endpoint by using the VPC-related [condition context keys](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_condition-keys.html) in your Amazon IoT policies. Amazon IoT Core supports the following keys:
+  [`aws:SourceVpc`](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc) 
+  [`aws:SourceVpce`](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce) 
+  [`aws:VpcSourceIp`](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpcsourceip) 

**Note**  
Amazon IoT Core doesn't support [Endpoints policies for VPC endpoints](https://docs.amazonaws.cn//vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies). 

For example, the following policy allows a device to connect with a client ID equal to its thing name, and to publish to any topic prefixed with the thing name, but only when the connection arrives through the VPC endpoint whose ID is given in `aws:SourceVpce`. A connection attempt through your public IoT data endpoint carries no `aws:SourceVpce` value, so the `StringEquals` condition fails and the connect is not allowed (Amazon IoT Core policies deny by default). Only the `iot:Connect` statement carries the condition; an MQTT session can exist only if that statement allowed it, so publishes on that session are covered, but adding the same condition to every statement is the conservative choice and keeps the restriction intact if another statement later grants `iot:Connect` without it. Do not use `StringEqualsIfExists` here: it passes when the key is absent, which is exactly the public-endpoint case.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws-cn:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-1a2b3c4d"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws-cn:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}
```
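As an added example (not from this page or from the Amazon IoT Core documentation), the following Python audits a policy document for the pattern above: it lists every `Allow` statement that grants `iot:Connect` (directly, through `iot:*` or `*`, or through `NotAction`) without a condition that actually requires a VPC key. `SCOPED_POLICY` is the policy above; the two variants after the functions are constructed to show what the check catches, including the `StringEqualsIfExists` trap.

```python
"""Audit an Amazon IoT Core policy for Allow statements that grant iot:Connect
without pinning the connection to a VPC endpoint. Added example; the policy
documents below are constructed inputs."""
import copy
import fnmatch
import json
from typing import Dict, List

# Condition keys that are only present for requests arriving via a VPC endpoint.
VPC_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:vpcsourceip"}

# The page's example policy, used here as a sample input.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws-cn:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"],
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws-cn:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"],
        },
    ],
}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _grants_connect(stmt: Dict) -> bool:
    """Does the statement's Action (or NotAction) cover iot:Connect?"""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if any(fnmatch.fnmatchcase("iot:connect", a) for a in actions):
        return True
    if "NotAction" in stmt:  # NotAction allows everything it does not name
        excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
        return not any(fnmatch.fnmatchcase("iot:connect", a) for a in excluded)
    return False


def _vpc_scoped(stmt: Dict) -> bool:
    """True when some condition genuinely requires a VPC key. *IfExists and
    Not* operators pass when the key is absent, which is exactly the situation
    for a connection over the public endpoint, so they do not count."""
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower()
        if op.endswith("ifexists") or "not" in op:
            continue
        for key, value in pairs.items():
            if key.lower() not in VPC_KEYS:
                continue
            if op == "null":
                # "Null": {"aws:SourceVpce": "false"} demands that the key be present.
                if str(value).lower() == "false":
                    return True
                continue
            return True
    return False


def unscoped_connect_statements(policy: Dict) -> List[int]:
    """Indices of Allow statements that grant iot:Connect with no VPC scoping."""
    return [
        i for i, s in enumerate(_as_list(policy.get("Statement", [])))
        if s.get("Effect") == "Allow" and _grants_connect(s) and not _vpc_scoped(s)
    ]


def audit(policy_json: str) -> List[int]:
    """Same check on a raw policy document string (e.g. from `aws iot get-policy`)."""
    return unscoped_connect_statements(json.loads(policy_json))


# Constructed variants that would let devices in over the public endpoint.
PUBLIC_POLICY = copy.deepcopy(SCOPED_POLICY)
del PUBLIC_POLICY["Statement"][0]["Condition"]
IFEXISTS_POLICY = copy.deepcopy(SCOPED_POLICY)
IFEXISTS_POLICY["Statement"][0]["Condition"] = {"StringEqualsIfExists": {"aws:SourceVpce": "vpce-1a2b3c4d"}}

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("public", PUBLIC_POLICY), ("ifexists", IFEXISTS_POLICY)]:
        print(name, "unscoped iot:Connect statements:", unscoped_connect_statements(pol))
```

To run it against a deployed policy, feed the document returned by `aws iot get-policy --policy-name <name> --query policyDocument --output text` to `audit()`; an empty list means every path to `iot:Connect` requires a VPC key.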

## Limitations
<a name="VPC-limitations"></a>

VPC endpoints are currently supported for [Amazon IoT Core control plane endpoints](https://docs.amazonaws.cn//iot/latest/developerguide/connect-to-iot.html#iot-service-endpoint-intro), [Amazon IoT Core data endpoints](https://docs.amazonaws.cn//iot/latest/developerguide/iot-connect-devices.html#iot-connect-device-endpoints), and [Amazon IoT Core credential provider](https://docs.amazonaws.cn//iot/latest/developerguide/authorizing-direct-aws.htm) endpoints. VPC endpoints are only supported for [Federal Information Processing Standard (FIPS) endpoints](https://docs.amazonaws.cn//iot/latest/developerguide/iot-connect-fips.html) when using the Amazon IoT Core control plane.

### Limitations of IoT control plane VPC endpoints
<a name="VPC-limitations-iot-control"></a>

This section covers the limitations of IoT control plane VPC endpoints.
+ VPC endpoints will serve ATS certificates only.
+ Custom domains are not supported for control plane endpoints.
+ For information regarding FIPS security policies, see [FIPS security policies](https://docs.amazonaws.cn//elasticloadbalancing/latest/application/describe-ssl-policies.html#fips-security-policies). 

### Limitations of IoT data VPC endpoints
<a name="VPC-limitations-iot-data"></a>

This section covers the limitations of IoT data VPC endpoints.
+ MQTT keep alive periods are limited to 230 seconds. Keep alive periods longer than that will be automatically reduced to 230 seconds.
+ Each VPC endpoint supports 100,000 total concurrent connected devices. If you require more connections see [Scaling VPC endpoints with Amazon IoT Core](#Scaling-VPC-endpoints) .
+ VPC endpoints will serve [ATS certificates](https://docs.amazonaws.cn//iot/latest/developerguide/server-authentication.html) only, except for custom domains.
+  [VPC endpoint policies](https://docs.amazonaws.cn//vpc/latest/privatelink/vpc-endpoints-access.html) are not supported.
+ For VPC endpoints that are created for the Amazon IoT Core data plane, Amazon IoT Core doesn't support using zonal or regional public DNS records.

### Limitations of credential provider endpoints
<a name="VPC-limitations-credential-provider"></a>

This section covers the limitations of credential provider VPC endpoints.
+ VPC endpoints will serve [ATS certificates](https://docs.amazonaws.cn//iot/latest/developerguide/server-authentication.html) only.
+  [VPC endpoint policies](https://docs.amazonaws.cn//vpc/latest/privatelink/vpc-endpoints-access.html) are not supported.
+ Custom domains are not supported for credential provider endpoints.
+ For VPC endpoints that are created for the Amazon IoT Core credential provider, Amazon IoT Core doesn't support using zonal or regional public DNS records.

## Scaling VPC endpoints with Amazon IoT Core
<a name="Scaling-VPC-endpoints"></a>

Amazon IoT Core Interface VPC endpoints are limited to 100,000 connected devices over a single interface endpoint. If your use case calls for more concurrent connections to the broker, then we recommend using multiple VPC endpoints and manually routing your devices across your interface endpoints. When creating private DNS records to route traffic to your VPC endpoints, make sure to create as many weighted records as you have VPC endpoints to distribute traffic across your multiple endpoints. 
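As an added example (not part of this page or of the Amazon IoT Core documentation), the Python below generates the Route 53 change batch for the record described in [Create a record](#connect-iot-core-create-phz-lns-create-record) and generalizes it to the multi-endpoint layout recommended in this section: simple alias records for a single endpoint, equal-weight weighted alias records (one per endpoint and record type) when there are several. The endpoint IDs, DNS names and hosted zone IDs are constructed stand-ins for the `DnsEntries` that `aws ec2 describe-vpc-endpoints` returns, and the record name is a placeholder for your own `iot:Data-ATS` endpoint. It also includes a check to run from inside the VPC that the endpoint name now resolves only to addresses within the VPC CIDR.

```python
"""Generate Route 53 alias records pointing a private hosted zone at one or
more Amazon IoT Core interface endpoints, plus a resolution check to run from
inside the VPC. Added example; the endpoint IDs, DNS names and hosted-zone
IDs below are constructed and not real."""
import ipaddress
import json
import socket
from typing import Dict, Iterable, List

# Constructed stand-in for the "VpcEndpoints" list returned by
# `aws ec2 describe-vpc-endpoints`: two data-plane endpoints in one VPC.
SAMPLE_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
        "ServiceName": "com.amazonaws.us-east-1.iot.data",
        "DnsEntries": [
            # First entry is the regional name; later entries are per-AZ names.
            {"DnsName": "vpce-0a1b2c3d4e5f60001-abcdefgh.data.iot.us-east-1.vpce.amazonaws.com",
             "HostedZoneId": "Z0000000000000000001"},
            {"DnsName": "vpce-0a1b2c3d4e5f60001-abcdefgh-us-east-1a.data.iot.us-east-1.vpce.amazonaws.com",
             "HostedZoneId": "Z0000000000000000001"},
        ],
    },
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
        "ServiceName": "com.amazonaws.us-east-1.iot.data",
        "DnsEntries": [
            {"DnsName": "vpce-0a1b2c3d4e5f60002-ijklmnop.data.iot.us-east-1.vpce.amazonaws.com",
             "HostedZoneId": "Z0000000000000000001"},
        ],
    },
]


def build_change_batch(record_name: str, endpoints: List[Dict], dual_stack: bool = True) -> Dict:
    """Return a Route 53 ChangeBatch for `record_name` (your iot:Data-ATS or
    iot:CredentialProvider endpoint, which is also the hosted zone name).

    One endpoint -> simple alias record(s).
    N endpoints  -> N weighted alias records per type with equal weight, so
                    devices are spread across endpoints (the 100,000 concurrent
                    connection limit applies per endpoint).
    """
    if not endpoints:
        raise ValueError("at least one VPC endpoint is required")
    record_types = ["A", "AAAA"] if dual_stack else ["A"]
    changes = []
    for ep in endpoints:
        regional = ep["DnsEntries"][0]  # resolves to every ENI of the endpoint
        for rtype in record_types:
            rrset = {
                "Name": record_name,
                "Type": rtype,
                "AliasTarget": {
                    "HostedZoneId": regional["HostedZoneId"],
                    "DNSName": regional["DnsName"],
                    "EvaluateTargetHealth": False,
                },
            }
            if len(endpoints) > 1:
                rrset["SetIdentifier"] = ep["VpcEndpointId"]
                rrset["Weight"] = 1  # equal weights across all endpoints
            changes.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
    return {"Comment": "IoT Core interface endpoint alias records", "Changes": changes}


def addresses_are_private(addresses: Iterable[str], vpc_cidrs: Iterable[str]) -> bool:
    """True only if every address lies inside one of the VPC CIDRs. Run from an
    instance in the VPC after the records exist: if the IoT endpoint name still
    resolves to public addresses, clients are bypassing the interface endpoint."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    addrs = list(addresses)
    return bool(addrs) and all(any(ipaddress.ip_address(a) in n for n in nets) for a in addrs)


def resolve(hostname: str) -> List[str]:
    """Resolve `hostname` to its A/AAAA addresses with the host resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})


if __name__ == "__main__":
    # Placeholder; use the value from `aws iot describe-endpoint --endpoint-type iot:Data-ATS`.
    name = "xxx-ats.data.iot.us-east-1.amazonaws.com"
    print(json.dumps(build_change_batch(name, SAMPLE_ENDPOINTS), indent=2))
```

Write the printed batch to a file and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <private-zone-id> --change-batch file://batch.json`. Afterwards, from an instance in the VPC, `addresses_are_private(resolve(name), ["10.0.0.0/16"])` (with your VPC's CIDR) should return `True`; a `False` means some answers still point at the public service.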

## Using custom domains with VPC endpoints
<a name="VPC-custom-domains"></a>

If you want to use custom domains with VPC endpoints, you must create your custom domain name records in a private hosted zone and create routing records in Route 53. For more information, see [Creating a private hosted zone](https://docs.amazonaws.cn//Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 

**Note**  
Custom domains are only supported for Amazon IoT Core data endpoints.

## Availability of VPC endpoints for Amazon IoT Core
<a name="VPC-availability"></a>

Amazon IoT Core Interface VPC endpoints are available in all [Amazon IoT Core supported regions](https://www.amazonaws.cn//about-aws/global-infrastructure/regional-product-services/). Amazon IoT Core Interface VPC endpoints for Amazon IoT Core credential provider are not supported in China Region and Amazon GovCloud (US) Regions.