Device Advisor VPC endpoints (Amazon PrivateLink) - Amazon IoT Core

Device Advisor VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your VPC and the Amazon IoT Core Device Advisor test endpoint (data plane) by creating an interface VPC endpoint. You can use this endpoint to validate Amazon IoT devices for reliable and secure connectivity with Amazon IoT Core before deploying devices to production. Device Advisor's pre-built tests help you validate your device software against best practices for the use of TLS, MQTT, Device Shadow, and Amazon IoT Jobs.

Amazon PrivateLink powers the interface endpoints used with your IoT devices. This service helps you access the Amazon IoT Core Device Advisor test endpoint privately without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC that send TCP and MQTT packets don't need public IP addresses to communicate with Amazon IoT Core Device Advisor test endpoints. Traffic between your VPC and Amazon IoT Core Device Advisor doesn't leave the Amazon Web Services Cloud. Any TLS and MQTT communication between IoT devices and Device Advisor test cases stays within the resources in your Amazon Web Services account.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets.

To learn more about using interface VPC endpoints, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon IoT Core Device Advisor VPC endpoints

Review the interface endpoint properties and limitations in the Amazon VPC User Guide before setting up interface VPC endpoints. Consider the following before you continue:

  • Amazon IoT Core Device Advisor currently supports calls to the Device Advisor test endpoint (data plane) from your VPC. The message broker uses the data plane to send and receive data as TLS and MQTT packets. VPC endpoints for Amazon IoT Core Device Advisor connect your Amazon IoT device to Device Advisor test endpoints. Control plane API actions aren't served by this VPC endpoint. To create or run a test suite, or to call other control plane APIs, use the console, an Amazon SDK, or the Amazon Command Line Interface over the public internet.

  • The following Amazon Web Services Regions support VPC endpoints for Amazon IoT Core Device Advisor:

    • US East (N. Virginia)

    • US West (Oregon)

    • Asia Pacific (Tokyo)

    • Europe (Ireland)

  • Device Advisor supports MQTT with X.509 client certificates and RSA server certificates.

  • VPC endpoint policies aren't supported at this time.

  • See VPC endpoint prerequisites for instructions on creating the resources that VPC endpoints require. You must create a VPC and private subnets to use Amazon IoT Core Device Advisor VPC endpoints.

  • There are quotas on your Amazon PrivateLink resources. For more information, see Amazon PrivateLink quotas.

  • VPC endpoints support only IPv4 traffic.

Create an interface VPC endpoint for Amazon IoT Core Device Advisor

To get started with VPC endpoints, create an interface VPC endpoint. Next, select Amazon IoT Core Device Advisor as the service. If you are using the Amazon CLI, call describe-vpc-endpoint-services to confirm that Amazon IoT Core Device Advisor is available in an Availability Zone in your Amazon Web Services Region. Confirm that the security group attached to the endpoint allows inbound TCP communication for the MQTT and TLS traffic your devices send. For example, in the US East (N. Virginia) Region, use the following command:

aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.us-east-1.deviceadvisor.iot

You can create a VPC endpoint for Amazon IoT Core Device Advisor using the following service name, replacing region with your Region code:

  • com.amazonaws.region.deviceadvisor.iot

By default, private DNS is turned on for the endpoint. This ensures that use of the default test endpoint stays within your private subnets. To get your account-level or device-level endpoint, use the console, the Amazon CLI, or an Amazon SDK. For example, if you run get-endpoint within a public subnet or on the public internet, you can get your endpoint and use it to connect to Device Advisor. For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

To connect MQTT clients to the VPC endpoint interfaces, the Amazon PrivateLink service creates DNS records in a private hosted zone attached to your VPC. These DNS records direct the Amazon IoT device’s requests to the VPC endpoint.
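The two checks the preceding paragraphs ask for, that the endpoint's security group admits the device traffic and that private DNS steers the device to the endpoint's private network interfaces, can be scripted. The following is an added example, not code from this guide or from the Device Advisor service. It takes a security group in the shape returned by describe-security-groups (a constructed sample is embedded) and a list of addresses the test endpoint resolved to, and reports gaps. The ports 8883 (MQTT over TLS) and 443 are assumptions made by the example, as is handling only CIDR-based sources (security-group-referencing rules are ignored).

```python
import ipaddress

# Assumed ports for the device traffic (not stated on the page): 8883 for MQTT over TLS
# and 443 for MQTT over WebSockets/ALPN. Adjust to whatever your devices use.
REQUIRED_TCP_PORTS = (8883, 443)

# Constructed sample: same shape as one entry of `aws ec2 describe-security-groups`.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8883, "ToPort": 8883,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
    ],
}


def _rule_covers_port(rule, port):
    """True if one IpPermissions entry admits TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def missing_ingress(security_group, client_cidr, ports=REQUIRED_TCP_PORTS):
    """Return the ports that no ingress rule admits from the whole of `client_cidr`.

    Only IPv4 CIDR sources are considered, matching the page's note that VPC
    endpoints carry IPv4 traffic only. Rules that reference another security
    group (UserIdGroupPairs) are deliberately not evaluated here.
    """
    client_net = ipaddress.ip_network(client_cidr)
    missing = []
    for port in ports:
        admitted = False
        for rule in security_group.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            for ip_range in rule.get("IpRanges", []):
                if client_net.subnet_of(ipaddress.ip_network(ip_range["CidrIp"])):
                    admitted = True
        if not admitted:
            missing.append(port)
    return missing


def endpoint_resolves_privately(resolved_addresses, vpc_cidr):
    """True only if every address the test endpoint resolved to lies inside the VPC.

    With private DNS on, the endpoint hostname should resolve to the endpoint's
    network interfaces in your subnets; a public address here means the device
    would leave the VPC.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return bool(resolved_addresses) and all(
        ipaddress.ip_address(addr) in vpc for addr in resolved_addresses
    )


if __name__ == "__main__":
    # Devices live in 10.0.2.0/24: port 443 is only opened for 10.0.1.0/24, so it is reported.
    print("missing ports:", missing_ingress(SAMPLE_SG, "10.0.2.0/24"))
    # Constructed resolution results for the endpoint hostname.
    print("private:", endpoint_resolves_privately(["10.0.1.25", "10.0.2.40"], "10.0.0.0/16"))
    print("private:", endpoint_resolves_privately(["10.0.1.25", "52.1.2.3"], "10.0.0.0/16"))
```

Feed missing_ingress the JSON from describe-security-groups for the endpoint's group and the subnet CIDR your devices sit in; a non-empty result is the gap to close before running a test suite. The resolved addresses for endpoint_resolves_privately are whatever your device's resolver returns for the test endpoint hostname.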

Controlling access to Amazon IoT Core Device Advisor over VPC endpoints

You can restrict device access to Amazon IoT Core Device Advisor and allow access only through VPC endpoints by using VPC condition context keys in your Amazon IoT policy, such as the aws:SourceVpce key used in the example policy that follows.

Note

Amazon IoT Core Device Advisor doesn't support VPC endpoint policies at this time.

The following policy grants permission to connect to Amazon IoT Core Device Advisor using a client ID that matches the thing name. It also grants permission to publish to any topic prefixed by the thing name. The Connect permission is conditional on the device connecting through the VPC endpoint with a particular VPC endpoint ID. Because no other statement allows iot:Connect, connection attempts through your public Amazon IoT Core Device Advisor test endpoint are implicitly denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-1a2b3c4d"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}
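To see why the policy above confines connections to the VPC endpoint, it helps to walk a few request contexts through it. The following is an added example, not part of this guide: a deliberately small evaluator that models only the pieces the policy uses (Allow/Deny effects, wildcard matching on actions and resources, substitution of ${iot:Connection.Thing.ThingName}, and the StringEquals operator on a request context key). The thing name sensor-01 and the request contexts are constructed; the policy itself is the one shown above.

```python
import fnmatch
import json

# The policy from the page, unchanged.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"]}
  ]
}
''')

THING_VARIABLE = "${iot:Connection.Thing.ThingName}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, request_keys):
    """Evaluate a Condition block. Only StringEquals is modelled; a key that is absent
    from the request (e.g. no aws:SourceVpce on a public-internet connection) fails it."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if request_keys.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource, thing_name, request_keys):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource.

    An explicit Deny wins over any Allow; with no matching Allow the result is an
    implicit deny, which is what happens to a connect that bypasses the VPC endpoint.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = [r.replace(THING_VARIABLE, thing_name) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_keys):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


ACCOUNT = "arn:aws:iot:us-east-1:123456789012"


def connect_decision(thing_name, client_id, request_keys):
    return evaluate(POLICY, "iot:Connect", f"{ACCOUNT}:client/{client_id}", thing_name, request_keys)


def publish_decision(thing_name, topic, request_keys):
    return evaluate(POLICY, "iot:Publish", f"{ACCOUNT}:topic/{topic}", thing_name, request_keys)


if __name__ == "__main__":
    via_vpce = {"aws:SourceVpce": "vpce-1a2b3c4d"}    # constructed: request arrived via the endpoint
    public = {}                                         # constructed: no VPC endpoint key present
    print(connect_decision("sensor-01", "sensor-01", via_vpce))   # Allow
    print(connect_decision("sensor-01", "sensor-01", public))     # ImplicitDeny
    print(connect_decision("sensor-01", "other-id", via_vpce))    # ImplicitDeny: client ID != thing name
    print(publish_decision("sensor-01", "sensor-01/telemetry", via_vpce))  # Allow
```

Note that the Publish statement carries no aws:SourceVpce condition, so on its own it would allow publishing from any path; it is the conditional Connect statement that keeps a session from existing outside the VPC endpoint in the first place. If you want every data-plane action tied to the endpoint, add the same Condition block to each statement.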