AWS IoT SiteWise and interface VPC endpoints (AWS PrivateLink) - AWS IoT SiteWise

You can establish a private connection between your virtual private cloud (VPC) and AWS IoT SiteWise by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that lets you privately access AWS IoT SiteWise APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS IoT SiteWise APIs. Traffic between your VPC and AWS IoT SiteWise doesn't leave the AWS network.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for AWS IoT SiteWise VPC endpoints

Before you set up an interface VPC endpoint for AWS IoT SiteWise, review the Interface endpoint properties and limitations in the Amazon VPC User Guide.

AWS IoT SiteWise supports making calls to the following API operations from your VPC:

VPC endpoint policies are not supported for AWS IoT SiteWise. By default, full access to AWS IoT SiteWise is allowed through the endpoint. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an interface VPC endpoint for AWS IoT SiteWise

You can create a VPC endpoint for the AWS IoT SiteWise service. Use either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for AWS IoT SiteWise using the following service name:

  • com.amazonaws.region.iotsitewise.data
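The following is an added example, not code from the AWS documentation, showing the same creation step with the AWS SDK for Python (boto3) rather than the console or AWS CLI. It assembles the EC2 CreateVpcEndpoint request using the service name above, keeps private DNS enabled (the default), and restricts the endpoint's security group to HTTPS from inside the VPC, since endpoint policies are not supported for AWS IoT SiteWise and the security group on the endpoint network interfaces is therefore the network-layer control. The Region, VPC, subnet, security-group IDs and CIDR are constructed placeholders; the two boto3 calls assume valid AWS credentials.

```python
"""Create an interface VPC endpoint for the AWS IoT SiteWise data plane (boto3).

Added example, not AWS documentation code. The service-name format
com.amazonaws.<region>.iotsitewise.data is taken from the page; every ID and
CIDR used below is a constructed placeholder.
"""
import re

# Region codes look like us-east-1, ap-southeast-2, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def sitewise_service_name(region: str) -> str:
    """Service name of the AWS IoT SiteWise data endpoint in a Region."""
    if not REGION_RE.match(region):
        raise ValueError(f"not an AWS Region code: {region!r}")
    return f"com.amazonaws.{region}.iotsitewise.data"


def endpoint_request(region, vpc_id, subnet_ids, security_group_ids,
                     private_dns=True):
    """Keyword arguments for EC2 CreateVpcEndpoint.

    Private DNS stays on by default: with it disabled, the AWS CLI and the
    Tools for PowerShell cannot reach SiteWise through the endpoint at all,
    because host prefix injection cannot be turned off in those tools.
    """
    if not subnet_ids:
        raise ValueError("an interface endpoint needs at least one subnet")
    if not security_group_ids:
        # Endpoint policies are not supported for SiteWise, so the security
        # group on the endpoint ENIs is the only network-layer restriction.
        raise ValueError("attach a security group that limits endpoint access")
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": sitewise_service_name(region),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": private_dns,
    }


def https_ingress_rule(cidr: str) -> dict:
    """Security-group rule allowing only TCP/443 from the given CIDR."""
    return {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": cidr}],
    }


def create_endpoint(region, vpc_id, subnet_ids, security_group_id, vpc_cidr):
    """Lock the security group to HTTPS from the VPC, create the endpoint,
    and return the new endpoint ID. Requires AWS credentials."""
    import boto3  # imported here so the pure helpers run without boto3

    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(
        GroupId=security_group_id,
        IpPermissions=[https_ingress_rule(vpc_cidr)],
    )
    resp = ec2.create_vpc_endpoint(
        **endpoint_request(region, vpc_id, subnet_ids, [security_group_id])
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    # Constructed placeholder IDs; replace with your own before running.
    print(endpoint_request("us-east-1", "vpc-0123456789abcdef0",
                           ["subnet-0123456789abcdef0"],
                           ["sg-0123456789abcdef0"]))
```

After creation, the endpoint ID returned by `create_endpoint` is the `vpc-endpoint-id` used in the endpoint hostname described later on this page when private DNS is disabled.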

Accessing AWS IoT SiteWise through an interface VPC endpoint

If you enable private DNS for the endpoint, you can make API requests to AWS IoT SiteWise using its default DNS name for the AWS Region, for example, iotsitewise.us-east-1.amazonaws.com. Private DNS is enabled by default.

If you disable private DNS for the endpoint, you must do the following to access AWS IoT SiteWise through the endpoint:

  • Specify the VPC endpoint in API requests.

    For the data plane actions (BatchPutAssetPropertyValue, GetAssetPropertyAggregates, GetAssetPropertyValue, and GetAssetPropertyValueHistory), use the following endpoint. Replace vpc-endpoint-id and region with your VPC endpoint ID and Region.

    vpc-endpoint-id.data.iotsitewise.region.vpce.amazonaws.com
  • Disable host prefix injection. The AWS CLI and AWS SDKs prepend various host prefixes to the service endpoint when you call each API operation. When you specify a VPC endpoint, this feature causes the AWS CLI and AWS SDKs to produce invalid URLs for AWS IoT SiteWise.

    Important

    You can't disable host prefix injection in the AWS CLI or the AWS Tools for PowerShell. This means that if you disable private DNS, then you can't use these tools to access AWS IoT SiteWise through the VPC endpoint. Enable private DNS to use the AWS CLI or the AWS Tools for PowerShell to access AWS IoT SiteWise through the endpoint.

    For more information about how to disable host prefix injection in the AWS SDKs, see the following sections of each SDK's documentation:

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.