Using AWS IoT Core with interface VPC endpoints - AWS IoT Core

Using AWS IoT Core with interface VPC endpoints

With AWS IoT Core, you can create IoT data endpoints within your VPC by using interface VPC endpoints. Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that you can use to access services running on AWS by using private IP addresses. For more information, see Amazon Virtual Private Cloud.

In order to connect devices in the field on remote networks, such as a corporate network to your AWS VPC, refer to the various options listed in the Network-to-Amazon VPC connectivity matrix.

Note

VPC endpoints for IoT Core are currently not supported in AWS China Regions.


Creating VPC endpoints for AWS IoT Core

To get started with VPC endpoints, create an interface VPC endpoint and select AWS IoT Core as the AWS service. If you are using the CLI, first call describe-vpc-endpoint-services to confirm that you are choosing an Availability Zone where AWS IoT Core is present in your AWS Region. For example, in us-east-1, the command looks like this:

aws ec2 describe-vpc-endpoint-services --service-name com.amazonaws.us-east-1.iot.data

Note

The VPC feature for automatically creating a DNS record is disabled because the IoT control and data endpoints are split. To join these endpoints, you must manually create a Private DNS record. For more information about Private VPC DNS records, see Private DNS for interface endpoints. For more information about AWS IoT Core VPC limitations, see Limitations of VPC endpoints.

To correctly route DNS queries from your devices to the VPC endpoint interfaces, you must manually create DNS records in a Private Hosted Zone that is attached to your VPC. To get started, see Creating A Private Hosted Zone. Within your Private Hosted Zone, create an alias record for each elastic network interface IP for the VPC endpoint. If you have multiple network interface IPs for multiple VPC endpoints, create weighted DNS records with equal weights across all the weighted records. These IP addresses are available from the DescribeNetworkInterfaces API call when filtered by the VPC endpoint ID in the description field.

Controlling Access to AWS IoT Core over VPC endpoints

You can restrict device access to AWS IoT Core so that it is allowed only through a VPC endpoint by using VPC condition context keys. AWS IoT Core supports the following VPC-related context keys:

Note

AWS IoT Core does not support VPC endpoint policies (https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies) at this time.

For example, the following policy grants permission to connect to AWS IoT Core using a client ID that matches the thing name and to publish to any topic prefixed by the thing name, conditional on the device connecting through the VPC endpoint with the specified VPC endpoint ID (the aws:SourceVpce context key). Because the connect permission is granted only under that condition, connection attempts to your public IoT data endpoint are denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}
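A practitioner who relies on this pattern usually wants a check that every policy granting iot:Connect really carries the aws:SourceVpce pin, because a single Allow statement without it reopens the public data endpoint. The linter below is an added example, not code from the AWS documentation: it loads the page's policy as a Python dict, reports any Allow statement that could grant iot:Connect (directly or through an iot:* or * wildcard) without a StringEquals condition on aws:SourceVpce, and treats ...IfExists operators as not pinning, on the assumption (consistent with how AWS condition keys behave) that aws:SourceVpce is absent from requests that arrive over the public endpoint. The helper variant() only builds constructed weakened copies for demonstration.

```python
"""Lint an AWS IoT Core policy so that iot:Connect is granted only through a
VPC endpoint. Added example, not from the AWS documentation."""
import copy
from typing import Any, Dict, List, Optional

# The policy shown on this page, as a Python dict (account and VPCE IDs are the
# page's own placeholder values).
PAGE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"],
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
        },
        {
            "Effect": "Allow",
            "Action": ["iot:Publish"],
            "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"],
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement, Action and condition values be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _grants_connect(stmt: Dict[str, Any]) -> bool:
    """True when the statement can allow iot:Connect, including via wildcards."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
    return any(a in ("iot:connect", "iot:*", "*") for a in actions)


def _pinned_to_vpce(stmt: Dict[str, Any]) -> bool:
    """True when a StringEquals condition on aws:SourceVpce names at least one
    endpoint. Operators ending in IfExists do not count: the key is missing on
    public-endpoint connections, so such a condition would still allow them.
    Operator and key names are compared case-insensitively, as IAM does."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourcevpce" and any(v for v in _as_list(value)):
                return True
    return False


def public_connect_findings(policy: Dict[str, Any]) -> List[str]:
    """One finding per Allow statement that could permit iot:Connect from
    outside a VPC endpoint; an empty list means Connect is VPC-endpoint only."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if _grants_connect(stmt) and not _pinned_to_vpce(stmt):
            findings.append(
                f"Statement[{idx}] allows iot:Connect without a StringEquals "
                "condition on aws:SourceVpce (reachable from the public endpoint)"
            )
    return findings


def variant(policy: Dict[str, Any], condition: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Constructed copy of the policy with statement 0's Condition replaced
    (None removes it). Used only to demonstrate what the linter flags."""
    weakened = copy.deepcopy(policy)
    first = _as_list(weakened["Statement"])[0]
    first.pop("Condition", None)
    if condition is not None:
        first["Condition"] = condition
    return weakened


if __name__ == "__main__":
    print("page policy:", public_connect_findings(PAGE_POLICY) or "Connect is VPC-endpoint only")
    print("condition removed:", public_connect_findings(variant(PAGE_POLICY, None)))
    soft = variant(PAGE_POLICY, {"StringEqualsIfExists": {"aws:SourceVpce": "vpce-1a2b3c4d"}})
    print("IfExists operator:", public_connect_findings(soft))
```

Run this over the policy documents you attach to things or groups before deployment; the page's policy passes, while the same policy with the condition removed, or with StringEqualsIfExists in place of StringEquals, is reported.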

Limitations of VPC endpoints

This section covers the limitations of VPC endpoints compared to public endpoints.

  • VPC endpoints are currently supported for IoT data endpoints only.

  • MQTT keep-alive intervals are limited to 230 seconds. Keep-alive intervals longer than that are automatically reduced to 230 seconds.

  • Each VPC endpoint supports 100,000 total concurrent connected devices. If you require more connections, see Scaling VPC endpoints with IoT Core.

  • VPC endpoints support IPv4 traffic only.

  • VPC endpoints serve ATS certificates only, except for custom domains.

  • VPC endpoint policies are not supported at this time.

Scaling VPC endpoints with IoT Core

AWS IoT Core Interface VPC endpoints are limited to 100,000 connected devices over a single interface endpoint. If your use case calls for more concurrent connections to the broker, then we recommend using multiple VPC endpoints and manually routing your devices across your interface endpoints. When creating private DNS records to route traffic to your VPC endpoints, make sure to create as many weighted records as you have VPC endpoints to distribute traffic across your multiple endpoints.
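The DNS steps above (one record per endpoint network interface IP, and equal-weight records across all endpoints when you scale past one) are easy to get subtly wrong by hand, so here is an added example that is not code from the AWS documentation. It assumes the boto3 response shape of EC2 DescribeNetworkInterfaces and the ChangeBatch shape of Route 53 ChangeResourceRecordSets, and it uses plain weighted A records to carry the IPs (an assumption: a Route 53 alias record cannot target a bare IP address). The endpoint IDs, IP addresses and record name are constructed placeholders.

```python
"""Build the Route 53 weighted A records that point an AWS IoT Core data
endpoint name at the ENI IPs of one or more interface VPC endpoints.
Added example, not code from the AWS documentation."""
import json
from typing import Any, Dict, List

# Constructed sample of a DescribeNetworkInterfaces response. The VPC endpoint
# ID appears in each ENI's Description field, which is what you filter on; the
# live call is ec2.describe_network_interfaces(Filters=[{"Name": "description",
# "Values": ["*vpce-1a2b3c4d*"]}]) once per endpoint (IDs below are made up).
SAMPLE_ENIS: Dict[str, Any] = {
    "NetworkInterfaces": [
        {"Description": "VPC Endpoint Interface vpce-1a2b3c4d", "PrivateIpAddress": "10.0.1.10"},
        {"Description": "VPC Endpoint Interface vpce-1a2b3c4d", "PrivateIpAddress": "10.0.2.10"},
        {"Description": "VPC Endpoint Interface vpce-5e6f7a8b", "PrivateIpAddress": "10.0.1.20"},
        {"Description": "Primary network interface", "PrivateIpAddress": "10.0.9.9"},
    ]
}

# Hypothetical record name inside the private hosted zone attached to the VPC.
RECORD_NAME = "example-ats.iot.us-east-1.amazonaws.com"


def endpoint_ips(describe_response: Dict[str, Any], vpce_ids: List[str]) -> Dict[str, List[str]]:
    """Map each VPC endpoint ID to the private IPs of its network interfaces,
    matching the endpoint ID inside the ENI description. Unrelated ENIs are
    skipped, and an endpoint with no ENIs maps to an empty list."""
    ips: Dict[str, List[str]] = {vpce: [] for vpce in vpce_ids}
    for eni in describe_response.get("NetworkInterfaces", []):
        description = eni.get("Description", "")
        for vpce in vpce_ids:
            if vpce in description:
                ips[vpce].append(eni["PrivateIpAddress"])
    return ips


def weighted_change_batch(record_name: str, ips_by_vpce: Dict[str, List[str]], ttl: int = 60) -> Dict[str, Any]:
    """One weighted A record per ENI IP, all with Weight 1, so the resolver
    hands out every interface of every endpoint with equal probability. The
    SetIdentifier must be unique per record name, so it combines endpoint and IP.
    A short TTL lets devices move off an endpoint you later remove."""
    changes: List[Dict[str, Any]] = []
    for vpce, ips in sorted(ips_by_vpce.items()):
        if not ips:
            # Failing closed here avoids publishing a name that resolves to nothing.
            raise ValueError(f"no network interfaces found for {vpce}; check the endpoint ID")
        for ip in sorted(ips):
            changes.append({
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": record_name,
                    "Type": "A",
                    "SetIdentifier": f"{vpce}-{ip}",
                    "Weight": 1,
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": ip}],
                },
            })
    return {"Comment": "AWS IoT Core data endpoint over interface VPC endpoints", "Changes": changes}


if __name__ == "__main__":
    ips = endpoint_ips(SAMPLE_ENIS, ["vpce-1a2b3c4d", "vpce-5e6f7a8b"])
    batch = weighted_change_batch(RECORD_NAME, ips)
    # Hand this to route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=batch).
    print(json.dumps(batch, indent=2))
```

The returned ChangeBatch is what you pass to route53.change_resource_record_sets against the private hosted zone attached to the VPC; with three interface IPs across two endpoints it yields three equal-weight records, and an endpoint ID that matches no ENI raises instead of silently publishing an empty set.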

Using custom domains with VPC endpoints

If you want to use custom domains with VPC endpoints, you must create your custom domain name records in a Private Hosted Zone and create routing records in Route53. For more information, see Creating A Private Hosted Zone.

Availability of VPC endpoints for AWS IoT Core

AWS IoT Core Interface VPC endpoints are available in all AWS IoT Core supported regions, with the exception of AWS China Regions.