Required service endpoints for AWS IoT SiteWise Edge gateways - AWS Prescriptive Guidance

To set up connections with the AWS services required for the AWS IoT SiteWise Edge gateway, configure endpoints for the following AWS services:

Unless noted as optional, the endpoints in this section are required by the AWS IoT SiteWise Edge gateway or to adhere to AWS recommendations and security best practices. Set up and test these endpoints before creating the gateway.

Note

Values that need to be customized for your deployment configuration are in angle brackets (<>). For a complete list of AWS Regions, see AWS Regions in AWS General Reference.

IAM endpoint

The following is the required service endpoint for AWS Identity and Access Management (IAM). For more information, see IAM endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| iam.amazonaws.com | 443 | TCP | Outbound | Edge device to IAM |

AWS IoT Core endpoints

The following are the service endpoints for AWS IoT Core. For more information, see AWS IoT Core endpoints. In this table, prefix is your account-specific endpoint prefix; the AWS CLI command in each row returns the full hostname for your account. See AWS IoT Device Management - jobs data endpoints in the AWS IoT Core documentation.

| Destination endpoint | Port | Protocol | Direction | AWS CLI commands | Description |
|---|---|---|---|---|---|
| <prefix-ats>.iot.<region>.amazonaws.com | 443 | TCP | Outbound | aws iot describe-endpoint --endpoint-type iot:Data-ATS | Edge device to the account-specific AWS IoT data plane |
| <prefix>.credentials.iot.<region>.amazonaws.com | 443 | TCP | Outbound | aws iot describe-endpoint --endpoint-type iot:CredentialProvider | Edge device to authenticate AWS IoT Core calls by using a built-in X.509 client certificate |
| <prefix>.jobs.iot.<region>.amazonaws.com | 443 | TCP | Outbound | aws iot describe-endpoint --endpoint-type iot:Jobs | Edge device to the AWS IoT Core control plane |

AWS IoT Greengrass V2 endpoints

The following are the service endpoints for AWS IoT Greengrass V2. For more information, see AWS IoT Greengrass V2 endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| greengrass.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT Greengrass V2 control plane |
| greengrass-ats.iot.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT Greengrass data plane |

AWS IoT SiteWise endpoints

The following are the service endpoints for AWS IoT SiteWise. For more information, see AWS IoT SiteWise endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| data.iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT SiteWise data plane |
| iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | (Optional) Edge device to the AWS IoT SiteWise service plane |
| api.iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT SiteWise control plane |
| model.iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT SiteWise model control plane |
| edge.iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to the AWS IoT SiteWise edge API operations |
| monitor.iotsitewise.<region>.amazonaws.com | 443 | TCP | Outbound | (Optional) Edge device to an AWS IoT SiteWise Monitor portal |

AWS KMS endpoint

The following is the service endpoint for AWS Key Management Service (AWS KMS). For more information, see AWS KMS endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| kms.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to AWS KMS |

Secrets Manager endpoint

The following is the service endpoint for AWS Secrets Manager. For more information, see Secrets Manager endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| secretsmanager.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to Secrets Manager |

AWS STS endpoint

The following is the service endpoint for AWS Security Token Service (AWS STS). For more information, see AWS STS endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| sts.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to AWS STS |

Amazon S3 endpoints

The following are the service endpoints for Amazon Simple Storage Service (Amazon S3). For more information, see Amazon S3 endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| s3.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to all S3 buckets in the AWS Region |
| *.s3.amazonaws.com | 443 | TCP | Outbound | Edge device to any S3 bucket for downloading all AWS IoT Greengrass V2 components, including AWS provided components |
| *.s3.<region>.amazonaws.com | 443 | TCP | Outbound | (Optional) Edge device to any S3 bucket in the AWS Region for downloading all AWS IoT Greengrass V2 components, including AWS provided components |

Systems Manager endpoints

The following are the service endpoints for AWS Systems Manager. For more information, see Systems Manager endpoints.

| Destination endpoint | Port | Protocol | Direction | Description |
|---|---|---|---|---|
| ssm.<region>.amazonaws.com | 443 | TCP | Outbound | Edge device to Systems Manager |
| ssmmessages.<region>.amazonaws.com | 443 | TCP | Outbound | (Optional) Edge device to Session Manager |
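The guide asks you to set up and test these endpoints before creating the gateway. The following script is an added example, not code from AWS or from this guide: it assembles the outbound allowlist from the tables above for a given Region and runs a verified TLS handshake against every concrete hostname on port 443. It assumes that the three account-specific AWS IoT hostnames have already been obtained with the aws iot describe-endpoint commands listed in the AWS IoT Core table (the script's main block runs those commands itself and reads the endpointAddress field from their JSON output), and that wildcard entries such as *.s3.amazonaws.com are recorded for the firewall but skipped by the handshake test, since a wildcard cannot be connected to directly. The sample hostnames used in the accompanying checks are constructed.

```python
"""Build the egress allowlist for an AWS IoT SiteWise Edge gateway and
test each concrete endpoint with a verified TLS handshake on port 443.

Added example, not part of the AWS guide. Account-specific AWS IoT
hostnames are supplied by the caller (from `aws iot describe-endpoint`).
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    optional: bool
    description: str


def build_allowlist(region: str, iot_endpoints: dict[str, str]) -> list[Endpoint]:
    """Return every endpoint from the guide's tables for the given Region.

    iot_endpoints maps the describe-endpoint types ("iot:Data-ATS",
    "iot:CredentialProvider", "iot:Jobs") to the hostnames the CLI returned.
    """
    r = region
    rows = [  # (host, optional, description)
        ("iam.amazonaws.com", False, "IAM"),
        (iot_endpoints["iot:Data-ATS"], False, "AWS IoT data plane"),
        (iot_endpoints["iot:CredentialProvider"], False, "AWS IoT credential provider (X.509 auth)"),
        (iot_endpoints["iot:Jobs"], False, "AWS IoT Core control plane (jobs)"),
        (f"greengrass.{r}.amazonaws.com", False, "Greengrass V2 control plane"),
        (f"greengrass-ats.iot.{r}.amazonaws.com", False, "Greengrass data plane"),
        (f"data.iotsitewise.{r}.amazonaws.com", False, "SiteWise data plane"),
        (f"iotsitewise.{r}.amazonaws.com", True, "SiteWise service plane"),
        (f"api.iotsitewise.{r}.amazonaws.com", False, "SiteWise control plane"),
        (f"model.iotsitewise.{r}.amazonaws.com", False, "SiteWise model control plane"),
        (f"edge.iotsitewise.{r}.amazonaws.com", False, "SiteWise edge API operations"),
        (f"monitor.iotsitewise.{r}.amazonaws.com", True, "SiteWise Monitor portal"),
        (f"kms.{r}.amazonaws.com", False, "AWS KMS"),
        (f"secretsmanager.{r}.amazonaws.com", False, "Secrets Manager"),
        (f"sts.{r}.amazonaws.com", False, "AWS STS"),
        (f"s3.{r}.amazonaws.com", False, "All S3 buckets in the Region"),
        ("*.s3.amazonaws.com", False, "Any S3 bucket (Greengrass V2 components)"),
        (f"*.s3.{r}.amazonaws.com", True, "Any S3 bucket in the Region (Greengrass V2 components)"),
        (f"ssm.{r}.amazonaws.com", False, "Systems Manager"),
        (f"ssmmessages.{r}.amazonaws.com", True, "Session Manager"),
    ]
    return [Endpoint(host, 443, opt, desc) for host, opt, desc in rows]


def is_wildcard(ep: Endpoint) -> bool:
    """Wildcard allowlist entries cannot be handshake-tested directly."""
    return ep.host.startswith("*.")


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """TCP connect plus a TLS handshake verified against the system CA bundle
    and the hostname. A verification failure usually means a TLS-inspecting
    proxy sits in the path; that would also break the gateway's
    certificate-based authentication to AWS IoT Core."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake ok"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def run_checks(endpoints: list[Endpoint]) -> dict[str, tuple[bool, str]]:
    """Test every concrete host; report wildcard patterns as skipped."""
    results: dict[str, tuple[bool, str]] = {}
    for ep in endpoints:
        if is_wildcard(ep):
            results[ep.host] = (True, "wildcard pattern, allowlist only (not tested)")
        else:
            results[ep.host] = check_tls(ep.host, ep.port)
    return results


if __name__ == "__main__":
    import json
    import subprocess
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    # Resolve the account-specific AWS IoT hostnames with the commands from the guide.
    iot: dict[str, str] = {}
    for etype in ("iot:Data-ATS", "iot:CredentialProvider", "iot:Jobs"):
        out = subprocess.run(
            ["aws", "iot", "describe-endpoint", "--endpoint-type", etype, "--region", region],
            capture_output=True, text=True, check=True,
        )
        iot[etype] = json.loads(out.stdout)["endpointAddress"]
    for ep in build_allowlist(region, iot):
        ok, detail = run_checks([ep])[ep.host]
        status = "PASS" if ok else "FAIL"
        need = "optional" if ep.optional else "required"
        print(f"{status} {ep.host}:{ep.port} [{need}] {ep.description}: {detail}")
```

Run it on the edge device (or on a host in the same network segment, behind the same firewall and proxy) with the Region as the first argument. A FAIL on a required row means the gateway will not be able to reach that service; a certificate verification failure in particular points at an intercepting proxy that must be bypassed for these hostnames rather than trusted.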