Required endpoints for AWS IoT SiteWise Edge gateways - AWS Prescriptive Guidance

Anish Kunduru, Ayush Sood, Hemant Borole, and Sudhakar Reddy, Amazon Web Services (AWS)

March 2024

AWS IoT SiteWise is a managed AWS Cloud service that helps you collect, model, analyze, and visualize equipment data at scale. To connect your edge devices and servers to AWS IoT SiteWise, you use a gateway. AWS IoT SiteWise Edge gateways run on AWS IoT Greengrass V2: the AWS IoT SiteWise Edge software is installed alongside an AWS IoT Greengrass core device and collects equipment data from local sources. AWS IoT Greengrass itself requires access to other AWS services, such as Amazon Simple Storage Service (Amazon S3), AWS Secrets Manager, and AWS Systems Manager, and an AWS IoT SiteWise Edge gateway cannot function properly unless it can reach them. You can optionally connect to other AWS services and features that provide additional business value, such as storing data, analyzing data, optimizing operations, and increasing availability.

However, common firewall configurations in industrial control networks can prevent these AWS IoT services from connecting to their supporting services in the AWS Cloud. A common approach to protecting on-premises systems and operational technology (OT) networks is to restrict internet access with an allow list: an explicit list of trusted domains or IP addresses that hosts on the network are permitted to reach, with everything else denied. Allow listing is typically configured in a firewall in the internet perimeter zone. Unless the AWS service endpoints are on that list, the AWS IoT SiteWise Edge gateways cannot reach the AWS services in the cloud. Because the IP addresses behind AWS endpoints change over time, rules based on domain names (or on the published AWS IP address ranges, refreshed regularly) are more robust than static IP entries.

This guide describes how to configure a network with firewalls so that your AWS IoT SiteWise Edge gateways can reach the AWS service endpoints of the services they depend on. To connect programmatically to an AWS service, you send requests to an endpoint; a service endpoint is the URL of the entry point for that service, usually specific to an AWS Region. For more information, see AWS service endpoints in AWS General Reference. Configuring and testing these endpoints before you create the gateway helps make sure that the firewall permits the requests to those services.
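The following script is an added example for the pre-installation test described above; it is not part of this guide or of the AWS IoT SiteWise Edge software. Run it on the host that will become the AWS IoT Greengrass core device, from inside the OT network, before you install the gateway. Each endpoint is checked in stages (DNS resolution, TCP connect, then a TLS handshake with certificate and hostname validation) so that a firewall block surfaces at the stage where the firewall intervenes. The hostname templates in ENDPOINT_TEMPLATES are illustrative assumptions for this example: replace them with the endpoint list given for your gateway configuration.

```python
"""Pre-flight check: can this host reach the AWS endpoints a SiteWise Edge gateway needs?

Each endpoint is checked in stages (DNS -> TCP -> TLS handshake with certificate
validation) so a firewall block shows up at the stage where the firewall intervenes.
"""
import argparse
import socket
import ssl
from dataclasses import dataclass

# Illustrative hostname templates, an assumption of this example: replace them with
# the endpoint list this guide gives for your gateway's configuration. "{region}"
# is substituted with the AWS Region code (for example "us-west-2").
ENDPOINT_TEMPLATES = (
    "greengrass-ats.iot.{region}.amazonaws.com",   # AWS IoT Greengrass data plane
    "s3.{region}.amazonaws.com",                    # Amazon S3
    "secretsmanager.{region}.amazonaws.com",        # AWS Secrets Manager
    "ssm.{region}.amazonaws.com",                   # AWS Systems Manager
)


@dataclass
class CheckResult:
    host: str
    port: int
    ok: bool
    stage: str    # "dns", "tcp", "tls" or "cert" names the stage that failed; "ok" means all passed
    detail: str


def build_endpoints(region: str) -> list[str]:
    """Expand the hostname templates for one AWS Region."""
    return [t.format(region=region) for t in ENDPOINT_TEMPLATES]


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> CheckResult:
    """Resolve host, connect to host:port and complete a verified TLS handshake."""
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        # No resolution: typical when the perimeter resolver only answers for allow-listed names.
        return CheckResult(host, port, False, "dns", str(exc))

    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as exc:
        # Refused or timed out: the firewall rejects or silently drops traffic to this address.
        sock.close()
        return CheckResult(host, port, False, "tcp", str(exc))

    # The default context verifies the chain against the system trust store and checks the hostname.
    context = ssl.create_default_context()
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert().get("issuer", ()))
            detail = f"{tls.version()}, issuer={issuer.get('organizationName', '?')}"
            return CheckResult(host, port, True, "ok", detail)
    except ssl.SSLCertVerificationError as exc:
        # The path is open but the certificate is not one the host trusts for this name:
        # usually a TLS-inspecting proxy that re-signs traffic.
        return CheckResult(host, port, False, "cert", str(exc))
    except (ssl.SSLError, OSError) as exc:
        return CheckResult(host, port, False, "tls", str(exc))
    finally:
        sock.close()


def run_checks(region: str, timeout: float = 5.0) -> list[CheckResult]:
    """Check every templated endpoint for the given Region."""
    return [check_endpoint(h, timeout=timeout) for h in build_endpoints(region)]


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("region", help="AWS Region code, for example us-west-2")
    parser.add_argument("--timeout", type=float, default=5.0)
    args = parser.parse_args()
    results = run_checks(args.region, args.timeout)
    for r in results:
        print(f"{'PASS' if r.ok else 'FAIL':4} {r.host}:{r.port}  [{r.stage}] {r.detail}")
    raise SystemExit(0 if all(r.ok for r in results) else 1)
```

A result at stage "tcp" means the name resolved but the firewall blocks the connection, so the allow list needs the endpoint (or its address range). A result at stage "cert" is worth singling out: the path is open, but a middlebox is presenting its own certificate, and the gateway's own TLS client would reject it the same way, so TLS inspection must be bypassed for these endpoints rather than merely allow-listing them.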

Intended audience

This guide is intended for, but not limited to, the following audiences:

  • Cloud application architects

  • Cloud infrastructure architects

  • Network engineers

  • DevOps professionals

  • Developers

Before reading this guide, it is helpful to understand the levels of an industrial control network, as defined in the Purdue reference model. For more information about this model and how cloud, Internet of Things (IoT), and edge computing developments are transforming on-premises OT workloads into hybrid workloads for the AWS Cloud, see Security Best Practices for Manufacturing OT (AWS Whitepaper).