Machine onboarding to AWS IoT utilizing Digital Non-public Cloud endpoints


Introduction

When you function safe non-public networks—equivalent to an meeting line’s operational know-how (OT) community at a manufacturing facility or authorities company­—and intend to attach your units to AWS, then that you must use X.509 consumer certificates for authenticating requests to AWS companies—all whereas staying throughout the Digital Non-public Cloud (VPC). On this submit, we’ll reveal easy methods to use the brand new functionality, VPC endpoint (VPCe) for AWS IoT Core credential supplier to handle element deployments into AWS IoT Greengrass-powered gateways operating on non-public networks. Equally, we can even reveal easy methods to develop and join units that use AWS IoT Machine SDK and require trade of X.509 consumer certificates for safety tokens to work together with different AWS companies.

AWS IoT Core is a totally managed service that helps connectivity for billions of units. Gadgets and software program shoppers that connect with AWS IoT Core depend on X.509 certificates for authentication. Nonetheless, different AWS companies depend on safety tokens to authenticate API calls. To keep away from hardcoding credentials and/or tokens within the shoppers, AWS IoT Core supplies AWS IoT Core credential supplier endpoint. This endpoint permits shoppers, like AWS IoT Greengrass elements, to trade their X.509 certificates as safety tokens to work together with different AWS companies. Furthermore, with AWS IoT Core’s credential supplier endpoint functionality, you possibly can prolong your operational networks to a VPC in AWS by way of Digital Non-public Community (VPN), thus eliminating the necessity on your gear to make use of public web entry to achieve AWS IoT Core’s credential supplier.

How prospects are benefiting from the brand new functionality

VR-Yhtymä Oy is a public sector Finnish railway that operates 250 long-distance and 800 commuter rail companies every single day. VR-Yhtymä Oy is utilizing VPC for personal communication between trains and AWS companies.

“With VPC endpoints for AWS IoT Core credential supplier, we will use X.509 consumer certificates to get credentials for accessing AWS companies, equivalent to Amazon S3 or Lambda, with out leaving our non-public VPC subnets.” stated Tomi Uutela, Head of Digital Operations at VR-Yhtymä Oy.

Utopus Insights is a data-driven power analytics Software program as a Service (SaaS) firm that develops world digital options to speed up the mixing of renewable power into the trendy grid. Utopus Insights is utilizing VPC for personal communication between AWS IoT Greengrass, AWS IoT Core, and different AWS companies.

“Integrating AWS IoT Core and AWS IoT Greengrass VPC Endpoints will convey a number of advantages to our operations. Firstly, it is going to simplify our infrastructure structure by eliminating the necessity for a further proxy server. This can streamline our setup and scale back upkeep overhead. VPC Endpoints can even improve safety by enabling non-public connections between our VPC and AWS IoT Greengrass. This ensures that our IoT units and information stay remoted from the general public web, decreasing the danger of unauthorized entry.” stated Gopi Valiyaveedu, Platform Engineering Supervisor, Utopus Insights, Inc.

Pre-requisites

  • Administrator entry to an AWS account
  • Primary AWS CLI abilities
  • Primary AWS IoT Greengrass and AWS IoT Core data

Answer structure

The next structure represents a typical IoT infrastructure the place units utilizing on-premises operational networks connect with AWS via a personal community.

Walkthrough

On this walkthrough you’ll learn to use AWS IoT Core credential supplier to allow a VPCe connection both for AWS IoT Greengrass or IoT units developed utilizing the AWS IoT Machine SDK. 

Notice that it’s essential to implement the part “Create VPC endpoints” for each instances.

AWS IoT Greengrass

Create VPC endpoints

To ascertain an edge-to-cloud communication hyperlink utterly over VPC, it’s essential to first setup AWS Direct Join between your on-premises community infrastructure and your AWS VPC. For detailed implementation, please seek advice from AWS Direct Join developer information.

As soon as AWS Direct Join is setup, there are 3 VPC Endpoints required for an IoT gateway to be provisioned, managed, and synchronized (element deployments) as an AWS IoT Greengrass gateway.

  • AWS IoT Greengrass
  • AWS IoT Core information
  • AWS IoT Core credential supplier

The AWS IoT Greengrass endpoint (com.amazonaws.[region].greengrass) is used to handle elements, deployments, and units from the AWS IoT Greengrass cloud service. Authentication and authorization with this endpoint are accomplished utilizing X.509 certificates as described in Machine authentication and authorization for AWS IoT Greengrass.

The AWS IoT Core information endpoint (com.amazonaws.[region].iot.information) is used for interactions between AWS IoT Greengrass elements and AWS IoT Core by publishing/subscribing to AWS IoT Core MQTT dealer. Authentication and authorization with this endpoint can be accomplished utilizing X.509 certificates.

The AWS IoT Core credential supplier endpoint (com.amazonaws.[region].iot.credentials) is used to speak with different AWS companies that don’t help X.509 authentication and authorization, equivalent to Amazon Easy Storage Service (Amazon S3) and Amazon Elastic Container Registry (Amazon ECR). In both case, the units developed utilizing the AWS IoT SDK or an AWS IoT Greengrass element, will name the AWS IoT Core credential supplier endpoint utilizing the X.509 certificates to authenticate and get approved. The endpoint will then situation a brief safety token for the consumer to make use of within the name to the companies not supporting X.509.

Calls to Amazon S3 and Amazon ECR are required throughout AWS IoT Greengrass element deployments as described within the following sequence diagram. The AWS IoT Greengrass element can even require a safety token if it makes use of AWS SDKs to speak with different cloud companies not supporting X.509 certificates authentication and authorization.

Then, to perform an end-to-end VPCe communication, it’s essential to create these 3 VPC endpoints pointing to a number of non-public subnets chosen to route visitors to and from AWS.

Every VPC endpoint will get an Web Protocol (IP) handle, one for every non-public subnet the place the VPCe is created. We advocate choosing a minimum of 2 subnets for prime availability.

You should utilize the next AWS CLI instructions to create the three VPC endpoints passing your non-public subnet as parameters or use the AWS Console to create them.

All following instructions are for us-east-1 area.

  1. Create VPC endpoints
aws ec2 create-vpc-endpoint --vpc-id <YOUR VPCID> --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.iot.credentials | jq -r ".VpcEndpoint.VpcEndpointId"
aws ec2 create-vpc-endpoint --vpc-id <YOUR VPCID> --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.greengrass | jq -r ".VpcEndpoint.VpcEndpointId"
aws ec2 create-vpc-endpoint --vpc-id <YOUR VPCID> --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.iot.information | jq -r ".VpcEndpoint.VpcEndpointId"

  1. Get safety teams related to the VPC endpoints

Utilizing the VPC endpoints IDs returned by the instructions carried out within the step 1, apply the next command to get the safety teams related to them.

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.credentials VpcEndpointId> | jq -r ".VpcEndpoints[0].Teams[0].GroupId"
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.greengrass VpcEndpointId> | jq -r ".VpcEndpoints[0].Teams[0].GroupId"
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.information VpcEndpointId> | jq -r ".VpcEndpoints[0].Teams[0].GroupId"

The safety groupId will most certainly be the identical for all of your VPC endpoints. If that’s the case, you possibly can run steps 3 and 4 simply as soon as.

  1. Add ingress rule to the safety teams

Utilizing the Safety Teams IDs returned by the instructions within the step 2, run the next command to permit ingress communication from the IP vary the place your AWS IoT Greengrass gadget can be operating.

On this weblog submit, for simplicity, we permit ingress from anyplace (0.0.0.0), however we advocate you restrict the ingress to the CidrIp the place your AWS IoT Greengrass gadget can be deployed.

aws ec2 authorize-security-group-ingress --group-id <.iot.credentials GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443
aws ec2 authorize-security-group-ingress --group-id <.greengrass GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443
aws ec2 authorize-security-group-ingress --group-id <.iot.information GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443

  1. Add egress rule to the safety teams

Utilizing the Safety Teams IDs returned by the instructions executed in step 2, run the next command to permit egress communication to the IP vary the place your AWS IoT Greengrass gadget can be operating.

On this weblog submit, for simplicity, we permit egress to anyplace (0.0.0.0), however we advocate you restrict the egress to the CidrIp the place your Greengrass gadget can be deployed.

aws ec2 authorize-security-group-egress --group-id <.iot.credentials GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443
aws ec2 authorize-security-group-egress --group-id <.greengrass GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443
aws ec2 authorize-security-group-egress --group-id <.iot.information GroupID> --protocol tcp --cidr 0.0.0.0/0 --port 443

  1. Add subnets to the VPC endpoints

As soon as the VPC endpoints have being created and configured, you possibly can comply with the Amazon Digital Public Cloud documentation so as to add or take away subnets to the VPC endpoint. We advocate configuring a minimum of 2 subnets in every endpoint for HA.

  1. Allow DNS help for the VPC

Run the next instructions to allow DNS help within the VPC the place the VPC endpoints had been created.

aws ec2 modify-vpc-attribute --vpc-id <YOUR VPCID> --enable-dns-support "{"Worth":true}"
aws ec2 modify-vpc-attribute --vpc-id <YOUR VPCID> --enable-dns-hostnames "{"Worth":true}"

  1. Create non-public hosted zone in Amazon Route 53

Subsequent step is to configure a personal hosted zone in Amazon Route 53.

First create a hosted zone for every VPC endpoint.

echo '{
"VPCRegion":"us-east-1",
"VPCId":"<YOUR VPCID>"
}' > vpc.json

echo '{
"Remark": "PrivateZoneForVPCe",
"PrivateZone": true
}' > hostedzoneconfig.json

aws route53 create-hosted-zone --name credentials.iot.us-east-1.amazonaws.com --vpc file://vpc.json --caller-reference <UUID> --hosted-zone-config file://hostedzoneconfig.json |jq -r ".HostedZone.Id"|sed 's?^.*hostedzone/??g'
aws route53 create-hosted-zone --name iot.us-east-1.amazonaws.com --vpc file://vpc.json --caller-reference <UUID> --hosted-zone-config file://hostedzoneconfig.json |jq -r ".HostedZone.Id"|sed 's?^.*hostedzone/??g'

You should utilize the next on-line software to generate the required UUIDs https://www.uuidgenerator.internet/version1

Then you definately get:

a. VPC endpoints addresses

aws iot describe-endpoint --endpoint-type iot:CredentialProvider | jq -r '.endpointAddress'
aws iot describe-endpoint --endpoint-type iot:Information-ATS | jq -r '.endpointAddress'

b. VPC endpoints DNS names

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.credentials VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].DnsName"
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.information VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].DnsName"

c. Hosted Zone IDs

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.credentials VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].HostedZoneId"
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.information VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].HostedZoneId"

With the data from sections 7.a, 7.b, and seven.c, you possibly can create the DNS file within the Non-public Hosted Zones.

Credential endpoint:

echo '{
"Remark": "Route visitors from Credential default endpoint to VPCe.",
"Modifications": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "<Credentials Endpoint Address from 7.a",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "<Credentials Endpoint Hosted Zone ID from 7.c>",
"DNSName": "<Credentials Endpoint DNS name from 7.b>",
"EvaluateTargetHealth": true
}
}
}
]
}' > credentialvpce.json

aws route53 change-resource-record-sets --hosted-zone-id <Hosted Zone Id of your Route53 hosted zone> --change-batch file://credentialvpce.json

IMPORTANT

HostedZoneId within the credentialvpce.json is the ID you will discover within the credentials VPCe console definition between parenthesis below the DNS Names part. It’s also returned by the command “aws ec2 describe-vpc-endpoints —vpc-endpoint-ids <.iot.credentials VpcEndpointId FROM STEP 1> ……” from part 7.c

–hosted-zone-id parameter within the AWS CLI command is the Hosted Zone Id returned by the command “aws route53 create-hosted-zone —identify credentials.us-east-1.iot.amazonaws.com …….” You’ll find this ID additionally within the Amazon Route 53 console, by choosing your hosted zone and navigating to the “Hosted zone particulars” part.

Information endpoint:

echo '{
"Remark": "Route visitors from IoT Core default information endpoint to VPCe.",
"Modifications": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "<Data Endpoint Address from 7.a",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "<Data Endpoint Hosted Zone ID from 7.c>",
"DNSName": "<Data Endpoint DNS name from 7.b>",
"EvaluateTargetHealth": true
}
}
}
]
}' > datavpce.json

aws route53 change-resource-record-sets --hosted-zone-id <Hosted Zone Id of your Route53 hosted zone> --change-batch file://datavpce.json

Deploy and join your AWS IoT Greengrass core gadget

Now you can comply with any of the supported strategies to configure your AWS IoT Greengrass core gadget. On this state of affairs, you’re most certainly working in an surroundings with out web entry to obtain packages into the machine the place you will set up AWS IoT Greengrass nucleus. We advocate following Set up with handbook provisioning.

Earlier than operating the set up command:

sudo -E java -Droot="/greengrass/v2" -Dlog.retailer=FILE 
-jar ./GreengrassInstaller/lib/Greengrass.jar 
--init-config ./GreengrassInstaller/config.yaml 
--component-default-user ggc_user:ggc_group 
--setup-system-service true

It’s a must to verify your “./GreengrassInstaller/config.yaml” seems like the next:

system:
certificateFilePath: "/greengrass/v2/[your thing cert]"
privateKeyPath: "/greengrass/v2/[your thing private key]"
rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
rootpath: "/greengrass/v2"
thingName: "[your thing name]"
companies:
aws.greengrass.Nucleus:
componentType: "NUCLEUS"
model: "[your NUCLEUS version]"
configuration:
awsRegion: "us-east-1"
iotRoleAlias: "[your GreengrassCoreTokenExchangeRoleAlias]"
iotDataEndpoint: "[the 'A' record created in Route53 for IoT Data Enpoint]"
iotCredEndpoint: "[the 'A' record created in Route53 for IoT Credential Endpoin]"
mqtt:
port: 443
greengrassDataPlaneEndpoint: "iotdata"
greengrassDataPlanePort: 443

Validate you’re utilizing VPCe

To validate you’re utilizing the VPCe and never traversing the general public web, run the next command from the AWS IoT Greengrass core machine:

nslookup [the 'A' record created in Route53 for IoT Credential Endpoin]
nslookup [the 'A' record created in Route53 for IoT Data Enpoint]

The IP addresses returned by the above instructions needs to be within the vary of the subnets related along with your VPC endpoints.

Then, you possibly can run the identical instructions out of your laptop computer. You need to get public IPs for the endpoints.

AWS IoT units

After you may have carried out the steps in part “Create VPC endpoints,” you may also use AWS IoT Core credential supplier via VPCe, immediately from AWS IoT Core issues operating in your VPC. To check this feature, comply with the following steps.

  1. Comply with the step-by-step wizard within the console to create a single factor.

  1. Comply with the Authorizing direct calls to AWS companies utilizing AWS IoT Core credential supplier documentation to create the required roles and insurance policies, and fasten them to the certificates created within the earlier step.
  1. Transfer the connect_device_package.zip file created through the wizard execution into the gadget the place you’re planning to make use of the AWS IoT Machine SDK. For testing this, you need to use an Amazon EC2 occasion. In any case, verify the gadget or EC2 occasion is linked to a community or subnet throughout the VPC the place the VPC endpoint was created. You’ll be able to validate this operating the next instructions from the gadget or EC2 occasion.
nslookup [the 'A' record created in Route53 for IoT Credential Endpoin]
nslookup [the 'A' record created in Route53 for IoT Data Enpoint]

The IP addresses returned by the above instructions needs to be within the vary of the subnets related along with your VPCe endpoints.

  1. Run the next CURL command from the Authorizing direct calls to AWS companies utilizing AWS IoT Core credential supplier documentation, pointing to the “A” file created in Amazon Route 53 within the credentials.iot.us-east-1.amazonaws.com non-public zone. It should appear to be your_aws_account_specific_prefix.credentials.iot.us-east-1.amazonaws.com
curl --cert your certificates --key your gadget certificates key pair -H "x-amzn-iot-thingname: your factor identify" --cacert AmazonRootCA1.pem https://your endpoint /role-aliases/your position alias/credentials

Conclusion

With the brand new VPCe help for AWS IoT Core credential supplier, now you can have end-to-end VPC communication between units—both immediately via AWS IoT Machine SDKs or AWS IoT Greengrass—without having to arrange community proxies and complicated firewall configurations. This simplified community infrastructure might help you scale back operational overhead prices and enhance the safety posture of your resolution. To be taught extra, go to AWS IoT Greengrass and interface VPC endpoints (AWS PrivateLink)


In regards to the authors

Vladi Salomon is a Principal IoT Information Architect with Amazon Net Companies. He has 7+ years of expertise in IoT structure in several vertical like IIoT, Good House, Good Metropolis and Mining in addition to information warehousing and large information platform. Within the newest years he obtained focus in easy methods to convey AI to IoT via scalable MLOps platforms. As a member of AWS Skilled Companies, He works with prospects of various scale and industries architecting and implementing quite a lot of end-to-end IoT options.
Victor Lesau is a Sr. Technical Product Supervisor at Amazon Net Companies. He focuses on product technique, roadmap planning, enterprise evaluation, buyer engagement, and different product administration areas of AWS IoT Core, AWS IoT Identification, and sensible house initiatives.
Ben Omer is a Sr. Technical Product Supervisor at Amazon Net Companies. He works with IoT gadget companies and merchandise together with FreeRTOS, AWS IoT Greengrass, and KVS, with a give attention to roadmap planning, function exploration, and buyer engagement.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles