Introduction
If you operate secure private networks, such as an assembly line's operational technology (OT) network at a factory or government agency, and intend to connect your devices to AWS, you need to use X.509 client certificates to authenticate requests to AWS services while keeping all traffic inside an Amazon Virtual Private Cloud (VPC). In this post, we demonstrate how to use the new capability, a VPC endpoint (VPCe) for the AWS IoT Core credential provider, to manage component deployments to AWS IoT Greengrass gateways running on private networks. We also demonstrate how to develop and connect devices that use the AWS IoT Device SDK and need to exchange their X.509 client certificate for temporary security credentials in order to call other AWS services.
AWS IoT Core is a fully managed service that supports connectivity for billions of devices. Devices and software clients that connect to AWS IoT Core authenticate with X.509 certificates, whereas other AWS services authenticate API calls with AWS security tokens (temporary credentials used to sign requests). To avoid hardcoding long-lived credentials or tokens in clients, AWS IoT Core provides the credential provider endpoint: a client such as an AWS IoT Greengrass component presents its X.509 certificate to this endpoint and receives temporary security credentials for calling other AWS services. With VPC endpoint support for the credential provider, you can extend your operational network into a VPC in AWS over a private link such as a Virtual Private Network (VPN) connection, so your equipment no longer needs public internet access to reach the credential provider.
How customers are benefiting from the new capability
VR-Yhtymä Oy is a Finnish public-sector railway company that operates 250 long-distance and 800 commuter rail services every day. VR-Yhtymä Oy is using VPC for private communication between trains and AWS services.
"With VPC endpoints for AWS IoT Core credential provider, we can use X.509 client certificates to get credentials for accessing AWS services, such as Amazon S3 or Lambda, without leaving our private VPC subnets," said Tomi Uutela, Head of Digital Operations at VR-Yhtymä Oy.
Utopus Insights is a data-driven energy analytics Software as a Service (SaaS) company that develops global digital solutions to accelerate the integration of renewable energy into the modern grid. Utopus Insights is using VPC for private communication between AWS IoT Greengrass, AWS IoT Core, and other AWS services.
"Integrating AWS IoT Core and AWS IoT Greengrass VPC Endpoints will bring several benefits to our operations. Firstly, it will simplify our infrastructure architecture by eliminating the need for an additional proxy server. This will streamline our setup and reduce maintenance overhead. VPC Endpoints will also enhance security by enabling private connections between our VPC and AWS IoT Greengrass. This ensures that our IoT devices and data remain isolated from the public internet, reducing the risk of unauthorized access," said Gopi Valiyaveedu, Platform Engineering Manager, Utopus Insights, Inc.
Prerequisites
Administrator access to an AWS account
Basic AWS CLI skills
Basic AWS IoT Greengrass and AWS IoT Core knowledge
Solution architecture
The following architecture represents a typical IoT infrastructure where devices using on-premises operational networks connect to AWS through a private network.
Walkthrough
In this walkthrough you will learn how to use the AWS IoT Core credential provider over a VPC endpoint, either for AWS IoT Greengrass or for IoT devices built with the AWS IoT Device SDK.
Note that you must complete the section "Create VPC endpoints" in both cases.
AWS IoT Greengrass
Create VPC endpoints
To establish an edge-to-cloud communication link entirely over your VPC, you must first set up private connectivity between your on-premises network infrastructure and your AWS VPC, for example AWS Direct Connect (a VPN connection, as mentioned in the introduction, serves the same purpose). For detailed implementation, refer to the AWS Direct Connect developer guide.
Once that private connectivity is in place, three VPC endpoints are required for an IoT gateway to be provisioned, managed, and synchronized (component deployments) as an AWS IoT Greengrass gateway:
AWS IoT Greengrass
AWS IoT Core data
AWS IoT Core credential provider
The AWS IoT Greengrass endpoint (com.amazonaws.[region].greengrass) is used to manage components, deployments, and devices from the AWS IoT Greengrass cloud service. Authentication and authorization with this endpoint are done using X.509 certificates as described in Device authentication and authorization for AWS IoT Greengrass.
The AWS IoT Core data endpoint (com.amazonaws.[region].iot.data) is used for interactions between AWS IoT Greengrass components and AWS IoT Core by publishing/subscribing to AWS IoT Core MQTT broker. Authentication and authorization with this endpoint is also done using X.509 certificates.
The AWS IoT Core credential provider endpoint (com.amazonaws.[region].iot.credentials) is used to reach AWS services that do not support X.509 authentication and authorization, such as Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Container Registry (Amazon ECR). In either case, a device built with the AWS IoT Device SDK or an AWS IoT Greengrass component calls the credential provider endpoint over mutual TLS, authenticating with its X.509 certificate and being authorized by the AWS IoT policy attached to that certificate. The endpoint then issues temporary security credentials for the IAM role behind the requested role alias, which the client uses in its calls to the services that do not support X.509.
Calls to Amazon S3 and Amazon ECR are required during AWS IoT Greengrass component deployments, as described in the following sequence diagram. An AWS IoT Greengrass component also requires these temporary credentials whenever it uses the AWS SDKs to communicate with other cloud services that do not support X.509 certificate authentication and authorization.
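The exchange described above, written out as an added example (this is not code from the original post or from AWS): the device authenticates to the credential provider with its X.509 certificate over mutual TLS, requests credentials for a role alias, and parses the returned temporary credentials, refusing a response that is incomplete or already expired. The hostname, role alias, thing name and file paths are placeholders you must replace; the sample response is constructed so the parsing path can be exercised without network access.

```python
"""Exchange a device X.509 certificate for temporary AWS credentials via the
AWS IoT Core credential provider, over mutual TLS.

Added example for this post, not code from the original article or from AWS.
All hostnames, file paths, the role alias and the thing name are placeholders."""
import http.client
import json
import ssl
from datetime import datetime, timezone

# Assumed placeholders. The account-specific hostname comes from:
#   aws iot describe-endpoint --endpoint-type iot:CredentialProvider
CRED_ENDPOINT = "xxxxxxxxxxxxxx.credentials.iot.us-east-1.amazonaws.com"
ROLE_ALIAS = "YourRoleAlias"     # AWS IoT role alias that maps to the IAM role to assume
THING_NAME = "YourThingName"     # registered thing the certificate is attached to
CERT_PATH = "device.pem.crt"     # device certificate, e.g. from connect_device_package.zip
KEY_PATH = "private.pem.key"
CA_PATH = "AmazonRootCA1.pem"

# Constructed sample response (same shape the credential provider returns;
# the values are fake) so parse_credentials() can be exercised offline.
SAMPLE_RESPONSE = json.dumps({"credentials": {
    "accessKeyId": "ASIAEXAMPLEKEY000001",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "sessionToken": "FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN",
    "expiration": "2099-01-01T00:00:00Z"}})


def build_request(role_alias, thing_name):
    """Path and headers for the credential provider call.

    /role-aliases/<alias>/credentials is the credential provider's resource; the
    x-amzn-iot-thingname header tells the service which thing is calling, so the
    IoT policy attached to the certificate can use thing policy variables to
    restrict which thing may obtain credentials with this certificate."""
    return (f"/role-aliases/{role_alias}/credentials",
            {"x-amzn-iot-thingname": thing_name})


def parse_credentials(body):
    """Turn the JSON response into the keys AWS SDKs expect.

    Rejects a response with missing fields or an already-expired token so a
    caller never proceeds with unusable credentials."""
    creds = json.loads(body).get("credentials")
    if not creds:
        raise ValueError("response has no 'credentials' object")
    missing = [k for k in ("accessKeyId", "secretAccessKey", "sessionToken", "expiration")
               if k not in creds]
    if missing:
        raise ValueError(f"response is missing {missing}")
    expiration = datetime.fromisoformat(creds["expiration"].replace("Z", "+00:00"))
    if expiration <= datetime.now(timezone.utc):
        raise ValueError("credentials are already expired")
    return {"aws_access_key_id": creds["accessKeyId"],
            "aws_secret_access_key": creds["secretAccessKey"],
            "aws_session_token": creds["sessionToken"],
            "expiration": expiration}


def fetch_credentials(endpoint=CRED_ENDPOINT, role_alias=ROLE_ALIAS, thing_name=THING_NAME,
                      cert=CERT_PATH, key=KEY_PATH, ca=CA_PATH):
    """Live mutual-TLS GET against the credential provider (needs network access)."""
    ctx = ssl.create_default_context(cafile=ca)     # verify the server against the Amazon root CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # present the device certificate (mTLS)
    # Keep hostname verification enabled: with the Route 53 private hosted zone in
    # place the public hostname resolves to the VPC endpoint's private IPs and the
    # server certificate still matches, so nothing needs to be weakened.
    path, headers = build_request(role_alias, thing_name)
    conn = http.client.HTTPSConnection(endpoint, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode()
        if resp.status != 200:
            raise RuntimeError(f"credential provider returned HTTP {resp.status}: {body}")
        return parse_credentials(body)
    finally:
        conn.close()


if __name__ == "__main__":
    creds = fetch_credentials()
    print("credentials valid until", creds["expiration"].isoformat())
```

Run it on the device (or the EC2 instance used for testing) after the VPC endpoint and private hosted zone exist; if the hostname still resolves to public addresses the request simply leaves the VPC, which is why the resolution check later in this post matters. Note that the VPC endpoint changes only the transport path: what the returned credentials may do is still governed by the IoT policy on the certificate and the IAM role behind the role alias.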
To achieve end-to-end communication over VPC endpoints, you must create these three interface endpoints in one or more private subnets that will route traffic to and from AWS.
Each interface endpoint gets an elastic network interface with a private IP address in every subnet you select. We recommend selecting at least two subnets, in different Availability Zones, for high availability.
You can use the following AWS CLI commands to create the three VPC endpoints, passing your VPC ID (and later your private subnets) as parameters, or create them in the AWS Console.
All following commands are for us-east-1 region.
Create VPC endpoints
aws ec2 create-vpc-endpoint --vpc-id "YOUR VPCID" --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.iot.credentials | jq -r ".VpcEndpoint.VpcEndpointId"
aws ec2 create-vpc-endpoint --vpc-id "YOUR VPCID" --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.greengrass | jq -r ".VpcEndpoint.VpcEndpointId"
aws ec2 create-vpc-endpoint --vpc-id "YOUR VPCID" --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.iot.data | jq -r ".VpcEndpoint.VpcEndpointId"
Get security groups associated with the VPC endpoints
Add an ingress rule to the security groups
add_ingress_rule_here
Add an egress rule to the security groups
add_egress_rule_here
Add subnets to the VPC endpoints
add_subnets_here
Enable DNS support for the VPC
enable_dns_support_here
Create a private hosted zone in Amazon Route 53
set_up_hosted_zone
IMPORTANT
set_up_info_here
AWS IoT devices
Create VPC endpoints
Follow the step-by-step wizard in the AWS IoT console to create a single thing.
Authorizing direct calls to AWS services using AWS IoT Core credential provider
Move the connect_device_package.zip file created by the wizard to the device on which you plan to use the AWS IoT Device SDK. For testing, you can use an Amazon EC2 instance instead. In either case, confirm that the device or EC2 instance is connected to a network or subnet within the VPC where the VPC endpoints were created. You can validate this by running the following commands from the device or EC2 instance: the endpoint hostnames returned by describe-endpoint must resolve to the same private IP addresses as the DNS names of the corresponding VPC endpoints.
nslookup [the 'A' record created in Route 53 for the IoT credential provider endpoint]
nslookup [the 'A' record created in Route 53 for the IoT data endpoint]
aws iot describe-endpoint --endpoint-type iot:CredentialProvider | jq -r '.endpointAddress'
aws iot describe-endpoint --endpoint-type iot:Data-ATS | jq -r '.endpointAddress'
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.credentials VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].DnsName"
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <.iot.data VpcEndpointId FROM STEP 1> | jq -r ".VpcEndpoints[0].DnsEntries[0].DnsName"
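The comparison those commands ask you to make by eye, automated as an added example (not code from the original post or from AWS): resolve the service hostname from describe-endpoint and the VPC endpoint's own DNS name, and report whether the service hostname resolves only to addresses inside the VPC CIDR and to exactly the endpoint's addresses. The hostnames, addresses and VPC CIDR below are constructed test data fed through a fake resolver so the check runs offline; on a real device pass the values from the commands above and the default live resolver.

```python
"""Check that the IoT endpoint hostnames resolve to addresses inside the VPC
(the VPC endpoint ENIs) rather than to public AWS addresses.

Added example for this post, not code from the original article or from AWS.
FAKE_DNS is constructed test data; the hostnames in it are placeholders."""
import ipaddress
import socket


def live_resolver(hostname):
    """Resolve with the host's real DNS, i.e. what the device will actually use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def check_private_resolution(service_host, vpce_host, vpc_cidr, resolver=live_resolver):
    """Compare what the service hostname resolves to against the VPC endpoint's
    DNS name and the VPC CIDR.

    'ok' is True only when the service hostname resolves to at least one address,
    every address lies inside vpc_cidr, and the address set equals the VPC
    endpoint's own addresses, which shows the private hosted zone record is in
    place and traffic to that hostname will not leave the VPC."""
    net = ipaddress.ip_network(vpc_cidr)
    service_addrs = resolver(service_host)
    vpce_addrs = resolver(vpce_host)
    outside = [a for a in service_addrs if ipaddress.ip_address(a) not in net]
    matches = bool(service_addrs) and service_addrs == vpce_addrs
    return {
        "host": service_host,
        "addresses": service_addrs,
        "outside_vpc": outside,
        "matches_vpce": matches,
        "ok": matches and not outside,
    }


# Constructed resolver table (fake names and addresses) standing in for DNS.
FAKE_DNS = {
    # credential provider: private hosted zone record present, resolves to the VPCe IPs
    "c1example.credentials.iot.us-east-1.amazonaws.com": ["10.0.1.27", "10.0.2.41"],
    "vpce-0123456789abcdef0-abcd1234.credentials.iot.us-east-1.vpce.amazonaws.com": ["10.0.1.27", "10.0.2.41"],
    # data endpoint: private hosted zone record missing, still resolves to a public address
    "c1example-ats.iot.us-east-1.amazonaws.com": ["52.94.233.10"],
    "vpce-0fedcba9876543210-dcba4321.data.iot.us-east-1.vpce.amazonaws.com": ["10.0.1.55", "10.0.2.73"],
}


def fake_resolver(hostname):
    """Offline stand-in for live_resolver backed by FAKE_DNS."""
    return sorted(FAKE_DNS.get(hostname, []))


if __name__ == "__main__":
    # On a device, replace the pairs with the outputs of `aws iot describe-endpoint`
    # and `aws ec2 describe-vpc-endpoints`, drop resolver=fake_resolver, and use your VPC CIDR.
    pairs = [
        ("c1example.credentials.iot.us-east-1.amazonaws.com",
         "vpce-0123456789abcdef0-abcd1234.credentials.iot.us-east-1.vpce.amazonaws.com"),
        ("c1example-ats.iot.us-east-1.amazonaws.com",
         "vpce-0fedcba9876543210-dcba4321.data.iot.us-east-1.vpce.amazonaws.com"),
    ]
    for service, vpce in pairs:
        print(check_private_resolution(service, vpce, "10.0.0.0/16", resolver=fake_resolver))
```

Run it once per endpoint (credential provider, data, and the Greengrass endpoint for gateways). A hostname that resolves to public addresses means the private hosted zone record for that endpoint is missing or DNS support is disabled on the VPC, and traffic will take the public path even though the VPC endpoint exists.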
Conclusion
With the new VPCe support for the AWS IoT Core credential provider, you can now have end-to-end VPC communication with devices, either directly through the AWS IoT Device SDKs or through AWS IoT Greengrass, without setting up network proxies or complex firewall configurations. This simplified network infrastructure can help you reduce operational overhead and improve the security posture of your solution. To learn more, see AWS IoT Greengrass and interface VPC endpoints (AWS PrivateLink).
About the authors
Vladi Salomon is a Principal IoT Data Architect with Amazon Web Services. He has 7+ years of experience in IoT architecture across verticals such as IIoT, Smart Home, Smart City and Mining, as well as in data warehousing and big data platforms. In recent years he has focused on bringing AI to IoT through scalable MLOps platforms. As a member of AWS Professional Services, he works with customers of different scales and industries, architecting and implementing a variety of end-to-end IoT solutions.
Victor Lesau is a Sr. Technical Product Manager at Amazon Web Services. He focuses on product strategy, roadmap planning, business analysis, customer engagement, and other product management areas of AWS IoT Core, AWS IoT Identity, and smart home initiatives.
Ben Omer is a Sr. Technical Product Manager at Amazon Web Services. He works with IoT device services and products including FreeRTOS, AWS IoT Greengrass, and KVS, with a focus on roadmap planning, feature exploration, and customer engagement.