
Creating static IP addresses and customized domains for AWS IoT Core endpoints

The Internet of Things (IoT) describes services and solutions to monitor and control real-world objects, such as industrial equipment, light switches, thermostats, sensors and actuators. AWS offers the AWS IoT Core service that allows such devices to connect to the AWS Cloud. The AWS IoT Message Broker is the central point to securely transmit messages to and from all your devices and applications using the HTTPS and MQTT protocols.

With devices deployed in a wide variety of environments, locations, and scenarios, our customers want flexibility and security when integrating billions of smart devices into their corporate network. Industries such as automotive, manufacturing, or food and chemical production manage critical production facilities and want to assert tight control over their network egress. Network segmentation and strict access policies help secure traffic in offices, research facilities, production plants, and free-moving devices, such as cars, drones, or airplanes.

The Message Broker provides mutual Transport Layer Security (TLS) authentication to ensure that only trusted devices and applications connect to a trusted endpoint, which is a key component in securing IoT deployments. Industry compliance and local regulations provide customers with guidance on their network security policies, such as NIST's Guide to Industrial Control Systems Security, Section 5. Adding such security measures to explicitly allow traffic into and out of their network is another key component. Enterprise-grade network segmentation with firewalls and intrusion protection / detection systems can be configured with allow- and block-lists based on IP addresses and protocol ports. While the fully managed Message Broker provides endpoints with well-known protocols and ports, the IP addresses themselves can change dynamically. This requires operational effort to keep the firewall allow-lists up to date and avoid connectivity issues for IoT devices. Keeping a static list of IP addresses should not be considered a stand-alone security measure, but it can serve as an additional layer to monitor and restrict network access.

In this blog post, I'll show you how to provision static IP addresses for your AWS IoT Core endpoint, and how to associate a custom domain with it. Elastic IP addresses, from Amazon Elastic Compute Cloud (EC2), are fixed (static) IP addresses allocated to your AWS account and are yours until you release them. You can use them to configure allow-list firewall entries. The custom domain, managed via your Amazon Route 53 Hosted Zone, lets you specify a fully qualified domain name for your IoT endpoint, instead of using the provided default AWS-managed domain. You can use an auto-created TLS server certificate for your IoT endpoint via the AWS Certificate Manager (ACM) service, or if you already have one, you can re-use it. You can deploy this solution within minutes by using the CDK app or CloudFormation template provided in this GitHub repository.


In this section, I'll dive deep into the solution architecture and walk you through the individual components and how they interact with one another. You can easily replicate this solution in your AWS account by using the provided infrastructure-as-code template. There are no other external dependencies apart from the mentioned resources.


To deploy this solution, you need the following prerequisites:

Architecture deep-dive

This blog post assumes some familiarity with AWS networking fundamentals, Elastic Load Balancers, and Amazon Route 53. The following architecture diagram depicts the individual components of the solution:

Architecture for Static IP Addresses for IoT Core Endpoint

IoT devices (also called clients or things) connect to your IoT device data endpoint, which is unique to your AWS account, e.g., example123.iot.eu-central-1.amazonaws.com. This domain name resolves to multiple IP addresses that are only valid for as long as the DNS record TTL has not expired. As a result, clients should query for a fresh DNS record before connecting to the endpoint to ensure that they use a valid destination IP address and not a stale/outdated one. Firewalls and intrusion protection / detection systems need to be aware of these changing IP addresses, otherwise static allow-lists will lead to connectivity issues between devices and your endpoint.

To overcome this challenge with dynamic IP addresses, the proposed solution uses an Amazon Virtual Private Cloud (VPC) endpoint, fronted by a Network Load Balancer (NLB) with static Elastic IP addresses. A custom domain name (vanity domain) is used to resolve to the Elastic IP addresses via Route 53. Customers can then allow-list exactly these Elastic IPs in their firewalls or networking configuration without worrying about unexpected DNS updates.

The VPC endpoint creates Elastic Network Interfaces (ENI) in multiple Availability Zones (AZ). For redundancy and high availability, this solution uses two different AZs with one ENI each. Each ENI receives a private IP address from the VPC subnet. These private IPs are then used in a Target Group for the NLB. Health checks take care of monitoring each ENI and distribute the traffic accordingly.

The internet-facing NLB receives traffic from the internet on the associated Elastic IPs, one per AZ. Using Elastic IPs instead of auto-assigned IPs allows you to retain these IP addresses in your AWS account even after deleting the NLB. This can be very important for future migrations of your infrastructure.
To support all IoT connection methods, you can add one listener for each IoT endpoint protocol and port: HTTPS on tcp/443, Alt-HTTPS on tcp/8443, and MQTT on tcp/8883:

Each listener forwards traffic to a corresponding Target Group, again one per protocol and port, which sends the traffic to the IP targets of the VPC endpoints:

The NLB and the VPC endpoint are transparent to the actual traffic. The secure connection between your devices and the Message Broker only needs to be aware of the new domain name that your clients are using. When using the AWS SDKs, the necessary protocol headers are included automatically to establish TLS mutual authentication and perform the client and server certificate exchange. Neither the NLB nor your VPC have access to unencrypted traffic. The IoT endpoint allows for additional domain configurations with server certificates provided by AWS Certificate Manager.

The maximum number of concurrently connected devices can be scaled easily by adding multiple VPC endpoints for AWS IoT Core to the NLB. Please refer to the documentation pages on scaling and limitations.

To deploy this solution, you can use the resources from this GitHub repository; there are two equivalent implementations of the shown architecture: a CDK app and a CloudFormation template. You can bring your own VPC and subnets, or have them auto-created. You need to provide a custom domain name with a corresponding Route 53 Hosted Zone ID. You can provide an existing certificate from ACM, or use the auto-generated certificate for this domain name. The Elastic IP addresses are retained even after deleting the CDK app or CloudFormation stack. The provided infrastructure-as-code resources are self-contained, apart from the required inputs, and don't interact with other resources in your AWS account.

After a successful creation of the CDK app or CloudFormation stack, the two newly assigned Elastic IP addresses are available as Outputs in your stack. You can use them to create allow-list entries in your corporate firewall. This enables your IoT devices to connect to the IoT endpoint via these static IP addresses.

Testing with an IoT device

If you don't already have a device configured as an AWS IoT Thing, you can get started connecting your device in the AWS Console. Follow the steps outlined for your platform and download the connection kit with all necessary files to get started. To test your newly created IoT endpoint, you can run the pubsub.py sample from the AWS IoT Device SDK v2 for Python and start it with your custom endpoint and the downloaded connection kit (containing certificate and key files). See these example shell commands:

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem
wget https://raw.githubusercontent.com/aws/aws-iot-device-sdk-python-v2/v1.8.0/samples/pubsub.py
python3 -m pip install awsiotsdk==1.8.0
python3 pubsub.py \
--endpoint iot.example.com \
--port 8883 \
--cert TestThing.cert.pem \
--key TestThing.private.key \
--root-ca AmazonRootCA1.pem \
--client-id basicPubSub \
--topic sdk/test/Python \
--count 1

A successful test will yield this output before the command exits:

Connecting to iot.example.com with client ID 'basicPubSub'...
Subscribing to topic 'sdk/test/Python'...
Subscribed with QoS.AT_LEAST_ONCE
Sending 1 message(s)
Publishing message to topic 'sdk/test/Python': Hello World! [1]
Received message from topic 'sdk/test/Python': b'"Hello World! [1]"'
1 message(s) received.

This test established a connection to your new IoT endpoint with the custom domain iot.example.com. To view the resolved DNS records, you can run it again with --verbosity Debug. After a secure MQTT session is established, it subscribes to a topic, publishes a message to the same topic, and waits to receive this message via the subscription, before disconnecting and completing the test successfully.
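As an added post-deployment check (example code written for this post, not part of the original blog or the GitHub repository), the following script verifies the two properties the architecture relies on: that the custom domain still resolves only to the Elastic IPs from the stack outputs (any other address means a stale or tampered Route 53 record that a strict firewall would block), and that each listener port (443, 8443, 8883) presents a certificate covering the custom domain. The hostname iot.example.com, the Elastic IPs and the TestThing.* file names in the usage note are assumptions taken from the test above.

```python
import socket
import ssl
from typing import Iterable

IOT_PORTS = (443, 8443, 8883)  # the NLB listeners: HTTPS, Alt-HTTPS, MQTT over TLS


def unexpected_ips(resolved: Iterable[str], allow_list: Iterable[str]) -> set:
    """Resolved addresses that are NOT allow-listed: a non-empty result means the
    Route 53 record drifted away from the stack's Elastic IPs and firewalled devices break."""
    return set(resolved) - set(allow_list)


def hostname_matches_san(hostname: str, san_names: Iterable[str]) -> bool:
    """True if a DNS SAN entry covers the custom domain (case-insensitive).
    A leading wildcard label matches exactly one label (RFC 6125 section 6.4.3):
    '*.example.com' covers 'iot.example.com' but not 'example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) > 2 and labels[1:] == host[1:]:
            return True
    return False


def peer_san_names(hostname: str, port: int, cert=None, key=None) -> list:
    """Verified TLS handshake with SNI; returns the server certificate's DNS SANs.
    Pass the device certificate and key from the connection kit so that the
    mutual-TLS MQTT port 8883 accepts the handshake."""
    ctx = ssl.create_default_context()
    if cert:
        ctx.load_cert_chain(cert, key)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            peer = tls.getpeercert()
    return [value for kind, value in peer.get("subjectAltName", ()) if kind == "DNS"]


def check_endpoint(hostname: str, allow_list: list, cert=None, key=None) -> list:
    """Live check: DNS answers stay inside the allow-list and every listener port
    presents a certificate for the custom domain. Returns findings; empty means OK."""
    resolved = {ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    findings = [f"{hostname} resolves to non-allow-listed IP {ip}"
                for ip in sorted(unexpected_ips(resolved, allow_list))]
    for port in IOT_PORTS:
        if not hostname_matches_san(hostname, peer_san_names(hostname, port, cert, key)):
            findings.append(f"certificate on port {port} does not cover {hostname}")
    return findings
```

Run it against the deployed stack with the two Elastic IPs from the stack Outputs, for example `check_endpoint("iot.example.com", ["<EIP-1>", "<EIP-2>"], "TestThing.cert.pem", "TestThing.private.key")`; an empty list means the endpoint matches the static-IP setup.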

Extensions and alternatives

This solution can also be adapted for private networks by keeping all traffic away from the public internet. AWS Direct Connect and AWS Site-to-Site VPN are two services that provide private network connectivity between your on-premises environment and your AWS VPC. Instead of using public Elastic IP addresses on an internet-facing NLB, you can create an internal NLB to front your VPC endpoints. To send traffic from your devices to the internal private IP addresses of your NLB, simply add the necessary routes over Direct Connect or Site-to-Site VPN into your VPC.

Using an NLB with Elastic IPs exposes your IoT endpoint via its parent AWS Region. If your devices are globally distributed and network latency is of concern, you can use AWS Global Accelerator to optimize the network path by using the AWS global network. You create a new Accelerator, select the protocol and ports, and add the NLB in your region as a new endpoint. The accelerator provides you with a new set of static anycast IP addresses that you can use in your Route 53 records.

The presented architecture covers the AWS IoT Core endpoints for the HTTPS and MQTT protocols. Any traffic to other AWS services, e.g., Amazon S3 or Amazon DynamoDB, is unaffected. If your devices connect to such services using dynamic IPs and your devices are Linux-based with sufficient compute resources, then this OpenVPN-based AWS Solutions Implementation provides a fully private VPN layer for your devices with static IP addresses on a single port to tunnel all traffic (including IoT endpoints) from your devices to the AWS cloud.

Cleaning up

To avoid incurring future charges, destroy the CDK app or delete the CloudFormation stack and manually release the Elastic IPs once you have ensured and verified that you no longer need them. If you created a new device with the "get started connecting" workflow, you can delete the associated thing, certificate, and policy.


In this blog post, I demonstrated how to create an AWS IoT Core device data endpoint with static IP addresses and a custom domain. You can use these static IP addresses to create firewall rules and enhance network security, while still allowing your IoT devices to connect to the AWS IoT service in your AWS account through a highly scalable load balancer.

You can try out this solution by deploying either the CDK app or the CloudFormation template yourself: head over to your AWS account and use the provided code resources to get a ready-to-go IoT endpoint with static IP addresses.

Thanks for reading this blog post on AWS IoT and networking in restricted environments. Please don't hesitate to leave comments or questions in the comments section, or create new issues and pull requests in the GitHub repository.

About the author

Thomas Kriechbaumer

Thomas Kriechbaumer is a Senior Solutions Architect at AWS, working on scaling startups in the area of mobility, transportation, and Internet of Things. Before joining AWS, he worked on autonomous vehicles and large-scale data collection and ingestion. Thomas is passionate about integrated soft- and hardware solutions to improve the lives of millions of people.



