Saturday, November 26, 2022
HomeIoTCreating static IP addresses and customized domains for AWS IoT Core endpoints

Creating static IP addresses and customized domains for AWS IoT Core endpoints

The Web of Issues (IoT) describes providers and options to observe and management actual world objects, akin to industrial gear, gentle switches, thermostats, sensors and actuators. AWS gives the AWS IoT Core service that permits such units to hook up with the AWS Cloud. The AWS IoT Message Dealer is the central level to securely transmit messages to and from all of your units and functions utilizing the HTTPS and MQTT protocols.

With units deployed in quite a lot of completely different environments, places, and eventualities, our prospects need flexibility and safety when integrating billions of sensible units into their company community. Industries, akin to automotive, manufacturing, or meals and chemical manufacturing, handle vital manufacturing amenities and want to claim tight management over their community egress. Community segmentation and strict entry insurance policies assist safe site visitors in places of work, analysis amenities, manufacturing vegetation, and free-moving units, akin to automobiles, drones, or airplanes.

The Message Dealer supplies mutual Transport Layer Safety (TLS) authentication to make sure that solely trusted units and functions are connecting to a trusted endpoint, which is a key element in securing IoT deployments. Business compliance and native laws present prospects with steerage on their community safety insurance policies, akin to NIST’s Information to Industrial Management Methods Safety, Part 5. Including such safety measures to explicitly permit site visitors into and out of their community is one other key element. Enterprise-grade community segmentation with firewalls and intrusion safety / detection techniques will be configured with allow- and block-lists based mostly on IP addresses and protocol ports. Whereas the fully-managed Message Dealer supplies endpoints with well-known protocols and ports, the IP addresses themselves can change dynamically. This requires operational effort to maintain the firewall allow-lists updated and keep away from connectivity points for IoT units. Maintaining a static record of IP addresses shouldn’t be thought-about a stand-alone safety measure, however can function an extra layer to observe and prohibit community entry.

On this weblog submit, I’ll present you tips on how to provision static IP addresses on your AWS IoT Core endpoint, and tips on how to affiliate a customized area with it. Elastic IP addresses, from Amazon Elastic Compute Cloud (EC2), are fastened (static) IP addresses allotted to your AWS account and are yours till you launch them. You should use them to configure allow-list firewall entries. The customized area, managed by way of your Amazon Route 53 Hosted Zone, helps you to specify a completely certified area title on your IoT endpoint, as a substitute of utilizing the supplied default AWS-managed area. You should use an auto-created TLS server certificates on your IoT endpoint by way of the Amazon Certificates Supervisor service, or if you have already got one, you’ll be able to re-use it. You possibly can deploy this resolution inside minutes through the use of the CDK app or CloudFormation template supplied in this GitHub repository.


On this part, I’ll dive deep into the answer structure, and stroll you thru the person parts and the way they work together with one another. You possibly can simply replicate this resolution in your AWS account through the use of the supplied infrastructure-as-code template. There aren’t any different exterior dependencies aside from the talked about assets.


To deploy this resolution, you want the next stipulations:

Structure deep-dive

This weblog submit assumes some familiarity with AWS networking fundamentals, Elastic Load Balancers, and Amazon Route 53. The next structure diagram depicts the person elements of the answer:

Architecture for Static IP Addresses for IoT Core Endpoint

IoT units (additionally referred to as purchasers or issues) hook up with your IoT gadget information endpoint, which is exclusive to your AWS account, e.g., This area title resolves to a number of IP addresses which can be solely legitimate for so long as the DNS report TTL has not expired. In consequence, purchasers ought to question for a contemporary DNS report earlier than connecting to the endpoint to make sure that they use a sound vacation spot IP tackle and never a stale/outdated one. Firewalls and intrusion safety / detection techniques want to concentrate on these altering IP addresses, in any other case static allow-lists will result in connectivity points between units and your endpoint.

To beat this problem with dynamic IP addresses, the proposed resolution makes use of an Amazon Digital Personal Cloud (VPC) endpoint, fronted by a Community Load Balancer (NLB) with static Elastic IP addresses. A customized area title (vainness area) is used to resolve to the Elastic IP addresses by way of Route 53. Prospects can then allow-list precisely these Elastic IPs of their firewalls or networking configuration with out worrying about sudden DNS updates.

The VPC endpoint creates Elastic Networking Interfaces (ENI) in a number of Availability Zones (AZ). For redundancy and excessive availability, this resolution makes use of two completely different AZs with one ENI every. Every ENI receives a personal IP tackle from the VPC subnet. These non-public IPs are then utilized in a Goal Group for the NLB. Well being checks handle monitoring every ENI and distribute the site visitors accordingly.

The web-facing NLB receives site visitors from the web on the related Elastic IPs, one per AZ. Utilizing Elastic IPs as a substitute of auto-assigned IPs, permits you to retain these IP addresses in your AWS account even after deleting the NLB. This may be important for future migrations of your infrastructure.
To help all IoT connection strategies, you’ll be able to add one listener for every IoT endpoint protocol and port: HTTPS on tcp/443, Alt-HTTPS on tcp/8443, and MQTT on tcp/8883:

Every listener forwards site visitors to a corresponding Goal Group, once more one per protocol and port, which sends the site visitors to the IP targets of the VPC endpoints:

The NLB and the VPC endpoint are clear to the precise site visitors. The safe connection between your units and the Message Dealer solely wants to concentrate on the brand new area title that your purchasers are utilizing. When utilizing the AWS SDKs, the required protocol headers are included routinely to determine TLS mutual authentication and carry out the shopper and server certificates trade. Neither the NLB nor your VPC have entry to unencrypted site visitors. The IoT endpoint permits for extra area configurations with server certificates supplied by AWS Certificates Supervisor.

The utmost variety of concurrently related units will be scaled simply by including a number of VPC endpoints for AWS IoT Core to the NLB. Please consult with the documentation pages on scaling and limitations.

To deploy this resolution, you need to use the assets from this GitHub repository, there are two equal implementations of the proven structure: a CDK app and a CloudFormation template. You possibly can carry your personal VPC and subnets, or have them be auto-created. It’s good to present a customized area title with a corresponding Route 53 Hosted Zone ID. You possibly can present an current certificates from ACM, or use the auto-generated certificates for this area title. The Elastic IP addresses are retained even after deleting the CDK app or CloudFormation stack. The supplied infrastructure as code assets are self-contained, aside from the required inputs and don’t work together with different assets in your AWS account.

After a profitable creation of the CDK app or CloudFormation stack, the 2 newly assigned Elastic IP addresses can be found as Outputs in your stack. You should use them to create allow-list entries in your company firewall. This permits your IoT units to hook up with the IoT endpoint by way of these static IP addresses.

Testing with an IoT gadget

For those who don’t have already got a tool configured as AWS IoT Factor, you’ll be able to get began connecting your gadget within the AWS Console. Comply with the steps outlined on your platform and obtain the connection package with all mandatory recordsdata to get began. To check your newly created IoT endpoint, you’ll be able to run the pattern from the AWS IoT Gadget SDK v2 for Python and begin it along with your customized endpoint and the downloaded connection package (containing certificates and key recordsdata). See these instance shell instructions:

python3 -m pip set up awsiotsdk==1.8.0
--port 8883 
--cert TestThing.cert.pem 
--key TestThing.non-public.key 
--root-ca AmazonRootCA1.pem 
--client-id basicPubSub 
--topic sdk/take a look at/Python 
--count 1

A profitable take a look at will yield this output, earlier than the command exits:

Connecting to with shopper ID 'basicPubSub'...
Subscribing to subject 'sdk/take a look at/Python'...
Subscribed with QoS.AT_LEAST_ONCE
Sending 1 message(s)
Publishing message to subject 'sdk/take a look at/Python': Good day World! [1]
Acquired message from subject 'sdk/take a look at/Python': b'"Good day World! [1]"'
1 message(s) obtained.

This take a look at established a connection to your new IoT endpoint with the customized area To view the resolved DNS data, you’ll be able to run it once more with –verbosity Debug. After a safe MQTT session is established, it subscribes to a subject, publishes a message to the identical subject, and waits for receiving this message by way of the subscription, earlier than disconnecting and finishing the take a look at efficiently.

Extensions and alternate options

This resolution may also be tailored for personal networks by retaining all site visitors away from the general public web. AWS Direct Join and AWS Web site-to-Web site VPN are two providers that present non-public community connectivity between your on-premises surroundings and your AWS VPC. As a substitute of utilizing public Elastic IP addresses on an internet-facing NLB, you’ll be able to create an inner NLB to entrance your VPC endpoints. To ship site visitors out of your units to the inner non-public IP addresses of your NLB, merely add the required routes over Direct Join or Web site-to-Web site VPN into your VPC.

Utilizing an NLB with Elastic IPs exposes your IoT endpoint by way of its guardian AWS Area. In case your units are globally distributed and community latency is of concern, you need to use AWS International Accelerator to optimize the community path through the use of the AWS world community. You create a brand new Accelerator, choose the protocol and ports, and add the NLB in your area as new endpoint. The accelerator supplies you with a brand new set of static anycast IP addresses that you need to use in your Route 53 data.

The introduced structure covers the AWS IoT Core endpoints, for HTTPS and MQTT protocols. Any site visitors to different AWS providers, e.g., Amazon S3 or Amazon DynamoDB, is unaffected. In case your units hook up with such providers utilizing dynamic IPs and your units are Linux-based with enough compute assets, then this OpenVPN-based AWS Options Implementation supplies a completely non-public VPN layer on your units with static IP addresses on a single port to tunnel all site visitors (together with IoT endpoints) out of your units to the AWS cloud.

Cleansing up

To keep away from incurring future expenses, destroy the CDK app or delete the CloudFormation stack and manually launch the Elastic IPs after you have ensured and verified that you just not want them. For those who created a brand new gadget with the “get began connecting” workflow, you’ll be able to delete the related factor, certificates, and coverage.


On this weblog submit, I demonstrated tips on how to create an AWS IoT Core gadget information endpoint with static IP addresses and a customized area. You should use these static IP addresses to create firewall guidelines and improve community safety, whereas nonetheless permitting your IoT units to hook up with the AWS IoT service in your AWS account by a extremely scalable load balancer.

You possibly can check out this resolution by deploying both the CDK app or the CloudFormation template your self: head over to your AWS account and use the supplied code assets to get a ready-to-go IoT endpoint with static IP addresses.

Thanks for studying this weblog submit on AWS IoT and networking in restricted environments. Please don’t hesitate to depart feedback or questions within the feedback part, or create new points and pull requests in the GitHub repository.

In regards to the creator

Thomas Kriechbaumer

Thomas Kriechbaumer is a Senior Options Architect at AWS, engaged on scaling startups within the space of mobility, transportation, and Web of Issues. Earlier than becoming a member of AWS, he labored on autonomous automobiles and large-scale information assortment and ingestion. Thomas is enthusiastic about built-in soft- and {hardware} options to enhance the lifetime of hundreds of thousands of individuals.




Please enter your comment!
Please enter your name here

Most Popular

Recent Comments