Amazon Onboarding with Learning Manager Chanci Turner


The Internet of Things (IoT) encompasses services and solutions designed to monitor and control physical objects, such as industrial machinery, thermostats, sensors, and actuators. AWS provides the AWS IoT Core service, enabling these devices to connect seamlessly to the AWS Cloud. The AWS IoT Message Broker serves as the central hub for securely transmitting messages between devices and applications via the HTTPS and MQTT protocols.

As our clients deploy devices across diverse environments and scenarios, they prioritize flexibility and security when incorporating billions of smart devices into their corporate networks. Industries like automotive, manufacturing, and food and chemical production manage critical facilities and require stringent control over their network egress. By implementing network segmentation and strict access policies, they can safeguard traffic across offices, research labs, manufacturing sites, and mobile devices like cars, drones, or airplanes.

The Message Broker employs mutual Transport Layer Security (TLS) authentication to ensure that only trusted devices and applications connect to verified endpoints, which is crucial for securing IoT deployments. Clients’ network security policies are shaped by compliance with industry standards and local regulations, such as Section 5 of NIST’s Guide to Industrial Control Systems Security. Implementing security measures that explicitly permit traffic into and out of their network is essential. Enterprise-grade network segmentation, together with firewalls and intrusion prevention/detection systems, can be configured with allow- and block-lists based on IP addresses, ports, and protocols. Although the fully managed Message Broker provides endpoints with established protocols and ports, the dynamic nature of its IP addresses complicates matters: keeping firewall allow-lists up to date requires ongoing operational diligence to avoid connectivity disruptions for IoT devices. While a static list of IP addresses should not be viewed as a standalone security measure, it can enhance monitoring and restriction of network access.

In this blog post, I’ll guide you through provisioning static IP addresses for your AWS IoT Core endpoint and associating a custom domain with it. Elastic IP addresses from Amazon Elastic Compute Cloud (EC2) are fixed IPs allocated to your AWS account and remain yours until you release them. These can be used to configure allow-list entries in firewalls. Furthermore, the custom domain, managed via Amazon Route 53 Hosted Zone, allows you to specify a fully qualified domain name for your IoT endpoint, rather than relying on the default AWS-managed domain. You can utilize an auto-created TLS server certificate for your IoT endpoint through Amazon Certificate Manager, or if you have an existing certificate, you can reuse it. This solution can be deployed in minutes by leveraging the CDK app or CloudFormation template provided in this GitHub repository.

Walkthrough

In this section, I’ll delve into the solution architecture and detailed interaction of its components. You can easily replicate this solution in your AWS account using the provided infrastructure-as-code template. No external dependencies are required apart from the mentioned resources.

Prerequisites

To implement this solution, you will need the following:

  • An AWS account.
  • An Amazon Route 53 public hosted zone for your domain.
  • A certificate in Amazon Certificate Manager for your domain (optional).

Architecture Overview

This blog presumes a basic understanding of AWS networking fundamentals, Elastic Load Balancers, and Amazon Route 53. The architecture diagram illustrates the components of the solution:

IoT devices, often referred to as clients or things, connect to your unique IoT device data endpoint, e.g., example123.iot.eu-central-1.amazonaws.com. This domain resolves to one or more IP addresses, which are only valid until the DNS record TTL expires. Therefore, clients must query for a new DNS record before attempting to connect to ensure that they’re using a valid destination IP address, preventing reliance on stale information. Firewalls and intrusion protection/detection systems must adapt to these changing IP addresses; otherwise, static allow-lists risk connectivity issues between devices and your endpoint.

To address the challenge of dynamic IP addresses, the proposed solution leverages an Amazon Virtual Private Cloud (VPC) endpoint, supported by a Network Load Balancer (NLB) with static Elastic IP addresses. A custom domain name (vanity domain) resolves to the Elastic IP addresses via Route 53. This allows customers to allow-list these specific Elastic IPs in their firewall configurations without the concern of unexpected DNS updates.

The VPC endpoint creates Elastic Networking Interfaces (ENIs) across multiple Availability Zones (AZs). For redundancy and high availability, this solution employs two AZs with one ENI each. Each ENI is assigned a private IP address from the VPC subnet, which is then utilized in a Target Group for the NLB. Health checks monitor each ENI and distribute traffic accordingly.

The internet-facing NLB receives traffic from the internet on its associated Elastic IPs, one for each AZ. By opting for Elastic IPs rather than auto-assigned ones, you ensure that these addresses remain in your AWS account even after the NLB is deleted, which can be crucial for future infrastructure migrations. To accommodate all IoT connection methods, listeners can be added for each IoT endpoint protocol and port: HTTPS on tcp/443, Alt-HTTPS on tcp/8443, and MQTT on tcp/8883.

Each listener forwards traffic to a corresponding Target Group for the specific protocol and port, directing traffic to the IP targets of the VPC endpoints. The NLB and VPC endpoint remain transparent to the actual traffic. The source IP addresses of your devices will be translated to private VPC-based IPs, meaning the Client IP preservation feature of NLB Target Groups cannot be utilized, and enabling it would disrupt the traffic flow. The secure connection between devices and the Message Broker only requires awareness of the new domain name utilized by your clients. When using AWS SDKs, the necessary protocol headers are automatically included to establish TLS mutual authentication and facilitate the client and server certificate exchange. Neither the NLB nor your VPC can access unencrypted traffic. The IoT endpoint allows for additional domain configurations with server certificates provided by AWS Certificate Manager.
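As an added example (not code from the post or its GitHub repository), this Python/boto3 sketch shows the target group and listener wiring described above: it looks up the VPC endpoint's ENI private IPs, then plans and creates one TCP target group and listener per IoT port, with IP targets and client IP preservation explicitly disabled. The VPC endpoint id, NLB ARN, VPC id and region are assumed inputs; the Route 53 record and IoT domain configuration are not included.

```python
"""Wire an AWS IoT Core interface VPC endpoint behind an NLB: one TCP target
group and listener per IoT port, with the endpoint's ENI private IPs as targets."""
from typing import Dict, List

# Ports served by the AWS IoT device data endpoint, as listed in the post.
IOT_PORTS = {"https": 443, "alt-https": 8443, "mqtt": 8883}


def plan_forwarding(private_ips: List[str], vpc_id: str) -> List[Dict]:
    """One target group + listener spec per IoT port (pure, no AWS calls).

    Client IP preservation is explicitly disabled: the VPC endpoint must see
    private VPC source addresses, so preserving the device's public IP would
    break the flow, as the architecture notes explain.
    """
    plan = []
    for name, port in IOT_PORTS.items():
        plan.append({
            "target_group": {
                "Name": f"iot-{name}-{port}", "Protocol": "TCP", "Port": port,
                "VpcId": vpc_id, "TargetType": "ip", "HealthCheckProtocol": "TCP",
            },
            "attributes": [{"Key": "preserve_client_ip.enabled", "Value": "false"}],
            "targets": [{"Id": ip, "Port": port} for ip in private_ips],
            "listener": {"Protocol": "TCP", "Port": port},
        })
    return plan


def endpoint_private_ips(ec2, vpce_id: str) -> List[str]:
    """Private IPs of the interface endpoint's ENIs (one per AZ); `ec2` is a boto3 EC2 client."""
    ep = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpce_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(NetworkInterfaceIds=ep["NetworkInterfaceIds"])
    return sorted(e["PrivateIpAddress"] for e in enis["NetworkInterfaces"])


def apply_plan(plan: List[Dict], nlb_arn: str, region: str) -> List[str]:
    """Create target groups, register the ENI targets and attach NLB listeners."""
    import boto3  # imported here so the planning functions stay importable without boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    created = []
    for item in plan:
        tg = elbv2.create_target_group(**item["target_group"])["TargetGroups"][0]
        elbv2.modify_target_group_attributes(TargetGroupArn=tg["TargetGroupArn"], Attributes=item["attributes"])
        elbv2.register_targets(TargetGroupArn=tg["TargetGroupArn"], Targets=item["targets"])
        elbv2.create_listener(LoadBalancerArn=nlb_arn, **item["listener"],
                              DefaultActions=[{"Type": "forward", "TargetGroupArn": tg["TargetGroupArn"]}])
        created.append(tg["TargetGroupArn"])
    return created
```

A typical run is `apply_plan(plan_forwarding(endpoint_private_ips(ec2, "vpce-..."), "vpc-..."), nlb_arn, "eu-central-1")` with a real boto3 EC2 client; the IP lookup is needed because the ENI addresses only exist once the VPC endpoint has been created.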

You can easily scale the maximum number of concurrently connected devices by adding multiple VPC endpoints for AWS IoT Core to the NLB. For more information on scaling and limitations, please refer to the documentation. Monitoring your NLB for port allocation errors is recommended to identify any issues with devices connecting to your endpoints. The number of VPC endpoints can be scaled based on your anticipated number of devices and connections.

To deploy this solution, you can use the resources in this GitHub repository, which features two equivalent implementations of the outlined architecture: a CDK app and a CloudFormation template. You may provide your own VPC and subnets, or they can be auto-created. Additionally, make sure to supply a custom domain name along with its corresponding Route 53 Hosted Zone ID.
