The Internet of Things on AWS – Official Blog

How to securely connect an AWS IoT Greengrass v1 device to AWS IoT Core using AWS PrivateLink

Introduction

Competitive environments generally put bottom-line pressure on manufacturers, driving leadership to explore additional innovations for revenue growth such as Industrial Internet of Things (IIoT) solutions. In this post, we discuss how to secure network traffic between a device running AWS IoT Greengrass on your Operational Technology (OT) network and your Internet of Things (IoT) services in the cloud by reaching AWS PrivateLink endpoints over a dedicated connection. Increasingly, IT and OT leaders are adopting Industry 4.0 solutions to drive revenue growth, streamline operations, and decrease costs. Managing security considerations while connecting your manufacturing plants to the cloud can be challenging. However, by following the recommendations in the Security Best Practices for Manufacturing OT, you can establish secure connections with an AWS Site-to-Site VPN or AWS Direct Connect together with Amazon VPC endpoints and Amazon VPC endpoint services. Additionally, follow the guidelines in the Ten security golden rules for Industrial IoT Solutions, specifically rule 7, when connecting OT assets and industrial operations to AWS.

AWS IoT Greengrass is an open source edge runtime for building, deploying, and managing device software, as well as for locally processing, filtering, and aggregating telemetry before sending it to the cloud. With the AWS IoT Greengrass runtime you gain access to innovative and highly scalable cloud IT resources that enhance your OT technology investments. To establish a private network between the AWS Cloud and your OT environment, you can use AWS PrivateLink VPC endpoints with AWS VPN or AWS Direct Connect, which keeps all communication within your AWS environment without routing over the public internet. While AWS API endpoints are reachable over the public internet, configuring a VPC endpoint per AWS service allows the AWS IoT Greengrass edge runtime to connect over your private network instead. Endpoint private DNS records and Amazon Route 53 private hosted zones create alias records for the service endpoints that direct traffic to your interface endpoints.

As more customers build IIoT solutions and follow security best practices based on their own security and compliance requirements, they ask how they can establish a private connection to AWS for their IIoT solution without using the AWS public endpoints. This post provides guidance on how to implement AWS IoT Greengrass with other AWS services using private endpoints.

Solution Overview

In the following architecture, an Amazon Elastic Compute Cloud (Amazon EC2) instance is deployed into a private subnet to simulate an on-premises AWS IoT Greengrass edge runtime. The AWS IoT Greengrass edge runtime interacts with cloud-based IoT services including AWS IoT Core, AWS IoT Greengrass, Amazon Simple Storage Service (Amazon S3), and Amazon CloudWatch to centralize activities such as aggregating telemetry from equipment into data lakes, issuing remote commands, performing analysis and machine learning, and running jobs such as firmware updates. You will set up private endpoints for these services to route traffic from the EC2 instance running AWS IoT Greengrass to the AWS APIs without leaving the AWS private network; without these endpoints, the AWS API hostnames resolve to public addresses by default and traffic is sent over the public internet.

Walkthrough

This is an architecture diagram that illustrates the setup that this blog walks you through

Prerequisites

Before you begin configuring your VPC for private traffic, you should be familiar with AWS IoT Core, AWS IoT Greengrass, Amazon S3, Amazon CloudWatch, Amazon Route 53, Amazon EC2, and Amazon Virtual Private Cloud (Amazon VPC). We suggest you set up a dedicated VPC to manage your Greengrass private endpoints. If you plan to use the companion CDK stack, you should already be comfortable working with the AWS Cloud Development Kit (AWS CDK).

You should have set up a VPC named Greengrass VPC with a private subnet; when defining your subnets, ensure that the Region and Availability Zones you select support the AWS IoT Core VPC endpoint. You can follow the Modular and Scalable VPC Architecture Quick Start. If you plan to use the companion CDK stack, it will build a VPC for you.

Once you have a VPC, you need an EC2 instance in an isolated private subnet of your VPC with the AWS IoT Greengrass version 1 runtime installed on the instance. You should be able to connect to this instance either through AWS Systems Manager or via a bastion host. For instructions on how to install AWS IoT Greengrass version 1, refer to the developer guide section Setting up an EC2 instance. To isolate your AWS IoT Greengrass edge runtime and private subnet, remove any routes to a NAT gateway that were used during AWS IoT Greengrass installation. Isolating your private subnet from the internet ensures that your AWS IoT Greengrass edge runtime cannot reach outside your network, simulating the private hybrid OT and IT network of an Industry 4.0 plant.

You can use the following instructions to configure your VPC in the AWS Management Console, or you can use the companion solution on GitHub to automate the configuration of your VPC. The README file in the companion solution provides instructions for installation with the AWS CDK.

Step 1: Setting up Security Groups

AWS IoT Greengrass Endpoints Security Group

A security group is a software defined firewall that implicitly denies inbound traffic and implicitly allows outbound traffic. You can explicitly define and configure allow rules for initiated traffic from the simulated device running AWS IoT Greengrass to each of the VPC Endpoints. AWS IoT Greengrass needs access to Amazon S3 for accessing assets as well as AWS IoT Core and Cloud side AWS IoT Greengrass MQTT for Jobs and Telemetry messaging.

1. From the AWS VPC console, choose Security Groups from the left navigation under the Security heading and then choose Create security group.

2. For Name, enter iot-endpoints-security-group.

3. For Description (optional), enter securing the endpoints used to create private connection with AWS IoT Greengrass.

4. Select your AWS IoT Greengrass VPC.

5. Choose Add under the Inbound Rules heading to configure the four inbound rules defined in the following table. Repeat the process for each rule, entering the value shown for each column.

Type       | Port Range | Source                                        | Description
HTTP       | 80         | Security group of the Greengrass EC2 instance | Allow Amazon S3 HTTP
HTTPS      | 443        | Security group of the Greengrass EC2 instance | Allow Amazon S3 HTTPS
Custom TCP | 8883       | Security group of the Greengrass EC2 instance | Allow AWS IoT Greengrass MQTT
Custom TCP | 8443       | Security group of the Greengrass EC2 instance | Allow AWS IoT Core MQTT

6. Choose Create security group. Once complete, your configuration should look similar to the following screenshot.

Screenshot of security group configured to allow traffic from AWS IoT Greengrass to Amazon S3, AWS IoT Core, and AWS IoT Greengrass endpoints

AWS CloudWatch Endpoints Security Group

From the AWS VPC console, choose Security Groups from the left navigation under the Security heading and then choose Create security group.

1. For Name, enter logs-endpoints-security-group.

2. For Description (optional), enter securing the endpoints used to create private connection with CloudWatch Logs.

3. Select your AWS IoT Greengrass VPC.

4. Choose Add under the Inbound Rules heading to configure the inbound rules defined in the following table. Repeat the process for each rule, entering the value shown for each column.

Type  | Port Range | Source                                        | Description
HTTP  | 80         | Security group of the Greengrass EC2 instance | Allow HTTP to CloudWatch
HTTPS | 443        | Security group of the Greengrass EC2 instance | Allow HTTPS to CloudWatch

5. Choose Create security group. Once complete, your configuration should look similar to the following screenshot.

Screenshot of security group configured to allow traffic from AWS IoT Greengrass edge runtime to Amazon CloudWatch logs VPC endpoint

Step 2: Creating Private Endpoints

From the AWS VPC console, choose Endpoints from the left navigation under the Virtual Private Cloud heading and then choose Create endpoint.

1. For Name, enter iot-core-endpoint.

2. For Service category, choose AWS services.

3. For Services, enter iot in the search bar, choose search, and select the iot endpoint whose name ends with iot.data; its Type is Interface.

4. Choose the VPC that your AWS IoT Greengrass edge runtime is located in.

5. Expand Additional settings and clear Enable DNS Name.

6. For Subnets, select the Availability Zone of your private subnet and then select the private subnet where your Greengrass instance is located.

7. For Security group, select iot-endpoints-security-group and choose Create endpoint.

AWS IoT Greengrass requires you to configure three more VPC endpoints. Follow the same steps that you used above for AWS IoT Core, but enter the value shown for each column in the following configuration table.

Name                                | Service Category | Services   | Type      | VPC            | Enable DNS Name | Subnets                    | Security Group
Greengrass-endpoint                 | AWS services     | Greengrass | Interface | Greengrass VPC | Selected        | AZ of your private subnets | iot-endpoints-security-group
s3-endpoint (com.amazonaws.<region> | AWS services     | S3         | Interface | Greengrass VPC | Unselected      | AZ of your private subnets | iot-endpoints-security-group
logs-endpoint                       | AWS services     | logs       | Interface | Greengrass VPC | Selected        | AZ of your private subnets | logs-endpoints-security-group

Each of the Summary screens for your VPC endpoints will look similar to the following screenshot for the AWS IoT Core endpoint.

Screenshot of AWS IoT Core VPC endpoint configured to provide a private connection to the AWS IoT core service

Setting up Route 53 for IoT Core

Earlier, when the AWS IoT Greengrass and Amazon CloudWatch endpoints were created, Enable DNS Name was selected, but for AWS IoT Core it was not. To enable DNS for AWS IoT Core, you configure Route 53 entries instead.

From the Route 53 console, choose Hosted zones from the left navigation.

1. Choose Create hosted zone.

2. For Domain name, enter iot.<AWS_REGION>.amazonaws.com, replacing <AWS_REGION> with the Region the VPC is deployed in, for example iot.us-east-2.amazonaws.com.

3. For Description, enter Hosted Zone for IoT Core.

4. For Type, select Private.

5. Choose the Region and the VPC ID that were configured during the prerequisite steps.

6. Choose Create hosted zone.

7. Select the newly created hosted zone and create two new records:

8. Create an A record for AWS IoT Core. The record name prefix is your AWS IoT Core endpoint prefix (ours is a23nouzhauflk3-ats; replace it with yours), and the value is the IP address of the AWS IoT Core VPC endpoint created earlier (ours is 10.0.4.77). Your final record name will look similar to a23nouzhauflk3-ats.iot.us-east-2.amazonaws.com.

IoT Core A record created under the IoT Core Hosted Zone

9. Create an A record for AWS IoT Greengrass with the prefix greengrass-ats, so the record name is greengrass-ats.iot.us-east-2.amazonaws.com, with the value set to the same AWS IoT Core VPC endpoint IP address, 10.0.4.77.

Greengrass A record created under the IoT core Hosted Zone

10. Choose Save.

Setting up Route 53 for S3

Earlier, when the AWS IoT Greengrass and Amazon CloudWatch endpoints were created, Enable DNS Name was selected, but for S3 it was not. To enable DNS for S3, you configure Route 53 entries instead.

From the Route 53 console, choose Hosted zones from the left navigation.

1. Choose Create hosted zone.

2. For Domain name, enter s3.<AWS_REGION>.amazonaws.com, replacing <AWS_REGION> with the Region the VPC is deployed in, for example s3.us-east-2.amazonaws.com.

3. For Description, enter Hosted Zone for S3.

4. For Type, select Private.

5. Choose Create hosted zone.

6. Select the newly created hosted zone and create two new records:

7. Create an A record for S3 at the zone apex, targeting your S3 VPC interface endpoint.

Apex record routing traffic to an Endpoint Specific Regional DNS hostname

8. Additionally, create a wildcard A record for S3 targeting your S3 VPC interface endpoint; in this case, for Record name enter *.

Wildcard record routing traffic to Endpoint Specific Regional DNS hostname

9. Choose Save.

Validation

After completing the above steps, the EC2 instance running AWS IoT Greengrass version 1 communicates entirely over private connections and does not send any data over the public internet. This holds because the internet gateway and NAT gateway have been removed, so the only remaining communication paths are the VPC endpoints. A couple of ways to test this are noted below as commands typed in a terminal on the EC2 instance running AWS IoT Greengrass; as an extension, try them after the Prerequisites but before completing the steps outlined in this post:

  • From the terminal of the EC2 instance running AWS IoT Greengrass, run yum check-update (or the equivalent for the OS used). Notice that this fails, as only connectivity to the VPC endpoints is available.
  • From the terminal of the EC2 instance running AWS IoT Greengrass, run nslookup greengrass-ats.iot.us-east-2.amazonaws.com. The result is the IP address of the VPC endpoint that was configured; you can do the same for the Amazon CloudWatch Logs, AWS IoT Core, and Amazon S3 endpoints.
  • Test the ability to interact with the AWS IoT Greengrass device as outlined in Module 3, Part 1 of the AWS IoT Greengrass version 1 quick start. If you already completed this during the prerequisites, modify the Lambda function code and redeploy it to the AWS IoT Greengrass device.
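The nslookup check above can be scripted for all four service hostnames at once. The following Python script is an added example written for this post (it is not part of the walkthrough or the companion CDK stack): it resolves each hostname from the instance and classifies the answer by whether every address falls inside the VPC CIDR, which is what a private endpoint path looks like. The Region, the IoT Core prefix placeholder, the VPC CIDR and the sample DNS answers are assumptions or constructed values.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Region and IoT Core prefix are assumptions; replace them with your own values.
REGION = "us-east-2"
IOT_CORE_PREFIX = "<YOUR_IOT_CORE_PREFIX>-ats"  # placeholder for your account's prefix
ENDPOINT_HOSTS = [
    f"{IOT_CORE_PREFIX}.iot.{REGION}.amazonaws.com",  # AWS IoT Core data endpoint
    f"greengrass-ats.iot.{REGION}.amazonaws.com",     # AWS IoT Greengrass endpoint
    f"s3.{REGION}.amazonaws.com",                     # Amazon S3 regional endpoint
    f"logs.{REGION}.amazonaws.com",                   # Amazon CloudWatch Logs endpoint
]

def system_resolver(host: str) -> List[str]:
    """Resolve host with the instance's DNS; empty list when it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addrs: List[str], vpc_cidr: str) -> str:
    """PRIVATE: every address is inside the VPC (traffic stays on the endpoint path).
    PUBLIC/MIXED: all or some answers point outside the VPC. UNRESOLVED: no answer."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not addrs:
        return "UNRESOLVED"
    inside = sum(1 for a in addrs if ipaddress.ip_address(a) in vpc)
    if inside == len(addrs):
        return "PRIVATE"
    return "MIXED" if inside else "PUBLIC"

def check_private_path(hosts: List[str], vpc_cidr: str,
                       resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, str]:
    """Classify each hostname; once the endpoints and Route 53 zones are in place,
    the Greengrass instance should see PRIVATE for all four."""
    return {host: classify(resolver(host), vpc_cidr) for host in hosts}

def all_private(results: Dict[str, str]) -> bool:
    return all(status == "PRIVATE" for status in results.values())

# Constructed DNS answers standing in for the instance resolver: the two IoT names
# resolve to the endpoint IP from the walkthrough, the S3 name still returns a public
# address next to a private one, and the CloudWatch Logs name does not resolve at all.
SAMPLE_DNS = {
    ENDPOINT_HOSTS[0]: ["10.0.4.77"],
    ENDPOINT_HOSTS[1]: ["10.0.4.77"],
    ENDPOINT_HOSTS[2]: ["10.0.4.90", "52.219.80.1"],
    ENDPOINT_HOSTS[3]: [],
}

def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])
```

On the instance, call check_private_path(ENDPOINT_HOSTS, "<your VPC CIDR>") with the default resolver; a MIXED or PUBLIC result for a hostname means a Route 53 record or endpoint private DNS setting is still missing for that service.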

Considerations for your OT Network

The preceding configuration places the AWS IoT Greengrass edge runtime in your VPC for testing and demonstration purposes only. In practice, your AWS IoT Greengrass runtime will run in your OT network and can reach the private endpoints you have configured through your secure AWS connection over AWS VPN or AWS Direct Connect. Details on configuring the AWS IoT Greengrass runtime in your OT network, including DNS forwarding requirements, will be covered in a follow-up blog post.

Cleanup

If you followed along with this solution, we suggest that you complete the following steps if you wish to avoid incurring charges to your AWS account once you have completed the walkthrough.

Amazon EC2

  • Terminate the EC2 instance serving as the bastion host
  • Terminate the EC2 instance running AWS IoT Greengrass

Amazon CloudWatch

  • Delete the relevant log groups

Amazon Route 53

  • In the hosted zone created for AWS IoT Core, delete the A records for the AWS IoT Core endpoint and the AWS IoT Greengrass endpoint
  • Delete the hosted zones created for AWS IoT Core and S3

Amazon Virtual Private Cloud

  • Delete each of the four VPC endpoints you created: AWS IoT Core, AWS IoT Greengrass, Amazon S3, and Amazon CloudWatch

Security Groups

  • Delete the iot-endpoints-security-group and the logs-endpoints-security-group

Conclusion

Security is critical for customers implementing an Industry 4.0 solution that connects their OT manufacturing environment to the AWS Cloud. This post walked through how to connect a simulated device running AWS IoT Greengrass v1 to the AWS Cloud using only private connections via VPC endpoints, so the solution never needs to reach the public internet, which a company's security posture may require.

To try this yourself, go to the AWS console and follow the step by step instructions in the preceding walkthrough or deploy this automatically using the companion CDK to setup your IoT solution in a private network. Based on your use case, try to extend this by adding your own twist to it!

For more information, reach out to your assigned AWS technical representative to discuss the requirements of your project and how best to implement a secure IoT solution; the nuances involved mean there is no one-size-fits-all approach.

About the Authors

Ariana Lopez is a Senior Partner Solutions Architect at AWS. She has ten years of industry experience, spending a majority of her career in cloud. She has experience in cloud automation, strategy, and solution architecting. Today, she is focused on helping Partners architect best practice solutions.

Nick White is a Senior Partner Solutions Architect with AWS focusing on IoT applications. He joined AWS from a global diversified manufacturer where he led the IoT program for connected mobile equipment and industrial equipment. Nick has also developed systems and advanced controls for industrial machinery where he recognized the value of connected devices throughout the product lifecycle. Nick is passionate about IoT because of the efficiencies and insights that can be unlocked by bringing visibility of the physical world into the business decision making process.

Kevin Schwarz is a North Carolina based Senior Solutions Architect for AWS. He brings more than 20 years' experience to the design, development and delivery of large scale enterprise platforms, transformation and agile initiatives. Kevin is motivated by seeing customers realize business value through technology projects and has an interest in IoT. Outside of work, Kevin enjoys being a father, husband, running and gardening.