IoT Static IP Endpoints establishes a secure virtual private network (VPN) connection between IoT devices and AWS without weakening your network security posture. The connection terminates on a small set of static IP addresses and a single port number, so device traffic destined for multiple AWS service endpoints is tunneled through those IP addresses; on the device side, an egress firewall therefore only needs to allow that handful of IP address and port pairs. This Guidance uses OpenVPN as the VPN system to create a client-to-server connection in routed (tun) configuration mode.
Benefits
Establish secure connections
Share secure static IP addresses
Connect IoT devices to AWS services
Overview
The diagram below presents the architecture you can build using the example code on GitHub.

IoT Static IP Endpoints architecture
The code deploys an Amazon Virtual Private Cloud (Amazon VPC) with a public and a private subnet in each of two Availability Zones. Within the VPC, an Auto Scaling group (ASG) launches Amazon EC2 instances that run the OpenVPN server software. An Amazon Elastic File System (Amazon EFS) file system is created and mounted at /mnt/efs/fs1/ovpn_data on every instance, and used as the common location for all OpenVPN server configuration, so that any instance in the group serves the same configuration and clients.
A Network Load Balancer (NLB) listens on the configured protocol, either UDP or TCP, and port number, and forwards connections to the instances in the ASG. The NLB is allocated an Elastic IP (EIP) address in each Availability Zone; these EIPs are the static IP addresses that devices connect to, and the only addresses a device-side egress rule needs to allow.
Two AWS Lambda functions handle the client lifecycle: one requests the creation of an OpenVPN client configuration and the other requests its revocation. Additionally, IoT Static IP Endpoints creates a set of Amazon CloudWatch metrics and an Amazon CloudWatch dashboard for monitoring the health and status of the deployment.
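To make the connection model concrete, the following is an added example and not code from the Guidance or its GitHub repository. It generates the OpenVPN client profile a device would use to reach the two per-Availability-Zone Elastic IPs behind the NLB on the single listener port, and the matching device-side egress allowlist that those static addresses make possible. The EIP values (TEST-NET placeholders), the port, the file names ca.crt, client.crt and client.key, the function names, and the use of iptables on the device are all assumptions for illustration; the Guidance does not specify them.

```shell
#!/bin/sh
# Added example, not code from the Guidance itself: build the OpenVPN client
# profile for a device that connects to the two per-AZ static Elastic IPs
# behind the NLB, plus the egress allowlist the static addresses enable.
# Assumptions (not stated on the page): the EIP values, the port, that the
# Lambda-issued client certificate and key are stored as client.crt and
# client.key next to ca.crt, and that the device filters egress with iptables.

# gen_ovpn_client EIP_A EIP_B PORT PROTO
#   Prints a client profile. PROTO must be "udp" or "tcp" to match the NLB
#   listener; anything else is rejected instead of emitting a profile that
#   can never connect.
gen_ovpn_client() {
    eip_a="$1"; eip_b="$2"; port="$3"; proto="$4"
    case "$proto" in
        udp) client_proto="udp" ;;
        tcp) client_proto="tcp-client" ;;   # client side of a TCP listener
        *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    cat <<EOF
client
# routed mode: a tun device, matching the server configuration
dev tun
proto $client_proto
# one remote per Availability Zone EIP, same port for both
remote $eip_a $port
remote $eip_b $port
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate is marked as a server (assumed hardening)
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

# egress_rules EIP_A EIP_B PORT PROTO
#   Prints iptables rules that let the device reach only the two static
#   endpoints on the one port; everything else to AWS rides the tunnel.
egress_rules() {
    eip_a="$1"; eip_b="$2"; port="$3"; proto="$4"
    case "$proto" in
        udp|tcp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for eip in "$eip_a" "$eip_b"; do
        echo "iptables -A OUTPUT -p $proto -d $eip --dport $port -j ACCEPT"
    done
    echo "iptables -A OUTPUT -o tun0 -j ACCEPT"   # traffic inside the VPN
    echo "iptables -A OUTPUT -j DROP"             # no other egress
}

# Usage with placeholder (TEST-NET) addresses and an assumed UDP listener on 1194:
gen_ovpn_client 203.0.113.10 203.0.113.20 1194 udp
egress_rules 203.0.113.10 203.0.113.20 1194 udp
```

The two remote lines plus remote-random let the device fail over between the zones without any DNS lookup, which is what keeps the egress allowlist to exactly two addresses and one port. If the NLB listener is TCP, the client side must use tcp-client, which the function maps for you.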