Getting Static IP for AWS IoT Core

anubhav jhalani
3 min read · Nov 28, 2021

I have been working with AWS IoT Core and recently encountered a situation where an IoT device sits behind a firewall and can reach only the IP addresses that are whitelisted in that firewall.

This means we need fixed IPs for AWS IoT Core that can be whitelisted in the firewall, allowing the IoT devices to connect to IoT Core through it. The problem is that the AWS IoT Core endpoint, like most AWS service endpoints, is a fully qualified domain name (FQDN). To provide resilience and scale, this FQDN resolves to a different set of IP addresses over time. That makes it difficult for a firewall to allow the outbound connections from devices to IoT Core: it would require whitelisting large ranges of IP addresses that change over time, and therefore continual firewall rule updates.

The solution is a static IP address for IoT Core. With static IP addresses, you maintain a secure network posture without having to open multiple IP address ranges in your firewall.

To give IoT Core a static IP address, the following AWS architecture is used:

Figure: Static IP for IoT Core (architecture diagram: Route 53 -> Global Accelerator -> Network Load Balancer -> VPC endpoint -> IoT Core)

So, to get a static IP for IoT Core, we first create a custom domain for IoT Core and a Route 53 record for it that points to a Global Accelerator. The Global Accelerator listens on port 8883 for incoming requests and routes them to a Network Load Balancer. The load balancer also listens on port 8883 and routes requests to a VPC endpoint for IoT Core.

The configuration of each AWS resource is explained below:

1. VPC Endpoint: new Endpoint

  • Service Name: com.amazonaws.eu-central-1.iot.data
  • VPC: select your VPC
  • Subnets: select at least two private Subnets
  • Create and select new Security Group with Allow Inbound TCP/8883 from Anywhere (0.0.0.0/0)
  • View Subnet details of the newly created Endpoint
  • Copy the IPv4 address the Endpoint has in each selected Subnet (one per Subnet)

2. Elastic Load Balancer: new Network Load Balancer

  • Name: IoTCoreData
  • Scheme: Internet-facing
  • IP address type: IPv4
  • VPC: select your VPC and at least two AZ mappings and public Subnets
  • Listener -> Protocol: TCP | Port: 8883 | Default Action: Forward to Target Group:
  • Create Target Group -> Target Type: IP addresses | Target Group Name: IoTCoreData | Protocol: TCP | Port: 8883 | VPC: select your VPC | Health Checks: leave default settings | Target IP Addresses: select your VPC and enter the IoTCoreData VPC Endpoint IP addresses (copied in the first step)

3. Global Accelerator: New Global Accelerator

  • Accelerator Name: IoTCoreData
  • Accelerator type: Standard
  • Listener-> Port: 8883 | Protocol: TCP | Client affinity: Source IP
  • Endpoint Group -> in eu-central-1 | no port overrides | default health check settings
  • Endpoint -> Endpoint Type: Network Load Balancer | Endpoint: IoTCoreData | Weight: default/128

4. Route 53: new record

  • iot.example.com [This is an example]
  • A Alias [ensure you are creating an alias record]
  • Select the Global Accelerator IoTCoreData

5. IoT Core: new Domain Configuration

  • Domain configuration name: iot-example-com
  • No authorizer settings
  • Custom Domain settings -> Domain name: iot.example.com
  • Select Server Certificate: select from ACM -> create new certificate via ACM
  • Select Validation Certificate: not needed, leave blank

Now all calls to iot.example.com resolve to the static IP addresses provided by the Global Accelerator, and only those two addresses need to be whitelisted in the firewall.
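The same five steps, written as Terraform so the build is repeatable and reviewable. This is an added example, not the author's configuration or anything published by AWS. It assumes the region eu-central-1, that the VPC, subnet and hosted-zone IDs are supplied as variables, and that an ACM certificate for iot.example.com has already been issued in eu-central-1 and is passed in as `acm_certificate_arn`; the endpoint's per-subnet IPv4 addresses, which the post copies by hand, are read from the endpoint's network interfaces instead.

```hcl
# Added example (not from the original post): Terraform equivalent of steps 1-5.
# Assumptions: region eu-central-1; VPC/subnet/hosted-zone IDs and an already
# issued ACM certificate for iot.example.com are supplied as variables.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-central-1"
}

variable "vpc_id"              { type = string }
variable "private_subnet_ids"  { type = list(string) } # at least two, for the endpoint
variable "public_subnet_ids"   { type = list(string) } # at least two, for the NLB
variable "hosted_zone_id"      { type = string }       # zone that holds iot.example.com
variable "acm_certificate_arn" { type = string }       # certificate for iot.example.com

# Step 1: interface VPC endpoint for the IoT Core data plane.
resource "aws_security_group" "iot_endpoint" {
  name   = "IoTCoreData-endpoint"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 8883
    to_port     = 8883
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # as in the post; the endpoint is reachable only from inside the VPC
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_vpc_endpoint" "iot_data" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.eu-central-1.iot.data"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.iot_endpoint.id]
  private_dns_enabled = false
}

# One ENI per subnet; its private IP is the target the post copies by hand.
data "aws_network_interface" "iot_endpoint" {
  count = length(var.private_subnet_ids)
  id    = tolist(aws_vpc_endpoint.iot_data.network_interface_ids)[count.index]
}

# Step 2: internet-facing NLB, TCP/8883, IP target group pointing at the endpoint.
resource "aws_lb" "iot" {
  name               = "IoTCoreData"
  load_balancer_type = "network"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "iot" {
  name        = "IoTCoreData"
  target_type = "ip"
  protocol    = "TCP"
  port        = 8883
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "iot" {
  count            = length(var.private_subnet_ids)
  target_group_arn = aws_lb_target_group.iot.arn
  target_id        = data.aws_network_interface.iot_endpoint[count.index].private_ip
  port             = 8883
}

resource "aws_lb_listener" "iot" {
  load_balancer_arn = aws_lb.iot.arn
  protocol          = "TCP"
  port              = 8883
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.iot.arn
  }
}

# Step 3: Global Accelerator; its two static anycast IPs are what the firewall whitelists.
resource "aws_globalaccelerator_accelerator" "iot" {
  name            = "IoTCoreData"
  ip_address_type = "IPV4"
  enabled         = true
}

resource "aws_globalaccelerator_listener" "iot" {
  accelerator_arn = aws_globalaccelerator_accelerator.iot.id
  protocol        = "TCP"
  client_affinity = "SOURCE_IP"
  port_range {
    from_port = 8883
    to_port   = 8883
  }
}

resource "aws_globalaccelerator_endpoint_group" "iot" {
  listener_arn          = aws_globalaccelerator_listener.iot.id
  endpoint_group_region = "eu-central-1"
  endpoint_configuration {
    endpoint_id = aws_lb.iot.arn
    weight      = 128
  }
}

# Step 4: alias A record for the custom domain pointing at the accelerator.
resource "aws_route53_record" "iot" {
  zone_id = var.hosted_zone_id
  name    = "iot.example.com"
  type    = "A"
  alias {
    name                   = aws_globalaccelerator_accelerator.iot.dns_name
    zone_id                = aws_globalaccelerator_accelerator.iot.hosted_zone_id
    evaluate_target_health = true
  }
}

# Step 5: IoT Core domain configuration that serves the ACM certificate for that name.
resource "aws_iot_domain_configuration" "iot" {
  name                    = "iot-example-com"
  domain_name             = "iot.example.com"
  service_type            = "DATA"
  server_certificate_arns = [var.acm_certificate_arn]
}

# The addresses to put in the device firewall's outbound allow rule.
output "static_ips" {
  value = flatten(aws_globalaccelerator_accelerator.iot.ip_sets[*].ip_addresses)
}
```

After `terraform apply`, the `static_ips` output lists the two accelerator addresses to whitelist for TCP/8883. Devices must connect to iot.example.com (not the default `*.iot.eu-central-1.amazonaws.com` endpoint) and send that name in the TLS SNI extension, because IoT Core selects the domain configuration and its certificate by SNI; they should also verify the ACM-issued certificate chain against a public root bundle rather than the Amazon Root CA alone.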
