AWS IoT Greengrass V2 makes connections to the control plane and the data plane. You can create VPC endpoints for control plane operations. These are the greengrass.region.amazonaws.com endpoints. The "ats" endpoints are for the data plane.
The documentation you are referring to mentions only endpoints for the control plane and states also that you currently cannot configure Greengrass core devices to completely operate within a VPC.
As you are using a private subnet, the public ats endpoints are not reachable. You need to configure your subnet in a way that allows Greengrass to access the public ats endpoints.
You can find data plane and control plane operations in the AWS IoT Greengrass V2 endpoints and quotas documentation. Although not every single API is listed, control plane operations are for managing components, devices, and deployments.
When you connect your device running Greengrass to a VPC, for example with Direct Connect or a VPN, you can reach the public endpoints from your VPC.
Device -> VPC -> Public AWS endpoints.
From the Amazon VPC FAQs:
"Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?
No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions."
BTW: If you are ingesting data into AWS IoT SiteWise with the SiteWise data collection pack, data is ingested directly into SiteWise and not via the Greengrass data plane.
Second question: is there a way to configure the nucleus port GreengrassDataPlanePort to 443 when installing GG V2? What are the steps?
Review the "Install the AWS IoT Greengrass Core software with private key and certificate files" section.
```yaml
---
system:
  certificateFilePath: "/greengrass/v2/device.pem.crt"
  privateKeyPath: "/greengrass/v2/private.pem.key"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "MyGreengrassCore"
services:
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    version: "2.5.5"
    configuration:
      awsRegion: "us-west-2"
      iotRoleAlias: "GreengrassCoreTokenExchangeRoleAlias"
      iotCredEndpoint: "device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com"
      iotDataEndpoint: "device-data-prefix-ats.iot.us-west-2.amazonaws.com"
      mqtt:
        port: 443
      greengrassDataPlanePort: 443
      networkProxy:
        noProxyAddresses: "http://192.168.0.1,www.example.com"
        proxy:
          url: "https://my-proxy-server:1100"
          username: "Mary_Major"
          password: "pass@word1357"
```
Run the installer, and specify --init-config to provide the configuration file.
```bash
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE \
  -jar ./GreengrassInstaller/lib/Greengrass.jar \
  --init-config ./GreengrassInstaller/config.yaml \
  --component-default-user ggc_user:ggc_group \
  --setup-system-service true
```
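As an added example (not part of the answers above or of the Greengrass project), the following Python script applies the split described in the answers to a nucleus configuration: it classifies hostnames as control plane (reachable through an interface VPC endpoint) or data plane (the public ats and credentials endpoints, which need a route out of the private subnet), and checks that a config meant for 443-only egress actually sets `mqtt.port` and `greengrassDataPlanePort` to 443. The config dict is a constructed sample mirroring the YAML above, with the Greengrass defaults (8883 for MQTT, 8443 for the data plane) left in place so the checker has something to report.

```python
import re

# Constructed sample mirroring the nucleus config above (no real device or account).
SAMPLE_CONFIG = {
    "system": {"rootpath": "/greengrass/v2", "thingName": "MyGreengrassCore"},
    "services": {"aws.greengrass.Nucleus": {"configuration": {
        "awsRegion": "us-west-2",
        "iotCredEndpoint": "device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com",
        "iotDataEndpoint": "device-data-prefix-ats.iot.us-west-2.amazonaws.com",
        "mqtt": {"port": 8883},           # Greengrass default; unreachable on 443-only egress
        "greengrassDataPlanePort": 8443,  # Greengrass default data plane port
        "networkProxy": {"proxy": {"url": "https://my-proxy-server:1100",
                                   "username": "Mary_Major", "password": "pass@word1357"}},
    }}},
}

CONTROL_PLANE = re.compile(r"^greengrass\.[a-z0-9-]+\.amazonaws\.com$")
DATA_PLANE = re.compile(r"^[a-z0-9-]+(-ats\.iot|\.credentials\.iot)\.([a-z0-9-]+)\.amazonaws\.com$")

def classify_endpoint(host: str) -> str:
    """Control-plane hosts (greengrass.<region>) can sit behind a VPC endpoint; data-plane
    hosts (-ats data endpoint, credentials endpoint) are public and need egress from the subnet."""
    if CONTROL_PLANE.match(host):
        return "control-plane"
    if DATA_PLANE.match(host):
        return "data-plane"
    return "unknown"

def check_nucleus_config(cfg: dict) -> list:
    """Return findings for a core that must reach the data plane over TCP 443 only."""
    nucleus = cfg["services"]["aws.greengrass.Nucleus"]["configuration"]
    region = nucleus["awsRegion"]
    findings = []
    for key in ("iotDataEndpoint", "iotCredEndpoint"):
        host = nucleus[key]
        m = DATA_PLANE.match(host)
        if not m:
            findings.append(f"{key} is not a data-plane hostname: {host}")
        elif m.group(2) != region:  # endpoint region must match awsRegion
            findings.append(f"{key} region {m.group(2)} does not match awsRegion {region}")
    if nucleus.get("mqtt", {}).get("port") != 443:
        findings.append("mqtt.port should be 443 (default 8883 is blocked on 443-only egress)")
    if nucleus.get("greengrassDataPlanePort") != 443:
        findings.append("greengrassDataPlanePort should be 443 (default 8443)")
    if nucleus.get("networkProxy", {}).get("proxy", {}).get("password"):
        findings.append("proxy password is stored in plaintext config; restrict file permissions")
    return findings

if __name__ == "__main__":
    for finding in check_nucleus_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```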