AWS IoT Greengrass VPC Endpoint port 8443

0

Hello All,

First question: I'm trying to set up AWS IoT Greengrass V2 with a VPC Endpoint. I have set up the VPC Endpoint in a private subnet; however, when GG deployments occur I see errors in the Greengrass logs as below, greengras-ats.ap-northeast-2.amazonaws.com:8443. Caused by: org.apache.http.conn.HttpHostConnectException: Connect to greengrass-ats.iot.ap-northeast-2.amazonaws.com:8443

The VPC Endpoint has the following DNS names,

  • greengrass.ap-northeast-2.amazonaws.com (no ats)
  • 3 DNS entries starting with vpce...

Please can you provide or point me to a definitive guide on how VPC endpoints need to be set up for Greengrass V2 - https://docs.aws.amazon.com/greengrass/v2/developerguide/vpc-interface-endpoints.html, but this is not helping much.

I also observed that port 443 is reachable via the VPC Endpoint, but not 8443 for some reason. I have tried creating a Private Hosted Zone on Route 53; it works, however the port 8443 problem still exists.

Second question: is there a way to configure the nucleus to use GreengrassDataPlanePort 443 when installing GG V2? What are the steps?

Thank you.

3 Answers
1

Hi,

AWS IoT Greengrass V2 makes connections to the control plane and the data plane. You can create VPC endpoints for control plane operations. These are the greengrass.region.amazonaws.com endpoints. The "ats" endpoints are for the data plane.

The documentation you are referring to mentions only endpoints for the control plane and states also that you currently cannot configure Greengrass core devices to completely operate within a VPC.

As you are using a private subnet, the public ats endpoints are not reachable. You need to configure your subnet in a way that allows Greengrass to access the public ats endpoints.

KR, Philipp

AWS
EXPERT
answered 2 years ago
  • Thanks Phillip.

    1. AWS IoT SiteWise endpoint - https://docs.aws.amazon.com/iot-sitewise/latest/userguide/vpc-interface-endpoints.html - as mentioned in this document, are the Greengrass control plane and data plane operations listed somewhere so that we can get a good hold of the respective API operations to analyze what is allowed and what is not through the VPC Endpoint? Please can you share a link to the docs listing it.

    2. If data plane operations are not allowed for Greengrass via VPC endpoint, how are customers ingesting data from their assets when they are not allowed to go over the public internet? As mentioned by you, for reaching the ats endpoints for data ingestion, the data would have to traverse the public internet? Please correct me if I'm wrong.

    SN

0

Hi,

You can find data plane and control plane operations in the AWS IoT Greengrass V2 endpoints and quotas documentation. Although not every single API is listed, control plane operations are for managing components, devices, and deployments.

When you connect your device running Greengrass to a VPC, for example with Direct Connect or a VPN, you can reach the public endpoints from your VPC.

Device -> VPC -> Public AWS endpoints.

From the Amazon VPC FAQs:

"Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?

No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions."

BTW: If you are ingesting data into AWS IoT SiteWise with the SiteWise data collection pack, data is ingested directly into SiteWise and not via the Greengrass data plane.

KR,

Philipp

AWS
EXPERT
answered 2 years ago
  • Thank you Phillip, appreciate your response, will try the setup you mentioned.

0

Second question: is there a way to configure the nucleus to use GreengrassDataPlanePort 443 when installing GG V2? What are the steps?

https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html#run-greengrass-core-v2-installer-manual

Review the "Install the AWS IoT Greengrass Core software with private key and certificate files" section.

  • config.yaml
---
system:
  certificateFilePath: "/greengrass/v2/device.pem.crt"
  privateKeyPath: "/greengrass/v2/private.pem.key"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "MyGreengrassCore"
services:
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    version: "2.5.5"
    configuration:
      awsRegion: "us-west-2"
      iotRoleAlias: "GreengrassCoreTokenExchangeRoleAlias"
      iotCredEndpoint: "device-credentials-prefix.credentials.iot.us-west-2.amazonaws.com"
      iotDataEndpoint: "device-data-prefix-ats.iot.us-west-2.amazonaws.com"
      mqtt:
        port: 443
      greengrassDataPlanePort: 443
      networkProxy:
        noProxyAddresses: "http://192.168.0.1,www.example.com"
        proxy:
          url: "https://my-proxy-server:1100"
          username: "Mary_Major"
          password: "pass@word1357"

Run the installer, and specify --init-config to provide the configuration file.

sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE \
  -jar ./GreengrassInstaller/lib/Greengrass.jar \
  --init-config ./GreengrassInstaller/config.yaml \
  --component-default-user ggc_user:ggc_group \
  --setup-system-service true
answered 2 years ago
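The thread turns on two facts a practitioner would want to verify before editing config.yaml: whether a given Greengrass hostname resolves to the VPC endpoint's private ENI address or to a public IP (which decides whether it is even eligible for the interface endpoint), and which of the data-plane ports (8443 by default, 443 as in the config above) actually accept a TCP connection from the private subnet. The following diagnostic is an added example written for this answer, not AWS or Greengrass code; the endpoint name patterns follow the hosts quoted in the question, the helper names (greengrass_endpoints, probe, recommend_data_plane_port) are constructed here, and the resolver and connector are injectable so the logic can be exercised offline with constructed responses.

```python
"""Endpoint reachability check for a Greengrass V2 core in a private subnet.

Constructed diagnostic (not AWS/Greengrass code). For each host the nucleus
talks to it resolves the name, reports whether the answer is an RFC 1918
address (i.e. the VPC interface endpoint's ENI, as with the private DNS name
greengrass.<region>.amazonaws.com) or a public IP, and attempts a plain TCP
connect on the ports in question. No TLS handshake is performed; the point
is only to see which name/port pairs are routable from the subnet.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class ProbeResult:
    host: str
    port: int
    address: Optional[str]  # resolved IP, None if resolution failed
    private: bool           # True when the IP is private (VPC endpoint ENI)
    reachable: bool         # True when the TCP connect succeeded
    error: str = ""


def greengrass_endpoints(region: str) -> Dict[str, str]:
    """Hostnames by plane, following the names seen in the question.

    'control' is the name a VPC interface endpoint provides private DNS for;
    'data' is the '-ats' name used for deployments and component downloads.
    """
    return {
        "control": f"greengrass.{region}.amazonaws.com",
        "data": f"greengrass-ats.iot.{region}.amazonaws.com",
    }


def probe(
    host: str,
    port: int,
    timeout: float = 3.0,
    resolve: Callable[[str], str] = socket.gethostbyname,
    connect: Callable[..., object] = socket.create_connection,
) -> ProbeResult:
    """Resolve host and try a TCP connect on port; never raises."""
    try:
        addr = resolve(host)
    except OSError as exc:
        return ProbeResult(host, port, None, False, False, f"dns: {exc}")
    private = ipaddress.ip_address(addr).is_private
    try:
        # socket.create_connection returns a socket; closing it is enough.
        sock = connect((addr, port), timeout=timeout)
        sock.close()
    except OSError as exc:
        return ProbeResult(host, port, addr, private, False, f"tcp: {exc}")
    return ProbeResult(host, port, addr, private, True)


def recommend_data_plane_port(results: Iterable[ProbeResult]) -> Optional[int]:
    """Pick the value for greengrassDataPlanePort from data-plane probes.

    Prefer the default 8443 when it connects; fall back to 443 (the value
    used in the config.yaml above) when only that port is open; None if
    neither works, which means the subnet has no path to the data plane.
    """
    open_ports = {r.port for r in results if r.reachable}
    for port in (8443, 443):
        if port in open_ports:
            return port
    return None


if __name__ == "__main__":
    region = "ap-northeast-2"  # region from the question
    for plane, host in greengrass_endpoints(region).items():
        results = [probe(host, p) for p in (443, 8443)]
        for r in results:
            where = "private/VPC" if r.private else "public"
            print(f"{plane:7} {r.host}:{r.port} -> {r.address} ({where}) "
                  f"reachable={r.reachable} {r.error}")
        if plane == "data":
            print("suggested greengrassDataPlanePort:",
                  recommend_data_plane_port(results))
```

Run it from an instance in the same private subnet as the core device. A data-plane host that resolves to a public IP and fails on both ports confirms Philipp's point that the subnet needs a route to the public ats endpoints (NAT, VPN or Direct Connect) rather than another VPC endpoint; a host that connects on 443 but not 8443 is the case where setting greengrassDataPlanePort and mqtt.port to 443, as in the config.yaml above, is the fix.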
