AWS IoT Core is a managed service, a collection of software components and APIs, that helps you integrate your IoT devices into AWS-based solutions. If your devices can connect to AWS IoT, AWS IoT can connect them to the other cloud services that AWS provides.
This opens a plethora of options, as your devices can leverage the full power of AWS. The AWS IoT Message Broker is the central point for securely transmitting messages to and from all your devices and applications over the HTTPS and MQTT protocols. Devices connect to IoT Core through IoT Core endpoints: an account-specific data-plane endpoint per Region (the message broker) and control-plane endpoints for the management APIs.
Security is central to IoT Core. Each connected device or client must present a credential to interact with the AWS IoT endpoint (typically an X.509 client certificate for mutual TLS on devices, or IAM or Cognito credentials for applications), and the policy attached to that identity decides what it may connect as, publish and subscribe to. All traffic to and from AWS IoT is sent over Transport Layer Security (TLS), and AWS cloud security mechanisms protect data as it moves between AWS IoT and other AWS services.
While TLS with client certificates protects the connection itself, more sophisticated industrial-grade networks add a second control: egress firewalls that allow device traffic only to known destination addresses and block everything else. For such deployments it would be helpful to know the static IP addresses of the IoT Core endpoints, so that the firewall can be restricted to exactly those addresses.
Unfortunately, AWS IoT endpoints resolve to dynamic IP addresses. Managed, multi-tenant services like AWS IoT are designed to handle varying network load; to provide resilience and scale, the single endpoint FQDN (of the form prefix-ats.iot.region.amazonaws.com) resolves to a different set of IP addresses over time, and repeated DNS lookups return different answers. Hence there is no single IP address on the AWS side that could be used for whitelisting.
This is why AWS has come up with three different workarounds to provide static IP addresses for IoT Core systems. Discussing each workaround in full would make this article far too long, so I am sharing the relevant links and a short explanation of each below:
The first workaround establishes a secure virtual private network (VPN) connection between the IoT devices and AWS without compromising your network security posture. The connection terminates on a set of static IP addresses using a single port number, so device traffic destined for multiple AWS service endpoints is tunnelled through those addresses and the firewall only needs to allow that address set and that port. This solution uses OpenVPN in routed (tun) mode to create the client-to-server connection. Note that each device then carries two sets of credentials: its OpenVPN client certificate, and its AWS IoT certificate, which it still uses to authenticate to IoT Core inside the tunnel, so per-device identity and IoT policies are preserved. The VPN endpoint becomes an extra component you must size, patch and monitor.
The second workaround uses the Mosquitto MQTT broker as a proxy (bridge) between your devices and AWS IoT: devices connect to Mosquitto, and Mosquitto forwards their messages to IoT Core over its own MQTT connection. The broker runs on EC2 instances, so the Elastic IP addresses of those instances become the static endpoints your firewall allows. Do note that IoT Core then sees only the bridge's certificate, not each device's, so you need to implement device authentication and authorization on the Mosquitto side yourself (for example, client certificates issued by your own CA plus an ACL file), and device-level revocation or policy changes in IoT Core no longer apply to individual devices behind the bridge.
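As an added example (not from the original article, and not AWS's or the Mosquitto project's own reference configuration), here is a minimal mosquitto.conf for this bridge pattern: a device-facing listener that requires client certificates from your own CA, and a bridge section that connects to AWS IoT Core with the bridge's own thing certificate. The endpoint name, file paths, client ID and topic names are placeholders you would replace.

```conf
# ---- Device-facing side: devices must present a certificate issued by our own CA ----
listener 8883 0.0.0.0
cafile   /etc/mosquitto/certs/device-ca.pem       # CA that signs device certs (assumed path)
certfile /etc/mosquitto/certs/bridge-server.crt   # this broker's server certificate
keyfile  /etc/mosquitto/certs/bridge-server.key
require_certificate true          # reject any client without a valid client certificate
use_identity_as_username true     # the certificate CN becomes the MQTT username
allow_anonymous false
acl_file /etc/mosquitto/acl       # e.g. "pattern write telemetry/%u/#" so a device may only publish under its own CN

# ---- Cloud side: one bridge connection to AWS IoT Core with the bridge's own X.509 identity ----
connection awsiot
address EXAMPLEPREFIX-ats.iot.us-west-2.amazonaws.com:8883   # placeholder endpoint, from `aws iot describe-endpoint`
bridge_protocol_version mqttv311
bridge_insecure false             # verify the AWS server certificate against bridge_cafile
cleansession true
clientid bridge-gateway-01        # must be allowed by the bridge thing's IoT policy (iot:Connect)
start_type automatic
notifications false
bridge_cafile   /etc/mosquitto/certs/AmazonRootCA1.pem
bridge_certfile /etc/mosquitto/certs/bridge-thing.crt
bridge_keyfile  /etc/mosquitto/certs/bridge-thing.key
# Forward device telemetry up, and commands down; the IoT policy attached to the
# bridge thing must allow iot:Publish / iot:Subscribe / iot:Receive on these topics.
topic telemetry/# out 1
topic commands/# in 1
```

Because IoT Core now authenticates a single identity (the bridge) for every device behind it, the listener's `require_certificate`, the CA you issue device certificates from, and the ACL file are the entirety of your per-device security; revoking one device means revoking it at the bridge, not in IoT Core.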
The third workaround is to whitelist on the firewall every IP address range that the AWS IoT endpoint could resolve to. AWS publishes its ranges at https://ip-ranges.amazonaws.com/ip-ranges.json; IoT Core does not have a service tag of its own in that file, so you would have to allow the ranges listed for the AMAZON service in your Region. The list is long and changes frequently, so keeping the firewall in step by hand is impractical, and this is therefore not a recommended approach. That being said, as a brute-force method it can be automated: AWS publishes a notification to the AmazonIpSpaceChanged SNS topic whenever the file changes, and a subscriber can fetch the new file, diff it against the current rule set and update the firewall. Be aware that the AMAZON ranges also cover every other AWS service in the Region, so such a rule permits far more than IoT Core traffic.
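The following is an added example, not code from the original article or from AWS: it shows what a handler behind the AmazonIpSpaceChanged notification would do (filter the AMAZON prefixes for a Region out of ip-ranges.json, diff them against the rule set currently on the firewall, and render nftables commands), and it also covers the earlier point that the endpoint FQDN resolves to changing addresses, by checking that an address DNS returned actually falls inside the whitelist. The JSON document is a constructed excerpt in the real file's shape with made-up prefixes; the nftables set and table names are assumptions.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file is large and changes often; these prefixes are made up for the example.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2"},
        {"ip_prefix": "3.5.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "54.240.230.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "15.230.10.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ipv6_prefix": "2a05:d018::/36", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
})


def _sorted(prefixes):
    """Deduplicate and sort prefix strings numerically, IPv4 first, for stable output."""
    nets = {ipaddress.ip_network(p) for p in prefixes}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def allowlist_for_region(ip_ranges_json, region, service="AMAZON"):
    """Every prefix (v4 and v6) published for `service` in `region`.

    Assumption, as stated in the text: AWS IoT endpoints carry no service tag of
    their own, so the Region's AMAZON ranges are the set that must be allowed.
    AMAZON also contains every other service's ranges (the DYNAMODB duplicate
    above illustrates this), which is why the resulting rule is so broad.
    """
    doc = json.loads(ip_ranges_json)
    v4 = [p["ip_prefix"] for p in doc.get("prefixes", [])
          if p["region"] == region and p["service"] == service]
    v6 = [p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
          if p["region"] == region and p["service"] == service]
    return _sorted(v4 + v6)


def diff_allowlists(current, published):
    """(to_add, to_remove) needed to bring the firewall in line with the new file."""
    cur, new = set(current), set(published)
    return _sorted(new - cur), _sorted(cur - new)


def address_is_covered(ip, allowlist):
    """True if an address the endpoint FQDN resolved to lies inside the rule set.

    Run this against every address DNS returns before relying on the firewall;
    `addr in network` is False across IP versions, so mixed lists are safe.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in allowlist)


def render_nft_commands(allowlist, table="inet filter", v4_set="awsiot_v4", v6_set="awsiot_v6"):
    """nftables commands that add prefixes to two named sets (one per IP version).

    Assumes the sets already exist with `flags interval`, e.g.
    `nft add set inet filter awsiot_v4 { type ipv4_addr; flags interval; }`,
    and that an egress rule like `ip daddr @awsiot_v4 tcp dport 8883 accept` references them.
    """
    v4 = [p for p in allowlist if ipaddress.ip_network(p).version == 4]
    v6 = [p for p in allowlist if ipaddress.ip_network(p).version == 6]
    cmds = []
    if v4:
        cmds.append(f"nft add element {table} {v4_set} {{ {', '.join(v4)} }}")
    if v6:
        cmds.append(f"nft add element {table} {v6_set} {{ {', '.join(v6)} }}")
    return cmds


if __name__ == "__main__":
    # What a subscriber to the AmazonIpSpaceChanged topic would do after fetching the file.
    currently_allowed = ["52.94.76.0/22", "198.51.100.0/24"]  # constructed: a stale rule set
    published = allowlist_for_region(SAMPLE_IP_RANGES_JSON, "us-west-2")
    to_add, to_remove = diff_allowlists(currently_allowed, published)
    print("add:", to_add)
    print("remove:", to_remove)
    for cmd in render_nft_commands(to_add):
        print(cmd)
    # 52.94.77.10 stands in for an address a lookup of the endpoint FQDN returned.
    print("resolved address covered:", address_is_covered("52.94.77.10", published))
```

In production the handler would compare `syncToken` values to skip unchanged files, apply the add and delete commands atomically, and re-resolve the endpoint afterwards to confirm every returned address is still covered; the size of the AMAZON list for a busy Region (hundreds of prefixes) is itself a good argument for the VPN or bridge approaches.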
Hope this article helps in exploring ways to assign static IPs to IoT Core.