

# AWS IoT Core for LoRaWAN and interface VPC endpoints (AWS PrivateLink)
<a name="vpc-interface-endpoints"></a>

You can connect directly to AWS IoT Core for LoRaWAN through [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in your Virtual Private Cloud (VPC) instead of connecting over the public internet. When you use a VPC interface endpoint, communication between your VPC and AWS IoT Core for LoRaWAN is conducted entirely and securely within the AWS network.

AWS IoT Core for LoRaWAN supports Amazon Virtual Private Cloud interface endpoints that are powered by AWS PrivateLink. Each VPC endpoint is represented by one or more [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) with private IP addresses in your VPC subnets. For more information, see [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html) in the *Amazon VPC User Guide*.

**Note**  
AWS IoT Core for LoRaWAN supports both IPv6 and IPv4 address formats when communicating with interface VPC endpoints over AWS PrivateLink. See [AWS services that support IPv6](https://docs.aws.amazon.com/general/latest/gr/aws-ipv6-support.html#ipv6-service-support).

For more information about VPC and endpoints, see [What is Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-privatelink).

For more information about AWS PrivateLink, see [AWS PrivateLink and VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-services-overview.html). 

## Considerations for AWS IoT Wireless VPC endpoints
<a name="vpc-endpoint-considerations"></a>

Before you set up an interface VPC endpoint for AWS IoT Wireless, ensure that you review [Interface endpoint properties and limitations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations) in the *Amazon VPC User Guide*.

AWS IoT Wireless supports making calls to all of its API actions from your VPC. VPC endpoint policies are not supported for AWS IoT Wireless. By default, full access to AWS IoT Wireless is allowed through the endpoint. For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. 
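Because endpoint policies are not available here, the security groups on the endpoint's network interfaces (together with IAM on the caller) are the only network-level restriction on who can reach AWS IoT Wireless through the endpoint. The following audit is an added example, not code from the AWS documentation: it runs offline over security-group data in the shape that boto3's `ec2.describe_security_groups()` returns and flags any ingress rule wider than TCP/443 or any source outside the ranges you expect. The allowed ranges, group IDs and rules are constructed for the example.

```python
"""Audit the security groups attached to an AWS IoT Wireless interface endpoint.

Added example; it is not code from the AWS documentation. VPC endpoint policies
are not supported for AWS IoT Wireless, so the endpoint's security groups
(plus IAM on the caller) are the only network-level control on who can reach
the service through the endpoint. The data below is constructed in the shape
returned by ec2.describe_security_groups(); it is not real.
"""
import ipaddress

# Assumption: only your VPC and the range that arrives over the VPN should reach
# the endpoint (illustrative values matching the walkthrough).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.100.0.0/16"),  # VPC-A
    ipaddress.ip_network("10.200.0.0/16"),  # VPN-connected side
]
HTTPS_PORT = 443  # the API, LNS and CUPS endpoints are all TLS on 443


def _ports(perm):
    """(from, to) for a permission entry; (-1, -1) means 'all traffic'."""
    if perm.get("IpProtocol") == "-1":
        return (-1, -1)
    return (perm.get("FromPort"), perm.get("ToPort"))


def _is_https_only(perm):
    return perm.get("IpProtocol") == "tcp" and _ports(perm) == (HTTPS_PORT, HTTPS_PORT)


def source_allowed(cidr):
    """True if the CIDR lies entirely inside one of the expected source ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ok.version and net.subnet_of(ok) for ok in ALLOWED_SOURCES)


def audit_endpoint_security_group(group):
    """Return a list of findings for one security group; an empty list passes."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        if not _is_https_only(perm):
            lo, hi = _ports(perm)
            findings.append(f"{gid}: ingress {perm.get('IpProtocol')} ports {lo}-{hi} is wider than tcp/443")
        # CIDR sources only; a rule that references another security group
        # (UserIdGroupPairs) is already limited to resources in the VPC.
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if not source_allowed(src):
                findings.append(f"{gid}: source {src} is outside the expected VPC/VPN ranges")
    return findings


# Constructed sample data in describe-security-groups shape (not real groups).
SAMPLE_GROUPS = [
    {  # tight: HTTPS only, from the two expected ranges
        "GroupId": "sg-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.100.0.0/16"}, {"CidrIp": "10.200.0.0/16"}],
             "Ipv6Ranges": []},
        ],
    },
    {  # loose: all TCP from one range, and HTTPS open to any source
        "GroupId": "sg-0000000000000002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "10.200.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def audit_all(groups=SAMPLE_GROUPS):
    """Map each group ID to its findings."""
    return {g["GroupId"]: audit_endpoint_security_group(g) for g in groups}


if __name__ == "__main__":
    for gid, findings in audit_all().items():
        print(gid, "OK" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

To run it against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups(GroupIds=[...])` for the groups attached to the endpoint; the checks themselves do not change.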

## AWS IoT Core for LoRaWAN privatelink architecture
<a name="vpc-endpoint-architecture"></a>

The following diagram shows the privatelink architecture of AWS IoT Core for LoRaWAN. The architecture uses a Transit Gateway and Route 53 Resolver to share the AWS PrivateLink interface endpoints between your VPC, the AWS IoT Core for LoRaWAN VPC, and an on-premises environment. You'll find a more detailed architecture diagram when setting up the connection to the VPC interface endpoints.

![\[Image showing how you can use AWS PrivateLink to connect to AWS IoT Core for LoRaWAN endpoints.\]](http://docs.aws.amazon.com/iot-wireless/latest/developerguide/images/iot-lorawan-privatelink-architecture.png)


## AWS IoT Core for LoRaWAN endpoints
<a name="vpc-lorawan-endpoints"></a>

AWS IoT Core for LoRaWAN has three public endpoints. Each public endpoint has a corresponding VPC interface endpoint. The public endpoints can be classified into control plane and data plane endpoints. For information about these endpoints, see [AWS IoT Core for LoRaWAN API endpoints](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#iot-wireless_region).
+ **Control plane API endpoints**  
  You can use control plane API endpoints to interact with the AWS IoT Wireless APIs. These endpoints can be accessed from a client that is hosted in your Amazon VPC by using AWS PrivateLink.
+ **Data plane API endpoints**  
  Data plane API endpoints are LoRaWAN Network Server (LNS) and Configuration and Update Server (CUPS) endpoints that you can use to interact with the AWS IoT Core for LoRaWAN LNS and CUPS endpoints. These endpoints can be accessed from your LoRa gateways on premises by using Site-to-Site VPN or AWS Direct Connect. You get these endpoints when onboarding your gateway to AWS IoT Core for LoRaWAN. For more information, see [Add a gateway to AWS IoT Core for LoRaWAN](lorawan-onboard-gateway-add.md).

**Topics**
+ [Considerations for AWS IoT Wireless VPC endpoints](#vpc-endpoint-considerations)
+ [AWS IoT Core for LoRaWAN privatelink architecture](#vpc-endpoint-architecture)
+ [AWS IoT Core for LoRaWAN endpoints](#vpc-lorawan-endpoints)
+ [Onboard AWS IoT Core for LoRaWAN control plane API endpoint](lorawan-onboard-control-endpoint.md)
+ [Onboard AWS IoT Core for LoRaWAN data plane API endpoints](onboard-lns-cups-endpoints.md)

# Onboard AWS IoT Core for LoRaWAN control plane API endpoint
<a name="lorawan-onboard-control-endpoint"></a>

You can use AWS IoT Core for LoRaWAN control plane API endpoints to interact with the AWS IoT Wireless APIs. For example, you can use this endpoint to run the [SendDataToWirelessDevice](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_SendDataToWirelessDevice.html) API to send data from AWS IoT to your LoRaWAN device. For more information, see [AWS IoT Core for LoRaWAN Control Plane API Endpoints](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#iot-core.html#iot-wireless-control-plane-endpoints).

You can use the client hosted in your Amazon VPC to access the control plane endpoints that are powered by AWS PrivateLink. You use these endpoints to connect to the AWS IoT Wireless API through an interface endpoint in your Virtual Private Cloud (VPC) instead of connecting over the public internet.

**Topics**
+ [Create your Amazon VPC and subnet](#create-vpc)
+ [Launch an Amazon EC2 instance in your subnet](#launch-ec2-instance)
+ [Create Amazon VPC interface endpoint](#create-vpc-endpoint)
+ [Test your connection to the interface endpoint](#connect-vpc-endpoint)

## Create your Amazon VPC and subnet
<a name="create-vpc"></a>

Before you can connect to the interface endpoint, you must create a VPC and subnet. You'll then launch an EC2 instance in your subnet, which you can use to connect to the interface endpoint.

To create your VPC:

1. Navigate to the [VPCs](https://console.aws.amazon.com/vpc/home#/vpcs) page of the Amazon VPC console and choose **Create VPC**.

1. On the **Create VPC** page:
   + Enter a name for **VPC Name tag - optional** (for example, **VPC-A**).
   + Enter an IPv4 address range for your VPC in the **IPv4 CIDR** (for example, **10.100.0.0/16**).
   + If you want to create dualstack VPC endpoints in your VPC, choose **Amazon-provided IPv6 CIDR block** for **IPv6 CIDR block**.

1. Keep the default values for other fields and choose **Create VPC**.

To create your subnet:

1. Navigate to the [Subnets](https://console.aws.amazon.com/vpc/home#/subnets) page of the Amazon VPC console and choose **Create subnet**.

1. On the **Create subnet** page:
   + For **VPC ID**, choose the VPC that you created earlier (for example, `VPC-A`).
   + Enter a name for **Subnet name** (for example, **Private subnet**).
   + Choose the **Availability Zone** for your subnet.
   + Enter your subnet's IP address block in the **IPv4 subnet CIDR block** in CIDR format (for example, **10.100.0.0/24**).
   + If you want to create dualstack endpoints, choose the **IPv6 VPC CIDR block** for your VPC. Optionally, you can customize the **IPv6 subnet CIDR block**.

1. To create your subnet and add it to your VPC, choose **Create subnet**.

For more information, see [Work with VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html).

## Launch an Amazon EC2 instance in your subnet
<a name="launch-ec2-instance"></a>

To launch your EC2 instance:

1. Navigate to the [Amazon EC2](https://console.aws.amazon.com/ec2/home#/) console and choose **Launch Instance**.

1. For AMI, choose **Amazon Linux 2 AMI (HVM), SSD Volume Type** and then choose the **t2 micro** instance type. To configure the instance details, choose **Next**.

1. In the **Configure Instance Details** page:
   + For **Network**, choose the VPC that you created earlier (for example, `VPC-A`).
   + For **Subnet**, choose the subnet that you created earlier (for example, **Private subnet**).
**Note**  
If you provided an IPv6 CIDR block for your VPC and subnet, you can optionally choose to auto-assign an IPv6 IP address for your EC2 instance.
   + For **IAM role**, choose the role **AWSIoTWirelessFullAccess** to grant AWS IoT Core for LoRaWAN full access policy. For more information, see [`AWSIoTWirelessFullAccess` policy summary](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTWirelessFullAccess$serviceLevelSummary).
   + For **Assume Private IP**, use an IP address, for example, **10.100.0.42**.

1. Choose **Next: Add Storage** and then choose **Next: Add Tags**. You can optionally add any tags to associate with your EC2 instance. Choose **Next: Configure Security Group**.

1. In the **Configure Security Group** page, configure the security group to allow:
   + Open **All TCP** for Source as `10.200.0.0/16`.
   + Open **All ICMP - IPV4** for Source as `10.200.0.0/16`.

1. To review the instance details and launch your EC2 instance, choose **Review and Launch**.

For more information, see [Get started with Amazon EC2 Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/userguide/EC2_GetStarted.html).

## Create Amazon VPC interface endpoint
<a name="create-vpc-endpoint"></a>

You can create a VPC endpoint for your VPC, which you can then reach from the EC2 instance in that VPC. To create the endpoint:

1. Navigate to the [VPC](https://console.aws.amazon.com/vpc/home#/endpoints) **Endpoints** console and choose **Create Endpoint**.

1. In the **Create Endpoint** page, specify the following information.
   + Choose **AWS services** for **Service category**.
   + For **Service Name**, search by entering the keyword **iotwireless**. In the list of `iotwireless` services displayed, choose the control plane API endpoint for your Region. The endpoint will be in the format `com.amazonaws.region.iotwireless.api`.
   + For **VPC** and **Subnets**, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.
**Note**  
The `iotwireless` service might not support all Availability Zones.
   + For **Enable DNS name**, choose **Enable for this endpoint**. 

     Choosing this option will automatically resolve the DNS and create a route in Amazon Route 53 Public Data Plane so that the APIs you use later to test the connection will go through the privatelink endpoints.
   + For **Security group**, choose the security groups you want to associate with the endpoint network interfaces.
   + Optionally, you can add or remove tags. Tags are name-value pairs that you use to associate with your endpoint. 

1. To create your VPC endpoint, choose **Create endpoint**.

## Test your connection to the interface endpoint
<a name="connect-vpc-endpoint"></a>

You can use SSH to access your Amazon EC2 instance and then use the AWS CLI to connect to the privatelink interface endpoints.

Before you connect to the interface endpoint, download the most recent AWS CLI version by following the instructions described in [Installing, updating, and uninstalling AWS CLI version 2 on Linux](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html).

The following examples show how you can test your connection to the interface endpoint using the CLI.

```
aws iotwireless create-service-profile \
    --endpoint-url https://api.iotwireless.region.amazonaws.com \
    --name='test-privatelink'
```

The following shows a sample response of running the command.

```
{
    "Arn": "arn:aws:iotwireless:region:acct_number:ServiceProfile/1a2345ba-4c5d-67b0-ab67-e0c8342f2857",
    "Id": "1a2345ba-4c5d-67b0-ab67-e0c8342f2857"
}
```

Similarly, you can run the following commands to get the service profile information or list all service profiles.

```
aws iotwireless get-service-profile \
    --endpoint-url https://api.iotwireless.region.amazonaws.com \
    --id="1a2345ba-4c5d-67b0-ab67-e0c8342f2857"
```

The following shows an example for the list-device-profiles command.

```
aws iotwireless list-device-profiles \
    --endpoint-url https://api.iotwireless.region.amazonaws.com
```

# Onboard AWS IoT Core for LoRaWAN data plane API endpoints
<a name="onboard-lns-cups-endpoints"></a>

AWS IoT Core for LoRaWAN data plane endpoints consist of the following endpoints. You get these endpoints when adding your gateway to AWS IoT Core for LoRaWAN. For more information, see [Add a gateway to AWS IoT Core for LoRaWAN](lorawan-onboard-gateway-add.md).
+ **LoRaWAN Network Server (LNS) endpoints**  
  The LNS endpoints are of the format `account-specific-prefix.lns.lorawan.region.amazonaws.com`. You can use this endpoint to establish a connection for exchanging LoRa uplink and downlink messages.
+ **Configuration and Update Server (CUPS) endpoints**  
  The CUPS endpoints are of the format `account-specific-prefix.cups.lorawan.region.amazonaws.com`. You can use this endpoint for credentials management, remote configuration, and firmware update of gateways.

For more information, see [Using CUPS and LNS protocols](lorawan-manage-gateways.md#lorawan-cups-lns-protocols).

To find the Data Plane API endpoints for your AWS account and Region, use the [get-service-endpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iotwireless/get-service-endpoint.html) CLI command shown here, or the [GetServiceEndpoint](https://docs.aws.amazon.com//iotwireless/latest/apireference/API_GetServiceEndpoint.html) REST API. For more information, see [AWS IoT Core for LoRaWAN Data Plane API Endpoints](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#iot-core.html#iot-wireless-data-plane-endpoints).

You can connect your LoRaWAN gateway on premises to communicate with AWS IoT Core for LoRaWAN endpoints. To establish this connection, first connect your on-premises gateway to your AWS account in your VPC by using a VPN connection. You can then communicate with the data plane interface endpoints in the AWS IoT Core for LoRaWAN VPC that are powered by privatelink.

**Topics**
+ [Create VPC interface endpoint and private hosted zone](create-vpc-lns-cups.md)
+ [Use VPN to connect LoRa gateways to your AWS account](lorawan-vpc-vpn-connection.md)

# Create VPC interface endpoint and private hosted zone
<a name="create-vpc-lns-cups"></a>

AWS IoT Core for LoRaWAN has two data plane endpoints, Configuration and Update Server (CUPS) endpoint and LoRaWAN Network Server (LNS) endpoint. The setup process to establish a privatelink connection to both endpoints is the same, so we can use the LNS endpoint for illustration purposes.

For your data plane endpoints, the LoRa gateways first connect to your AWS account in your Amazon VPC, which then connects to the VPC endpoint in the AWS IoT Core for LoRaWAN VPC.

When connecting to the endpoints, the DNS names can be resolved within one VPC but can't be resolved across multiple VPCs. To disable private DNS when creating the endpoint, disable the **Enable DNS name** setting. You can use a private hosted zone to define how you want Route 53 to respond to DNS queries from your VPCs. To share your VPC with an on-premises environment, you can use a Route 53 Resolver to facilitate hybrid DNS.

**Topics**
+ [Create an Amazon VPC and subnet](#lns-create-vpc)
+ [Create an Amazon VPC interface endpoint](#lns-create-vpc-endpoint)
+ [Configure private hosted zone](#create-phz-lns)
+ [Configure Route 53 inbound resolver](#configure-route53-resolver)
+ [Next steps](#lns-cups-next-steps)

## Create an Amazon VPC and subnet
<a name="lns-create-vpc"></a>

You can reuse your Amazon VPC and subnet that you created when onboarding your control plane endpoint. For information, see [Create your Amazon VPC and subnet](lorawan-onboard-control-endpoint.md#create-vpc).

## Create an Amazon VPC interface endpoint
<a name="lns-create-vpc-endpoint"></a>

You can create a VPC endpoint for your VPC, which is similar to how you would create one for your control plane endpoint.

1. Navigate to the [VPC](https://console.aws.amazon.com/vpc/home#/endpoints) **Endpoints** console and choose **Create Endpoint**.

1. In the **Create Endpoint** page, specify the following information.
   + Choose **AWS services** for **Service category**.
   + For **Service Name**, search by entering the keyword **lns**. In the list of `lns` services displayed, choose the LNS data plane API endpoint for your Region. The endpoint will be of the format `com.amazonaws.region.lorawan.lns`.
**Note**  
If you're following this procedure for your CUPS endpoint, search for `cups`. The endpoint will be of the format `com.amazonaws.region.lorawan.cups`.
   + For **VPC** and **Subnets**, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.
**Note**  
The `iotwireless` service might not support all Availability Zones.
   + For **Enable DNS name**, make sure that **Enable for this endpoint** is not selected.

     By not selecting this option, you can disable private DNS for the VPC endpoint and use private hosted zone instead.
   + For **Security group**, choose the security groups you want to associate with the endpoint network interfaces.
   + Optionally, you can add or remove tags. Tags are name-value pairs that you use to associate with your endpoint. 

1. To create your VPC endpoint, choose **Create endpoint**.

## Configure private hosted zone
<a name="create-phz-lns"></a>

After you create the privatelink endpoint, in the **Details** tab of your endpoint, you'll see a list of DNS names. You can use one of these DNS names to configure your private hosted zone. The DNS name will be of the format `vpce-xxxx.lns.lorawan.region.vpce.amazonaws.com`.

**Topics**
+ [Create the private hosted zone](#create-phz-how)
+ [Create a record](#create-phz-record)

### Create the private hosted zone
<a name="create-phz-how"></a>

To create the private hosted zone:

1. Navigate to the [Route 53](https://console.aws.amazon.com/route53/v2/hostedzones#/) **Hosted zones** console and choose **Create hosted zone**.

1. In the **Create hosted zone** page, specify the following information.
   + For **Domain name**, enter the full service name for your LNS endpoint, **lns.lorawan.region.amazonaws.com**.
**Note**  
If you're following this procedure for your CUPS endpoint, enter **cups.lorawan.region.amazonaws.com**.
   + For **Type**, choose **Private hosted zone**.
   + Optionally, you can add or remove tags to associate with your hosted zone.

1. To create your private hosted zone, choose **Create hosted zone**.

For more information, see [Creating a private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html).


### Create a record
<a name="create-phz-record"></a>

After you have created a private hosted zone, you can create a record that tells the DNS how you want traffic to be routed to that domain. How you create the record depends on whether you want to route the traffic to an IPv4 or an IPv6 address. When routing traffic to an IPv4 address, choose the record type A. When routing traffic to an IPv6 address, choose the record type AAAA.

The following steps show how to create a record of each type, A and AAAA.

**Topics**
+ [Create record of type A (for IPv4 traffic)](#create-phz-record-typeA)
+ [Create record of type AAAA (for IPv6 traffic)](#create-phz-record-typeAAAA)

#### Create record of type A (for IPv4 traffic)
<a name="create-phz-record-typeA"></a>

To create a record of type A, perform the following steps.

1. In the list of hosted zones displayed, choose the private hosted zone that you created earlier and choose **Create record**.

1. Use the wizard method to create the record. If the console presents you the **Quick create** method, choose **Switch to wizard**.

1. Choose **Simple Routing** for **Routing policy** and then choose **Next**.

1. In the **Configure records** page, choose **Define simple record**.

1. In the **Define simple record** page:
   + For **Record name**, enter the alias of your AWS account number. You get this value when onboarding your gateway or by using the [https://docs.aws.amazon.com//iotwireless/latest/apireference/API_GetServiceEndpoint.html](https://docs.aws.amazon.com//iotwireless/latest/apireference/API_GetServiceEndpoint.html) REST API.
   + For **Record type**, keep the value as `A - Routes traffic to an IPv4 address and some AWS resources`.
   + For **Value/Route traffic to**, choose **Alias to VPC endpoint**. Then choose your **Region** and then choose the endpoint that you created previously, as described in [Create an Amazon VPC interface endpoint](#lns-create-vpc-endpoint) from the list of endpoints displayed.

1. Choose **Define simple record** to create your record.

#### Create record of type AAAA (for IPv6 traffic)
<a name="create-phz-record-typeAAAA"></a>

When you use the record type AAAA, you'll not be able to use the **Alias to VPC endpoint** option for the **Value/Route traffic to** field. Instead, you can perform the following steps when creating a record of type AAAA.

1. Create an Amazon VPC and a subnet for the EC2 instance that will have access to the VPC endpoint.
**Note**  
You must make sure that the VPC and subnet that you created supports routing of IPv6 traffic. For information about the steps to be performed, see [Create your Amazon VPC and subnet](lorawan-onboard-control-endpoint.md#create-vpc).

1. Create an EC2 instance in a subnet that has access to the VPC endpoint. For information about the steps to be performed, see [Launch an Amazon EC2 instance in your subnet](lorawan-onboard-control-endpoint.md#launch-ec2-instance).

1. Create an Amazon VPC interface endpoint for the VPC that you created. For information about the steps to be performed, see [Create Amazon VPC interface endpoint](lorawan-onboard-control-endpoint.md#create-vpc-endpoint).

1. SSH into the EC2 instance and run the following command. In this command, replace *vpce_domain_name* with the domain name for your VPC interface endpoint. You can obtain this information from the **DNS names** section in the details page of the endpoint that you created.

   ```
   nslookup <vpce_domain_name>
   ```

   Running this command will generate information about the domain, such as the IP address, DNS record, and nameservers.

1. In the response obtained from the `nslookup` command, copy the IP address returned from the **Non-authoritative answer** section. Store this information securely as you'll need to use it when creating the record.

1. Go to the [Route 53](https://console.aws.amazon.com/route53/v2/hostedzones#/) **Hosted zones** console, and in the list of hosted zones displayed, choose the private hosted zone that you created earlier and choose **Create record**.

1. Use the wizard method to create the record. If the console presents you the **Quick create** method, choose **Switch to wizard**.

1. Choose **Simple Routing** for **Routing policy** and then choose **Next**.

1. In the **Configure records** page, choose **Define simple record**.

1. In the **Define simple record** page:
   + For **Record name**, enter the alias of your AWS account number. You get this value when onboarding your gateway or by using the [https://docs.aws.amazon.com//iotwireless/latest/apireference/API_GetServiceEndpoint.html](https://docs.aws.amazon.com//iotwireless/latest/apireference/API_GetServiceEndpoint.html) REST API.
   + For **Record type**, keep the value as `AAAA - Routes traffic to an IPv6 address and some AWS resources`.
   + For **Value/Route traffic to**, choose **IP address or another value, depending on the record type** and then enter the IP address that you obtained using the `nslookup` command.

1. Choose **Define simple record** to create your record.
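The two console procedures above (the A alias record and the AAAA record) can also be expressed as a single Route 53 change. The following is an added example, not code from the AWS documentation: it builds the `ChangeBatch` you would pass to boto3's `route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...)`, with the A record as an alias to the interface endpoint and the AAAA record carrying the IPv6 address obtained from `nslookup`. The endpoint DNS name, the hosted zone ID Route 53 reports for that endpoint DNS entry, the account prefix and the IPv6 address are placeholders. It also refuses a record name that does not sit inside the hosted zone, which is the usual cause of a record that is created successfully but never answers.

```python
"""Build the Route 53 change for the private hosted zone records described above.

Added example; it is not code from the AWS documentation. It reproduces, as an
API request body, the two records the console steps create: an A record that is
an alias to the VPC interface endpoint, and an AAAA record with the IPv6 address
obtained from nslookup. The endpoint DNS name, its hosted zone ID, the account
prefix and the IPv6 address below are placeholders, not real values.
"""
import ipaddress


def _fqdn_in_zone(record_name, zone_name):
    """Normalise to a trailing-dot FQDN and refuse names outside the hosted zone."""
    rn = record_name.rstrip(".").lower()
    zn = zone_name.rstrip(".").lower()
    if rn == zn or not rn.endswith("." + zn):
        raise ValueError(f"{record_name!r} is not a record inside zone {zone_name!r}")
    return rn + "."


def a_alias_to_vpc_endpoint(record_name, zone_name, vpce_dns_name, vpce_hosted_zone_id):
    """A record: 'Alias to VPC endpoint'.

    vpce_hosted_zone_id is the hosted zone ID that Route 53 reports for the
    endpoint's DNS entry (returned beside each DNS name by describe-vpc-endpoints).
    """
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": _fqdn_in_zone(record_name, zone_name),
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": vpce_hosted_zone_id,
                "DNSName": vpce_dns_name.rstrip(".") + ".",
                "EvaluateTargetHealth": False,
            },
        },
    }


def aaaa_to_address(record_name, zone_name, ipv6_address, ttl=60):
    """AAAA record with a literal address (the console offers no endpoint alias for AAAA)."""
    addr = ipaddress.ip_address(ipv6_address)
    if addr.version != 6:
        raise ValueError(f"{ipv6_address} is not an IPv6 address")
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": _fqdn_in_zone(record_name, zone_name),
            "Type": "AAAA",
            "TTL": ttl,
            "ResourceRecords": [{"Value": str(addr)}],
        },
    }


def build_change_batch(record_name, zone_name, vpce_dns_name, vpce_hosted_zone_id, ipv6_address=None):
    """ChangeBatch with the A alias and, when an IPv6 address is given, the AAAA record."""
    changes = [a_alias_to_vpc_endpoint(record_name, zone_name, vpce_dns_name, vpce_hosted_zone_id)]
    if ipv6_address:
        changes.append(aaaa_to_address(record_name, zone_name, ipv6_address))
    return {"Comment": "PrivateLink records for the AWS IoT Core for LoRaWAN LNS endpoint",
            "Changes": changes}


# Placeholder values in the formats the walkthrough describes (not real).
ZONE = "lns.lorawan.region.amazonaws.com"
RECORD = "account-specific-prefix.lns.lorawan.region.amazonaws.com"
VPCE_DNS = "vpce-xxxx.lns.lorawan.region.vpce.amazonaws.com"
VPCE_ZONE_ID = "ZVPCEHOSTEDZONEID"  # placeholder: hosted zone ID of the endpoint DNS entry
VPCE_IPV6 = "2001:db8::a"           # placeholder from the IPv6 documentation range

if __name__ == "__main__":
    import json
    print(json.dumps(build_change_batch(RECORD, ZONE, VPCE_DNS, VPCE_ZONE_ID, VPCE_IPV6), indent=2))
    # To apply: boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="<private hosted zone id>", ChangeBatch=<the dict printed above>)
```

For the CUPS endpoint, call the same functions with `cups.lorawan.region.amazonaws.com` as the zone and the CUPS endpoint's DNS name and hosted zone ID.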

## Configure Route 53 inbound resolver
<a name="configure-route53-resolver"></a>

To share a VPC endpoint to an on-premises environment, a Route 53 Resolver can be used to facilitate hybrid DNS. The inbound resolver will enable you to route traffic from the on-premises network to the data plane endpoints without going over the public internet. To return the private IP address values for your service, create the Route 53 Resolver in the same VPC as the VPC endpoint.

When you create the inbound resolver, you only have to specify your VPC and the subnets that you created previously in your Availability Zones (AZs). The Route 53 Resolver uses this information to automatically assign an IP address in each of the subnets for routing traffic.

To create the inbound resolver:

1. Navigate to the [Route 53](https://console.aws.amazon.com/route53/v2/inbound-endpoints#/) **Inbound endpoints** console and choose **Create inbound endpoint**.
**Note**  
Make sure that you're using the same AWS Region that you used when creating the endpoint and private hosted zone.

1. In the **Create inbound endpoint** page, specify the following information.
   + Enter a name for **Endpoint name** (for example, **VPC_A_Test**).
   + For **VPC in the region**, choose the same VPC that you used when creating the VPC endpoint.
   + Configure the **Security group for this endpoint** to allow incoming traffic from the on premises network.
   + For IP address, choose **Use an IP address that is selected automatically.**

1. Choose **Submit** to create your inbound resolver.

For this example, let's assume that the IP addresses `10.100.0.145` and `10.100.192.10` were assigned to the inbound Route 53 Resolver for routing traffic.

## Next steps
<a name="lns-cups-next-steps"></a>

You've created the private hosted zone and an inbound resolver to route traffic for your DNS entries. You can now use either a Site-to-Site VPN or a Client VPN endpoint. For more information, see [Use VPN to connect LoRa gateways to your AWS account](lorawan-vpc-vpn-connection.md). 

# Use VPN to connect LoRa gateways to your AWS account
<a name="lorawan-vpc-vpn-connection"></a>

To connect your gateways on premises to your AWS account, you can use either a Site-to-Site VPN connection or a Client VPN endpoint.

Before you can connect your on-premises gateways, you must have created the VPC endpoint, and configured a private hosted zone and inbound resolver so that traffic from the gateways doesn't go over the public internet. For more information, see [Create VPC interface endpoint and private hosted zone](create-vpc-lns-cups.md).

## Site-to-Site VPN endpoint
<a name="vpc-site-vpn"></a>

If you don't have the gateway hardware or want to test the VPN connection using a different AWS account, you can use a Site-to-Site VPN connection. You can use Site-to-Site VPN to connect to the VPC endpoints from the same AWS account or another AWS account that you might be using in a different AWS Region.

**Note**  
If you have the gateway hardware with you and want to set up a VPN connection, we recommend that you use Client VPN instead. For instructions, see [Client VPN endpoint](#vpc-client-vpn).

To set up a Site-to-Site VPN:

1. Create another VPC in the site from which you want to set up the connection. For `VPC-A`, you can reuse the VPC that you created previously. To create another VPC (for example, `VPC-B`), use a CIDR block that doesn't overlap with the CIDR block of the VPC you created previously.

   For information about setting up the VPCs, follow the instructions described in [AWS setup Site-to-Site VPN connection](samples/Setup_Site_to_Site_VPN.zip).
**Note**  
The Site-to-Site VPN method described in the document uses OpenSWAN for the VPN connection, which supports only one VPN tunnel. If you use different commercial VPN software, you might be able to set up two tunnels between the sites.

1. After you set up the VPN connection, update the `/etc/resolv.conf` file by adding the inbound resolver's IP address from your AWS account. You use this IP address for the nameserver. For information about how to obtain this IP address, see [Configure Route 53 inbound resolver](create-vpc-lns-cups.md#configure-route53-resolver). For this example, we can use the IP address `10.100.0.145` that was assigned when you created the Route 53 Resolver.

   ```
   options timeout:2 attempts:5
   ; generated by /usr/sbin/dhclient-script
   search region.compute.internal
   nameserver 10.100.0.145
   ```

1. We can now test whether the VPN connection uses the AWS PrivateLink endpoint instead of going over the public internet by using an `nslookup` command. The following shows an example of running the command.

   ```
   nslookup account-specific-prefix.lns.lorawan.region.amazonaws.com
   ```

   The following shows an example output of running the command, which shows a private IP address indicating that the connection has been established to the AWS PrivateLink LNS endpoint.

   ```
   Server: 10.100.0.145
   Address: 10.100.0.145
   
   Non-authoritative answer:
   Name: https://xxxxx.lns.lorawan.region.amazonaws.com
   Address: 10.100.0.204
   ```

For information about using a Site-to-Site VPN connection, see [How Site-to-Site VPN works](https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html).
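Both tests on this page, the AWS CLI calls to the control plane endpoint from the EC2 instance and the `nslookup` of the LNS name from the VPN-connected side, come down to one check: the name must resolve, through the inbound resolver, to an address inside your VPC's CIDR. A public address means the query still went over the internet. The following is an added example, not code from the AWS documentation: it parses `nslookup` output, checks that the resolver used and the answers are the expected private ones, and offers a live lookup through the system resolver for use on the instance or gateway. The VPC CIDR and the two sample outputs are constructed to match the walkthrough.

```python
"""Confirm that an endpoint name resolves through the PrivateLink path.

Added example; it is not code from the AWS documentation. parse_nslookup()
reads the text nslookup prints, is_private_path() judges the answers against
the VPC CIDRs, and resolve_and_check() performs a live lookup (network needed).
The VPC CIDR and sample outputs below are constructed, not real data.
"""
import ipaddress
import socket

# Assumption: VPC-A from the walkthrough; add your IPv6 VPC CIDR for dual-stack.
VPC_CIDRS = [ipaddress.ip_network("10.100.0.0/16")]


def parse_nslookup(output):
    """Return (server, [answer addresses]) from nslookup's text output."""
    server, answers, in_answer = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.lower().startswith("non-authoritative answer"):
            in_answer = True
        elif in_answer and line.startswith("Address:"):
            # split on the first colon only, so IPv6 answers stay intact
            answers.append(line.split(":", 1)[1].strip())
    return server, answers


def is_private_path(addresses, cidrs=VPC_CIDRS):
    """True only if there is at least one answer and every answer lies in the VPC."""
    if not addresses:
        return False
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not any(ip.version == net.version and ip in net for net in cidrs):
            return False
    return True


def check_nslookup_output(output, expected_resolver=None, cidrs=VPC_CIDRS):
    """Apply both checks to captured nslookup text: resolver used and answers private."""
    server, answers = parse_nslookup(output)
    resolver_ok = expected_resolver is None or server == expected_resolver
    return {"server": server, "answers": answers,
            "resolver_ok": resolver_ok, "private_path": is_private_path(answers, cidrs)}


def resolve_and_check(hostname, cidrs=VPC_CIDRS):
    """Live check from the instance or gateway (requires network access)."""
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})
    return addrs, is_private_path(addrs, cidrs)


# Constructed sample outputs: the first mirrors the page's example (inbound
# resolver 10.100.0.145, endpoint ENI 10.100.0.204); the second shows a lookup
# that bypassed the resolver (203.0.113.x addresses are documentation-only).
SAMPLE_PRIVATE = """\
Server:   10.100.0.145
Address:  10.100.0.145#53

Non-authoritative answer:
Name:     account-specific-prefix.lns.lorawan.region.amazonaws.com
Address:  10.100.0.204
"""
SAMPLE_PUBLIC = """\
Server:   203.0.113.53
Address:  203.0.113.53#53

Non-authoritative answer:
Name:     account-specific-prefix.lns.lorawan.region.amazonaws.com
Address:  203.0.113.10
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PRIVATE, SAMPLE_PUBLIC):
        print(check_nslookup_output(sample, expected_resolver="10.100.0.145"))
    # On the EC2 instance or gateway, use a live lookup instead of the samples:
    # print(resolve_and_check("account-specific-prefix.lns.lorawan.region.amazonaws.com"))
```

Run the live variant once for the control plane name (`api.iotwireless.region.amazonaws.com`) and once for each of the LNS and CUPS names; all three should report `True` before you rely on the private path.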

## Client VPN endpoint
<a name="vpc-client-vpn"></a>

AWS Client VPN is a managed client-based VPN service that enables you to securely access AWS resources and resources in your on-premises network. The following shows the architecture for the client VPN service.

![\[Image showing how you can use AWS Client VPN to connect your LoRa gateway on premises.\]](http://docs.aws.amazon.com/iot-wireless/latest/developerguide/images/lorawan-privatelink-client-vpn.png)


To establish a VPN connection to a Client VPN endpoint:

1. Create a Client VPN endpoint by following the instructions described in [ Getting started with AWS Client VPN](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html).

1. Log in to your on-premises network (for example, a Wi-Fi router) by using the access URL for that router (for example, `192.168.1.1`), and find the root name and password.

1. Set up your LoRaWAN gateway by following the instructions in the gateway's documentation and then add your gateway to AWS IoT Core for LoRaWAN. For information about how to add your gateway, see [Onboard your gateways to AWS IoT Core for LoRaWAN](lorawan-onboard-gateways.md).

1. Check whether your gateway's firmware is up to date. If the firmware is out of date, you can follow the instructions provided in the on-premises network to update your gateway's firmware. For more information, see [Update gateway firmware using CUPS service with AWS IoT Core for LoRaWAN](lorawan-update-firmware.md).

1. Check whether OpenVPN has been enabled. If it has been enabled, skip to the next step to configure the OpenVPN client inside the on-premises network. If it hasn't been enabled, follow the instructions in [Guide to install OpenVPN for OpenWrt](https://www.ovpn.com/en/guides/openwrt).
**Note**  
For this example, we use OpenVPN. You can use other VPN clients such as Site-to-Site VPN or AWS Direct Connect to set up your Client VPN connection.

1. Configure the OpenVPN client based on information from the client configuration and how you can use [OpenVPN client using LuCi](https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci).

1. SSH to your on-premises network and update the `/etc/resolv.conf` file by adding the IP address of the inbound resolver in your AWS account (`10.100.0.145`).

1. For the gateway traffic to use AWS PrivateLink to connect to the endpoint, replace the first DNS entry for your gateway with the inbound resolver's IP address.

For information about using a Client VPN connection, see [Getting started with Client VPN](https://docs.aws.amazon.com/vpn/latest/clientvpn-user/user-getting-started.html).

## Connect to LNS and CUPS VPC endpoints
<a name="vpc-vpn-connect"></a>

The following shows how you can test your connection to the LNS and CUPS VPC endpoints.

**Test CUPS endpoint**  
To test your AWS PrivateLink connection to the CUPS endpoint from your LoRa gateway, run the following command:

```
curl -k -v -X POST https://xxxx.cups.region.iotwireless.iot:443/update-info \
     --cacert cups.trust --cert cups.crt --key cups.key --header "Content-Type: application/json" \
     --data '{
              "router": "xxxxxxxxxxxxx",
              "cupsUri": "https://xxxx.cups.lorawan.region.amazonaws.com:443",
              "cupsCredCrc":1234, "tcCredCrc":552384314
             }' \
      --output cups.out
```

Note that `-k` turns off verification of the server certificate, so a successful response proves only that the endpoint is reachable over the private path. Once `cups.trust` contains the CA that signed the endpoint's certificate, drop `-k` so the same test also confirms that the gateway is talking to the genuine CUPS endpoint.

**Test LNS endpoint**  
To test your LNS endpoint, first provision a LoRaWAN device that will work with your wireless gateway. You can then add your device and perform the *join* procedure after which you can start sending uplink messages.