

# Using AWS IoT Core with interface VPC endpoints
<a name="IoTCore-VPC"></a>

With AWS IoT Core, you can create [IoT control plane endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/connect-to-iot.html#iot-service-endpoint-intro) and [IoT data endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/iot-connect-devices.html) within your virtual private cloud (VPC) by using [interface VPC endpoints](https://docs.aws.amazon.com//vpc/latest/userguide/vpce-interface.html#create-interface-endpoint). Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that you can use to access services running on AWS by using private IP addresses. For more information, see [Amazon Virtual Private Cloud](https://docs.aws.amazon.com//AmazonVPC/latest/UserGuide/VPC_Introduction.html). 

To connect devices in the field on remote networks, such as a corporate network, to your Amazon VPC, refer to the options listed in the [Network-to-Amazon VPC connectivity matrix](https://docs.aws.amazon.com//whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html). 

**Topics**
+ [Creating VPC endpoints for AWS IoT Core control plane](#Create-VPC-endpoints-CP)
+ [Creating VPC endpoints for AWS IoT Core data plane](#Create-VPC-endpoints)
+ [Creating VPC endpoints for AWS IoT Core credential provider](#Create-VPC-endpoints-credential-provider)
+ [Creating an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc)
+ [Configure a private hosted zone](#connect-iot-core-create-phz-lns)
+ [Controlling Access to AWS IoT Core over VPC endpoints](#Control-VPC-access)
+ [Limitations](#VPC-limitations)
+ [Scaling VPC endpoints with AWS IoT Core](#Scaling-VPC-endpoints)
+ [Using custom domains with VPC endpoints](#VPC-custom-domains)
+ [Availability of VPC endpoints for AWS IoT Core](#VPC-availability)
+ [Using AWS IoT Device Management secure tunneling with interface VPC endpoints](IoTCore-ST-VPC.md)

## Creating VPC endpoints for AWS IoT Core control plane
<a name="Create-VPC-endpoints-CP"></a>

You can create a VPC endpoint for AWS IoT Core control plane API to connect your devices to AWS IoT services and other AWS services. To get started with VPC endpoints, [create an interface VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) and select AWS IoT Core as the AWS service. If you are using the CLI, first call [describe-vpc-endpoint-services](https://docs.aws.amazon.com//cli/latest/reference/ec2/describe-vpc-endpoint-services.html) to ensure that you are choosing an Availability Zone where AWS IoT Core is present in your particular AWS Region. For example, in us-east-1, this command would look like:

```
aws ec2 describe-vpc-endpoint-services --service-name com.amazonaws.us-east-1.iot.api
```

See the detailed instructions below to [Create an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) for AWS IoT Core control plane.

## Creating VPC endpoints for AWS IoT Core data plane
<a name="Create-VPC-endpoints"></a>

You can create a VPC endpoint for AWS IoT Core data plane API to connect your devices to AWS IoT services and other AWS services. To get started with VPC endpoints, [create an interface VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) and select AWS IoT Core as the AWS service. If you are using the CLI, first call [describe-vpc-endpoint-services](https://docs.aws.amazon.com//cli/latest/reference/ec2/describe-vpc-endpoint-services.html) to ensure that you are choosing an Availability Zone where AWS IoT Core is present in your particular AWS Region. For example, in us-east-1, this command would look like:

```
aws ec2 describe-vpc-endpoint-services --service-name com.amazonaws.us-east-1.iot.data
```

**Note**  
The VPC feature for automatically creating a DNS record is disabled. To connect to these endpoints, you must manually create a Private DNS record. For more information about Private VPC DNS records, see [Private DNS for interface endpoints](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#vpce-private-dns). For more information about AWS IoT Core VPC limitations, see [Limitations](#VPC-limitations).

To connect MQTT clients to the VPC endpoint interfaces:
+ You must manually create DNS records in a private hosted zone that is attached to your VPC. To get started, see [Creating a private hosted zone](https://docs.aws.amazon.com//Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 
+ Within your private hosted zone, create an alias record for each elastic network interface IP for the VPC endpoint. If you have multiple network interface IPs for multiple VPC endpoints, create weighted DNS records with equal weights across all the weighted records. These IP addresses are available from the [DescribeNetworkInterfaces](https://docs.aws.amazon.com//AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html) API call when filtered by the VPC endpoint ID in the description field.

See the detailed instructions below to [Create an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) and [Configure private hosted zone](#connect-iot-core-create-phz-lns) for AWS IoT Core data plane.

## Creating VPC endpoints for AWS IoT Core credential provider
<a name="Create-VPC-endpoints-credential-provider"></a>

You can create a VPC endpoint for AWS IoT Core [credential provider](https://docs.aws.amazon.com//iot/latest/developerguide/authorizing-direct-aws.html) to connect devices using client certificate-based authentication and get temporary AWS credentials in [AWS Signature Version 4 format](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_aws-signing.html). To get started with VPC endpoints for AWS IoT Core credential provider, run the [create-vpc-endpoint](https://docs.aws.amazon.com//cli/latest/reference/ec2/create-vpc-endpoint.html) CLI command to [create an interface VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) and select AWS IoT Core credential provider as the AWS service. To ensure that you are choosing an Availability Zone where AWS IoT Core is present in your particular AWS Region, first run the [describe-vpc-endpoint-services](https://docs.aws.amazon.com//cli/latest/reference/ec2/describe-vpc-endpoint-services.html) command. For example, in us-east-1, this command would look like:

```
aws ec2 describe-vpc-endpoint-services --service-name com.amazonaws.us-east-1.iot.credentials
```

**Note**  
The VPC feature for automatically creating a DNS record is disabled. To connect to these endpoints, you must manually create a Private DNS record. For more information about Private VPC DNS records, see [Private DNS for interface endpoints](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#vpce-private-dns). For more information about AWS IoT Core VPC limitations, see [Limitations](#VPC-limitations).

To connect HTTP clients to the VPC endpoint interfaces:
+ You must manually create DNS records in a private hosted zone that is attached to your VPC. To get started, see [Creating a private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 
+ Within your private hosted zone, create an alias record for each elastic network interface IP for the VPC endpoint. If you have multiple network interface IPs for multiple VPC endpoints, create weighted DNS records with equal weights across all the weighted records. These IP addresses are available from the [DescribeNetworkInterfaces](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html) API call when filtered by the VPC endpoint ID in the description field.

See the detailed instructions below to [Create an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) and [Configure private hosted zone](#connect-iot-core-create-phz-lns) for AWS IoT Core credential provider.

## Creating an Amazon VPC interface endpoint
<a name="Create-VPC-endpoints-core-create-vpc"></a>

You can create an interface VPC endpoint to connect to AWS services powered by AWS PrivateLink. Use the following procedure to create an interface VPC endpoint that connects to AWS IoT Core data plane or AWS IoT Core credential provider. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/create-interface-endpoint.html). 

**Note**  
The processes to create an Amazon VPC interface endpoint for AWS IoT Core data plane and AWS IoT Core credential provider are similar, but you must make endpoint specific changes to make the connection work.

 **To create an interface VPC endpoint using the [VPC Endpoints console](https://console.aws.amazon.com/vpc/home#/endpoints)** 

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc/home#/endpoints). Under **Virtual private cloud** in the left menu, choose **Endpoints**, then choose **Create endpoint**. 

1. In the **Create endpoint** page, specify the following information.
   + Choose **AWS services** for **Service category**. 
   + For **Service Name**, search by entering the keyword `iot`. In the list of `iot` services displayed, choose the endpoint. 

     If you create a VPC endpoint for AWS IoT Core control plane, choose the AWS IoT Core control plane API endpoint for your AWS Region. The endpoint will be of the format `com.amazonaws.region.iot.api`. 

     If you create a VPC endpoint for AWS IoT Core data plane, choose the AWS IoT Core data plane API endpoint for your Region. The endpoint will be of the format `com.amazonaws.region.iot.data`. 

     If you create a VPC endpoint for AWS IoT Core credential provider, choose the AWS IoT Core credential provider endpoint for your Region. The endpoint will be of the format `com.amazonaws.region.iot.credentials`. 

     If you create a VPC endpoint for Federal Information Processing Standard (FIPS) regions, choose the FIPS API endpoint for your AWS Region. The endpoint will be of the format `com.amazonaws.region.iot-fips.api`. This is only for control plane.
**Note**  
The service name for AWS IoT Core data plane in China Region will be of the format `cn.com.amazonaws.region.iot.data`. The service name for AWS IoT Core control plane in China Region will be of the format `com.amazonaws.region.iot.api`. 
   + For **VPC** and **Subnets**, choose the VPC where you want to create the endpoint, and the Availability Zones (AZs) in which you want to create the endpoint network.
   + For **Enable DNS name**, make sure that **Enable for this endpoint** is not selected for AWS IoT Core data plane and AWS IoT Core credential provider. Neither AWS IoT Core data plane nor AWS IoT Core credential provider supports private DNS names yet.

     For AWS IoT Core control plane, **Enable DNS name** is selected by default. This ensures that any requests to the AWS IoT Core control plane public endpoints will route through the VPC endpoints instead. When this is enabled, you do not need to configure a private hosted zone.
   + For **Security group**, choose the security groups you want to associate with the endpoint network interfaces.
   + Optionally, you can add or remove tags. Tags are name-value pairs that you use to associate with your endpoint. 

1. To create your VPC endpoint, choose **Create endpoint**. 

After you create the AWS PrivateLink endpoint, in the **Details** tab of your endpoint, you'll see a list of DNS names. You can use one of these DNS names you created in this section to [configure your private hosted zone](#connect-iot-core-create-phz-lns). If you are using AWS IoT Core control plane, you do not need to configure a private hosted zone.

## Configure a private hosted zone
<a name="connect-iot-core-create-phz-lns"></a>

**Note**  
If you are using AWS IoT Core control plane and have **Enable DNS name** selected, you do not need to configure a private hosted zone. If you disable it, you must follow this procedure to configure a private hosted zone.

You can use one of these DNS names you created in the previous section to configure your private hosted zone.

 **For AWS IoT Core data plane** 

The DNS name must be your domain configuration name or your `IoT:Data-ATS` endpoint. An example DNS name can be: `xxx-ats.data.iot.region.amazonaws.com`. 

 **For AWS IoT Core credential provider** 

The DNS name must be your `iot:CredentialProvider` endpoint. An example DNS name can be: `xxxx.credentials.iot.region.amazonaws.com`. 

 **For AWS IoT Core control plane** 

The DNS name must be your AWS IoT Core control plane endpoint. An example DNS name for AWS IoT Core control plane is `xxxx.api.iot.region.amazonaws.com`. 

**Note**  
The processes to configure private hosted zone for AWS IoT Core data plane and AWS IoT Core credential provider are similar, but you must make endpoint specific changes to make the connection work.

### Create a private hosted zone
<a name="connect-iot-core-create-phz-lns-private-hosted-zone"></a>

 **To create a private hosted zone using Route 53 console** 

1. Navigate to the [Route 53](https://console.aws.amazon.com/route53/v2/hostedzones#/) **Hosted zones** console and choose **Create hosted zone**. 

1. In the **Create hosted zone** page, specify the following information.
   + For **Domain name**, enter the endpoint address for your `iot:Data-ATS` or `iot:CredentialProvider` endpoint. The following AWS CLI command shows how to get the endpoint through a public network: `aws iot describe-endpoint --endpoint-type iot:Data-ATS`, or `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`. 
**Note**  
If you're using custom domains, see [ Using custom domains with VPC endpoints](https://docs.aws.amazon.com/iot/latest/developerguide/IoTCore-VPC.html#VPC-custom-domains). Custom domains are not supported for AWS IoT Core credential provider.
   + For **Type**, choose **Private hosted zone**. 
   + Optionally, you can add or remove tags to associate with your hosted zone.

1. To create your private hosted zone, choose **Create hosted zone**. 

For more information, see [Creating a private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 

### Create a record
<a name="connect-iot-core-create-phz-lns-create-record"></a>

After you have created a private hosted zone, you can create a record that tells the DNS how you want traffic to be routed to that domain. 

 **To create a record** 

1. In the list of hosted zones displayed, choose the private hosted zone that you created earlier and choose **Create record**. 

1. Use the wizard method to create the record. If the console presents you the **Quick create** method, choose **Switch to wizard**. 

1. Choose **Simple Routing** for **Routing policy** and then choose **Next**. 

1. In the **Configure records** page, choose **Define simple record**. 

1. In the **Define simple record** page:
   + For **Record name**, enter your `iot:Data-ATS` endpoint or your `iot:CredentialProvider` endpoint. This must be the same as the private hosted zone name.
   + For **Record type**, if you want only IPv4 support, keep the value as `A - Routes traffic to an IPv4 address and some AWS resources`. If you want only IPv6 support, keep the value as `AAAA - Routes traffic to an IPv6 address and some AWS resources`. If you want dual-stack support (both IPv4 and IPv6), create two records (`A` and `AAAA`) in the hosted zone with the same **Record name** and **Value/Route traffic to**. 
   + For **Value/Route traffic to**, choose **Alias to VPC endpoint**. Then choose your **Region** and then choose the endpoint that you created previously, as described in [Creating an Amazon VPC interface endpoint](#Create-VPC-endpoints-core-create-vpc) from the list of endpoints displayed.

1. Choose **Define simple record** to create your record.

## Controlling Access to AWS IoT Core over VPC endpoints
<a name="Control-VPC-access"></a>

You can restrict device access to AWS IoT Core to be allowed only through VPC endpoint by using VPC [condition context keys](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html). AWS IoT Core supports the following VPC related context keys:
+  [SourceVpc](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc) 
+  [SourceVpce](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce) 
+  [VPCSourceIp](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpcsourceip) 

**Note**  
AWS IoT Core doesn't support [Endpoints policies for VPC endpoints](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies). 

For example, the following policy grants permission to connect to AWS IoT Core using a client ID that matches the thing name, and to publish to any topic prefixed by the thing name, on condition that the device connects through the VPC endpoint with the given VPC endpoint ID. Because no statement allows `iot:Connect` without that condition, a connection attempt through your public IoT data endpoint (where `aws:SourceVpce` is absent from the request context) is implicitly denied. The `iot:Publish` statement carries no condition because a publish can only happen over a connection that has already passed the conditioned `iot:Connect` check.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-1a2b3c4d"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}
```

## Limitations
<a name="VPC-limitations"></a>

VPC endpoints are currently supported for [AWS IoT Core control plane endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/connect-to-iot.html#iot-service-endpoint-intro), [AWS IoT Core data endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/iot-connect-devices.html#iot-connect-device-endpoints), and [AWS IoT Core credential provider](https://docs.aws.amazon.com//iot/latest/developerguide/authorizing-direct-aws.html) endpoints. VPC endpoints are only supported for [Federal Information Processing Standard (FIPS) endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/iot-connect-fips.html) when using the AWS IoT Core control plane.

### Limitations of IoT control plane VPC endpoints
<a name="VPC-limitations-iot-control"></a>

This section covers the limitations of IoT control plane VPC endpoints.
+ VPC endpoints will serve ATS certificates only.
+ Custom domains are not supported for control plane endpoints.
+ For information regarding FIPS security policies, see [FIPS security policies](https://docs.aws.amazon.com//elasticloadbalancing/latest/application/describe-ssl-policies.html#fips-security-policies). 

### Limitations of IoT data VPC endpoints
<a name="VPC-limitations-iot-data"></a>

This section covers the limitations of IoT data VPC endpoints.
+ MQTT keep alive periods are limited to 230 seconds. Keep alive periods longer than that will be automatically reduced to 230 seconds.
+ Each VPC endpoint supports 100,000 total concurrent connected devices. If you require more connections, see [Scaling VPC endpoints with AWS IoT Core](#Scaling-VPC-endpoints).
+ VPC endpoints will serve [ATS certificates](https://docs.aws.amazon.com//iot/latest/developerguide/server-authentication.html) only, except for custom domains.
+  [VPC endpoint policies](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-endpoints-access.html) are not supported.
+ For VPC endpoints that are created for the AWS IoT Core data plane, AWS IoT Core doesn't support using zonal or regional public DNS records.

### Limitations of credential provider endpoints
<a name="VPC-limitations-credential-provider"></a>

This section covers the limitations of credential provider VPC endpoints.
+ VPC endpoints will serve [ATS certificates](https://docs.aws.amazon.com//iot/latest/developerguide/server-authentication.html) only.
+  [VPC endpoint policies](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-endpoints-access.html) are not supported.
+ Custom domains are not supported for credential provider endpoints.
+ For VPC endpoints that are created for the AWS IoT Core credential provider, AWS IoT Core doesn't support using zonal or regional public DNS records.

## Scaling VPC endpoints with AWS IoT Core
<a name="Scaling-VPC-endpoints"></a>

AWS IoT Core Interface VPC endpoints are limited to 100,000 connected devices over a single interface endpoint. If your use case calls for more concurrent connections to the broker, then we recommend using multiple VPC endpoints and manually routing your devices across your interface endpoints. When creating private DNS records to route traffic to your VPC endpoints, make sure to create as many weighted records as you have VPC endpoints to distribute traffic across your multiple endpoints. 
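The weighted-record layout described here and in the data plane and credential provider sections above, as an added Python example that is not part of the AWS documentation. It takes the network interface list that `DescribeNetworkInterfaces` returns (a constructed sample is embedded, with made-up endpoint IDs and addresses), groups private IPs by the VPC endpoint ID found in each interface's description, and emits a Route 53 change batch with one equal-weight `A` record set per VPC endpoint. The record name is a placeholder; in practice it is whatever `aws iot describe-endpoint --endpoint-type iot:Data-ATS` returns, matching the private hosted zone name.

```python
"""Added example: build equal-weight Route 53 records that spread one IoT
data-plane DNS name across the ENIs of several interface VPC endpoints."""
import re

# Constructed sample shaped like EC2 DescribeNetworkInterfaces output. An
# interface endpoint's ENIs carry the endpoint ID in their Description field,
# which is the field the page says to filter on. IDs and addresses are made up.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1", "PrivateIpAddress": "10.0.1.15",
     "Description": "VPC Endpoint Interface vpce-0aaa111"},
    {"NetworkInterfaceId": "eni-0a2", "PrivateIpAddress": "10.0.2.22",
     "Description": "VPC Endpoint Interface vpce-0aaa111"},
    {"NetworkInterfaceId": "eni-0b1", "PrivateIpAddress": "10.0.1.99",
     "Description": "VPC Endpoint Interface vpce-0bbb222"},
    {"NetworkInterfaceId": "eni-0c9", "PrivateIpAddress": "10.0.1.5",
     "Description": "Primary network interface"},  # unrelated ENI, must be ignored
]

VPCE_ID = re.compile(r"\bvpce-[0-9a-f]+\b")


def ips_by_endpoint(enis, endpoint_ids):
    """Group private IPs by the VPC endpoint ID named in each ENI description.
    Raises if a requested endpoint has no ENI, so a typo in an endpoint ID
    cannot silently produce a record that routes traffic to nothing."""
    grouped = {eid: [] for eid in endpoint_ids}
    for eni in enis:
        match = VPCE_ID.search(eni.get("Description", ""))
        if match and match.group(0) in grouped:
            grouped[match.group(0)].append(eni["PrivateIpAddress"])
    missing = [eid for eid, ips in grouped.items() if not ips]
    if missing:
        raise ValueError(f"no network interfaces found for {missing}")
    return grouped


def weighted_change_batch(record_name, grouped, ttl=60):
    """One weighted A record set per VPC endpoint, all with the same weight,
    each answering with that endpoint's ENI addresses. SetIdentifier must be
    unique among the weighted records, so the endpoint ID is reused for it."""
    changes = []
    for endpoint_id, ips in sorted(grouped.items()):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": "A",
                "TTL": ttl,
                "SetIdentifier": endpoint_id,
                "Weight": 1,
                "ResourceRecords": [{"Value": ip} for ip in sorted(ips)],
            },
        })
    return {"Comment": "equal-weight spread across IoT data-plane VPC endpoints",
            "Changes": changes}


if __name__ == "__main__":
    import json
    grouped = ips_by_endpoint(SAMPLE_ENIS, ["vpce-0aaa111", "vpce-0bbb222"])
    batch = weighted_change_batch("example-ats.iot.us-east-1.amazonaws.com", grouped)
    print(json.dumps(batch, indent=2))
```

In a real run the ENI list comes from `ec2.describe_network_interfaces(Filters=[{"Name": "description", "Values": ["VPC Endpoint Interface vpce-..."]}])` and the batch goes to `route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=batch)` in boto3. One caveat: plain `A` records pin the ENI addresses, so if an endpoint is deleted and recreated its ENIs get new addresses and the records must be regenerated; the alias records used in the console procedure above follow the endpoint automatically. Either way, the number of weighted records should equal the number of VPC endpoints, which is what the `missing` check above enforces.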

## Using custom domains with VPC endpoints
<a name="VPC-custom-domains"></a>

If you want to use custom domains with VPC endpoints, you must create your custom domain name records in a private hosted zone and create routing records in Route53. For more information, see [Creating a private hosted zone](https://docs.aws.amazon.com//Route53/latest/DeveloperGuide/hosted-zone-private-creating.html). 

**Note**  
Custom domains are only supported for AWS IoT Core data endpoints.

## Availability of VPC endpoints for AWS IoT Core
<a name="VPC-availability"></a>

AWS IoT Core Interface VPC endpoints are available in all [AWS IoT Core supported regions](https://aws.amazon.com//about-aws/global-infrastructure/regional-product-services/). AWS IoT Core Interface VPC endpoints for AWS IoT Core credential provider are not supported in China Region and AWS GovCloud (US) Regions.

# Using AWS IoT Device Management secure tunneling with interface VPC endpoints
<a name="IoTCore-ST-VPC"></a>

AWS IoT Device Management secure tunneling supports interface VPC endpoints. You can use VPC endpoints to keep traffic between your VPC and AWS IoT Secure Tunneling within the AWS network, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Interface VPC endpoints are powered by [AWS PrivateLink](https://docs.aws.amazon.com//vpc/latest/privatelink/what-is-privatelink.html), a technology that enables you to privately access services by using private IP addresses. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/create-interface-endpoint.html) in the AWS PrivateLink Guide. 

**Topics**
+ [Prerequisites](#Create-ST-VPC-endpoints-prereq)
+ [Receiving tunnel notifications through VPC endpoints](#ST-VPC-Receive-notifications)
+ [Creating VPC endpoints for secure tunneling](#Create-ST-VPC-endpoints-Create)
+ [Configuring VPC endpoint policies on Proxy Server](#Create-ST-VPC-endpoints-Configure)
+ [Next steps](#Create-ST-VPC-endpoints-Next)

## Prerequisites
<a name="Create-ST-VPC-endpoints-prereq"></a>

Before you create VPC endpoints for AWS IoT Secure Tunneling, verify that you have the following:
+ An AWS account with the necessary permissions to create VPC endpoints.
+ A VPC in your AWS account.
+ Understanding of AWS IoT Device Management secure tunneling concepts.
+ Familiarity with VPC endpoint policies and AWS Identity and Access Management (IAM).

## Receiving tunnel notifications through VPC endpoints
<a name="ST-VPC-Receive-notifications"></a>

To receive tunnel notifications through a VPC endpoint, your devices can connect to the AWS IoT Core data plane through a VPC endpoint and subscribe to the secure tunneling reserved MQTT topic.

For instructions on how to create and configure a VPC endpoint in the AWS IoT Core data plane, see [Using AWS IoT Core with interface VPC endpoints](https://docs.aws.amazon.com/iot/latest/developerguide/IoTCore-VPC.html) in the AWS IoT Developer Guide.

## Creating VPC endpoints for secure tunneling
<a name="Create-ST-VPC-endpoints-Create"></a>

You can create VPC endpoints for both secure tunneling control plane and proxy server.

**To create a VPC endpoint for secure tunneling**

1. Follow the steps in [Creating an interface endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/create-interface-endpoint.html) in the AWS PrivateLink Guide.

1. For **Service name**, choose one of the following options based on your endpoint type:

**Control plane**
   + Standard: `com.amazonaws.<region>.iot.tunneling.api` 
   + FIPS (available in FIPS regions): `com.amazonaws.<region>.iot-fips.tunneling.api` 

**Proxy server**
   + Standard: `com.amazonaws.<region>.iot.tunneling.data` 
   + FIPS (available in FIPS regions): `com.amazonaws.<region>.iot-fips.tunneling.data` 

   Replace *<region>* with your AWS Region. For example, `us-east-1`. 

1. Complete the remaining steps in the VPC endpoint creation process according to your network requirements.

## Configuring VPC endpoint policies on Proxy Server
<a name="Create-ST-VPC-endpoints-Configure"></a>

In addition to client access token-based authorization that is used to authorize connections to tunnels, you can use VPC endpoint policies to further restrict how devices can use a VPC endpoint to connect to the Secure Tunneling Proxy Server. VPC endpoint policies follow an IAM-like syntax and are configured on the VPC endpoint itself.

Note that the only supported IAM action for proxy server VPC endpoint policies is `iot:ConnectToTunnel`. 

Below are examples of different VPC endpoint policies.

### Proxy server VPC endpoint policy examples
<a name="w2aac17c35c31c15b9"></a>

The following examples show Proxy Server VPC endpoint policy configurations for common use cases.

**Example - Default policy**  
This policy allows devices within your VPC to connect to any tunnel in the same AWS Region where the endpoint is created, across any AWS account.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

**Example - Restrict access to specific AWS accounts**  
This policy allows the VPC endpoint to connect only to tunnels in specific AWS accounts.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*",
                "arn:aws:iot:us-east-1:444455556666:tunnel/*"
            ]
        }
    ]
}
```

**Example - Restrict connections by tunnel endpoint**  
You can restrict VPC endpoint access to only allow devices to connect to the source or destination end of a tunnel.  
Source only:  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "source"
                }
            }
        }
    ]
}
```

Destination only:

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "destination"
                }
            }
        }
    ]
}
```

**Example - Restrict access based on resource tags**  
This policy allows the VPC endpoint to connect only to tunnels that are tagged with a specific key-value pair.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Environment": "Production"
                }
            }
        }
    ]
}
```

**Example - Combined policy conditions**  
This policy demonstrates combining multiple policy elements. It allows connections to any tunnel in a specific AWS account, but only if the tunnel is tagged with `AllowConnectionsThroughPrivateLink` set to `true` and the client is not connecting to the destination end of the tunnel.  

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AllowConnectionsThroughPrivateLink": "true"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "iot:ConnectToTunnel",
            "Resource": [
                "arn:aws:iot:us-east-1:111122223333:tunnel/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iot:ClientMode": "destination"
                }
            }
        }
    ]
}
```
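A way to check what the policies on this page actually decide before deploying them, as an added Python example that is not part of the AWS documentation: a minimal IAM-style evaluator run against the device policy from the "Controlling Access to AWS IoT Core over VPC endpoints" section and the combined proxy-server endpoint policy just above. It implements default deny, explicit Deny overriding Allow, `${var}` substitution in `Resource`, `*` wildcards and `StringEquals` conditions, which is all these policies use. The thing names, tunnel IDs and VPC endpoint IDs in the helper functions are made up, and the evaluator is a simplification of the real AWS logic, not a replacement for it.

```python
"""Added example: a small IAM-style evaluator to reason about the two policies
on this page. Default deny, an applicable Deny wins, ${var} substitution,
'*' wildcards, StringEquals only. It is not the real AWS evaluator."""
import fnmatch
import re

# The AWS IoT Core device policy from the "Controlling Access" section.
IOT_DEVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingName}/*"]},
]}

# The "Combined policy conditions" proxy-server VPC endpoint policy.
TUNNEL_ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "iot:ConnectToTunnel",
     "Resource": ["arn:aws:iot:us-east-1:111122223333:tunnel/*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/AllowConnectionsThroughPrivateLink": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "iot:ConnectToTunnel",
     "Resource": ["arn:aws:iot:us-east-1:111122223333:tunnel/*"],
     "Condition": {"StringEquals": {"iot:ClientMode": "destination"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    """Replace ${key} policy variables with request-context values. An unknown
    variable stays literal, so it can never match a real ARN."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pattern)


def _conditions_hold(condition, ctx):
    """StringEquals only (the sole operator used on this page). A key absent
    from the request context never satisfies the condition, which is exactly
    why a device arriving via the public endpoint (no aws:SourceVpce) is denied."""
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    Principal is not checked: every endpoint policy on this page uses "*"."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        resources = [_substitute(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an applicable Deny always wins
        decision = "Allow"
    return decision


def check_device(action, resource_path, thing_name, source_vpce=None):
    """Simulate a device request; source_vpce=None models the public data endpoint."""
    ctx = {"iot:Connection.Thing.ThingName": thing_name}
    if source_vpce:
        ctx["aws:SourceVpce"] = source_vpce
    return evaluate(IOT_DEVICE_POLICY, action,
                    f"arn:aws:iot:us-east-1:123456789012:{resource_path}", ctx)


def check_tunnel_connect(account, tunnel_id, client_mode, tagged):
    """Simulate iot:ConnectToTunnel through the proxy-server VPC endpoint."""
    ctx = {"iot:ClientMode": client_mode}
    if tagged:
        ctx["aws:ResourceTag/AllowConnectionsThroughPrivateLink"] = "true"
    return evaluate(TUNNEL_ENDPOINT_POLICY, "iot:ConnectToTunnel",
                    f"arn:aws:iot:us-east-1:{account}:tunnel/{tunnel_id}", ctx)


if __name__ == "__main__":
    print(check_device("iot:Connect", "client/sensor-1", "sensor-1", "vpce-1a2b3c4d"))  # Allow
    print(check_device("iot:Connect", "client/sensor-1", "sensor-1"))                   # ImplicitDeny
    print(check_tunnel_connect("111122223333", "t-1", "destination", True))             # ExplicitDeny
```

Two things the simulation makes visible. First, the device policy's `iot:Publish` statement has no `aws:SourceVpce` condition, so the evaluator would allow a publish without a VPC endpoint in the context; that is harmless only because a publish can never reach the broker except over a connection that already passed the conditioned `iot:Connect` check. Second, in the combined endpoint policy a tunnel in the named account that lacks the `AllowConnectionsThroughPrivateLink` tag is implicitly denied for a source client but explicitly denied for a destination client, so removing the Deny statement later would not open destination access to untagged tunnels, but it would open it for tagged ones.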

## Next steps
<a name="Create-ST-VPC-endpoints-Next"></a>

After you create and configure your VPC endpoints for AWS IoT Secure Tunneling, consider the following:
+ Test your VPC endpoint configuration by connecting devices through the endpoint.
+ Monitor VPC endpoint usage through Amazon CloudWatch metrics.
+ Review and update your VPC endpoint policies as needed for your security requirements.

For more information about AWS IoT Device Management secure tunneling, see [AWS IoT Secure Tunneling](https://docs.aws.amazon.com//iot/latest/developerguide/secure-tunneling.html). 