
I tried to publish an event from a Lambda function to IoT, whose execution environment resides in VPC private subnets, but it is not working.

  • I have an IoT device whose policy is configured to allow all connections.
  • Created a VPC with two private subnets and configured the Lambda function to run inside them.
  • The Lambda function has the required permissions to access IoT, and its security group is configured to allow all outbound traffic to any port and any type of protocol (0.0.0.0/0).
  • Created a VPC endpoint (com.amazonaws.eu-central-1.iot.data), selected both private subnets, and assigned a security group which has a rule to allow any traffic from the Lambda function's security group.

I tried to publish an event using the public endpoint without adding a NAT gateway and it was not working (getting a timeout error). Note: it works fine if I add a NAT gateway.

Please find below the sample piece of code I used to connect to IoT, for reference:

const region = 'eu-central-1';
const endpoint = 'xxxx'; // public IoT Data-ATS endpoint
const clientId = 'test'; // random string

const { IotData } = require('aws-sdk');
const params = {
    topic: 'test_topic', /* required, subscribed to this topic */
    payload: 'STRING_VALUE', /* Strings will be Base-64 encoded on your behalf */
    qos: 1
};
const iotdata = new IotData({ endpoint, region });
// AWS SDK v2 callbacks are (err, data); the original had the two arguments swapped,
// so the logged "err" was always the response and the real error was never shown
iotdata.publish(params, (err, data) => {
    console.log('err', err);
    console.log('data', data);
});

1 Answer

IoT Core VPC endpoints do not support Private DNS names, so you therefore need to manually create a Private Hosted Zone in Route 53 to use the default AWS IoT endpoint or an IoT custom domain.

  1. Create a Route 53 Private Hosted Zone in the same VPC. The domain name of the private hosted zone needs to match the default IoT endpoint or, if you are using an IoT configurable endpoint, the name of your custom domain:

xxxxxxxxxx-ats.iot.us-east-1.amazonaws.com

The IoT Data-ATS endpoint above should be used as the domain name for the Private Hosted Zone.

  2. After creating the private hosted zone, navigate to its records and click on "Create Record". Then configure it as follows:
  • Alias: enable it by using the sliding button on the right.
  • Record name: (blank)
  • Record type: A - Routes traffic to an IPv4 (...)
  • Route traffic to: "Alias to VPC endpoint", then choose the region (us-east-1) and the VPC endpoint (vpce-xxxx.data.iot.us-east-1.vpce.amazonaws.com).

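As an added example, not code from the question or the answer, the same Route 53 setup scripted with AWS SDK for JavaScript v2, plus a resolver check the Lambda can run before publishing. The VPC id, endpoint id and endpoint hostname are assumed placeholders.

```javascript
// Added example: provision the private hosted zone and alias record from the answer
// with AWS SDK v2. vpc-PLACEHOLDER, vpce-PLACEHOLDER and the endpoint name are constructed.

// Change batch for an apex alias A record pointing at the interface endpoint. The alias
// target's HostedZoneId is the endpoint's own zone id from ec2.describeVpcEndpoints
// (DnsEntries[].HostedZoneId), not the id of the private zone being created.
function buildAliasChangeBatch(zoneName, vpceDnsName, vpceHostedZoneId) {
  return {
    Comment: 'Resolve the IoT Data-ATS endpoint to the VPC interface endpoint',
    Changes: [{
      Action: 'UPSERT',
      ResourceRecordSet: {
        Name: zoneName, // blank record name in the console == the zone apex
        Type: 'A',
        AliasTarget: { HostedZoneId: vpceHostedZoneId, DNSName: vpceDnsName, EvaluateTargetHealth: false },
      },
    }],
  };
}

// Pre-flight check: every address the endpoint name resolves to must lie inside the VPC
// CIDR. A public address means the private zone is not in effect, and the publish call
// from a subnet without a NAT gateway will time out exactly as the question describes.
function allInCidr(addresses, cidr) {
  const [base, bits] = cidr.split('/');
  const toInt = (ip) => ip.split('.').reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const mask = bits === '0' ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return addresses.every((a) => ((toInt(a) ^ toInt(base)) & mask) === 0);
}

// Creates the private zone and the alias record. aws-sdk is required lazily so the two
// helpers above stay usable without the SDK installed.
async function createPrivateZoneForIot({ region, vpcId, iotEndpoint, vpceId }) {
  const AWS = require('aws-sdk');
  const ec2 = new AWS.EC2({ region }), route53 = new AWS.Route53();
  const { VpcEndpoints } = await ec2.describeVpcEndpoints({ VpcEndpointIds: [vpceId] }).promise();
  const { DnsName, HostedZoneId } = VpcEndpoints[0].DnsEntries[0]; // regional DNS entry
  const { HostedZone } = await route53.createHostedZone({
    Name: iotEndpoint,
    CallerReference: `iot-private-zone-${Date.now()}`,
    HostedZoneConfig: { PrivateZone: true },
    VPC: { VPCRegion: region, VPCId: vpcId },
  }).promise();
  await route53.changeResourceRecordSets({
    HostedZoneId: HostedZone.Id,
    ChangeBatch: buildAliasChangeBatch(iotEndpoint, DnsName, HostedZoneId),
  }).promise();
  return HostedZone.Id;
}
if (process.env.RUN_AWS === '1') { // guarded so the file loads without AWS credentials
  createPrivateZoneForIot({ region: 'eu-central-1', vpcId: 'vpc-PLACEHOLDER',
    iotEndpoint: 'xxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com', vpceId: 'vpce-PLACEHOLDER' })
    .then(console.log, console.error);
}
```

Inside the Lambda, resolve the endpoint with `dns.promises.resolve4` and pass the result to `allInCidr` with the VPC CIDR; a `false` result explains a timeout before any MQTT traffic is attempted.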