Hi and welcome to Getting Started with AWS IoT secure tunneling. My name is Greg Brain and I’m an IoT Specialist Solutions Architect with AWS.
AWS IoT Device Management and secure tunneling make it easy to securely register, organize, monitor, and remotely manage IoT devices at scale. In this article, you will learn how to use the secure tunneling feature, which provides a secure remote access solution that integrates directly with AWS IoT and allows you to remotely access your IoT devices from anywhere.
In this article, we’ll cover secure tunneling, a feature of AWS IoT device management. When devices are deployed behind firewalls at remote sites, you often need a way to gain access to those devices for troubleshooting configuration updates and other operational tasks. Secure tunneling helps customers establish bi-directional communication to remote devices over a secure connection that is managed by AWS IoT. Secure tunneling does not require updates to your existing inbound firewall rules, so you can maintain your existing security level.
What is IoT Secure Tunneling
You need a mechanism to get access to devices installed behind restricted firewalls at remote sites for troubleshooting, configuration updates, and other operational duties. Secure AWS IoT tunneling allows customers to communicate with remote devices in both directions using a secure connection managed by AWS IoT. Secure tunneling eliminates the need to alter your existing incoming firewall rule, allowing you to maintain the same level of protection at a remote location.
In this article (you can follow along in the attached video as well), I’ll present a demonstration of one particular use case of secure tunneling, namely an SSH connection to a Raspberry Pi. The prerequisites listed here are for this particular demo, not for the secure tunneling feature more generally. First, you need a Linux-based device to use as your IoT thing; a Raspberry Pi or Linux PC is sufficient for the demo. Next, the device must have an SSH daemon running. If you wanted, for example, to use secure tunneling to access FTP, you would of course need an FTP server running, and likewise for any other service. Your firewall must allow the device outbound traffic on port 443. Finally, you need to have created a corresponding IoT thing in the AWS IoT registry and saved its certificate and private key.
To use secure tunneling, your device needs to run the AWS IoT secure tunneling local proxy. For this demo, I’ll be using the AWS IoT Device Client. It’s an IoT reference implementation that includes support for secure tunneling and has the AWS IoT secure tunneling local proxy baked in. The AWS IoT Device Client simply makes it easy to get started with several AWS IoT Device Management and AWS IoT Device Defender features, but it’s not required for using the secure tunneling feature in general. Nonetheless, to follow the demo, you’ll need to have downloaded the AWS IoT Device Client source code from GitHub, built it for your device, and configured it with the appropriate thing name, certificate, and private key. We’ve provided a link to the GitHub repository below. Finally, you need to have downloaded the AWS IoT secure tunneling local proxy source code from GitHub and built it for your operator machine. We’ve provided a link to that repository as well.
- See developer documentation at – https://amzn.to/33agg8t
- See the AWS IoT Device Client GitHub repository at – https://bit.ly/33dNeF5
- See the Secure Tunneling local proxy GitHub repository at – https://bit.ly/33fH7QE
Before we get started with the demo, let’s review how secure tunneling works. On the left (in the attached video), you’ll see a remote device, or thing, which is considered the destination of the tunnel. In the middle, you have the AWS cloud with AWS IoT Core and AWS IoT Device Management. And on the right, you have the operator who wants to open a remote SSH session to the IoT thing. The operator machine is considered the source of the tunnel. The local proxy command-line utility has been compiled and installed on the source, the operator machine. Additionally, in the case of our demo, the AWS IoT Device Client has been compiled and installed on the destination. The device client includes the local proxy and the AWS IoT Device SDK for C++. The device client connects to IoT Core and subscribes to the reserved topic for secure tunneling notifications. This notification is an optional feature that provides a convenient way of delivering the access token to the destination’s local proxy. If you have an out-of-band way of delivering that token to your device, then your device doesn’t need to connect to IoT Core or use this notification just to create a secure tunnel.
For example, suppose a sensor device in a plant a few hundred miles away is having problems measuring the factory temperature. You can use secure tunneling to quickly open a session to that sensor device. After you’ve identified the problem (for example, a faulty configuration file), you can reset the file and restart the sensor device in the same session. Compared to more traditional troubleshooting (for example, sending a specialist to the factory to inspect the sensor device), secure tunneling reduces incident response and recovery time as well as operational costs.
Introducing Secure Tunneling for AWS IoT Device Management
AWS IoT Device Management offers a diverse set of capabilities to help enterprises develop IoT applications for a variety of industries. When it comes to remote access to devices, however, customers have traditionally sent control messages via MQTT topics or by altering the device’s shadow, and the device agent has then acted on those messages. As a result, hardware development teams had to explicitly embed those specialized control features into the firmware of the devices.
When devices are behind a firewall, device management outside of these pre-configured flows has been particularly difficult. On a standard desktop computer, this would be a simple matter of installing a remote management application or using technology like VNC. However, this functionality has proven challenging to deploy on IoT devices until now.
What’s new in the IoT market today?
Secure Tunneling, a new feature in AWS IoT Device Management, is being released today. It provides a secure remote access solution that seamlessly connects with AWS IoT and allows you to remotely access your IoT devices from anywhere. AWS Identity and Access Management (IAM) protects the endpoint, and communication takes place over Transport Layer Security (TLS).
How does Secure Tunneling function?
I’ll begin by installing a proxy program on my device (a Raspberry Pi) that will allow it to connect to the Secure Tunneling service using a secure WebSocket connection. When the open-tunnel CLI command is used, authentication tokens are generated. These tokens are then sent to the device’s proxy for processing. Because I’m using Thing Registry-managed devices, the distribution of the device token is taken care of for me. After authentication to the Secure Tunneling service, a token is issued to both the user and the device. When the IoT device receives the token, it starts the proxy. Let’s take a look at a high-level walkthrough using the AWS Command Line Interface (CLI). Before I begin, I’ll need to double-check that everything is set up correctly.
Start proxy on target device
Now that the device is in the Thing Registry, I’ll install its private key and certificate onto my device. Using this key pair, the device can subscribe to a reserved MQTT topic, $aws/things/<thing-name>/tunnels/notify. Secure Tunneling uses this MQTT topic to publish a token that will be used to create a tunnel to my Raspberry Pi.
Now that my device can receive this token information, I can use the AWS IoT Device SDKs to initialize the tunneling proxy. To do this, I modified the IoT Device SDK to listen for notifications on the tunneling MQTT topic, and once the token arrives on my device, I use it to activate the proxy.
- First, the operator issues an open tunnel command to AWS IoT Device Management.
- This publishes a notification message through AWS IoT Core.
- The notification is received on the reserved topic that the thing is subscribed to. This notification message includes the destination access token.
- The AWS IoT Device Client uses the destination access token to initialize its embedded local proxy.
- This initializes the local proxy in destination mode and connects the destination side of the tunnel.
- The operator downloads the source access token that was issued by the AWS console when the tunnel was opened.
- Next, the operator uses that source access token to initialize the local proxy in source mode, and the source side of the tunnel is connected.
- With both sides of the tunnel connected, the operator can open the SSH session via the local proxy. Now I’ll show you how this works in the console.
- Okay, I’ll run device client on my Raspberry Pi.
- OK, the device client is up and running and is subscribed to the reserved topic for tunnel notifications.
- After you’ve logged into the management console, navigate to IoT Core.
- Then, device management and tunnels.
- Next, create a tunnel. Give it a description.
- Enter the service to be used, in this case SSH.
- Notice the add new service button, you can in fact use multiple services on the one tunnel.
- Select your thing, in my case the Raspberry Pi 4.
- Finally, enter a timeout. This is the duration the tunnel will be maintained before it is automatically closed. We’ll use 30 minutes, skip the resource tags, and create the tunnel. Then download the access token for the source. This will be used shortly by the local proxy on your operator machine.
- Returning to the device client output, we can observe that it received an MQTT tunnel notification and that the destination side of the tunnel was connected.
- If we click through to the new tunnel in the AWS console, we can see that it’s open and that the destination is connected.
- Open a pair of terminal sessions on your machine, one for local proxy and one for your SSH client.
- Notice the local proxy command-line options: the AWS region in which the secure tunnel is located, the port on which the local proxy will listen for incoming connections, and finally the source access token.
- Now that the local proxy is running, we can refresh the AWS console and see that the secure tunnel has formed a connection on the source side.
- Next, in my right-hand terminal session, we’ll initiate the SSH session. We need to connect to the local proxy on port 5555, the port on which it’s listening. The username is a user on your IoT device, in this case my Raspberry Pi and its default user, pi.
- Now that I’ve established my SSH session, I can securely troubleshoot, configure updates or perform a number of other operational tasks. I’m also free to disconnect and reconnect multiple times within the one open tunneled session.
- When you’re done, exit your SSH session and return to the AWS console to close or delete your tunnel.
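The steps above leave two details implicit: what the device actually receives on the reserved $aws/things/<thing-name>/tunnels/notify topic, and how the two local proxy invocations (destination mode on the device, source mode on the operator machine) are put together from the region, the listening port and the access token. The following Python is an added example, not code from the AWS IoT Device Client or the local proxy project. It parses a constructed notification payload using the documented field names (clientAccessToken, clientMode, region, services), refuses anything that is not a well-formed destination-mode notification for a service the device has chosen to expose, and then builds the argument list and environment for the local proxy. The flags -r, -s, -d and -t and the AWSIOT_TUNNEL_ACCESS_TOKEN environment variable are the ones the local proxy documents; the service-to-port allow list, the sample payload and the token string are constructed for this illustration, and the bare host:port form for a single-service tunnel is an assumption about the proxy's accepted syntax.

```python
"""Parse an AWS IoT secure tunneling notification and build local proxy
command lines for the destination (device) and source (operator) sides.

Added illustration, not the AWS IoT Device Client's own code. Field names
follow the documented tunnels/notify message; the allow list, sample
payload and token below are constructed for this example.
"""
from __future__ import annotations

import json
import re

# Constructed: the services this device is willing to expose through a
# tunnel and where each one listens locally. Anything else is refused, so
# a notification can never point the proxy at an unplanned port.
DESTINATION_SERVICES = {
    "SSH": "localhost:22",
}

# Constructed sample notification, shaped like the message the device
# client receives on $aws/things/<thing-name>/tunnels/notify. The token is
# a placeholder, not a real access token.
SAMPLE_NOTIFICATION = json.dumps({
    "clientAccessToken": "EXAMPLE-DESTINATION-TOKEN",
    "clientMode": "destination",
    "region": "us-east-1",
    "services": ["SSH"],
})

# Loose shape check for an AWS region name such as us-east-1 or eu-west-2.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def parse_notification(payload: bytes | str) -> dict:
    """Validate a tunnel notification and return token, region and services.

    Raises ValueError for anything that is not a well-formed destination-mode
    notification, so a malformed or unexpected message on the topic never
    starts a proxy.
    """
    msg = json.loads(payload)
    if msg.get("clientMode") != "destination":
        raise ValueError("device only accepts destination-mode tokens")
    token = msg.get("clientAccessToken")
    if not isinstance(token, str) or not token:
        raise ValueError("missing clientAccessToken")
    region = msg.get("region", "")
    if not isinstance(region, str) or not REGION_RE.match(region):
        raise ValueError(f"unexpected region value: {region!r}")
    services = msg.get("services")
    if not isinstance(services, list) or not services:
        raise ValueError("notification lists no services")
    return {"token": token, "region": region, "services": services}


def is_acceptable(payload: bytes | str) -> bool:
    """Convenience predicate: True only if parse_notification() accepts it."""
    try:
        parse_notification(payload)
    except (ValueError, TypeError):
        return False
    return True


def destination_proxy_cmd(notification: dict,
                          allowed: dict[str, str] = DESTINATION_SERVICES
                          ) -> tuple[list[str], dict[str, str]]:
    """Build (argv, env) for localproxy in destination mode on the device.

    Every requested service must be in the allow list. The token is passed
    through the AWSIOT_TUNNEL_ACCESS_TOKEN environment variable rather than
    -t so it does not show up in the process list.
    """
    services = notification["services"]
    unknown = [s for s in services if s not in allowed]
    if unknown:
        raise ValueError(f"refusing unlisted services: {unknown}")
    if len(services) == 1:
        # Assumed: a single-service tunnel may use the bare host:port form.
        dest = allowed[services[0]]
    else:
        # Multiplexed form, one SERVICE=host:port pair per service.
        dest = ",".join(f"{s}={allowed[s]}" for s in services)
    argv = ["localproxy", "-r", notification["region"], "-d", dest]
    return argv, {"AWSIOT_TUNNEL_ACCESS_TOKEN": notification["token"]}


def source_proxy_cmd(region: str, token: str,
                     listen_ports: dict[str, int]
                     ) -> tuple[list[str], dict[str, str]]:
    """Build (argv, env) for localproxy in source mode on the operator machine.

    listen_ports maps each tunnel service to the local port the SSH (or
    other) client will connect to, e.g. {"SSH": 5555} as in the demo.
    """
    if len(listen_ports) == 1:
        listen = str(next(iter(listen_ports.values())))
    else:
        listen = ",".join(f"{s}={p}" for s, p in listen_ports.items())
    argv = ["localproxy", "-r", region, "-s", listen]
    return argv, {"AWSIOT_TUNNEL_ACCESS_TOKEN": token}


if __name__ == "__main__":
    note = parse_notification(SAMPLE_NOTIFICATION)
    print("device side:  ", " ".join(destination_proxy_cmd(note)[0]))
    print("operator side:", " ".join(
        source_proxy_cmd("us-east-1", "EXAMPLE-SOURCE-TOKEN", {"SSH": 5555})[0]))
```

With the sample payload the device side resolves to `localproxy -r us-east-1 -d localhost:22` and the operator side to `localproxy -r us-east-1 -s 5555`, each with the token supplied in the environment. A notification whose clientMode is "source", or whose services list names something outside DESTINATION_SERVICES, is rejected before any proxy would be started, which is the check you want on a device that accepts tokens from a topic rather than out of band.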
So again, in this Getting Started demo, we walked through how to open a tunnel in the AWS Management Console, initiate the tunnel using the local proxy and access token, connect both the destination and the source sides of the secure tunnel, and then initiate the SSH session through the local proxy.
To learn more, visit the AWS IoT device management webpage and also explore the secure tunneling developer documentation for a deeper dive on concepts and more advanced capabilities.