Creating Custom Managed Domains on AWS IoT Core

Large companies such as Volkswagen, Carrier, and Traeger Grills ingest data and manage their device fleets on AWS IoT with great flexibility. One feature that contributes to that flexibility is custom domain configuration. Custom domains for AWS IoT Core offer significant benefits for managing IoT device fleets. They simplify multi-tenant management, allowing companies to support multiple customers or device types efficiently. They also enable seamless migration: when a service endpoint changes, there is no need for an OTA update to the devices, because updating the DNS record is all that is needed. A custom domain also helps maintain business or brand identity.

Prerequisites

  • An AWS account with appropriate permissions to create and manage AWS services

  • A registered domain in Route 53

  • Familiarity with AWS IoT Core

Steps to Set Up a Custom Domain for AWS IoT Core

This tutorial assumes that you already have a domain registered. A sub-domain will be configured to serve as the custom domain in this use case.

Step 1: Create your custom sub-domain

As stated in the prerequisites, you should already have a domain registered in Amazon Route 53. To create a custom subdomain for AWS IoT, go to Route 53.

  1. In Route 53, go to the Hosted Zones section.

  2. Select your existing domain (e.g., electra.ng).

  3. Create a CNAME record for a subdomain (e.g., devices.electra.ng) and point this subdomain to your AWS IoT endpoint, which typically looks like xxxxxxxxxxxxxx-ats.iot.region.amazonaws.com. Set the TTL to 300 seconds for now; you will want to revisit this value once the initial configuration is working, and the Route 53 documentation on TTL gives more insight into choosing it. A simple routing policy is used, since traffic is being routed to a single AWS IoT endpoint.

  4. The newly created sub-domain should appear under the existing registered domain records as shown below.

Step 2: Generate and validate SSL certificates

Now that the subdomain is configured, you need to secure it using SSL/TLS certificates:

  1. Go to AWS Certificate Manager (ACM) and request a public SSL certificate for the subdomain. In my case, it’s devices.electra.ng. Currently, AWS IoT customer-managed domain registration requires two certificates, a server certificate and a validation certificate, so two certificates will be requested here.

  2. Choose DNS validation for quick and automatic validation.

  3. After validation, ACM issues the SSL certificate, making it ready for use. You should see something similar to the image below, with a status of Issued.

Step 3: Attach the SSL certificate to the Subdomain

  1. In AWS IoT Core Console, navigate to Settings. The settings page has a new look and the default AWS IoT endpoint is not directly available on the settings page.

  2. Select View domain configurations, then select Create domain configuration.

  3. Enter the domain configuration name, select the Customer managed domain option and enter the domain name. The two certificates issued earlier by ACM are also selected at this stage.

  4. Select the authentication configuration, which is X.509 certificate in this case, and the application protocol, which is Secure MQTT. You can also select HTTPS if that’s your preferred application protocol.

  5. Once all the settings are in place, click on Create Configuration. You should get a success response prompt.
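Steps 1 to 3 can also be scripted, which makes the configuration repeatable and lets you guard against pointing the subdomain at the wrong endpoint. The following is an added example written with boto3; it is not code from the original post. The hosted zone ID, configuration name and certificate ARNs are placeholders, and the live calls assume boto3 is installed with credentials and a region configured. The request-building helpers run without any AWS access, and refuse any CNAME target that is not an ATS (Amazon Trust Services) data endpoint.

```python
"""Provision a customer-managed AWS IoT Core domain (added example, not the post's code).

Assumptions: boto3 and AWS credentials are available for the live calls;
HOSTED_ZONE_ID and CONFIG_NAME are placeholders to replace with your own.
"""
import re

HOSTED_ZONE_ID = "ZPLACEHOLDERHOSTEDZONE"   # placeholder: your Route 53 hosted zone ID
SUBDOMAIN = "devices.electra.ng"            # the subdomain used in the post
CONFIG_NAME = "electra-devices"             # placeholder domain configuration name

# Only an ATS data endpoint (…-ats.iot.<region>.amazonaws.com) is an acceptable target.
ATS_ENDPOINT_RE = re.compile(r"^[a-z0-9]+-ats\.iot\.[a-z0-9-]+\.amazonaws\.com$")


def is_ats_data_endpoint(endpoint: str) -> bool:
    """True if `endpoint` looks like an AWS IoT ATS data endpoint."""
    return ATS_ENDPOINT_RE.match(endpoint.strip().lower()) is not None


def cname_change_batch(subdomain: str, target: str, ttl: int = 300) -> dict:
    """Build the Route 53 ChangeBatch for Step 1 (CNAME subdomain -> IoT endpoint).

    UPSERT makes the script safe to re-run. A non-ATS or mistyped target is
    rejected here, before anything reaches Route 53.
    """
    if not is_ats_data_endpoint(target):
        raise ValueError(f"refusing to point {subdomain} at non-ATS endpoint {target!r}")
    return {
        "Comment": f"AWS IoT custom domain {subdomain}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": subdomain,
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target}],
            },
        }],
    }


def domain_configuration_request(name: str, domain: str,
                                 server_cert_arn: str, validation_cert_arn: str) -> dict:
    """Build the kwargs for iot.create_domain_configuration (Step 3 in the console)."""
    return {
        "domainConfigurationName": name,
        "domainName": domain,
        "serverCertificateArns": [server_cert_arn],
        "validationCertificateArn": validation_cert_arn,
        "serviceType": "DATA",
        "authenticationType": "AWS_X509",      # X.509 device certificates
        "applicationProtocol": "SECURE_MQTT",  # MQTT over mutual TLS on 8883
    }


def create_cname(subdomain: str = SUBDOMAIN, hosted_zone_id: str = HOSTED_ZONE_ID) -> str:
    """Step 1, live: look up the account's ATS endpoint and create the CNAME."""
    import boto3  # imported lazily so the offline helpers need no AWS SDK
    iot, route53 = boto3.client("iot"), boto3.client("route53")
    endpoint = iot.describe_endpoint(endpointType="iot:Data-ATS")["endpointAddress"]
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=cname_change_batch(subdomain, endpoint)
    )
    return endpoint


def request_certificates(subdomain: str = SUBDOMAIN) -> tuple:
    """Step 2, live: request the server and validation certificates with DNS validation.

    ACM only issues them after the DNS validation records are in place, so complete
    validation (as in the post) and confirm both show Issued before Step 3.
    """
    import boto3
    acm = boto3.client("acm")
    server = acm.request_certificate(DomainName=subdomain, ValidationMethod="DNS")
    validation = acm.request_certificate(DomainName=subdomain, ValidationMethod="DNS")
    return server["CertificateArn"], validation["CertificateArn"]


def create_domain_configuration(server_cert_arn: str, validation_cert_arn: str,
                                subdomain: str = SUBDOMAIN, name: str = CONFIG_NAME) -> dict:
    """Step 3, live: register the customer-managed domain with the issued certificates."""
    import boto3
    request = domain_configuration_request(name, subdomain, server_cert_arn, validation_cert_arn)
    return boto3.client("iot").create_domain_configuration(**request)
```

The three live functions are kept separate on purpose: the certificates must reach the Issued state between Step 2 and Step 3, and that wait depends on DNS propagation rather than on the script.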

Step 4: Test and Verify

Once you have the domain created:

  1. Test the subdomain by ensuring devices connect successfully.

  2. The MQTTX application is used to test the connection to AWS IoT Core via the newly created endpoint. Create a thing in AWS IoT Core and retrieve the necessary certificates. Enter the newly created endpoint as the host and supply the certificates. If you configured your domain properly, the MQTTX application should connect successfully.

  3. Test publishing by setting a topic of your choice and entering sample data in the payload box.

You should see the data arrive at the AWS IoT broker once you subscribe to the topic.
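Beyond a successful MQTTX connection, it is worth confirming exactly what the broker presents on the custom domain: that the handshake is mutual TLS 1.2 or later, that the chain validates against the Amazon root CA, and that the server certificate's subject alternative names actually cover devices.electra.ng (if the domain configuration is not attached, the broker answers with the certificate of the default endpoint instead). The following is an added example, not code from the original post; the certificate, key and root CA paths are placeholders for the files retrieved when the thing was created in Step 4, and it only performs the TLS handshake, not an MQTT session.

```python
"""Check the custom AWS IoT domain over mutual TLS (added example, not the post's code).

Assumptions: the thing's certificate and private key and the Amazon root CA are
at the placeholder paths below, and DNS for HOST already resolves.
"""
import socket
import ssl
from typing import Iterable, Tuple

HOST = "devices.electra.ng"        # the custom domain from the post
PORT = 8883                        # MQTT over TLS
DEVICE_CERT = "device.pem.crt"     # placeholder: the thing's certificate
DEVICE_KEY = "private.pem.key"     # placeholder: the thing's private key
ROOT_CA = "AmazonRootCA1.pem"      # placeholder: Amazon Trust Services root CA


def hostname_in_san(hostname: str, san: Iterable[Tuple[str, str]]) -> bool:
    """True if a DNS subjectAltName entry matches `hostname`.

    Exact match, or a wildcard in the left-most label only, as in RFC 6125:
    '*.electra.ng' matches 'devices.electra.ng' but neither 'a.b.electra.ng'
    nor 'electra.ng'.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            label, sep, rest = host.partition(".")
            if sep and label and "." + rest == name[1:]:
                return True
    return False


def check_endpoint(host: str = HOST, port: int = PORT, cert: str = DEVICE_CERT,
                   key: str = DEVICE_KEY, ca: str = ROOT_CA) -> dict:
    """Complete a mutual-TLS handshake with SNI and report what the broker presented.

    The chain is still verified against the root CA (CERT_REQUIRED); only the
    hostname match is done explicitly so that a mismatch is reported in the
    result instead of raising, which is what you want from a diagnostic.
    Production clients should leave check_hostname enabled.
    """
    ctx = ssl.create_default_context(cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False                   # reported below, not enforced here
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # authenticate as the thing
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI = custom domain
            peer = tls.getpeercert()
            san = list(peer.get("subjectAltName", ()))
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "san": san,
                "hostname_matches": hostname_in_san(host, san),
                "ok": hostname_in_san(host, san),
            }


if __name__ == "__main__":
    result = check_endpoint()
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

If `hostname_matches` is false while the chain verified, the domain configuration is not serving that name yet (or DNS still resolves to the default endpoint from the old TTL), which is the failure MQTTX reports only as a generic TLS error.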

Reference: https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html