Connect devices securely to AWS VPC without using public Internet


EMnify is a cellular cloud provider whose mobile network and management platform resides on AWS. EMnify therefore already secures the data path up to AWS, and customers with application servers on AWS can reach their devices over a private connection by peering their VPCs directly with EMnify's.

What the integration looks like


Prerequisites

The setup of CloudConnect with the Transit Gateway attachment requires:

  • a device with an active EMnify SIM
  • the device sends data to an application in a VPC/EC2 instance (e.g. a Python, Node.js or Java application, or an MQTT broker)
  • in the EMnify Portal, the service profile of the device has a local breakout configured in the same region as the application server (this can be configured during the setup steps below)

Benefits

  • devices and the application infrastructure reside within the same private network
  • remotely access devices from AWS infrastructure via telnet / SSH
  • device data does not traverse public internet
  • VPC / EC2 instances do not need public IP
  • fully scalable and managed AWS service

Remarks:

The secure connection is associated with a specific VPC, for example when hosting your own MQTT server or utilizing a VM for remote access. When only AWS IoT is intended to be used, a separate guide is provided on the AWS IoT Core setup page.

Configuration Steps

The following steps illustrate how to create an attachment using CloudConnect to peer with your VPC:

  1. In the EMnify platform, navigate to the tech settings page. In the CloudConnect panel, click + Create.
  2. Select Transit Gateway as the attachment type.
  3. Enter the destination AWS account details and the private CIDR addresses. The CIDRs should be existing VPC or subnet IPv4 address ranges with a prefix between /32 and /22. If the IP address range is already taken, you will be prompted to select a new one.
  4. An optional step offers to modify existing service profiles so that they use the CloudConnect attachment for their breakout connectivity.
  5. In the AWS console, accept the pending resource share in Resource Access Manager.
  6. In the VPC dashboard, navigate to Transit Gateways in the menu and select Transit Gateway Attachments (ensuring you are in the region specified in the previous steps). Create a Transit Gateway Attachment and attach the VPC where the application servers are located to the shared Transit Gateway. During the process, the Transit Gateway can be attached to one or more subnets of the VPC.
  7. The final step is to configure the VPC route table and the security group so that data is routed through the Transit Gateway. In the VPC dashboard, navigate to Route Tables and edit the route table used by your application server. Click Add Route, enter the shared address space (for example 100.64.0.0/16) and select the newly created Transit Gateway as the target.

Tip: an explanation of these route tables and how they should be configured can be found in the AWS documentation for Route Tables.

  8. Existing security groups need to be updated, or a new security group created, to allow traffic from the Transit Gateway. Good security practice is to limit the inbound and outbound rules of the security groups to only the ports and protocols that your application uses. Exactly which ports and protocols depends on the use case and the type of application running in your VPC.
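As an added example (not EMnify's or AWS's own code), the checks and changes from steps 3, 7 and 8 in Python: a validator for the private CIDRs entered for the attachment (prefix between /32 and /22, inside an existing VPC range, not clashing with the 100.64.0.0/16 device space or with another attachment), and the route plus least-privilege security-group rules built as the parameter dicts that boto3's ec2 create_route and authorize_security_group_ingress accept. The VPC CIDRs, resource ids and ports are constructed sample values.

```python
import ipaddress

# Step 3 constraints: IPv4 ranges inside an existing VPC/subnet, prefix between /32 and /22.
MIN_PREFIX, MAX_PREFIX = 22, 32
# Shared address space routed to the Transit Gateway in step 7 (the same /16 the page uses).
DEVICE_SPACE = ipaddress.ip_network("100.64.0.0/16")


def validate_attachment_cidrs(vpc_cidrs, requested, already_taken=()):
    """Return [(cidr, reason), ...] for rejected entries; [] means every CIDR passes.

    already_taken: CIDRs used by other attachments (the portal rejects overlaps with them).
    """
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    taken = [ipaddress.ip_network(c) for c in already_taken]
    problems = []
    for cidr in requested:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
        except ValueError as exc:
            problems.append((cidr, f"invalid network: {exc}"))
            continue
        if net.version != 4:
            problems.append((cidr, "only IPv4 ranges are accepted"))
        elif not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append((cidr, f"prefix /{net.prefixlen} is outside /{MAX_PREFIX}../{MIN_PREFIX}"))
        elif not any(v.version == 4 and net.subnet_of(v) for v in vpcs):
            problems.append((cidr, "not inside any existing VPC CIDR"))
        elif net.overlaps(DEVICE_SPACE):
            problems.append((cidr, f"overlaps the device address space {DEVICE_SPACE}"))
        elif any(net.overlaps(t) for t in taken):
            problems.append((cidr, "overlaps a CIDR already used by another attachment"))
    return problems


def tgw_route_and_sg_rules(route_table_id, tgw_id, app_ports):
    """Steps 7 and 8 as data: one route to the TGW plus inbound rules limited to the app's ports.
    Keys follow boto3's ec2 create_route / authorize_security_group_ingress parameters;
    boto3 is deliberately not imported, so the plan is built offline.
    """
    route = {"RouteTableId": route_table_id, "DestinationCidrBlock": str(DEVICE_SPACE),
             "TransitGatewayId": tgw_id}
    rules = [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
              "IpRanges": [{"CidrIp": str(DEVICE_SPACE), "Description": "EMnify devices via TGW"}]}
             for proto, port in app_ports]
    return route, rules


if __name__ == "__main__":  # constructed sample values
    print(validate_attachment_cidrs(["10.10.0.0/16"], ["10.10.1.0/24", "10.10.0.0/20", "172.16.0.0/24"]))
    print(tgw_route_and_sg_rules("rtb-EXAMPLE", "tgw-EXAMPLE", [("tcp", 1883), ("tcp", 22)]))
```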

Verifying the attachment

If everything is correctly configured, the CloudConnect panel in the EMnify portal will show Active attachments.

Some basic connectivity checks can be performed with the ping utility. The static private IP address of a device endpoint is visible in the EMnify portal, so given an example IP address of 1.2.3.4 and an endpoint showing as online (it has an active PDP context), the following check can be performed:

  • A response is expected from an EC2 instance within your VPC toward the EMnify device IP:
    PING 1.2.3.4
    PING 1.2.3.4: 56 data bytes
    64 bytes from 1.2.3.4: icmp_seq=0 ttl=56 time=16.225 ms
    ...

Troubleshooting

For in-depth details and troubleshooting tips for AWS CloudConnect attachments, see the EMnify Knowledgebase article on CloudConnect via AWS Transit Gateway.