How it works

In AWS IoT secure tunneling you have a source device and a destination device.

Both devices have a local proxy installed. The local proxy relays a data stream between the Secure Tunneling service and the device application. The local proxy can be run in source or destination mode.

In the workshop your source device is your AWS Cloud9 instance and the destination device is your Amazon EC2 instance.

On the destination device (EC2) a listener agent has already been deployed and started. The listener agent is a device that holds an MQTT connection to AWS IoT Core and is subscribed to its shadow topics. The device name of the listener agent is tunneling-listener-agent. The listener agent publishes the state of the running local proxy to the topic cmd/sectunnel/tunneling-listener-agent/resp.

Do you remember how you can find a device - in this example the listener agent - in the registry? Hint: aws iot list-th... or aws iot search-i... --query-s... "thingN...:tunnel..."

On the source device you will use the tunnel manager to open a tunnel. When the tunnel manager is started it creates a tunnel. When a tunnel is created a pair of tokens, the client access tokens (CATs), is generated. The tunnel manager publishes the destination token, together with the service on the destination device to connect to, to the shadow of the listener agent.

When the listener agent receives the CAT it starts the local proxy in destination mode to establish a connection to AWS IoT secure tunneling.

The tunnel manager also starts the local proxy, in source mode, on the source device. A port is opened on the source device which is used to connect to the tunnel.
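The following Python sketch walks through the exchange just described end to end: the tunnel manager opens a tunnel and receives the token pair, publishes only the destination token and the requested service to the listener agent's shadow, the listener agent turns the resulting shadow delta into a destination-mode local proxy invocation, and the source device starts its own proxy on a local port. It is an added example written for this page, not the workshop's tunnel manager or listener agent code. The shadow field names, the ALLOWED_SERVICES map and the use of a boto3 `iotsecuretunneling` client are this example's own assumptions; the `-r`, `-s`, `-d` flags and the `AWSIOT_TUNNEL_ACCESS_TOKEN` variable are those of the open-source AWS IoT local proxy and are not stated on this page.

```python
"""Tunnel manager / listener agent exchange for AWS IoT secure tunneling (added example)."""
import json
import os

# Device name and response topic are taken from the workshop text.
THING_NAME = "tunneling-listener-agent"
RESP_TOPIC = f"cmd/sectunnel/{THING_NAME}/resp"

# Assumption: the local services the listener agent is willing to expose.
# Anything not listed is refused, so a bad shadow update cannot point the
# destination proxy at an arbitrary host:port on the device.
ALLOWED_SERVICES = {"SSH": "localhost:22"}


def open_tunnel(client, thing_name, service, region, lifetime_minutes=60):
    """Tunnel-manager side: open a tunnel and receive the pair of CATs.

    `client` is a boto3 'iotsecuretunneling' client (a stand-in works in tests).
    OpenTunnel returns both tokens; only the destination token is shared on.
    """
    resp = client.open_tunnel(
        description="workshop tunnel",
        destinationConfig={"thingName": thing_name, "services": [service]},
        timeoutConfig={"maxLifetimeTimeoutMinutes": lifetime_minutes},
    )
    return {
        "tunnel_id": resp["tunnelId"],
        "region": region,
        "service": service,
        "source_token": resp["sourceAccessToken"],
        "destination_token": resp["destinationAccessToken"],
    }


def shadow_update_document(tunnel):
    """Desired-state update the tunnel manager publishes to the listener agent's
    shadow. Field names are this example's own choice (assumption)."""
    desired = {
        "tunnelId": tunnel["tunnel_id"],
        "region": tunnel["region"],
        "service": tunnel["service"],
        "destinationToken": tunnel["destination_token"],
    }
    return json.dumps({"state": {"desired": desired}})


def destination_proxy_command(shadow_delta, allowed=ALLOWED_SERVICES):
    """Listener-agent side: turn the shadow delta document (as delivered on
    $aws/things/<thing>/shadow/update/delta) into a local proxy invocation in
    destination mode. Returns (argv, extra_env)."""
    desired = json.loads(shadow_delta)["state"]
    service = desired["service"]
    if service not in allowed:
        raise ValueError(f"service {service!r} is not permitted on this device")
    argv = ["localproxy", "-r", desired["region"], "-d", f"{service}={allowed[service]}"]
    # The CAT is a bearer credential: pass it in the environment variable the
    # local proxy reads rather than on the command line, where any local user
    # could read it from the process list.
    env = {"AWSIOT_TUNNEL_ACCESS_TOKEN": desired["destinationToken"]}
    return argv, env


def source_proxy_command(tunnel, listen_port):
    """Tunnel-manager side: local proxy in source mode, listening on a local
    port that the operator then connects to (e.g. ssh -p <listen_port> localhost)."""
    argv = ["localproxy", "-r", tunnel["region"], "-s", str(listen_port)]
    env = {"AWSIOT_TUNNEL_ACCESS_TOKEN": tunnel["source_token"]}
    return argv, env


def status_message(tunnel_id, state):
    """Status the listener agent reports about its local proxy on RESP_TOPIC."""
    return RESP_TOPIC, json.dumps({"tunnelId": tunnel_id, "localproxy": state})


if __name__ == "__main__":
    import boto3  # real AWS call; needs credentials and a region configured

    region = os.environ.get("AWS_REGION", "us-east-1")
    client = boto3.client("iotsecuretunneling", region_name=region)
    tunnel = open_tunnel(client, THING_NAME, "SSH", region)
    print(shadow_update_document(tunnel))
    print(*source_proxy_command(tunnel, 5555)[0])
```

Two points worth noticing when reading the code: the source token never appears in the shadow document, because the listener agent has no need for it, and the listener agent only honours services it has been configured to expose, so a shadow update cannot redirect the destination proxy to some other local port.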