software update 7.0.11

mwunderl · mwunderl · commit fb82811ac8fc · 2023-11-09T09:39:15.000-08:00
diff --git a/cloudformation-templates/vpc-appliance.yml b/cloudformation-templates/vpc-appliance.yml
@@ -150,7 +150,14 @@ Resources:
       # first DNS entry, split on :, second value
       ResourceRecords: 
       - !Select [1, !Split [":", !Select [0, !GetAtt s3Endpoint.DnsEntries ] ] ]
-  iotEndpoint:
+  iotHostedZone:
+    Type: AWS::Route53::HostedZone
+    Properties:
+      Name: !Sub iot.${AWS::Region}.amazonaws.com
+      VPCs:
+        - VPCId: !Ref vpc
+          VPCRegion: !Ref AWS::Region
+  iotDataEndpoint:
     Type: AWS::EC2::VPCEndpoint
     Properties:
       ServiceName: !Sub com.amazonaws.${AWS::Region}.iot.data
@@ -162,25 +169,66 @@ Resources:
       SubnetIds:
       - !Ref privateSubnetA
       - !Ref privateSubnetB
-  iotHostedZone:
-    Type: AWS::Route53::HostedZone
-    Properties:
-      Name: !Sub iot.${AWS::Region}.amazonaws.com
-      VPCs: 
-        - VPCId: !Ref vpc
-          VPCRegion: !Ref AWS::Region
-  iotRecords:
+  iotDataRecords:
     Type: AWS::Route53::RecordSet
     Properties:
       HostedZoneId: !Ref iotHostedZone
       Name: !Sub "*.iot.${AWS::Region}.amazonaws.com"
       Type: A
       AliasTarget:
         # first DNS entry, split on :, second value
-        DNSName: !Select [1, !Split [":", !Select [0, !GetAtt iotEndpoint.DnsEntries ] ] ]
+        DNSName: !Select [1, !Split [":", !Select [0, !GetAtt iotDataEndpoint.DnsEntries ] ] ]
         # hosted zone of the endpoint, not in this account
-        HostedZoneId: !Select [0, !Split [":", !Select [0, !GetAtt iotEndpoint.DnsEntries ] ] ]
+        HostedZoneId: !Select [0, !Split [":", !Select [0, !GetAtt iotDataEndpoint.DnsEntries ] ] ]
         EvaluateTargetHealth: true
+  iotCredentialsEndpoint:
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      ServiceName: !Sub com.amazonaws.${AWS::Region}.iot.credentials
+      VpcId: !Ref vpc
+      VpcEndpointType: Interface
+      SecurityGroupIds:
+      - !GetAtt vpc.DefaultSecurityGroup
+      PrivateDnsEnabled: false
+      SubnetIds:
+      - !Ref privateSubnetA
+      - !Ref privateSubnetB
+  iotCredentialsRecords:
+    Type: AWS::Route53::RecordSet
+    Properties:
+      HostedZoneId: !Ref iotHostedZone
+      Name: !Sub "*.credentials.iot.${AWS::Region}.amazonaws.com"
+      Type: A
+      AliasTarget:
+        # first DNS entry, split on :, second value
+        DNSName: !Select [1, !Split [":", !Select [0, !GetAtt iotCredentialsEndpoint.DnsEntries ] ] ]
+        # hosted zone of the endpoint, not in this account
+        HostedZoneId: !Select [0, !Split [":", !Select [0, !GetAtt iotCredentialsEndpoint.DnsEntries ] ] ]
+        EvaluateTargetHealth: true
+  ecrServiceEndpoint:
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
+      VpcId: !Ref vpc
+      VpcEndpointType: Interface
+      SecurityGroupIds:
+      - !GetAtt vpc.DefaultSecurityGroup
+      PrivateDnsEnabled: true
+      SubnetIds:
+      - !Ref privateSubnetA
+      - !Ref privateSubnetB
+  ecrDockerEndpoint:
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
+      VpcId: !Ref vpc
+      VpcEndpointType: Interface
+      SecurityGroupIds:
+      - !GetAtt vpc.DefaultSecurityGroup
+      PrivateDnsEnabled: true
+      SubnetIds:
+      - !Ref privateSubnetA
+      - !Ref privateSubnetB
   publicSubnet1:
     Type: AWS::EC2::Subnet
     Properties:
@@ -246,4 +294,4 @@ Outputs:
     Description: Public Subnet A ID
     Value: !Ref publicSubnet1
     Export:
-      Name: !Sub  ${AWS::StackName}-subnet-public
+      Name: !Sub  ${AWS::StackName}-subnet-public
diff --git a/resources/appliance-changelog.md b/resources/appliance-changelog.md
@@ -2,6 +2,26 @@
 
 The following sections detail updates to the AWS Panorama Appliance software, including changes to the operation system, AWS Panorama libraries, the application SDK, and the application container image.
 
+# Device software version 7.0.11
+
+**Release date**: 2023-11-08
+
+**Type**: Optional
+
+## Network requirements
+
+With this update, the appliance uses additional AWS services to manage software updates. If you restrict network communication outbound from the appliance, or connect it to a private VPC subnet, you must allow access to additional endpoints and ports before applying the update.
+
+- Amazon ECR service and Docker registry endpoints
+- AWS IoT Core credential provider endpoints
+- AWS IoT Core data plane endpoints (additional ports)
+
+For details on ports and endpoints used by the AWS Panorama Appliance, see [Network setup](https://docs.aws.amazon.com/panorama/latest/dev/appliance-network.html).
+
+If you connect your appliance to a private VPC subnet, create VPC endpoints for these services and, for IoT Core, add an additional Route53 record set for subdomains of the credentials endpoint. For more information, see [Using VPC endpoints](https://docs.aws.amazon.com/panorama/latest/dev/api-endpoints.html).
+
+This repo provides a CloudFormation template that demonstrates how to configure VPC endpoints, hosted zones, and record sets in your private subnets: [vpc-appliance.yml](https://github.com/awsdocs/aws-panorama-developer-guide/blob/main/cloudformation-templates/vpc-appliance.yml)
+
 # Application base image 1.2.0-py3.8
 
 **Release date**: 2023-10-17
