Enable VPC for AWS Lambda Alexa Skill

One of the requirements for doing the custom Alexa setup is to have an internet-exposed HA instance. I feel pretty safe exposing my HA instance to the internet either through my on-prem DMZ or Cloudflare tunnels, not sure which I was going to go with yet. But then I noticed that there’s an option to connect a VPC to a Lambda when creating it. I haven’t connected my AWS to my on-prem network yet but I have connected Azure, so I should be able to do the same tricks to do it for pretty cheap. Does anyone know if this would even work though? Does all the Alexa communication happen between the Lambda and the endpoint of the HA instance? If so, are there any reasons I couldn’t have this traffic go through my VPN instead of over the public internet?

Success! Mostly.
After taking a couple hours to learn AWS VPC (it’s not as similar to Azure as you would expect), this is mostly working. The only part that has to be exposed to the internet is the token exchange endpoint. That endpoint can only be used for exchanging an auth you already have and cannot be used to control anything or get a new auth. I also put it behind Cloudflare tunnels for extra security. Nothing directly exposed to the internet from my network and the L7 security Cloudflare is known for protecting a single API endpoint. It’s near perfect. In a nutshell, if anyone wants to know how I did it:

  1. Connect AWS VPC to home network. Many ways to do this, I used Tailscale.
  2. Configure Lambda to connect to the VPC. Make sure to update the DNS settings in your VPC to make sure that the Lambda can find your internal DNS record of your HA.
  3. Configure Cloudflare tunnel with a separate domain (like token.home.com) at the path /auth/token. This is the only endpoint that needs to be reachable from the public Alexa service.
  4. Configure the Alexa skill with the separate domain for the Access Token URI and your regular (private) login URI for the Authorization URI.

You need to be on your home network to complete setup. The Alexa app sends you to the login screen of your HA instance to let you log in. This should resolve to a private IP so you can log in while connected to your home network and not allow login attempts from the internet by not exposing your login page to the internet at all. When you complete authentication, your authorization gets passed back to the Alexa service, which then sends it to the separate domain you configured at /auth/token to exchange it for a token. While I’m writing this I realize in theory you could configure the Cloudflare tunnel to use the same subdomain and still configure it to only accept requests to /auth/token, but using a separate subdomain can also be helpful in denoting that the endpoint is only useful for token exchange. Once the Alexa service obtains a token through the only API endpoint that is exposed to the internet, through the added security of Cloudflare, it is passed to the Lambda when needed, which does all commands through the private network.
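
A sketch of the Cloudflare Tunnel side of step 3, added here as an illustration and not the poster's actual configuration: a cloudflared `config.yml` that publishes only `/auth/token` on the separate hostname, with the unrestricted variant left commented out for comparison. The tunnel ID, credentials path and internal Home Assistant address are assumed placeholders; `token.home.com` is the example domain from the post.

```yaml
# cloudflared config.yml (added example; values marked "assumed" are placeholders)
tunnel: <TUNNEL-ID>                                   # assumed placeholder
credentials-file: /etc/cloudflared/<TUNNEL-ID>.json   # assumed path

ingress:
  # Weak variant, for comparison: no path restriction, so the login page and
  # the rest of the HA API would be published on the public hostname.
  # - hostname: token.home.com
  #   service: http://homeassistant.home.lan:8123

  # Restricted variant: only the token exchange path is forwarded.
  # "path" is a regular expression, so anchor both ends to match
  # /auth/token itself and nothing longer.
  - hostname: token.home.com
    path: ^/auth/token$
    service: http://homeassistant.home.lan:8123       # assumed internal HA address

  # Required catch-all: any other hostname or path is answered with a 404
  # by cloudflared itself and never reaches Home Assistant.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file, and `cloudflared tunnel ingress rule <URL>` reports which rule a given URL would match, which confirms that anything other than `/auth/token` falls through to the 404 rule.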
