Here is an example of the test we can run to determine connectivity.
Here is the rule:
Source is our internal network, and this is what we have for this specific application defined inside of the Everybody_Allowed application group.
I tried multiple things, the first of which was to add a service defined for TCP-8883 to the Web Browsing services in the Application Control and URL Filtering advanced settings. That didn't appear to help. I couldn't find an application for MQTT over TLS, but I did see one for MQTT (port 1883) with an application signature. I tried to clone that and specify a different port, but that didn't work, likely because it wasn't matching the original application signature.
This is not normal HTTP/S traffic but a separate protocol for IoT devices wrapped in a TLS connection (at least that is my understanding of how you can secure MQTT). I wasn't sure if I could define this in a custom application, as I've seen other people post on defining an app that doesn't use the default Web Services. Are you suggesting I try adding the port 8889 to the end of the AWS URL in my URL list?
I'm trying to determine how to open all the IPs behind this first AWS IoT URL in the list above, but without having to use some form of dynamic name which requires a reverse lookup. I also don't want to just open port 8883 to all destinations, which I know will work but seems like the brute-force method.
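The connectivity test referred to at the top of the post is not shown, so here is an added example (not from the original post or from Check Point) that probes an MQTT-over-TLS broker on TCP 8883 in layers: TCP connect, TLS handshake with SNI, then a minimal MQTT CONNECT. The failing layer tells you whether the firewall rule or the broker is rejecting the session. `BROKER_HOST` is a placeholder hostname, not a real endpoint.

```python
import socket
import ssl

BROKER_HOST = "PLACEHOLDER-broker.iot.REGION.amazonaws.com"  # placeholder, replace with your endpoint
BROKER_PORT = 8883


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id: str, keepalive: int = 30) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, no username/password, no will."""
    body = b"\x00\x04MQTT\x04"                 # protocol name + level 4 (3.1.1)
    body += b"\x02"                            # connect flags: clean session only
    body += keepalive.to_bytes(2, "big")
    cid = client_id.encode()
    body += len(cid).to_bytes(2, "big") + cid
    return b"\x10" + encode_remaining_length(len(body)) + body  # 0x10 = CONNECT


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = accepted); raise on anything else."""
    if not data:
        raise ConnectionError("broker closed the connection after the TLS handshake "
                              "(brokers requiring client certificates, e.g. AWS IoT, do this)")
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(f"not a CONNACK: {data!r}")
    return data[3]


def probe(host: str = BROKER_HOST, port: int = BROKER_PORT, timeout: float = 5.0) -> int:
    """TCP -> TLS -> MQTT CONNECT. A TCP timeout points at the firewall rule,
    a TLS error at inspection/SNI, a closed socket or non-zero code at the broker."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI = broker hostname
            tls.sendall(build_connect("connectivity-probe"))
            return parse_connack(tls.recv(4))


if __name__ == "__main__":
    print("CONNACK return code:", probe())
```

Run it from a host on the internal network with the broker hostname from your URL list to see which layer the rule is blocking.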