! az extension add --name azure-iot
az iot hub device-identity create --device-id simDevice --hub-name {YourIoTHubName}
az iot device simulate -d simDevice -n {YourIoTHubName}
The free tier does not support upgrading to basic or standard.
! 4 KB message size
400k/day - 1.5GB - x200 unit available 1M /min
6M/day - 22.8GB - x200 unit available 16M /min
300M/day - 1114GB 800M /min
recommend an appropriate protocol based on device specifications
Under current HTTPS guidelines, each device should poll for messages every 25 minutes or more.
MQTT and HTTPS support only a single device identity (device ID plus credentials) per TLS connection
! The standard AMQP protocol uses port 5671, and MQTT listens on port 8883. Use of these ports could cause problems in networks that are closed to non-HTTPS protocols. Use MQTT over WebSockets, AMQP over WebSockets, or HTTPS in this scenario.
Once you have created an IoT hub in an Azure region, the IoT hub keeps the same IP address for the lifetime of that IoT hub. However, if Microsoft moves the IoT hub to a different scale unit to maintain quality of service, then it is assigned a new IP address.
MQTT
IoT Hub limits the maximum server-side timeout to 29.45 minutes (1767 seconds) because all Azure services are bound to the Azure load balancer TCP idle timeout, which is 29.45 minutes.
IoT Hub’s keep-alive ping interval is 1.5 times the client keep-alive value.
C, C# SDK: configurable keep-alive
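As an added example (not from these notes or any Azure SDK), the protocol rules above and the keep-alive bound in one Python helper: the ports, the 1767 s idle timeout and the 1.5x ping factor come from the notes, while the inputs of recommend_protocol are an assumed encoding of that guidance.

```python
from typing import Optional, Set

# Added example, not from the notes: constants below are the values stated above,
# the decision rules in recommend_protocol are an assumed encoding of them.
LB_IDLE_TIMEOUT_S = 1767      # Azure load balancer TCP idle timeout (29.45 min)
SERVER_PING_FACTOR = 1.5      # IoT Hub pings at 1.5 x the client keep-alive


def max_client_keep_alive() -> int:
    """Largest client keep-alive (seconds) whose 1.5x server ping interval
    still fits inside the load-balancer idle timeout."""
    return int(LB_IDLE_TIMEOUT_S / SERVER_PING_FACTOR)


def keep_alive_ok(client_keep_alive_s: int) -> bool:
    """True when the hub's ping interval derived from this keep-alive stays
    within the idle timeout (otherwise the LB may silently drop the TCP session)."""
    return client_keep_alive_s * SERVER_PING_FACTOR <= LB_IDLE_TIMEOUT_S


def recommend_protocol(open_ports: Set[int],
                       identities_per_connection: int = 1,
                       poll_interval_min: Optional[int] = None) -> str:
    """Choose a transport from the device's network constraints.
    open_ports: outbound TCP ports the device network allows (443 assumed open).
    identities_per_connection: device identities that must share one TLS session.
    poll_interval_min: for poll-only devices, how often they are able to poll.
    """
    multiplexed = identities_per_connection > 1
    # HTTPS is poll-based; the notes say poll no more often than every 25 minutes,
    # and like MQTT it carries a single identity per TLS connection.
    if poll_interval_min is not None and poll_interval_min >= 25 and not multiplexed:
        return "HTTPS"
    if multiplexed:
        # MQTT and HTTPS are single-identity per connection; AMQP can multiplex.
        return "AMQP" if 5671 in open_ports else "AMQP over WebSockets"
    # Port 8883 blocked on HTTPS-only networks -> fall back to WebSockets on 443.
    return "MQTT" if 8883 in open_ports else "MQTT over WebSockets"
```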
Custom device and module authentication (token service): If you have existing device registry
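An added Python example, not from these notes or the Azure SDKs, of what such a token service issues: the IoT Hub SAS token format (sr, sig, se and optional skn) with both generation and the verification the hub performs. The hub name, device ID and key below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample key (base64 of a made-up string), not a real credential.
CONSTRUCTED_KEY = base64.b64encode(b"example-device-key-0123456789abcd").decode()


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int,
                       policy_name: Optional[str] = None) -> str:
    """Build 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.
    resource_uri is '<hub>.azure-devices.net/devices/<deviceId>' without scheme;
    the string to sign is the URL-encoded URI, a newline, and the expiry epoch."""
    sr = quote(resource_uri, safe="")
    to_sign = f"{sr}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    token = f"SharedAccessSignature sr={sr}&sig={quote(sig, safe='')}&se={expiry}"
    if policy_name:
        token += f"&skn={policy_name}"      # only for hub-level policies, not devices
    return token


def verify_sas_token(token: str, key_b64: str, now: Optional[int] = None) -> bool:
    """Recompute the signature over the token's own sr/se fields and compare in
    constant time; an expired token is rejected before any crypto is done."""
    now = int(time.time()) if now is None else now
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(part.split("=", 1) for part in token[len(prefix):].split("&"))
    try:
        sr, sig, expiry = fields["sr"], unquote(fields["sig"]), int(fields["se"])
    except (KeyError, ValueError):
        return False
    if expiry <= now:
        return False
    to_sign = f"{sr}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), sig)
```

A token service that holds the device keys can hand out short-lived tokens this way, so the device itself never stores a long-term secret.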
X509
A distinguishing attribute of X.509 CA authentication is the one-to-many relationship a CA certificate has with its downstream devices. This relationship enables registration of any number of devices into IoT Hub by registering an X.509 CA certificate once; otherwise a unique device certificate must be pre-registered for every device before that device can connect. This one-to-many relationship also simplifies device certificate life-cycle management operations.
Purchase: 3rd party services integration otherwise self-signed
Registration: proof of possession
Currently, modules can’t receive cloud-to-device messages or use the file upload feature.
No c2d message, only method
Enriching device telemetry messages with a device twin tag can reduce the load on customers, who otherwise have to make device twin API calls for this information.
$iothubname $twin.tags.field
Event vs Message services:
Event Grid - react to status changes
Event Hubs - telemetry and distributed data streaming
Service Bus - order processing and financial transactions
storage account, eventhub, service bus queue (single consumer), service bus topic (publish-subscribe)
Paid SKU hubs may have 10 additional endpoints. Free SKU hubs may have one additional endpoint.
Paid SKU hubs may have 100 routing queries. Free SKU hubs may have five routing queries.
Telemetry events, Device twin change events,
Anomaly detection with Stream Analytics
10,000,000 events per second per region; subject: devices/{deviceId}
advanced filtering: key-value
Stream Analytics guarantees exactly once event processing and at-least-once event delivery.
create ASA for data and stream processing of IoT data
process and filter IoT data by using Azure Functions
Tumbling, hopping, sliding,
Archive to Azure Storage Account
Route to Event Hub
Store in Log Analytics Workspace
C2D Command/Message - expired, abandoned, rejected, delivery completed
C2D Method - failure, success, request size, response size
C2D Device Twin - reads/updates failed/successful
Configuration count - modify device twin counts (edge deployment, etc.)
Daily total data, count
D2C Telemetry - throttling, attempted, received
D2C Twin
Event Grid deliveries
Routing metrics - delivery attempts, latency, save to blob, route to blob, built-in endpoint latency, delivered to fallback route; telemetry message dropped, incompatible, orphaned (no fallback route)
Resource logs:
connection events
telemetry errors
device identity operations
device-to-cloud twin operations
cloud-to-device twin operations
distributed tracing
device-to-cloud log message (measure device-to-cloud latency: caller local time, callee local time)
egress log - write to endpoint
ingress log - write to built-in endpoint (duration in ms)
distributed tracing - C SDK only; needs a correlation ID across multiple Azure services
// All distributed traces
AzureDiagnostics
| where Category == "DistributedTracing"
| project TimeGenerated, Category, OperationName, Level, CorrelationId, DurationMs, properties_s
| order by TimeGenerated asc
Azure Monitor vs Event Grid
Monitor: metric alerts, thresholds etc.
IoT Hub only supports one active MQTT connection per device. Any new MQTT connection on behalf of the same device ID causes IoT Hub to drop the existing connection. 400027 ConnectionForcefullyClosedOnNewConnection is logged in the IoT Hub logs.
X.509 certificates: external vendors, price, lifecycle management
TPM: difficult, can’t rotate EK
manage the X.509 certificates for a device
manage the symmetric keys for a device
When a device connects to the provisioning service, the service prioritizes more specific enrollment entries over less specific enrollment entries. If there is no individual enrollment for the device and an enrollment group for the first intermediate certificate in the device’s certificate chain exists, the service applies that entry, and so on, up the chain to the root.
Upload proof of possession: sign a cert for a random common name.
Built-in mode vs enhanced mode (with agents)
Agents:
C and C#
Authentication: device mode (CA-signed not supported) and module mode (symmetric only)
create security modules
process create/terminate, listening ports, new connections
sudo apt-get install auditd audispd-plugins
edge deployment configuration
"Privileged": true,
"NetworkMode": "host",
"PidMode": "host",
"Binds": [
"/:/host"
]
"ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"
schema:
https://github.com/Azure/Azure-IoT-Security/blob/master/security_module_twin/azureiotsecurity_schema.json
Validate! An agent will not launch if the configuration object does not match the schema.
set Edge Hub config (default)
set routes
"ASCForIoTRoute": "FROM /messages/modules/azureiotsecurity/* INTO $upstream"