- What is Microsoft Azure IoT Hub:
Welcome to Azure IoT Hub. This article provides an overview of Azure IoT Hub and describes why you should use this service to implement an Internet of Things (IoT) solution. Azure IoT Hub is a fully managed service that enables reliable and secure bidirectional communications between millions of IoT devices and a solution back end.
Azure IoT Hub:
- Provides multiple device-to-cloud and cloud-to-device communication options. These options include one-way messaging, file transfer, and request-reply methods.
- Provides built-in declarative message routing to other Azure services.
- Provides a queryable store for device metadata and synchronized state information.
- Azure IoT:
Microsoft Azure provides several services allowing devices to be connected in a simple and safe way. Azure maintains server infrastructure all over the world, including China, allowing data to be kept where it’s most needed. Azure also supports on-premise deployments.
- Azure IoT Hub:
For the Internet of Things (IoT), Azure provides the Azure IoT Hub. It provides an easy-to-use, reliable, bi-directional communications framework that scales to millions of devices.
It supports several protocols including HTTP, Advanced Message Queuing Protocol (AMQP), and MQ Telemetry Transport (MQTT) and is extendable via protocol gateways. Support for per-device authentication ensures devices remain secure.
The Azure IoT Suite provides predefined solutions for common use cases.
Currently Remote Monitoring and Predictive Maintenance are supported scenarios.
It builds on the technology of the IoT Hub and extends it to complete use cases.
· Why use Azure IoT Hub?
Azure IoT Hub offers a rich set of device-to-cloud and cloud-to-device communication options. Additionally, Azure IoT Hub addresses the challenges that come with reliably and securely connecting to devices in the following ways:
- Device twins:
Using Device twins, you can store, synchronize, and query device metadata and state information. Device twins are JSON documents that store device state information like metadata, configurations, and conditions. IoT Hub maintains a device twin for each device that you connect to IoT Hub.
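To make the twin mechanics concrete, here is an added example (not code from the page or from Microsoft's SDKs) that models a device twin as the JSON document described above: the back end patches desired properties, the device reports what it applied, and the solution can query twins by a dotted property path. The twin layout, the merge-patch rules (nested objects merge, null deletes a key) and the sample values are assumptions made for this example.

```python
import copy
import json

# Constructed sample twin, laid out like an IoT Hub device twin (identity fields plus
# desired/reported property sections with $version counters). All values are made up.
SAMPLE_TWIN = {
    "deviceId": "sensor-001",
    "status": "enabled",
    "properties": {
        "desired": {
            "telemetryInterval": 60,
            "thresholds": {"temp": 80, "hum": 70},
            "$version": 3,
        },
        "reported": {"telemetryInterval": 60, "firmware": "1.2.0", "$version": 7},
    },
}


def merge_patch(target, patch):
    """Apply a JSON merge-style patch: nested objects merge recursively,
    a null value deletes the key, scalars and lists replace the old value."""
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_patch(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def _patch_section(twin, section, patch):
    """Merge `patch` into twin.properties[section] and bump that section's $version."""
    new_twin = copy.deepcopy(twin)
    current = new_twin["properties"][section]
    version = current.get("$version", 0)
    merged = merge_patch(current, patch)
    merged["$version"] = version + 1
    new_twin["properties"][section] = merged
    return new_twin


def apply_desired_patch(twin, patch):
    """Back-end side: update desired properties; the new $version lets the
    device tell which patches it has already acted on."""
    return _patch_section(twin, "desired", patch)


def report_properties(twin, patch):
    """Device side: publish reported properties with the same merge semantics."""
    return _patch_section(twin, "reported", patch)


def pending_changes(twin):
    """Desired keys the device has not yet reported back with the same value."""
    desired = twin["properties"]["desired"]
    reported = twin["properties"]["reported"]
    return {k: v for k, v in desired.items()
            if k != "$version" and reported.get(k) != v}


def get_path(obj, dotted):
    """Follow a dotted path such as 'properties.reported.firmware'; None if absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def select_twins(twins, dotted_path, expected):
    """Back-end query over a twin collection, e.g. every device still on one firmware."""
    return [t["deviceId"] for t in twins if get_path(t, dotted_path) == expected]


# A second constructed twin so the query has something to discriminate.
SECOND_TWIN = report_properties({**SAMPLE_TWIN, "deviceId": "sensor-002"}, {"firmware": "1.3.0"})


if __name__ == "__main__":
    updated = apply_desired_patch(
        SAMPLE_TWIN, {"telemetryInterval": 30, "thresholds": {"hum": None, "co2": 1000}})
    print(json.dumps(updated["properties"]["desired"], indent=2))
    print("pending on device:", pending_changes(updated))
    print("on firmware 1.2.0:", select_twins([SAMPLE_TWIN, SECOND_TWIN],
                                             "properties.reported.firmware", "1.2.0"))
```

The `$version` counters are what let a device that reconnects after a long outage decide whether a desired-properties document is newer than the one it last applied, which is the synchronization behaviour the paragraph describes.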
- Per-device authentication and secure connectivity:
You can provision each device with its own security key to enable it to connect to IoT Hub. The IoT Hub identity registry stores device identities and keys in a solution. A solution back end can add individual devices to allow or deny lists to enable complete control over device access.
- Route device-to-cloud messages to Azure services based on declarative rules:
IoT Hub enables you to define message routes based on routing rules to control where your hub sends device-to-cloud messages. Routing rules do not require you to write any code, and can take the place of custom post-ingestion message dispatchers.
- Integrate IoT Hub events into your business applications:
IoT Hub integrates with Azure Event Grid. Use this integration to configure other Azure services or third-party applications to listen for IoT Hub events. Azure Event Grid enables you to react quickly to critical events in a reliable, scalable, and secure manner.
- Monitoring of device connectivity operations:
You can receive detailed operation logs about device identity management operations and device connectivity events. This monitoring capability enables your IoT solution to identify connectivity issues. Use these logs to identify devices that provide wrong credentials, send messages too frequently, or reject all cloud-to-device messages.
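The three conditions the paragraph lists (wrong credentials, sending too frequently, rejecting every cloud-to-device message) are exactly the kind of thing a detection rule over the operation logs should surface. The following is an added example, not code from the page or from Microsoft: it runs simple detections over constructed log records. The record schema (`category`, `operation`, `result` fields) and the thresholds are assumptions for the example; the real IoT Hub diagnostic log schema differs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log records (one JSON object per line). The field names are
# assumptions made for this example, not the real IoT Hub diagnostic log schema.
SAMPLE_LOG = """\
{"time": "2024-01-01T10:00:00Z", "deviceId": "dev-a", "category": "Connections", "operation": "deviceConnect", "result": "Unauthorized"}
{"time": "2024-01-01T10:01:00Z", "deviceId": "dev-a", "category": "Connections", "operation": "deviceConnect", "result": "Unauthorized"}
{"time": "2024-01-01T10:02:00Z", "deviceId": "dev-a", "category": "Connections", "operation": "deviceConnect", "result": "Unauthorized"}
{"time": "2024-01-01T10:00:30Z", "deviceId": "dev-b", "category": "Connections", "operation": "deviceConnect", "result": "Unauthorized"}
{"time": "2024-01-01T10:00:40Z", "deviceId": "dev-b", "category": "Connections", "operation": "deviceConnect", "result": "Success"}
{"time": "2024-01-01T10:05:00Z", "deviceId": "dev-c", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:05:10Z", "deviceId": "dev-c", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:05:20Z", "deviceId": "dev-c", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:05:30Z", "deviceId": "dev-c", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:05:40Z", "deviceId": "dev-c", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:05:50Z", "deviceId": "dev-b", "category": "DeviceTelemetry", "operation": "sendMessage", "result": "Success"}
{"time": "2024-01-01T10:06:00Z", "deviceId": "dev-d", "category": "C2DCommands", "operation": "reject", "result": "Success"}
{"time": "2024-01-01T10:07:00Z", "deviceId": "dev-d", "category": "C2DCommands", "operation": "reject", "result": "Success"}
{"time": "2024-01-01T10:06:10Z", "deviceId": "dev-b", "category": "C2DCommands", "operation": "complete", "result": "Success"}
"""


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def auth_failure_devices(records, threshold=3, window=timedelta(minutes=5)):
    """Devices with `threshold` or more failed connection attempts inside any `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["category"] == "Connections" and r["result"] == "Unauthorized":
            failures[r["deviceId"]].append(r["time"])
    flagged = set()
    for device, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(device)
                break
    return flagged


def chatty_devices(records, max_per_minute=3):
    """Devices exceeding `max_per_minute` telemetry messages in any one-minute bucket."""
    counts = defaultdict(int)
    for r in records:
        if r["category"] == "DeviceTelemetry":
            bucket = r["time"].replace(second=0, microsecond=0)
            counts[(r["deviceId"], bucket)] += 1
    return {device for (device, _), n in counts.items() if n > max_per_minute}


def c2d_rejecting_devices(records):
    """Devices whose every recorded cloud-to-device outcome is a reject."""
    outcomes = defaultdict(set)
    for r in records:
        if r["category"] == "C2DCommands":
            outcomes[r["deviceId"]].add(r["operation"])
    return {d for d, ops in outcomes.items() if ops == {"reject"}}


def triage(records):
    """Summarize the three conditions as sorted lists for a report or alert."""
    return {
        "bad_credentials": sorted(auth_failure_devices(records)),
        "too_frequent": sorted(chatty_devices(records)),
        "rejects_all_c2d": sorted(c2d_rejecting_devices(records)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_log(SAMPLE_LOG)), indent=2))
```

A device that repeatedly fails authentication is a candidate for the disable-and-investigate path the per-device identity model makes possible, while a device rejecting every command usually points at a firmware or configuration mismatch rather than an attack; the rules only surface candidates, the decision stays with the operator.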
- An extensive set of device libraries:
- IoT protocols and extensibility:
If your solution cannot use the device libraries, IoT Hub exposes a public protocol that enables devices to natively use the MQTT v3.1.1, HTTPS 1.1, or AMQP 1.0 protocols. You can also extend IoT Hub to support custom protocols by:
- Creating a field gateway with Azure IoT Edge that converts your custom protocol to a protocol understood by IoT Hub.
- Customizing the Azure IoT protocol gateway, an open-source component that runs in the cloud.
- Scale:
Azure IoT Hub scales to millions of simultaneously connected devices and millions of events per second.
- Device provisioning:
The IoT Hub Device Provisioning Service is a helper service for IoT Hub that enables zero-touch, just-in-time device provisioning to the right IoT hub without requiring human intervention, enabling you to provision millions of devices in a secure and scalable manner.
· How does IoT Hub work?
Azure IoT Hub implements the service-assisted communication pattern to mediate the interactions between your devices and your solution back end. The intent of the pattern is to establish trustworthy, bidirectional communication paths between a control system, such as IoT Hub, and special-purpose devices in untrusted physical space. The pattern establishes the following principles:
- Security takes precedence over all other capabilities.
- Devices do not accept unsolicited network information. A device establishes all connections and routes in an outbound-only fashion. For a device to receive a command from the solution back end, the device must regularly initiate a connection to check for any pending commands to process.
- Devices should only connect to or establish routes to well-known services they are peered with, such as IoT Hub.
- The communication path between the device and the service or gateway is secured at the application protocol layer.
- System-level authorization and authentication are based on per-device identities. They make access credentials and permissions nearly instantly revocable.
- For devices that connect sporadically due to power or connectivity concerns, bidirectional communication works by holding commands and notifications until a device connects to receive them. IoT Hub maintains device-specific queues for the commands it sends.
- Application payload data is secured separately for protected transit through gateways to a particular service.
The mobile industry has used the service-assisted communication pattern to implement push notification services such as Windows Push Notification Services, Google Cloud Messaging, and Apple Push Notification Service.
IoT Hub is supported over ExpressRoute's public peering path.
· Device-to-cloud and cloud-to-device messaging with IoT Hub
Use IoT Hub messaging to communicate with your devices by:
- Sending device-to-cloud messages from your devices to your solution back end.
- Sending cloud-to-device messages from the solution back end to your devices.
Core properties of IoT Hub messaging functionality are the reliability and durability of messages. These properties enable resilience to intermittent connectivity on the device side, and to load spikes in event processing on the cloud side. IoT Hub implements at least once delivery guarantees for both device-to-cloud and cloud-to-device messaging.
· Microsoft Azure – secure IoT infrastructure for your business
Microsoft’s systems provide continuous intrusion detection and prevention, service attack prevention, regular penetration testing, and forensic tools that help identify and mitigate threats. Multi-factor authentication provides an extra layer of security for end users to access the network. And for the application and the host provider, Microsoft offers access control, monitoring, anti-malware, vulnerability scanning, patches, and configuration management.
The Microsoft Azure IoT Suite takes advantage of the security and privacy built into the Azure platform along with the SDL and OSA processes for secure development and operation of all Microsoft software. These procedures provide infrastructure protection, network protection, and identity and management features fundamental to the security of any solution.
The Azure IoT Hub within the IoT Suite offers a fully-managed service that enables reliable and secure bi-directional communication between IoT devices and Azure services such as Azure Machine Learning and Azure Stream Analytics by using per-device security credentials and access control.
To best communicate security and privacy features built into the Azure IoT Suite, this article breaks down the suite into the three primary security areas.
· Secure device provisioning and authentication
The Azure IoT Suite secures devices while they are out in the field by providing a unique identity key for each device, which can be used by the IoT infrastructure to communicate with the device while it is in operation. The process is quick and easy to set up. The generated key with a user-selected device ID forms the basis of a token used in all communication between the device and the Azure IoT Hub.
Device IDs can be associated with a device during manufacturing (that is, flashed in a hardware trust module) or can use an existing fixed identity as a proxy (for example CPU serial numbers). Since changing this identifying information in the device is not simple, it is important to introduce logical device IDs in case the underlying device hardware changes but the logical device remains the same. In some cases, the association of a device identity can happen at device deployment time (for example, an authenticated field engineer physically configures a new device while communicating with the solution backend). The Azure IoT Hub identity registry provides secure storage of device identities and security keys for a solution. Individual or groups of device identities can be added to an allow list, or a block list, enabling complete control over device access.
Azure IoT Hub access control policies in the cloud enable you to activate or disable any device identity, providing a way to disassociate a device from an IoT deployment when required. This association and disassociation of devices is based on each device identity.
Additional device security features include:
- Devices do not accept unsolicited network connections. They establish all connections and routes in an outbound-only fashion. For a device to receive a command from the backend, the device must initiate a connection to check for any pending commands to process. Once a connection between the device and IoT Hub is securely established, messaging from the cloud to the device and device to the cloud can be sent transparently.
- Devices only connect to or establish routes to well-known services with which they are peered, such as an Azure IoT Hub.
- System-level authorization and authentication use per-device identities, making access credentials and permissions near-instantly revocable.
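The per-device key described above (and in the identity registry paragraph earlier) becomes a per-device token, and it is the token check on the hub side that makes revocation near-instant: disabling the identity in the registry invalidates every token the key can produce. The following is an added example, not code from the page or from Microsoft's SDKs, showing both halves of that exchange in Python: the device builds a SAS token from its key, and a verifier modelled on what the hub does recomputes the signature, rejects expired tokens, and refuses disabled identities. The hub name, the device ids and keys are constructed; the token layout (`sr`, `sig`, `se` fields signed with HMAC-SHA256 over the URL-encoded resource URI and expiry) follows the documented IoT Hub SAS format.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed identities. In a real deployment the keys come from the IoT Hub identity
# registry; the hub name below is an assumption made for the example.
HUB_HOST = "example-hub.azure-devices.net"
REGISTRY = {
    "sensor-001": {"key": base64.b64encode(b"constructed-32-byte-device-key!!").decode(), "enabled": True},
    "sensor-002": {"key": base64.b64encode(b"another-constructed-device-key!!").decode(), "enabled": True},
    "sensor-003": {"key": base64.b64encode(b"disabled-device-constructed-key!").decode(), "enabled": False},
}


def resource_uri(hub_host, device_id):
    """The resource a device token is scoped to: <hub>/devices/<deviceId>."""
    return f"{hub_host}/devices/{device_id}"


def generate_sas_token(hub_host, device_id, device_key_b64, expiry_epoch):
    """Device side. sig = HMAC-SHA256(base64decode(key), "<url-encoded uri>\\n<expiry>"),
    following the IoT Hub SAS token format. A device token carries no policy name (skn)."""
    encoded_uri = quote(resource_uri(hub_host, device_id), safe="")
    to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("utf-8")
    return f"SharedAccessSignature sr={encoded_uri}&sig={quote(signature, safe='')}&se={expiry_epoch}"


def parse_sas_token(token):
    """Split 'SharedAccessSignature k=v&k=v' into a dict of still-URL-encoded values."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def verify_sas_token(token, hub_host, registry, now_epoch):
    """Hub-side check, conceptually: the resource named in the token selects the device
    key, the signature must match under that key, the token must not be expired, and a
    disabled identity is refused even when the signature is valid (revocation)."""
    try:
        fields = parse_sas_token(token)
        sr = unquote(fields["sr"])
        expiry = int(fields["se"])
        presented_sig = unquote(fields["sig"])
    except (ValueError, KeyError):
        return False
    prefix = f"{hub_host}/devices/"
    if not sr.startswith(prefix):
        return False                      # token scoped to some other hub or resource
    device_id = sr[len(prefix):]
    identity = registry.get(device_id)
    if identity is None or not identity["enabled"]:
        return False                      # unknown or disabled device identity
    if expiry <= now_epoch:
        return False                      # expired; short lifetimes bound exposure of a leaked token
    expected = generate_sas_token(hub_host, device_id, identity["key"], expiry)
    expected_sig = unquote(parse_sas_token(expected)["sig"])
    return hmac.compare_digest(presented_sig, expected_sig)


if __name__ == "__main__":
    expiry = int(time.time()) + 3600      # one-hour token, renewed by the device before it lapses
    token = generate_sas_token(HUB_HOST, "sensor-001", REGISTRY["sensor-001"]["key"], expiry)
    print(token)
    print("accepted:", verify_sas_token(token, HUB_HOST, REGISTRY, int(time.time())))
```

Two details matter operationally: the device key never leaves the device (only the HMAC does), and the hub's check is keyed by the device id in the token, so a token signed with another device's key cannot be replayed against a different identity.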
· Secure connectivity
Durability of messaging is an important feature of any IoT solution. The need to durably deliver commands and/or receive data from devices is underlined by the fact that IoT devices are connected over the Internet, or other similar networks that can be unreliable. Azure IoT Hub offers durability of messaging between cloud and devices through a system of acknowledgments in response to messages. Additional durability for messaging is achieved by caching messages in the IoT Hub for up to seven days for telemetry and two days for commands.
Efficiency is important to ensure conservation of resources and operation in a resource-constrained environment. HTTPS (HTTP Secure), the industry-standard secure version of the HTTP protocol, is supported by Azure IoT Hub, enabling efficient communication. Advanced Message Queuing Protocol (AMQP) and Message Queuing Telemetry Transport (MQTT), both supported by Azure IoT Hub, are designed not only for efficiency in terms of resource use but also for reliable message delivery.
Scalability requires the ability to securely interoperate with a wide range of devices. Azure IoT Hub enables secure connection to both IP-enabled and non-IP-enabled devices. IP-enabled devices are able to directly connect and communicate with the IoT Hub over a secure connection. Non-IP-enabled devices are resource-constrained and connect only over short-range communication protocols, such as Z-Wave, ZigBee, and Bluetooth. A field gateway is used to aggregate these devices and performs protocol translation to enable secure bi-directional communication with the cloud.
Additional connection security features include:
- The communication path between devices and Azure IoT Hub, or between gateways and Azure IoT Hub, is secured using industry-standard Transport Layer Security (TLS), with Azure IoT Hub authenticating itself to the device or gateway by presenting an X.509 certificate.
- In order to protect devices from unsolicited inbound connections, Azure IoT Hub does not open any connection to the device. The device initiates all connections.
- Azure IoT Hub durably stores messages for devices and waits for the device to connect. These commands are stored for two days, enabling devices connecting sporadically, due to power or connectivity concerns, to receive these commands. Azure IoT Hub maintains a per-device queue for each device.
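The per-device command queue, the outbound-only connection from the device, and the at-least-once delivery guarantee (described here, under "How does IoT Hub work?" and under the messaging section above) fit together into one small state machine. The following is an added example, not code from the page or from Microsoft: a Python model of a hub holding one queue per device, where a command is handed out only when the device polls, stays locked until the device completes, abandons or rejects it, is redelivered after an abandon, expires after the two-day retention stated in the text, and is dead-lettered after a cap on redeliveries. The cap of 10, the device ids and the timestamps are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

COMMAND_TTL = timedelta(days=2)   # command retention stated in the text
MAX_DELIVERY_COUNT = 10           # assumed cap on redeliveries before a command is dead-lettered


@dataclass
class Command:
    message_id: str
    payload: str
    enqueued_at: datetime
    delivery_count: int = 0


class DeviceQueue:
    """One queue per device. Commands leave the queue only when the device asks for them,
    so from the device's point of view every connection is outbound."""

    def __init__(self, ttl=COMMAND_TTL, max_delivery=MAX_DELIVERY_COUNT):
        self.ttl = ttl
        self.max_delivery = max_delivery
        self.pending = deque()
        self.in_flight = {}      # message_id -> Command delivered but not yet settled
        self.dead_letter = []
        self.expired = []

    def enqueue(self, command):
        self.pending.append(command)

    def receive(self, now):
        """Device-initiated poll: drop expired commands, lock and return the next live one."""
        while self.pending:
            cmd = self.pending.popleft()
            if now - cmd.enqueued_at > self.ttl:
                self.expired.append(cmd)
                continue
            cmd.delivery_count += 1
            self.in_flight[cmd.message_id] = cmd
            return cmd
        return None

    def complete(self, message_id):
        """Positive acknowledgment: the hub may now forget the command."""
        return self.in_flight.pop(message_id, None) is not None

    def abandon(self, message_id):
        """Device could not handle it now: put it back at the head (at-least-once),
        unless the redelivery cap is reached, in which case it is dead-lettered."""
        cmd = self.in_flight.pop(message_id, None)
        if cmd is None:
            return False
        if cmd.delivery_count >= self.max_delivery:
            self.dead_letter.append(cmd)
        else:
            self.pending.appendleft(cmd)
        return True

    def reject(self, message_id):
        """Negative acknowledgment: the device refuses the command for good."""
        cmd = self.in_flight.pop(message_id, None)
        if cmd is None:
            return False
        self.dead_letter.append(cmd)
        return True


class Hub:
    """Holds the per-device queues; a queue is created on first use."""

    def __init__(self, **queue_opts):
        self.queues = {}
        self.queue_opts = queue_opts

    def queue_for(self, device_id):
        return self.queues.setdefault(device_id, DeviceQueue(**self.queue_opts))

    def send_c2d(self, device_id, message_id, payload, now):
        self.queue_for(device_id).enqueue(Command(message_id, payload, now))


def demo_redelivery():
    """Abandon the first command once; it comes back before the second one."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    hub = Hub()
    hub.send_c2d("dev-1", "m1", "reboot", t0)
    hub.send_c2d("dev-1", "m2", "set-interval:30", t0)
    q = hub.queue_for("dev-1")
    first = q.receive(t0 + timedelta(minutes=1))
    q.abandon(first.message_id)
    order = []
    for _ in range(2):
        cmd = q.receive(t0 + timedelta(minutes=2))
        order.append((cmd.message_id, cmd.delivery_count))
        q.complete(cmd.message_id)
    return order, q.receive(t0 + timedelta(minutes=3))


def demo_expiry():
    """A device that first polls three days later never sees the two-day-old command."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    q = DeviceQueue()
    q.enqueue(Command("m3", "reboot", t0))
    return q.receive(t0 + timedelta(days=3)), [c.message_id for c in q.expired]


def demo_dead_letter(max_delivery=2):
    """Keep abandoning until the redelivery cap moves the command to the dead-letter list."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    q = DeviceQueue(max_delivery=max_delivery)
    q.enqueue(Command("m4", "reboot", t0))
    attempts = 0
    while (cmd := q.receive(t0)) is not None:
        attempts += 1
        q.abandon(cmd.message_id)
    return attempts, [c.message_id for c in q.dead_letter]


if __name__ == "__main__":
    print("redelivery:", demo_redelivery())
    print("expiry:", demo_expiry())
    print("dead-letter:", demo_dead_letter())
```

The at-least-once guarantee is visible in `demo_redelivery`: the abandoned command is delivered a second time with `delivery_count` incremented, so device code must treat command handling as idempotent (a "reboot" seen twice should not be two reboots).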
· Comparison of Azure IoT Hub and Azure Event Hubs
One of the main use cases for IoT Hub is to gather telemetry from devices. For this reason, IoT Hub is often compared to Azure Event Hubs. Like IoT Hub, Event Hubs is an event processing service that enables event and telemetry ingress to the cloud at massive scale, with low latency and high reliability.
However, the services have many differences, which are detailed in the following table:
| Area | IoT Hub | Event Hubs |
| --- | --- | --- |
| Communication patterns | Enables device-to-cloud communications (messaging, file uploads, and reported properties) and cloud-to-device communications (direct methods, desired properties, messaging). | Only enables event ingress (usually considered for device-to-cloud scenarios). |
| Device state information | Device twins can store and query device state information. | No device state information can be stored. |
| Device protocol support | Supports MQTT, MQTT over WebSockets, AMQP, AMQP over WebSockets, and HTTPS. Additionally, IoT Hub works with the Azure IoT protocol gateway, a customizable protocol gateway implementation to support custom protocols. | Supports AMQP, AMQP over WebSockets, and HTTPS. |
| Security | Provides per-device identity and revocable access control. See the Security section of the IoT Hub developer guide. | Provides Event Hubs-wide shared access policies, with limited revocation support through publisher's policies. IoT solutions are often required to implement a custom solution to support per-device credentials and anti-spoofing measures. |
| Operations monitoring | Enables IoT solutions to subscribe to a rich set of device identity management and connectivity events such as individual device authentication errors, throttling, and bad format exceptions. These events enable you to quickly identify connectivity problems at the individual device level. | Exposes only aggregate metrics. |
| Scale | Is optimized to support millions of simultaneously connected devices. | Meters the connections as per Azure Event Hubs quotas. On the other hand, Event Hubs enables you to specify the partition for each message sent. |
| Device SDKs | Provides device SDKs for a large variety of platforms and languages, in addition to direct MQTT, AMQP, and HTTPS APIs. | Is supported on .NET, Java, and C, in addition to AMQP and HTTPS send interfaces. |
| File upload | Enables IoT solutions to upload files from devices to the cloud. Includes a file notification endpoint for workflow integration and an operations monitoring category for debugging support. | Not supported. |
| Route messages to multiple endpoints | Up to 10 custom endpoints are supported. Rules determine how messages are routed to custom endpoints. For more information, see Send and receive messages with IoT Hub. | Requires additional code to be written and hosted for message dispatching. |
In summary, even if the only use case is device-to-cloud telemetry ingress, IoT Hub provides a service that is designed for IoT device connectivity. It continues to expand the value propositions for these scenarios with IoT-specific features. Event Hubs is designed for event ingress at a massive scale, both in the context of inter-datacenter and intra-datacenter scenarios.
It is not uncommon to use both IoT Hub and Event Hubs in the same solution. IoT Hub handles the device-to-cloud communication, and Event Hubs handles later-stage event ingress into real-time processing engines.
The Internet of Things starts with your things—the things that matter most to businesses. IoT can deliver amazing value to a business by reducing costs, increasing revenue, and transforming business. Success of this transformation largely depends on choosing the right IoT software and service provider. That means finding a provider that not only catalyzes this transformation by understanding business needs and requirements, but also provides services and software built with security, privacy, transparency, and compliance as major design considerations. Microsoft has extensive experience with developing and deploying secure software and services and continues to be a leader in this new age of Internet of Things.
The Microsoft Azure IoT Suite builds in security measures by design, enabling secure monitoring of assets to improve efficiencies, drive operational performance to enable innovation, and employ advanced data analytics to transform businesses. With its layered approach towards security, multiple security features, and design patterns, Azure IoT Suite helps deploy an infrastructure that can be trusted to transform any business.