Get Your IoT Devices Connected to Azure

Published on 2020-01-23.
“How can I get my device securely online?” – An introduction to Azure IoT Hub.

This article is about the Azure IoT Hub and the different types of authentication of IoT devices. It will give you a compact introduction into the general purpose and the features of this tremendous Azure resource. So, let’s start and see how you can use it.

In the world of Internet of Things (IoT) you will get to the point that you have a locally running device, which should be available for the outer world, even if it simply needs to be controlled remotely. And that’s the job of a cloud-based device gateway – in our case the Azure IoT Hub.

The Azure IoT Hub is a managed service and acts as a central message hub between connected IoT devices and the corresponding IoT applications.

IoT Hub

It can support a vast number of concurrently connected devices (millions) and IoT applications. The devices and applications will bi-directly communicate with the Azure IoT Hub to send and receive messages with low latency (few milliseconds).

Flexible Tiers

Since this managed service is available in different tiers, you can choose the best fitting one for you, but you’re still able to scale out (take more instances of a special tier) or scale up (take an instance providing additional features) depending on your needs.

There are three different tiers available (details about features in next chapter):

It is ready for connecting devices, receives and routes messages from the device, and also monitors the devices. There are three sub-tiers available from B1 - B3, which differs only in the total number of messages per day from 400 k – 300 M, and its pricing. The message meter size is 4 kB.

This tier offers the same capabilities as the basic version. Still, additionally you can send messages from the cloud to the devices, sync device states elegantly, and it offers extended management of devices. There are three sub-tiers available from S1 - S3, which differs only in the total number of messages per day from 400 k – 300 M, and its pricing. The message meter size is 4 kB.

It has the same capabilities as the standard tier, but is limited to 8.000 messages each day, and also the messages are much smaller (0.5 kB).

It is worth mentioning that the message meter sizes only are defined for calculation needs. That means that in case you want to send a message which is about 20 kB of size with standard tier, this message will count like 5 single messages. But there is a maximum limit of message size, which is 256 kB.

Features of IoT Hub

Following list provides a brief summary about the features of the Azure IoT Hub:

Device-to-cloud telemetry
This feature describes the capability of the IoT Hub to receive messages from the connected IoT devices. Afterward, the IoT Hub processes the messages variously.

Per-device identity
For properly running an IoT platform with a vast number of connected devices, it is crucial to identify each device. Therefore, every single registered device must own unique identity.

Message routing, message enrichments, and Event Grid integration
The IoT Hub offers different capabilities regarding the routing of messages, allows enriching of messages, and also integrated Event Grid if necessary.

HTTP, AMQP, and MQTT protocols
Between the Azure IoT Hub, the connected devices, and different IoT solutions, various communication protocols can be used.

Device Provisioning Service
As one of the additional services based on the IoT Hub, the Device Provisioning Service allows to provision devices elegantly. It provides, e.g. zero-touch provisioning without requiring hardcoded IoT Hub connection information in the factory, and connecting a device to the IoT hub with the nearest geo-location.

Monitoring and diagnostics
This feature provides the capabilities to monitor the health of the IoT Hub and enables diagnosing problems quickly.

Cloud-to-device messaging
Besides the capability to receive messages from the devices, the IoT Hub is also able to send messages towards a device to control it or to request its states.

Device twins, Module twins, and Device management
The Device Twin concept is about exchanging device state information including metadata, configurations, and conditions between the device and the Azure IoT Hub in a very easy way. This allows keeping the state of the device in sync on both sides.

Device streams (preview)
It offers secure bi-directional TCP tunnels for communication between devices and IoT applications via the IoT Hub. This feature is crucial in case the components exchange a stream of data, e.g. for video or voice streaming.

Azure IoT Edge
It is a fully managed service built on Azure IoT Hub which enables you to run your own business logic on IoT edge devices via standard containers.

IoT Plug and Play Preview
It will enable solution developers to integrate IoT devices with their solutions without the need of writing a single line of embedded code.

The Azure IoT Hub provides a REST API for most of its capabilities which can be utilized by devices and applications.

Since you now got a (hopefully) good overview about the Azure IoT Hub, we will now focus on the security aspects. The IoT Hub provides a great set of built-in security features in order to securely authenticate the devices and to establish a secure communication channel.

Types of Authentication

Every time a device starts to communicate with the IoT Hub, it must authenticate itself and this can be done in three different ways. During the registration of each device, you must choose one of following authentication options:

  • Symmetric Key
  • X.509 Self-Signed Certificate
  • X.509 CA-Signed Certificate

The Symmetric Key will be automatically generated or you can define one on your own, but ensure that you will provide a base-64 encoded key with a length between 16-64 bytes. This key must be stored on the device and every time the device connects to the IoT Hub, it needs to present it. In order to be able to exchange the primary key, the communication can also be started by utilizing the secondary key.

Symmetric Key

If you want to use a X.509 Self-Signed Certificate, you need to provide the certificate’s thumbprint during registration. The X.509 Self-Signed Certificate and its corresponding Private Key must be stored and utilized on the device. In order to be able to exchange the primary public key certificate (primary thumbprint on IoT Hub side), the communication can also be started by providing the secondary public key certificate.

Self-Signed Certificate

The third option is that the device will store and utilize a CA-Signed Certificate, which means that the Device Certificate must be signed with a Private Key from a CA. Furthermore, you must register the CA Certificate at the Azure IoT Hub.

CA-Signed Certificate

Communication between Device and IoT Hub

Based on the valid authentication, a secure communication channel can be established utilizing e.g. MQTT protocol. It is worth mentioning that the communication will always be started by the device, and not by the IoT Hub.

We considered the features of the IoT Hub and the different types of authentication, but there is still one more thing to consider:

Secure Storage of Secrets

Independent from which option regarding the authentication types you will choose, it is crucial to store the secrets (Symmetric Key or Private Key of Public Key Certificate) on the device in a secure fashion. That means that you should utilize hardware-based encryption capabilities of the IoT device to protect the device from identity theft. Secure chips like Hardware Secure Modules (HSM) can do the job.

Finally, I would also share interesting and essentials resources regarding the topics which has been covered in this article, such as:

Azure IoT Hub – Overview

Quick Introduction into Azure IoT Hub

Set up X.509 security in your Azure IoT Hub

Pricing of Azure IoT Hub Tiers

Jens Thirmeyer
Jens ThirmeyerSolution Architect