How to transfer > 8K sensitive binary information to Azure IoT Device - azure

How can an IoT device which connects to an IoT Hub using the Azure IoT Hub SDK retrieve larger amounts of sensitive data which is part of the device configuration?
I know i can use Device Twins as configuration documents per Device, but those are limited to 8K in total.
I need larger amounts of data in binary format to be transfered to the device when i a device - for example - gets reset to factory defaults or somehow loses it's local storage as part of a hardware fault.
I was thinking about using a D2C method triggering a request which results in a series of C2D or direct method calls to the requesting device transmitting the information in question (basically mimiking request/response behavior). However this feels like a workaround.
My other thought was about transmitting urls to a storage account as part of the device twin properties allowing the device to download the binary information using the Storage SDK, however given the sensitive nature of the information downloaded i can't directly expose this information to the internet using a public accessible container in Azure Storage.
So my last thought was to access a REST API which controls access to the information. However my concern is, that i break out of the secure communication channel, the IoT Hub SDK provides with it's build in communication methods and i have to secure the communication between device and the REST API using some kind of rotating secret anyway which could expose other risks along with a complicated custom implementation.
What is the suggested way of providing access to this kind of device-specific data for Azure IoT Clients?

I do recommend to use a new feature (still in the preview) of the Azure IoT Hub such as a Device Streams.
You can test this new preview feature using my updated tool Azure IoT Hub Tester (see Appendix A2)

Related

How should I link a backend solution to an IoT Hub

So, I am working on an IoT solution on Azure, we have been using a partner solution where we had the partner's devices linked to his cloud solution that exposes the data to us Via REST services. Right now we want to have our own IoT Cloud Solution on Azure.
At first, I am planning to build a Bridge between our IoT Solution and the partner's cloud solution via its REST Services that will link to our IoT Hub in order to ingest the data to our cloud.
Also, the data will not be only telemetry data but we'll have to send commands as well to those devices.
My question: I would like to know what would be the appropriate technology/solution to use a gateway (Data Grid, Azure Function, Azure WebJob)
The numbers in the picture represent the step that I am considering to tackle this problem.
1- First we are implementing an Application gateway that will have to get the data from the partner's system and sending commands to their system. It will allow us to first build the other components of our system and make sure that it can handle what is in place right now.
2- Second, the partner's devices will connect directly to a device gateway that is connected to our IoT Hub. In this case, we will not be using the gateway made in 1 anymore.
3- Finally, we will have our own devices connected to our IoT Hub, the partner's devices will always be connected to our IoT Hub via the gateway built in 2.
Let me try to answer your questions in the order you have asked.
For application gateway, where you are trying to pull data through
REST, you can use Azure functions and then you use Cosmos DB or any
storage to save data. I see , after getting device data from Partner
network, you are routing it to IoT-Hub (I would not say, its
incorrect), however once we pull data through Rest, we can directly
put into DB. So my Answer is to use Azure functions to pull data
from Partner solutions and put into DB.
If partner device is capable of running Azure IoT sdks or can be
provisioned to send data to IoT Hub directly, this will ease lot of
things and you would be able to send D2C and C2D messages easily.
further, here you can route data to DB by using configuration from
IoT Hub.
For your devices you can use IoT Hub Directly or can use Azure
IoT Edge (device gateway as you pointed ), both are fine , depends
on use case and also if we want to do some edge computation or
analytics at device side. And one important suggestions, use Azure
functions where ever you find that you have to integrate devices
data through Rest. Most cost effective in such scenarios.
Let me know if it clears your doubts.
After some time working on the subject, I did implement an AZURE Function app for the following reasons :
Supports Continuous Deployment and Integration Even though Azure Functions is serverless architecture, it still supports Continuous Deployment and Continuous Integration
Capabilities for implementing code - Being event-driven, the application platform has capabilities to implement code triggered by events occurring in any third-party service or on-premise system.
Compute-on-demand: This delivery model ensures that computing resources are available to the users as per their demand.
I have also used Azure Table Storage as database storage technology.

How to send events to a device in Azure IoT Hub using shared key for authentication

Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.

Can Azure IOT hub be used to read(Get) data from some devices?

In my case I have 1000+ of devices that stores activity inside. I need to send a http get request to this device to get those data in csv or json format and save it in a storage hosted on azure.
Cab IOT hub require data using get request and can it be scheduled to read daily/weekly?
What other azure services would you suggest to facilitated this scheduled reads?
You have not mentioned which the Azure IoT Hub scale tier is used. Basically there are two price groups such as Basic and Standard with a significant different cost and capabilities. The Basic tier offers only services for one-way communications between the devices and Azure IoT Hub.
Based on that, the following scenarios can be used for your business case:
1. Basic Tier (non event-driven solution)
The device pushs periodicaly a telementry and non-telemetry messages based on the needs to the Azure IoT Hub, where the non-telemetry messages are routed to the Azure Function via the Service Bus Queue/Topic. Responsibility for this non-telemetry pipe is to persist a real device state in the database. Note, that the 6M messages will cost only $50/month. The back-end application can any time to query this database for devices state.
2. Standard Tier (event-driven solution) In this scenario you can use a Device Twin of the Azure IoT Hub to enable storing a real-device state in the cloud-backend (described by #HelenLo). The device can be triggered by C2D message, changing a desired property, invoking a method or based on the device edge trigger to the action for updating a state (reported properties).
The Azure IoT Hub has a capabilities to run your scheduled jobs for multiple devices.
In this solution, the back-end application can call any time a job for ExportDevicesAsync to the blob storage, see more details here. Note, that the 6M messages will cost $250/month.
As you can see the above each scenario needs to build a different device logic model based on the communications capabilities between the devices and Azure IoT Hub and back. Note, there are some limitations for these communications, see more details here.
You can consider using Device Twin of IoT Hub
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-device-twins
Use device twins to:
Store device-specific metadata in the cloud. For example, the deployment location of a vending machine.
Report current state information such as available capabilities and conditions from your device app. For example, a device is connected to your IoT hub over cellular or WiFi.
Synchronize the state of long-running workflows between device app and back-end app. For example, when the solution back end specifies the new firmware version to install, and the device app reports the various stages of the update process.
Query your device metadata, configuration, or state.
IoT Hub provides you with the ability to connect your devices over various protocols. Preferred protocols are messaging protocols, such as MQTT or AMQP, but HTTPS is also supported. Using IoT hub, you do not request data from the device, though. The device will send the data to the IoT Hub. You have to options to implement that with IoT Hub:
The device connects to the IoT Hub whenever it has some data to be sent, and pushes the data up to IoT Hub
The device does not send any data on its own, but stays always or at least regularly connected to IoT Hub. You then can send a cloud to device message over IoT Hub to the device, requesting the data to be sent. The device then sends the data the same way it would in the first option.
When the data then has been sent to IoT Hub, you need to push it somewhere where it is persistently stored - IoT Hub only keeps messages for 1 day by default. Options for this are:
Create a blob storage account and push to that directly from IoT Hub using a custom endpoint This would probably be the easiest and cheapest. Dependening on how you need to access your data, a blob might not be the best option, though
Create a function app, create a function with an EventHubTrigger, connect it to IoT Hub and let the function process incoming data by outputting it into any kind of data sink, such as SQL, CosmosDB, Table Storage...

Are IoT Hub Device Twin properties secure for things like connecting strings?

I am currently thinking about a solution where an IoT device would have more than one possible endpoint to talk to. Like an API for some calls that do not concern telemetry or device twin data.
The connection to the IoT Hub can be secured very well (we will use certificates), and I want to awoid adding a different way of authentication to the architecture.
So my idea right now would be to have a back-end service generate device specific SAS tokens for my APIs, possibly on-demand if requested by the device.
The Cloud-to-device communications guidance mentions configuration data, so it feels like a good way to go. Would it be safe to write these tokens in the desired properties? Would it be safer to use the payload of a cloud-to-device-message? Or should it be done completely differently?
You can create a custom cloud service as a token service that uses an IoT Hub shared access policy with DeviceConnect permissions to create device-scoped tokens.
For more detailed information you can reference "Custom device authentication".

Minimum requirements Azure IoT Hub

Does someone know the bare minimum required for a device to connect to the Azure IoT Hub and to send and receive messages (in terms of memory usage, processing power etc.). Or is this really case-specific?
I couldn't find a conclusive answer on the web. Does someone have experience with this?
Many thanks!
Does someone know the bare minimum required for a device to connect to
the Azure IoT Hub and to send and receive messages (in terms of memory
usage, processing power etc.).
As #juunas pointed out, it is hard to say precisely.
But you can check from the following two aspects(I assume you mean devices that communicate directly with Azure IoT Hub):
Using Azure IoT SDKs, the device needs to be capable of establishing an IP connection, support TLS, have at least 64KB of RAM ...
Using REST api, the device can connect to the Azure IoT Hub and to send and receive messages directly over the Internet from any application that can send an HTTPS request and receive an HTTPS response.
There's nothing like system/set-up requirements for Azure IoT Hub so there's no specific document from Microsoft talking about this topic. Depending on your target application you can pick the device, as all descent embedded devices can act as IoT device for Azure.
You can take a look at Azure Certified IoT device catalogue and find out whether particular device is listed under that.
MS has published 2 Whitepapers on this. You may find this useful
Evaluating Your IOT Security
The right secure hardware for your IoT deployment

Resources