
Design 40: IoT Edge (Internet of Things)

Summary

This design implements Azure IoT Hub to manage millions of devices.

Topology: IoT Hub is a PaaS service that lives outside any VNet; its Private Endpoint (and the privatelink DNS zone that resolves to it) sit in the Spoke VNet. Devices connect over the Internet to the public endpoint, or, when they sit on a network joined by VPN/ExpressRoute, over the Private Endpoint. Backend services in the spoke always use the Private Endpoint.

1. Key Design Decisions (ADR)

ADR-01: Connectivity

  • Decision: Public + Private.
  • Rationale: Real-world devices (sensors) are on the internet and reach the public endpoint. Backend services (Stream Analytics) are in Azure and should use Private Link. Where device egress IPs are known, narrow the public endpoint with IoT Hub IP filter rules (Networking -> Public access -> Selected IP ranges) rather than leaving it open to every source.

ADR-02: Protocol

  • Decision: MQTT.
  • Rationale: Lightweight, standard for IoT. IoT Hub accepts MQTT 3.1.1 only over TLS (TCP 8883, or MQTT over WebSockets on 443 where 8883 is blocked outbound); there is no plaintext 1883 listener, so device transport is encrypted by construction.

2. High-Level Design (HLD)

+--------------+           +---------------------------------+           +--------------+
|  IoT Device  |           |            HUB VNet             |           |  SPOKE VNet  |
|  (Sensor)    |           |          (DNS Resolver)         |           |  (Processor) |
+------+-------+           +----------------+----------------+           +------+-------+
       |                                    |                                   |
       v (MQTT)                             | (Peering)                         |
+------+-------+                            v                                   v
|  IoT Hub     |           +----------------+----------------+           +------+-------+
|  (Gateway)   |---------->| Private DNS Zone                |<----------|  Stream      |
+--------------+           | (privatelink.azure-devices.net) |           |  Analytics   |
                           +---------------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-iot-spoke (10.1.0.0/16)                              |
|   +-----------------------+       +-----------------------+           |
|   | Subnet: Stream        |       | Subnet: PrivateLink   |           |
|   | [Stream Analytics]    |------>| [Private Endpoint]    |           |
|   |                       |       | (10.1.1.5)            |           |
|   +-----------------------+       +-----------|-----------+           |
+-----------------------------------------------|-----------------------+
                                                |
                                                v
                                    +-----------------------+
                                    | IoT Hub               |
                                    | (PaaS)                |
                                    +-----------------------+

                                      |
                                      | (Failover)
                                      v

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet                                                         |
|   +-----------------------+                                           |
|   | IoT Hub (DR)          |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • IoT Hub: Bi-directional communication: device-to-cloud telemetry plus cloud-to-device messages, direct methods and device twins.
  • Stream Analytics: Real-time processing (e.g., "Temp > 100? Alert!").

5. Strategy: High Availability (HA)

  • SLA: 99.9%.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Manual Failover.
  • Process:

* IoT Hub supports cross-region failover to the Azure paired region (East US -> West US); the platform keeps the secondary copy, there is no second hub to deploy yourself.

* Initiate failover in Portal (IoT Hub -> Failover). The platform RTO is measured in minutes to hours, so rehearse it on a non-production hub and record the observed time.

* Devices reconnect to the same hostname: the hub's DNS name is repointed to the West US deployment, so no device configuration changes, but devices must retry the connection with backoff until the failover completes.

* Failover is not loss-free: telemetry that was in flight or still unread in the hub when failover started is not guaranteed to be delivered, so downstream consumers must tolerate gaps and duplicates.

7. Strategy: Backup

  • N/A for telemetry: IoT Hub is a transient stream (messages on the built-in endpoint are retained for days at most), so durable data must be routed to a Data Lake / storage account. The device identity registry is the one piece of hub state worth backing up: run the IoT Hub export-devices job to a storage container on a schedule so identities and keys can be re-imported into a rebuilt hub.

8. Strategy: Security

  • Auth: X.509 certificates (preferred: per-device certificates chained to a CA registered with the hub, so the private key never leaves the device) or SAS tokens derived from a per-device symmetric key. Never hand hub-level shared access policy keys (e.g. iothubowner) to devices; a device gets only its own identity's credential, and a leaked credential is revoked by disabling or deleting that one identity.
  • Defender for IoT: monitors device and hub activity for anomalous behaviour (e.g. bursts of failed authentications, unexpected connection patterns) and raises alerts; it complements per-device authentication, it does not replace it.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Medium. Pay per message.
  • Operational Excellence: High.
  • Performance Efficiency: High.

10. Detailed Traffic Flow

1. Device: Sends MQTT message {"temp": 105}.

2. IoT Hub: Acknowledges receipt.

3. Route: Routes message to "Hot Path" (Stream Analytics).

4. Process: Stream Analytics sees value > 100.

5. Action: Writes alert to SQL DB.
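The hot-path rule from steps 3 to 5, as an added example that is not the page's Stream Analytics job: it runs the same "temp > 100" decision in plain Python over constructed telemetry so the edge cases a real job has to handle are visible (malformed JSON, a missing or non-numeric temp, the boundary value, and a device that stays hot, which should produce one alert on the crossing rather than one per sample). The Stream Analytics query in the module docstring is the equivalent rule and assumes an input alias of iothub and an output alias of alerts; both names are assumptions.

```python
"""Hot-path alert rule: alert when a device's temp crosses above 100.

Added example, not the page's Stream Analytics job.  Equivalent Stream
Analytics query (input alias 'iothub' and output alias 'alerts' are assumed):

    SELECT IoTHub.ConnectionDeviceId AS deviceId, temp,
           EventEnqueuedUtcTime AS alertTime
    INTO alerts
    FROM iothub TIMESTAMP BY EventEnqueuedUtcTime
    WHERE temp > 100
"""
import json

THRESHOLD = 100.0

# Constructed telemetry: (deviceId from the hub's system properties, raw payload).
SAMPLE_TELEMETRY = [
    ("sensor-01", '{"temp": 98.6}'),
    ("sensor-01", '{"temp": 105}'),            # crosses: alert
    ("sensor-01", '{"temp": 107}'),            # still hot: no second alert
    ("sensor-02", '{"temperature": 120}'),     # wrong key: rejected, not alerted
    ("sensor-02", '{"temp": "hot"}'),          # non-numeric: rejected
    ("sensor-03", 'not json at all'),          # malformed: rejected
    ("sensor-01", '{"temp": 90}'),             # recovered
    ("sensor-01", '{"temp": 101}'),            # crosses again: alert
    ("sensor-02", '{"temp": 100}'),            # boundary: 100 is not > 100
]


def parse_temp(payload: str):
    """Return temp as float, or None when the payload cannot be trusted."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    value = doc.get("temp")
    # bool is a subclass of int in Python; {"temp": true} must not become 1.0
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return float(value)


def hot_path(telemetry, threshold=THRESHOLD):
    """Return (alerts, rejected).

    alerts: one entry per device each time its temp goes from <= threshold
    to > threshold.  rejected: (seq, deviceId, payload) for unparseable input,
    which a real pipeline would route to a dead-letter/cold path, not drop.
    """
    alerts, rejected = [], []
    hot = {}  # deviceId -> was the last valid sample above threshold?
    for seq, (device_id, payload) in enumerate(telemetry):
        temp = parse_temp(payload)
        if temp is None:
            rejected.append((seq, device_id, payload))
            continue
        above = temp > threshold
        if above and not hot.get(device_id, False):
            alerts.append({"seq": seq, "deviceId": device_id, "temp": temp})
        hot[device_id] = above
    return alerts, rejected


if __name__ == "__main__":
    found, bad = hot_path(SAMPLE_TELEMETRY)
    for a in found:
        print("ALERT", a)
    for r in bad:
        print("REJECTED", r)
```

The per-device `hot` state is what turns a filter into an alert: without it, every sample above 100 writes another row to the SQL DB. In Stream Analytics the same suppression is expressed with a window or LAG() over the device's previous reading; the plain WHERE clause above alerts on every sample.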

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create IoT Hub

1. Search: "IoT Hub" -> + Create.

2. Resource Group: rg-iot-spoke.

3. IoT Hub Name: iothub-corp-[uniqueid].

4. Region: East US.

5. Tier: S1: Standard (Required for Private Link).

6. Daily message limit: 400,000 (Default).

7. Create.

Phase 2: Register a Device

1. Go to the IoT Hub -> Devices (Left Menu).

2. + Add Device.

3. Device ID: sensor-01.

4. Authentication type: Symmetric Key (used here so the Cloud Shell simulation works; for production devices register an X.509 CA Signed or X.509 Self-Signed identity instead, per section 8).

5. Save.

6. Click on sensor-01.

7. Copy the Primary Connection String. It embeds the device's primary key: treat it as a secret, keep it out of shell history and tickets, and if it leaks switch the device to the secondary key and regenerate the primary.

Phase 3: Simulate Device (Cloud Shell)

1. Open Cloud Shell (Bash).

2. Install extension: az extension add --name azure-iot.

3. Run simulation:

* az iot device simulate -d sensor-01 -n iothub-corp-[uniqueid]

4. Output: the extension logs each message as it is sent. Pass --data '{"temp": 105}' (with --msg-count and --msg-interval as needed) to send the payload the traffic-flow section expects instead of the extension's default payload.

5. Keep this running.

Phase 4: Secure with Private Link

1. Go to IoT Hub -> Networking.

2. Public network access: Select Disabled (or Selected networks if you want to keep Cloud Shell working).

* *Note: If you Disable, the Cloud Shell simulation will fail unless Cloud Shell is VNet integrated.*

3. Private endpoint connections -> + Private endpoint.

4. Name: pe-iothub.

5. Resource Group: rg-iot-spoke.

6. Target sub-resource: iotHub.

7. Virtual Network: vnet-iot-spoke.

8. Subnet: snet-privatelink.

9. Integrate with private DNS zone: Yes.

* Zone: privatelink.azure-devices.net.

10. Create.

Phase 5: Verify Private Access

1. Login to a VM in the Spoke VNet.

2. Nslookup: nslookup iothub-corp-[uniqueid].azure-devices.net.

* Result: 10.1.x.x (Private IP).

3. Run Simulation: run a python script or the az iot command from *inside* the VM. The TLS connection to port 8883 now terminates on the private endpoint (10.1.x.x). As a negative check, repeat the nslookup from a machine outside the VNet: it returns the hub's public IP, and with public network access set to Disabled a connection attempt from there is rejected by the hub.
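What the "python script" above (and the az simulator in Phase 3) does under the hood with the Symmetric Key identity from Phase 2, as an added example that is not code from the page, the azure-iot extension or the Azure device SDK: it parses the copied connection string, mints the per-device SAS token that section 8 describes (HMAC-SHA256 over the URL-encoded resource URI and expiry, signed with the device's key), assembles the MQTT connect parameters IoT Hub expects, and includes the hub-side check so a tampered or expired token can be seen failing. Standard library only. The hub name iothub-corp-example, the device sensor-01 and the base64 key are constructed placeholders; the api-version value is the one Microsoft documents for direct MQTT access.

```python
"""SAS-token auth for a symmetric-key device over MQTT, as IoT Hub does it.

Added example (Python standard library only), not code from the page, the
az azure-iot extension or the Azure device SDK.  Hub name, device id and key
below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

API_VERSION = "2021-04-12"  # api-version documented for direct MQTT access

# Constructed device key: base64 of the bytes 0x00..0x1f, never a real secret.
EXAMPLE_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
# Shape of the 'Primary Connection String' copied from the portal in Phase 2.
EXAMPLE_CONNECTION_STRING = (
    "HostName=iothub-corp-example.azure-devices.net;"
    "DeviceId=sensor-01;"
    f"SharedAccessKey={EXAMPLE_KEY}"
)


def parse_connection_string(cs: str) -> dict:
    """Split 'HostName=...;DeviceId=...;SharedAccessKey=...' into a dict."""
    parts = {}
    for field in cs.strip().split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")  # first '=' only: keeps base64 padding
        if not sep:
            raise ValueError(f"malformed connection-string field: {field!r}")
        parts[key] = value
    for required in ("HostName", "DeviceId", "SharedAccessKey"):
        if required not in parts:
            raise ValueError(f"connection string lacks {required}")
    return parts


def _signature(resource_uri: str, key_b64: str, expiry: int) -> str:
    """base64(HMAC-SHA256(base64decode(key), urlencode(uri) + '\\n' + expiry))."""
    to_sign = f"{quote(resource_uri, safe='')}\n{expiry}".encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int,
                       policy_name: str = "") -> str:
    """Device side: token for resource_uri valid until expiry (epoch seconds).

    skn is only present for hub-level shared access policies; a token signed
    with the device's own key omits it.
    """
    token = ("SharedAccessSignature "
             f"sr={quote(resource_uri, safe='')}"
             f"&sig={quote(_signature(resource_uri, key_b64, expiry), safe='')}"
             f"&se={expiry}")
    if policy_name:
        token += f"&skn={policy_name}"
    return token


def verify_sas_token(token: str, key_b64: str, now: int) -> bool:
    """Hub side: well-formed, not expired, signature matches (constant time)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):], keep_blank_values=True)
    try:
        resource_uri = fields["sr"][0]   # parse_qs percent-decodes for us
        presented_sig = fields["sig"][0]
        expiry = int(fields["se"][0])
    except (KeyError, ValueError, IndexError):
        return False
    if expiry <= now:
        return False
    return hmac.compare_digest(presented_sig, _signature(resource_uri, key_b64, expiry))


def mqtt_connect_params(cs: str, now: int, ttl_seconds: int = 3600) -> dict:
    """Everything an MQTT client needs to connect as this device to IoT Hub."""
    p = parse_connection_string(cs)
    host, device_id = p["HostName"], p["DeviceId"]
    expiry = now + ttl_seconds
    return {
        "host": host,
        "port": 8883,  # TLS only; IoT Hub has no plaintext 1883 listener
        "client_id": device_id,
        "username": f"{host}/{device_id}/?api-version={API_VERSION}",
        "password": generate_sas_token(f"{host}/devices/{device_id}",
                                       p["SharedAccessKey"], expiry),
        "telemetry_topic": f"devices/{device_id}/messages/events/",
        "expires_at": expiry,  # renew the token and reconnect before this
    }


if __name__ == "__main__":
    now = int(time.time())
    params = mqtt_connect_params(EXAMPLE_CONNECTION_STRING, now)
    for k, v in params.items():
        print(f"{k:16} {v}")
    other_key = base64.b64encode(b"x" * 32).decode("ascii")
    print("device key verifies:", verify_sas_token(params["password"], EXAMPLE_KEY, now))
    print("other key verifies: ", verify_sas_token(params["password"], other_key, now))
```

Feed the returned host, port, client_id, username and password to any MQTT 3.1.1 client with TLS enabled (for example paho-mqtt) and publish to telemetry_topic; run from the spoke VM, the host name resolves to the 10.1.x.x private endpoint and nothing else changes. The token is scoped to one device (the sr value names the device path) and expires at expires_at, which is why a leaked device credential can be contained by disabling that single identity, whereas a hub-level policy key in the skn form would not be.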