Last-minute reading for Azure IoT Solution (AZ-220) Certification
13 min readMar 3, 2021
using Azure CLI commands
[Q] How Azure IoT hub manages the devices?
Azure IoT hub manages devices using Azure IoT Hub Identity Registry by;
1. Listing IoT device Identities
2. Dictionary with Device ID as the Key
3. And, stores connection credentials[Q] What are the features of the Azure IoT Hub Identity Registry?
1. It can perform CRUD (create, update, delete and read) operations
2. It can manage secrecy using credential store
3. The access mechanism is at the Device level control
4. Import/Export from storage or any other cloud services can be achieved
5. The devices created or updated is notified or updated with help of Lifecycle notifications[Q] What is Azure IoT Hub Device Twin?
1. It's a JSON document stored in cloud against each IoT registered device.
2. Stores Device State, Conditions and Configurations
3. Synchronized between device & Cloud
4. Available in Free/Standard tire only
5. It can be set offline and sync when it's online[Q] What “Desired” and “Reported” functions in Device Twin?
Desired : It help's to pass the properties values from device twin to the IoT edge device. It synchronize sate and configuration between the IoT hub and device. Also, it can be set at the IoT hub and the device can receive change notifications. The IoT hub can read/Write whereas the device can read-only.Reported : It tracks the reported changes in the IoT edge device back to device twin.
[Q] How to decide which IoT hub editions we should go with? or Perform Sizing?
1. If our daily messages per unit per day is <= 400,000 then we should choose to go with Basic/Standard1 tier.
2. If our daily messages per unit per day is <= 6 million then we should choose to go with Basic/Standard2 tier.
3. If our daily messages per unit per day is <= 300 million then we should choose to go with Basic/Standard3 tier.[Q] Calculating the correct Size and Scale for IoT hub tier
Let's say we have the IoT message throughput as
- 1000 IoT devices
- 8640 messages per day per device
- i.e., 8.64 million messages per day
[If daily messages per unit per day is <= 6 million then we should choose to go with Basic/Standard2 tier.]- So, we estimate 2 Units of B2/S2
[Q] Which are Azure IoT Hub communication Protocols?
AMQP (Advanced Message Queueing Protocol)
- Listens on port 5671
- It has multiple device Identities per TLS connections
- Supports Push events from cloud to device
- It's a binary protocol
- it has a large memory footprintMQTT (Message Queueing Telemetry Transport protocol)
- Listens on port 8883
- It has single device Identity per TLS connections
- Supports Push events from cloud to device
- It's a binary protocol
- it has a small memory footprintHTTPS (Hyper Text Transport Secured protocol)
- Listens on port 443
- It has single device Identity per TLS connections
- No Support for Push events(Polling)
- It's a Text protocol
- it has a small memory footprint
[Q] Choosing a communication protocol based on device specifications
1. If the device is "Cloud/Field Gateway" where there is no resource constraints and provides IoT hub access to multiple devices.
--> We should go with AMQP protocol2. If it's a "Constrained device" with low power CPU, low memory like <1Mb and permanent IoT hub connection.
--> We should go with MQTT protocol3. If it's a "Offline Device" with lower power design with limited connectivity and limited CPU & memory with no SDK support.
--> We should go with HTTPS protocol
[Q] How many SDKs we can leverage to build messaging solutions?
1. IoT Hub device SDK
- On device client
- On module client
- Send telemetry
- Receive messages, jobs, twin updates
- Nuget: Microsoft.Azure.Devices.Client 2. IoT Hub Service SDK
- Manage IoT Hub
- Schedule jobs
- Invoke direct methods
- Send desired twin property updates
- NuGet: Microsoft.Azure.Devices3. Provisioning Device SDK
- Communicate with DPS
- Register device
- Received provisioned IoT Hub info
- Nuget: Microsoft.Azure.Device.Provisioning.Client4. Provisioning Service SDK
- Manage DPS enrollments
- Edit and query
- Group and Individual
- Nuget: Microsoft.Azure.Devices.Provisioning.Service
[Q] What are the benefits of Azure IoT Hub SDKs?
1. It's available in reduced cost
2. Comes in Multi-Platform toolset
3. Multiple Languages available in the format
4. Open source platform
5. Follows security best practices
6. Comes in long term support[Q] What are the features of Azure IoT Hub Device SDK?
1. Send Device-to-cloud Messages
2. Receive Cloud-to-device Messages
3. Receive Twin updates,
4. Accept Direct Method Invocations
5. MQTT, AMQP or HTTP[Q] What are the factors to be taken into consideration for Device-to-cloud messaging ?
1. Azure IoT Hub Device SDK
2. Registering a device on the IoT Hub
3. Attestation Mechanism
4. Sending telemetry Messages
5. Data send and messaged are in the binary format
6. IoT Hub routing on message properties[Q] What does the Telemetry Message consist of on device-to-cloud messaging?
The Telemetry Message consist of 3 Important properties1. System Properties
- Message Id
- Device Id &
- Authentication Method2. Application Properties
- Consist of anything set by IoT device firmware. These information are send as JSON info to IoT hub.3. Message Body
- Any information send by the device.
[Q] Which are the 2 ways to achieve Cloud-to-device messaging methods?
1. Message to Device method
- It's a one way notification
- we receive message confirmations
- works very well with single device only
- messages are retained by IoT Hub2. Direct Method
- Required when we have to perform important operations
- Contextual responses are received
- Works with single/multiple devices via jobs
- should opt-in when disconnected devices are not contacted
[Q] What is the sequence of events to be performed while uploading a file from an IoT device to an Azure storage account?
Step-1: Device should connect to IoT Hub by device client connection string
Step-2: Retrieve File upload SAS URI which consist of IoT Hub name, Device-ID and the blob storage name.
Step-3: Then File is uploaded to storage location with file upload URI commands
Step-4: Then Notification is send of completion with Correlation-ID and Success status.[Q] Why use the Device Provisioning Service?
1. Auto-provision of IoT devices is carried out by Zero-touch and just-in-time feature.
2. DPS is highly scalable and can scale upto millions of device.
3. DPS allows to connect multiple IoT Hubs with appropriate allocation policy and cross-region access.
4. DPS allows to set required permissions like Registry read, Registry write & Service connect. [Q] Security area focused on by DPS?
1. Data encrypted at rest with 256-bit AES standards.
2. Attestation methods carried out are symmetric key, X.509 certificate and TPM(Trusted Platform Module)[Q] What is the difference between Disenrollment & Deprovisioning
Disenrollment prevents a device from being provisioned again in the future whereas Deprovisioning disenroll a device and remove it from IoT Hub to prevent it sending data. [Q] Outline Device Provisioning Service Quotas
1. 10 DPS per subscription
2. 100 enrollment groups
3. 1 million enrollments
4. 1 million registrations
5. 200 registrations per minute
6. 50 linked IoT Hubs[Q] Explain the Auto-provisioning sequence of DPS
Step-1: The manufacturer encode the identity and registration URL and send it to device
Step-2: Also, the manufacturer provides the device identity to operator
Step-3: The operator configure and start auto-provisioning the DPS
Step-4: The developer build and deploy registration code on the device.
Step-5: The device register on bootup via DPS URL and ID scope
Step-6: The DPS determine the IoT Hub and register the device
Step-7: Then, the DPS returns IoT Hub endpoint and device ID to device.
Step-8: Last, the device get the device twin state and start sending telemetry[Q] Outline Allocation policies in DPS
1. Evenly weighted policies: It distribute devices evenly across all linked IoT Hubs (default)
2. Lowest Latency: Connects the device to the IoT Hub with the best response time
3. Static Configuration: Connect the device to the IoT Hub that is appointed in the enrollment list
4. Custom Allocation Policy: Use an Azure Function to assign to IoT Hubs. [Q] What are DPS responsibilities?
1. Manage enrollments
2. Apply attestation
3. Execute allocation policy
4. Register devices in IoT Hub
5. Return IoT Hub endpoint[Q] What are IoT Hub's responsibilities?
1. Maintain devices
2. Store device twins
3. Receive device telemetry and events
4. Apply routes and queries
5. Integrate with other services[Q] How can we troubleshoot and verify device telemetry is received by IoT Hub?
Azure Monitor helps us to detect, diagnose, and troubleshoot these issues at scale, using the monitoring capabilities IoT Hub provides through Azure Monitor. This includes setting up alerts to trigger notifications and actions when disconnects occur and configuring logs that we can use to discover the conditions that caused disconnects.Azure Event Grid can be used for critical infrastructure and per-device disconnects, using Azure Event Grid to subscribe to device connect and disconnect events emitted by IoT Hub.
[Q] Possible points of failure for IoT devices.
1. Application logic.
2. Physical networks
3. Protocols
4. Hardware
5. IoT Hub and other cloud services can all cause problems.[Q] How can we monitor and troubleshoot “device connect and disconnect” events?
To monitor and troubleshoot device connect and disconnect events in production environment, azure recommend subscribing to the DeviceConnected and DeviceDisconnected events in Event Grid to trigger alerts and monitor device connection state.Event Grid provides much lower event latency than Azure Monitor, and we can monitor on a per-device basis, rather than for the total number of connected devices.
[Q] What are the limitations for device-connected and device disconnected events in IoT solutions?
To receive device connection state events, a device must do either a 'D2C Send Telemetry' OR a 'C2D Receive Message' operation with Iot Hub. However, note that if a device is using AMQP protocol to connect with Iot Hub, it is recommended that they do a 'C2D Receive Message' operation otherwise their connection state notifications may be delayed by few minutes. If your device is using MQTT protocol, IoT Hub will keep the C2D link open.[Q] How can we validate device twin properties and tags?
A device twin is a JSON document that includes: tags, desired and reported properties.In order to validate and synchronize state information between a device and an IoT hub, we use device twins. A device twin is a JSON document, associated with a specific device, and stored by IoT Hub in the cloud where we can query them. A device twin contains desired properties, reported properties, and tags. A desired property is set by a back-end application and read by a device. A reported property is set by a device and read by a back-end application. A tag is set by a back-end application and is never sent to a device. we use tags to organize our devices.
[Q] How to invoke direct methods from IoT Hub to troubleshoot device communications?
Direct methods are implemented on the device and may require zero or more inputs in the method payload to correctly instantiate. We invoke a direct method through a service-facing URI ({iot hub}/twins/{device id}/methods/). A device receives direct methods through a device-specific MQTT topic ($iothub/methods/POST/{method name}/) or through AMQP links (the IoThub-methodname and IoThub-status application properties).Direct methods are HTTPS-only from the cloud side and MQTT, AMQP, MQTT over WebSockets, or AMQP over WebSockets from the device side.
[Q] Explain basics of IoT Edge
IoT Edge: Azure IoT Edge moves cloud analytics and custom business logic to devices.Benefits of IoT Edge;
- Quick response (Run anomaly detection workloads at the edge)
- Save bandwidth (Clean and aggregate the data locally then send the insights to the cloud for analysis)To qualify as an IoT Edge device, your device should support installing Linux or Windows containers.Provision an Azure IoT Edge Device;
- Create a device identity in IoT Hub
- Install the IoT edge runtime on our device(or virtual device)
- Deploy containerized modules to the device
[Q] IoT Edge runtime on IoT devices.
- The Moby engine is the only container engine officially supported with Azure IoT Edge
- Docker container images are compatible with the Moby runtime.[Q] List the components of IoT Edge Runtime
1. Edge Security Daemon: Provides and maintains security standards on the IoT Edge device
2. IoT Edge Agent: Instantiating modules, ensuring they continue to run , and reporting the status to IoT Hub
3. IoT Edge Hub: A local proxy for IoT Hub, also enables other modules to communicate.[Q] What are IoT Edge responsibilities?
1. Installs and updates workloads on the device.
2. Maintain IoT edge security standards on the device
3. Ensures that IoT Edge modules are always running
4. Reports module health to the cloud for remote monitoring.
5. Manage communications between Edge modules, and from modules to the cloud.[Q] What are Azure IoT Edge modules?
- Units of execution, implemented as Docker compatible containers
- They run our business logic at the edge
- Azure services, such as Azure Stream analytics, also custom code.[Q] What is Module Twins?
- Like device twins, module twins are JSON documents that store module state information including metadata, configurations, and conditions.[Q] What is Deployment Manifest?
1. It tells an IoT edge device(or a group of devices) which modules to install and how to configure them
2. Is a list of "module twins" (JSON documents) that are configured with their desired properties.
3. Using the deployment manifest to load your modules into your edge device[Q] What are IoT Edge Route and list the 3 important parameters?
- Declares how the message are passed from an IoT Edge device to the cloud or between multiple local modules. we can have multiple routes within the same device.- The three important parameters are;
1. Source: where the messages are coming from. could be edge modules or leaf devices.
2. Condition: only allow specific messages which match your condition(optional)
3. Sink: Where the messages are sent to. Only modules and IoT Hub can receive messages.
[Q] Sample IoT edge route…
FROM /messages/*
WHERE NOT IS_DEFINED($connectionModuleId)
INTO $upstream[Q] What are constrained devices and how we can deploy modules on it ?
Constrained Devices are devices with low storage, processing power or memory.
In order to deploy modules;
- Configure IoT edge hub to use less disk space. These configurations do limit the performance.
- Iot Edge Hub is optimized for performance by default, this results in consuming lots of memory. this can cause stability problems on smaller devices like the Rasberry Pi
- Set the optimizeForPerformance environment variable to false on the IoT Edge Hub.
- By disabling unused protocols on your device(MQTT, AMQP, and HTTPS)
- Reducing local storage time for messages
- Do not use the debug versions of the edge modules.[Q] What is the DPS device attestation?
- It is the method used for confirming a device's identity.
- 3 attestation methods
(1) Symmetric Key
(2) X.509 certificates
(3) TPMNote: TPM 2.0 is required when using TPM attestation with DPS and can only be used to create individual, not group, enrollments.
[Q] IoT Edge Automatic Deployment workflow
1. Specify which modules should be installed on which target devices (deployment manifest)
2. IoT Hub communicates with all the targeted devices and configures them with the declared modules
3. IoT Hub retrieves status from the IoT edge devices and makes them available for you.
4. This deployment will be automatically apply to new IoT Edge devices that meet the targeting conditions[Q] Automatic deployment Device Pre-requisites?
1. The base operating system (windows or Linux)
2. A container management system (Docker or Moby)
3. IoT edge runtime should be already Initialized[Q ] Properties should be defined in Module Configuration Metadata
1. Version
2. Type
3. Restart Policy
4. Image & container registry
5. Status
6. Routes for data Input and output[Q] How can we secure IoT Edge devices?
IoT Edge security manager is a security core for protecting the IoT Edge device and all its components.It basically works on 3 important parameters;
1. IoT edge security daemon
2. Optional but highly recommended hardware silicon root of trust or HSM
3. Hardware security module platform abstraction layer (HSM PAL)
[Q]
- Login to Azure with an authenticated account and Get & Select subscriptions that the current account can access.
az loginaz account show --output tableaz account set --subscription "<My subscription name>"
2. Create a new resource group in the Central India region.
az group create -l centralindia -n AZ220RG3. Create a Private DNS zone using a fully qualified domain name.
az network private-dns zone create -g AZ220RG -n www.cloudboydemo.com4. Create a virtual network with a specific address prefix and one subnet.
az network vnet create -g AZ220RG -n CBVNET --address-prefix 10.0.0.0/16 --subnet-name IOTSubnet01 --subnet-prefix 10.0.0.0/245. Create an IoT Hub with the free pricing tier F1, in the region of the resource group with public endpoint integration
az iot hub create --resource-group AZ220RG --name cb01IotHub --sku F1 --partition-count 26. Register device identities in IoT Hub
az iot hub device-identity create --hub-name cb02IotHub --device-id 004cbiotdevice7. Showing device twin then update desired properties and query against device twins
az iot hub device-twin show --hub-name "cb02IotHub" --device-id "004cbiotdevice"#passing the desired properties
az iot hub device-twin update --hub-name "cb02IotHub" --device-id "004cbiotdevice" --desired '{"tempLevel":18}'#Running query to fetch IoT device details
az iot hub query --hub-name "cb02IotHub" --query-command "select * from devices"
az iot hub query --hub-name "cb02IotHub" --query-command "select * from devices where properties.desired.tempLevel > 10"
8. How we can Monitor events happening on the IoT hub ?
az iot hub monitor-events -name "cb02IotHub"az iot hub monitor-events -name "cb02IotHub" -content-type application/jsonaz iot hub monitor-events -name "cb02IotHub" -content-type application/json --props all
9. Create a Device Provisioning Service & Delete a Device Provisioning Service
az iot dps create --resource-group AZ220RG --name cbdps01 --location southeastasia--unit 2az iot dps delete --resource-group AZ220RG -name cbdps01
10. Add a Linked IoT Hub to DPS service
az iot dps linked-iot-hub create --resource-group AZ220RG --dps-name cbdps01 --location centralindia --conection-string "Hostname=..."11. List all DPS and linked IoT Hubs
az iot dps list --resource-group AZ220RGaz iot dps linked-hub list --reosurce-group AZ220RG --dps-name cbdps01
12. Create Log Analytics Workspace
az monitor log-analytics workspace create --resource-group AZ220RG --workspace-name cblaw01 --location centralindia13. Create a Device Identity in IoT Hub
az iot hub device-identity create --device-id Edgedevice02 --edge-enabled --hub-name cb01IotHubFor more details;
- Please view this tutorial on youtube.
2. Recommended architecture for IoT applications on Azure;
3. Learn from Pluralsight;
