Last-minute reading for Azure IoT Solution (AZ-220) Certification

Azure IoT Hub manages devices through the IoT Hub Identity Registry, which:
1. Lists the IoT device identities
2. Is a dictionary keyed by Device ID
3. Stores the connection credentials
1. It can perform CRUD (create, read, update and delete) operations on device identities
2. It keeps device secrets in a credential store
3. Access control is applied at the individual device level
4. Identities can be imported from or exported to storage or other cloud services
5. Device creation and update events are surfaced through lifecycle notifications
1. It's a JSON document stored in the cloud for each registered IoT device.
2. Stores device state, conditions and configuration
3. Synchronized between the device and the cloud
4. Available in the Free/Standard tiers only
5. The device can be offline; the twin is synchronized when it comes back online
Desired: Passes property values from the device twin down to the IoT Edge device. It synchronizes state and configuration between the IoT hub and the device. Desired properties are set at the IoT hub and the device receives change notifications. The IoT hub can read/write them, whereas the device can only read them.
Reported: Tracks the changes reported by the IoT Edge device back to the device twin.
1. If our traffic is <= 400,000 messages per unit per day, choose the Basic/Standard 1 (B1/S1) tier.
2. If our traffic is <= 6 million messages per unit per day, choose the Basic/Standard 2 (B2/S2) tier.
3. If our traffic is <= 300 million messages per unit per day, choose the Basic/Standard 3 (B3/S3) tier.
Let's say we have the IoT message throughput as
- 1000 IoT devices
- 8640 messages per day per device
- i.e., 8.64 million messages per day
[If daily messages per unit per day is <= 6 million then we should choose to go with Basic/Standard2 tier.]
- So, we estimate 2 Units of B2/S2
AMQP (Advanced Message Queueing Protocol)
- Listens on port 5671
- Multiplexes multiple device identities over one TLS connection
- Supports push events from cloud to device
- It's a binary protocol
- It has a large memory footprint
MQTT (Message Queueing Telemetry Transport protocol)
- Listens on port 8883
- One device identity per TLS connection
- Supports push events from cloud to device
- It's a binary protocol
- It has a small memory footprint
HTTPS (Hyper Text Transfer Protocol Secure)
- Listens on port 443
- One device identity per TLS connection
- No support for push events (the device must poll)
- It's a text protocol
- It has a small memory footprint
1. If the device is a "Cloud/Field Gateway" with no resource constraints that provides IoT Hub access to multiple devices:
--> We should go with the AMQP protocol
2. If it's a "Constrained device" with a low-power CPU, low memory (<1 MB) and a permanent IoT Hub connection:
--> We should go with the MQTT protocol
3. If it's an "Offline Device" with a low-power design, limited connectivity, limited CPU and memory, and no SDK support:
--> We should go with the HTTPS protocol
1. IoT Hub Device SDK
- On the device client
- On the module client
- Send telemetry
- Receive messages, jobs, twin updates
- NuGet: Microsoft.Azure.Devices.Client
2. IoT Hub Service SDK
- Manage IoT Hub
- Schedule jobs
- Invoke direct methods
- Send desired twin property updates
- NuGet: Microsoft.Azure.Devices
3. Provisioning Device SDK
- Communicate with DPS
- Register the device
- Receive the provisioned IoT Hub information
- NuGet: Microsoft.Azure.Devices.Provisioning.Client
4. Provisioning Service SDK
- Manage DPS enrollments
- Edit and query enrollments
- Group and individual enrollments
- NuGet: Microsoft.Azure.Devices.Provisioning.Service
1. Available at reduced cost
2. Comes with a multi-platform toolset
3. Available in multiple languages
4. Open source
5. Follows security best practices
6. Comes with long-term support
1. Send Device-to-cloud Messages
2. Receive Cloud-to-device Messages
3. Receive twin updates
4. Accept Direct Method Invocations
1. Azure IoT Hub Device SDK
2. Registering a device on the IoT Hub
3. Attestation Mechanism
4. Sending telemetry Messages
5. Data and messages are sent in binary format
6. IoT Hub routing on message properties
The telemetry message consists of 3 important parts:
1. System Properties
- Message ID
- Device ID
- Authentication method
2. Application Properties
- Anything set by the IoT device firmware. This information is sent to IoT Hub as JSON.
3. Message Body
- Any information sent by the device.
1. Cloud-to-device message
- It's a one-way notification
- We receive message confirmations
- Works well with a single device only
- Messages are retained by IoT Hub
2. Direct method
- Required when important operations must be performed
- Contextual responses are received
- Works with single or multiple devices via jobs
- Suitable only when disconnected devices do not need to be contacted
Step-1: The device connects to IoT Hub using the device client connection string.
Step-2: It retrieves a file upload SAS URI, which consists of the IoT Hub name, the device ID and the blob storage name.
Step-3: The file is then uploaded to the storage location using the file upload URI.
Step-4: A completion notification is then sent with the correlation ID and the success status.
1. Auto-provisioning of IoT devices is carried out with the zero-touch, just-in-time feature.
2. DPS is highly scalable and can scale up to millions of devices.
3. DPS allows connecting multiple IoT Hubs with an appropriate allocation policy and cross-region access.
4. DPS allows setting the required permissions, such as Registry read, Registry write and Service connect.
1. Data is encrypted at rest with 256-bit AES.
2. The attestation methods are symmetric key, X.509 certificate and TPM (Trusted Platform Module).
Disenrollment prevents a device from being provisioned again in the future, whereas deprovisioning disenrolls a device and removes it from IoT Hub to stop it from sending data.
1. 10 DPS per subscription
2. 100 enrollment groups
3. 1 million enrollments
4. 1 million registrations
5. 200 registrations per minute
6. 50 linked IoT Hubs
Step-1: The manufacturer encodes the identity and registration URL and sends them to the device.
Step-2: The manufacturer also provides the device identity to the operator.
Step-3: The operator configures DPS and starts auto-provisioning.
Step-4: The developer builds and deploys the registration code on the device.
Step-5: The device registers on boot-up via the DPS URL and ID scope.
Step-6: DPS determines the IoT Hub and registers the device.
Step-7: DPS then returns the IoT Hub endpoint and device ID to the device.
Step-8: Finally, the device gets the device twin state and starts sending telemetry.
1. Evenly weighted distribution: Distributes devices evenly across all linked IoT Hubs (default)
2. Lowest latency: Connects the device to the IoT Hub with the best response time
3. Static configuration: Connects the device to the IoT Hub specified in the enrollment entry
4. Custom allocation policy: Uses an Azure Function to assign devices to IoT Hubs
1. Manage enrollments
2. Apply attestation
3. Execute allocation policy
4. Register devices in IoT Hub
5. Return IoT Hub endpoint
1. Maintain devices
2. Store device twins
3. Receive device telemetry and events
4. Apply routes and queries
5. Integrate with other services
Azure Monitor helps us to detect, diagnose, and troubleshoot these issues at scale, using the monitoring capabilities IoT Hub provides through Azure Monitor. This includes setting up alerts to trigger notifications and actions when disconnects occur and configuring logs that we can use to discover the conditions that caused disconnects.
Azure Event Grid can be used for critical infrastructure and per-device disconnects, by subscribing to the device connect and disconnect events emitted by IoT Hub.
1. Application logic
2. Physical networks
3. Protocols
4. Hardware
5. IoT Hub and other cloud services
Any of these can cause device disconnects.
To monitor and troubleshoot device connect and disconnect events in a production environment, Azure recommends subscribing to the DeviceConnected and DeviceDisconnected events in Event Grid to trigger alerts and monitor device connection state.
Event Grid provides much lower event latency than Azure Monitor, and we can monitor on a per-device basis rather than only the total number of connected devices.
To receive device connection state events, a device must perform either a 'D2C Send Telemetry' or a 'C2D Receive Message' operation with IoT Hub. However, note that if a device uses the AMQP protocol to connect to IoT Hub, it is recommended that it performs a 'C2D Receive Message' operation, otherwise its connection state notifications may be delayed by a few minutes. If your device uses the MQTT protocol, IoT Hub will keep the C2D link open.
A device twin is a JSON document that includes tags, desired properties and reported properties.
In order to validate and synchronize state information between a device and an IoT hub, we use device twins. A device twin is a JSON document associated with a specific device, stored by IoT Hub in the cloud where we can query it. A device twin contains desired properties, reported properties, and tags. A desired property is set by a back-end application and read by a device. A reported property is set by a device and read by a back-end application. A tag is set by a back-end application and is never sent to a device. We use tags to organize our devices.
Direct methods are implemented on the device and may require zero or more inputs in the method payload to execute correctly. We invoke a direct method through a service-facing URI ({iot hub}/twins/{device id}/methods/). A device receives direct methods through a device-specific MQTT topic ($iothub/methods/POST/{method name}/) or through AMQP links (the IoThub-methodname and IoThub-status application properties).
Direct methods are HTTPS-only from the cloud side and MQTT, AMQP, MQTT over WebSockets, or AMQP over WebSockets from the device side.
IoT Edge: Azure IoT Edge moves cloud analytics and custom business logic to devices.
Benefits of IoT Edge:
- Quick response (run anomaly detection workloads at the edge)
- Save bandwidth (clean and aggregate the data locally, then send the insights to the cloud for analysis)
To qualify as an IoT Edge device, your device should support installing Linux or Windows containers.
Provision an Azure IoT Edge device:
- Create a device identity in IoT Hub
- Install the IoT edge runtime on our device(or virtual device)
- Deploy containerized modules to the device
- The Moby engine is the only container engine officially supported with Azure IoT Edge
- Docker container images are compatible with the Moby runtime.
1. Edge Security Daemon: Provides and maintains security standards on the IoT Edge device
2. IoT Edge Agent: Instantiates modules, ensures they continue to run, and reports their status to IoT Hub
3. IoT Edge Hub: A local proxy for IoT Hub, also enables other modules to communicate.
1. Installs and updates workloads on the device.
2. Maintain IoT edge security standards on the device
3. Ensures that IoT Edge modules are always running
4. Reports module health to the cloud for remote monitoring.
5. Manage communications between Edge modules, and from modules to the cloud.
- Units of execution, implemented as Docker compatible containers
- They run our business logic at the edge
- Azure services, such as Azure Stream analytics, also custom code.
- Like device twins, module twins are JSON documents that store module state information including metadata, configurations, and conditions.
1. It tells an IoT edge device(or a group of devices) which modules to install and how to configure them
2. Is a list of "module twins" (JSON documents) that are configured with their desired properties.
3. Using the deployment manifest to load your modules into your edge device
- Declares how messages are passed from an IoT Edge device to the cloud or between multiple local modules. We can have multiple routes within the same device.
- The three important parameters are:
1. Source: where the messages are coming from. could be edge modules or leaf devices.
2. Condition: only allow specific messages which match your condition(optional)
3. Sink: Where the messages are sent to. Only modules and IoT Hub can receive messages.
FROM /messages/*
WHERE NOT IS_DEFINED($connectionModuleId)
INTO $upstream
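The route above sends leaf-device messages upstream while holding back module output (edgeHub stamps $connectionModuleId on messages from modules, so NOT IS_DEFINED selects everything else). As an added example, not code from the original post, here is a small Python evaluator for that route grammar (FROM source, optional WHERE [NOT] IS_DEFINED($systemProperty), INTO sink) run over constructed messages; the source paths and property values are constructed samples, and the condition language is limited to the IS_DEFINED form shown on the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Message:
    """Telemetry as the page describes it: system properties, application
    properties and an opaque body. 'source' is the edgeHub input path
    (constructed sample values below)."""
    source: str
    system: dict
    app: dict = field(default_factory=dict)
    body: bytes = b""

@dataclass
class Route:
    source: str
    condition: Optional[str]
    sink: str

_ROUTE = re.compile(r"^FROM\s+(\S+)(?:\s+WHERE\s+(.+?))?\s+INTO\s+(\S+)$", re.I)
_COND = re.compile(r"^(NOT\s+)?IS_DEFINED\(\$(\w+)\)$", re.I)

def parse_route(text: str) -> Route:
    m = _ROUTE.match(" ".join(text.split()))  # collapse whitespace, then parse
    if not m:
        raise ValueError(f"unsupported route syntax: {text!r}")
    return Route(m.group(1), m.group(2), m.group(3))

def _source_matches(pattern: str, path: str) -> bool:
    # A trailing '*' is a prefix wildcard; otherwise the path must match exactly.
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern

def _condition_holds(cond: Optional[str], msg: Message) -> bool:
    if cond is None:
        return True  # no WHERE clause: every message from the source matches
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition (only [NOT] IS_DEFINED($prop)): {cond!r}")
    defined = m.group(2) in msg.system  # IS_DEFINED checks system properties
    return not defined if m.group(1) else defined

def route_message(routes: List[Route], msg: Message) -> List[str]:
    """Return every sink the message is delivered to (a message may match several routes)."""
    return [r.sink for r in routes
            if _source_matches(r.source, msg.source) and _condition_holds(r.condition, msg)]

# Constructed sample routes and messages (not from a real deployment).
ROUTES = [parse_route("FROM /messages/* WHERE NOT IS_DEFINED($connectionModuleId) INTO $upstream"),
          parse_route("FROM /messages/modules/filter/outputs/alerts INTO $upstream")]
LEAF = Message("/messages/events", {"messageId": "m1", "deviceId": "sensor-01"})
MODULE_ALERT = Message("/messages/modules/filter/outputs/alerts",
                       {"messageId": "m2", "deviceId": "edge-01", "connectionModuleId": "filter"})
MODULE_DEBUG = Message("/messages/modules/filter/outputs/debug",
                       {"messageId": "m3", "deviceId": "edge-01", "connectionModuleId": "filter"})
```

Only the leaf-device message and the module's alerts output reach $upstream; the module's debug output matches no route and stays on the device.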
Constrained devices are devices with low storage, processing power or memory.
In order to deploy modules:
- Configure IoT Edge Hub to use less disk space. These configurations do limit performance.
- IoT Edge Hub is optimized for performance by default, which consumes a lot of memory. This can cause stability problems on smaller devices like the Raspberry Pi.
- Set the optimizeForPerformance environment variable to false on the IoT Edge Hub.
- Disable unused protocols on your device (MQTT, AMQP, and HTTPS).
- Reduce the local storage time for messages.
- Do not use the debug versions of the edge modules.
- It is the method used for confirming a device's identity.
- 3 attestation methods
(1) Symmetric Key
(2) X.509 certificates
(3) TPM
Note: TPM 2.0 is required when using TPM attestation with DPS and can only be used to create individual, not group, enrollments.
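For the symmetric-key attestation named here and in the DPS security notes above, the practitioner-relevant detail is that a group enrollment never hands the group key to devices: each device gets a key derived from its registration ID, and it proves possession of that key with a short-lived SAS token. The following is an added example (not the author's or Microsoft's code) in Python using only the standard library; the enrollment-group key and ID scope are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample enrollment-group key (32 bytes, base64) and placeholder ID scope.
GROUP_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
ID_SCOPE = "0ne00EXAMPLE"  # placeholder, not a real DPS ID scope

def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Per-device key for a symmetric-key group enrollment: HMAC-SHA256 of the
    registration ID under the decoded group key. The group key stays with the operator;
    compromising one device exposes only that device's derived key."""
    mac = hmac.new(base64.b64decode(group_key_b64), registration_id.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def _sign(key_b64: str, resource_uri: str, expiry: int) -> str:
    # The signed string is the URL-encoded resource URI, a newline, and the expiry.
    to_sign = f"{urllib.parse.quote(resource_uri, safe='')}\n{expiry}"
    sig = hmac.new(base64.b64decode(key_b64), to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(sig).decode()

def build_sas_token(id_scope: str, registration_id: str, device_key_b64: str, expiry: int) -> str:
    """Registration token: resource is <idScope>/registrations/<registrationId>,
    key name is 'registration'; 'expiry' is a Unix timestamp (keep it short-lived)."""
    resource_uri = f"{id_scope}/registrations/{registration_id}"
    sig = _sign(device_key_b64, resource_uri, expiry)
    return ("SharedAccessSignature "
            f"sr={urllib.parse.quote(resource_uri, safe='')}"
            f"&sig={urllib.parse.quote(sig, safe='')}&se={expiry}&skn=registration")

def verify_sas_token(token: str, device_key_b64: str, now: int) -> bool:
    """Service-side check: right scheme, not expired, signature recomputes under the device key."""
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        return False
    fields = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False
    if expiry <= now:
        return False  # expired tokens are rejected even with a valid signature
    expected = _sign(device_key_b64, fields.get("sr", ""), expiry)
    return hmac.compare_digest(expected, fields.get("sig", ""))  # constant-time compare
```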
1. Specify which modules should be installed on which target devices (deployment manifest)
2. IoT Hub communicates with all the targeted devices and configures them with the declared modules
3. IoT Hub retrieves status from the IoT edge devices and makes them available for you.
4. The deployment is automatically applied to new IoT Edge devices that meet the targeting conditions
1. The base operating system (Windows or Linux)
2. A container management system (Docker or Moby)
3. IoT edge runtime should be already Initialized
1. Version
2. Type
3. Restart Policy
4. Image & container registry
5. Status
6. Routes for data Input and output
IoT Edge security manager is the security core for protecting the IoT Edge device and all its components.
It is built on 3 important components:
1. IoT edge security daemon
2. Optional but highly recommended hardware silicon root of trust or HSM
3. Hardware security module platform abstraction layer (HSM PAL)
1. Log in to Azure with an authenticated account, then list the subscriptions the account can access and select one.
az login
az account show --output table
az account set --subscription "<My subscription name>"
az group create -l centralindia -n AZ220RG
az network private-dns zone create -g AZ220RG -n <private-dns-zone-name>
az network vnet create -g AZ220RG -n CBVNET --address-prefix <vnet-address-prefix> --subnet-name IOTSubnet01 --subnet-prefix <subnet-address-prefix>
az iot hub create --resource-group AZ220RG --name cb01IotHub --sku F1 --partition-count 2
az iot hub device-identity create --hub-name cb02IotHub --device-id 004cbiotdevice
az iot hub device-twin show --hub-name "cb02IotHub" --device-id "004cbiotdevice"
# Passing the desired properties
az iot hub device-twin update --hub-name "cb02IotHub" --device-id "004cbiotdevice" --desired '{"tempLevel":18}'
# Running a query to fetch IoT device details
az iot hub query --hub-name "cb02IotHub" --query-command "select * from devices"
az iot hub query --hub-name "cb02IotHub" --query-command "select * from devices where properties.desired.tempLevel > 10"
az iot hub monitor-events -n "cb02IotHub"
az iot hub monitor-events -n "cb02IotHub" --content-type application/json
az iot hub monitor-events -n "cb02IotHub" --content-type application/json --props all
az iot dps create --resource-group AZ220RG --name cbdps01 --location southeastasia --unit 2
az iot dps delete --resource-group AZ220RG --name cbdps01
az iot dps linked-hub create --resource-group AZ220RG --dps-name cbdps01 --location centralindia --connection-string "Hostname=..."
az iot dps list --resource-group AZ220RG
az iot dps linked-hub list --resource-group AZ220RG --dps-name cbdps01
az monitor log-analytics workspace create --resource-group AZ220RG --workspace-name cblaw01 --location centralindia
az iot hub device-identity create --device-id Edgedevice02 --edge-enabled --hub-name cb01IotHub
Vijay Borkar (VBCloudboy)
Assisting Technical Community to help organizations to Transform, Migrate & Automate Services in Cloud.