Microsoft Azure IoT
When dealing with the IoT world, you have to consider what happens when devices are offline – because it's likely that remote actuators and sensors will be in that state often.
Microsoft Azure IoT tools are built from the ground up with the concept of a "device twin" that allows cloud services to keep track of, and continue working with, the last-known data and status received and the most recent command successfully sent. The architecture re-synchronizes and recovers cleanly when the device again comes online.
ARTIK and Azure IoT together provide the ideal way of keeping your IoT devices "in sync" securely. It works like this.
Azure IoT Hub allows you to "enroll" a device type as a group using a single CA certificate
Device certificates are self-generated on each device unit deployed, dynamically at first customer start-up, using ARTIK SEE features
Without ever having seen the device, Azure can verify that the device certificate is legitimate and proceeds to enroll the individual unit certificate
Code running in the cloud further checks the certificate revocation status before registering the device.
Once registered, the device is online and can be configured on-the-fly from its device twin in the cloud. Loading of firmware, software packages, and personalized settings is performed automatically.
What it means: A secure auto-enrollment ecosystem, with configuration plus updating of the device happening at connect time instead of during manufacturing.
PHASE 1 – Production Process
Pre-enroll your CA certificate with Azure IoT Hub using an Azure IoT validation code
Install board software to generate a device-unique key/certificate chained to that CA certificate, all contained safely within the ARTIK SEE
PHASE 2 – Customer Site
Upon initial power-up at the customer site, the board generates its own key and device certificate
Upon initial connection to the Internet and customer sign-in to their Microsoft account, the board uses TLS-secured MQTT to contact Azure IoT Hub.
TLS handshake proceeds as follows.
- Azure transmits its Server Certificate
- ARTIK checks validity and confirms against the Azure Root CA Certificate
- Azure requests Client Certificate from ARTIK (mutual authentication)
- ARTIK responds with
– CA-signed certificate with Azure IoT validation code
– Device-generated unique certificate chained to the CA-signed cert
Azure IoT now knows the device and customer connected to it, and can either enable the device or revoke its certificate.
Azure device twin service installs updated firmware, and makes configuration settings applicable to the specific customer.
Microsoft Azure offers an array of cloud-based tools and services. In this article series we'll use them to allow registration and monitoring of ARTIK gateway devices in the Azure cloud. The article below describes how to get started by:
Setting up your account
Setting up cloud services.
As with any ecosystem designed for secure IoT device connections, we'll need to first focus on how to provision and register the ARTIK board with the target cloud. Parameters of interest:
ID scope – used to identify registration IDs, and provides a guarantee that the registration ID is unique
Service endpoint – the target address for cloud accesses in a given region.
You'll need to copy and hold onto both of these for use in later procedures.
Sign up for Microsoft Azure Account
Follow the Microsoft Azure sign-up instructions to be able to access the various services we'll need. All are free for introductory use.
For the purposes of these tutorials, choose the same geographic area in all your Azure services to guarantee interoperability among them.
A feature of Azure Cosmos DB is that it scales throughput and storage across geographic areas – easing interoperability of services that need deployment world-wide.
Set up services
You can set everything up using the GUI as described here. You might instead choose to use the CLI.
Start by opening a browser window to the Azure portal.
Follow the Microsoft Azure Device Provisioning Service article to get started.
The article will walk you through these steps. In each case, when you find and click on the service, you need to click [Create] at the bottom of the window to proceed.
Setting up the IoT Hub Device Provisioning Service – the cloud service that handles device credential creation. For our tutorials you can name it
artik-provisionin resource group
artik-groupwith a location of
West USand then click [Create] to finish. You should see "deployment succeeded". If the Overview page doesn't come up, just go back to the dashboard and you'll see
artik-provisionthat you can click on.
Creating an IoT hub instance – the core service that enables communications between devices and the cloud. Everything should be populated except for the name, which you can enter as
artik-huband then click [Next: Size and scale]. On the next page select "F1: Free tier". Click [Review and create] and if everything looks okay click [Create].
Once it's ready you'll see [Go to resource]. Click on it. Then click "Shared access policies" and click
iothubowner. You'll now see the Shared access keys. Copy them to a text file for later use in this tutorial series.
Linking the IoT hub to the Device Provisioning Service
You can now create devices with tokens in the IoT Hub. Start by enrolling one device or a group in our next article.
Optional: Install Microsoft Azure CLI
While most operations can be done through the Web portal, you may find that using the CLI is much more convenient both for setup and for scripting on the factory floor.
Following the CLI-based auto-provision article takes care of the same setup as shown in "Set up services".
Once you have set the CLI up initially, you can open a new instance at any time.
Azure Cloud Service Articles
You're ready to begin! We recommend following the articles below in the order shown.
|IoT Enrollment by Certificate||Register a fleet of devices automatically on initial connection by enrolling an X.509 certificate|
|IoT Registration||Register a new ARTIK device|
|IoT Edge||Stream data to Azure cloud via ARTIK gateway|
Come back often – we add more material to the tutorials regularly.