Inbound and outbound NSG rules for an IoT Edge virtual machine to connect with Azure IoT Hub

Vivek Sagar Pandey 386 Reputation points
2020-12-01T09:46:27.567+00:00

Hi There!

I am trying to send "SimulatedTemperatureSensor" data from IoT Edge running on a Windows 10 Azure virtual machine.

We are getting the following IoT Edge health check status:

Connectivity checks

-------------------

× host can connect to and perform TLS handshake with IoT Hub AMQP port - Error
Could not connect to dte-iothub-dev.azure-devices.net:5671
√ host can connect to and perform TLS handshake with IoT Hub HTTPS / WebSockets port - OK
× host can connect to and perform TLS handshake with IoT Hub MQTT port - Error
Could not connect to dte-iothub-dev.azure-devices.net:8883
× container on the IoT Edge module network can connect to IoT Hub AMQP port - Error
Container on the nat network could not connect to dte-iothub-dev.azure-devices.net:5671
√ container on the IoT Edge module network can connect to IoT Hub HTTPS / WebSockets port - OK
× container on the IoT Edge module network can connect to IoT Hub MQTT port - Error
Container on the nat network could not connect to dte-iothub-dev.azure-devices.net:8883.

We cannot allow ports 8883, 1883 and 5671 to be 'open to the world'. PFA outbound NSG snippet.
Is there any way to communicate with IoT Hub using an IP or any other means to avoid this port issue?

[Attachment: 43890-capture.png]


Accepted answer
    Sander van de Velde 28,161 Reputation points MVP
    2020-12-01T16:08:11.32+00:00

    Hello @Vivek Sagar Pandey

    First, Azure IoT Edge supports communicating MQTT or AMQP over WebSockets (port 443).

    Though, the firewall does not need to support inbound calls, which makes it vulnerable to attack!

    Opening an AMQP or MQTT port in the firewall towards the internet needs outbound connectivity only. This means the edge is in control and setting up two-way communication to the cloud gateway.

    So, from a technical point of view, using AMQP or MQTT is secure. You can further reduce the attack vector by setting the IP filter ranges on the IoT Hub and the firewall. It's even possible to make the IoT Hub part of a VNET.

    1 person found this answer helpful.
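The two changes the accepted answer describes (outbound-only access on 443 to IoT Hub, and the edge talking AMQP over WebSockets), as an added PowerShell example that is not part of the original thread or of Microsoft's documentation. The resource group name `rg-edge`, the NSG name `nsg-edge-vm` and the rule name are assumptions; the hub host is the one from the question.

```powershell
# Added example (not from the thread). Assumes the Az PowerShell module is
# installed and Connect-AzAccount has been run. Names marked "assumption"
# must be replaced with the real ones.
$ResourceGroup = 'rg-edge'       # assumption
$NsgName       = 'nsg-edge-vm'   # assumption
$HubHost       = 'dte-iothub-dev.azure-devices.net'   # hub from the question

# 1. Outbound NSG rule: allow only TCP 443 to the AzureIoTHub service tag.
#    No inbound rule is needed; IoT Edge opens the connection towards the cloud.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-IoTHub-443-Out' `
    -Description 'IoT Edge upstream via AMQP/MQTT over WebSockets' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureIoTHub' -DestinationPortRange 443 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 2. Verify from the edge VM: 443 must succeed, 5671/8883 are expected to fail
#    once the NSG only permits 443 (mirrors the "iotedge check" results above).
foreach ($port in 443, 5671, 8883) {
    $ok = (Test-NetConnection -ComputerName $HubHost -Port $port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("{0}:{1} reachable = {2}" -f $HubHost, $port, $ok)
}

# 3. Deployment manifest fragment: set UpstreamProtocol for edgeAgent and
#    edgeHub so the host-side checks on 5671/8883 no longer matter.
#    Put this "env" block under systemModules.edgeAgent and systemModules.edgeHub
#    in $edgeAgent.properties.desired. Valid values: Amqp, AmqpWs, Mqtt, MqttWs.
$envFragment = @'
"env": {
  "UpstreamProtocol": { "value": "AmqpWs" }
}
'@
$envFragment | Set-Content -Path '.\upstream-env-fragment.json'

# For IoT Edge 1.0.x on Windows the agent's own setting lives in
# C:\ProgramData\iotedge\config.yaml under agent.env:
#   env:
#     UpstreamProtocol: "AmqpWs"
```

After changing config.yaml, restart the iotedge service and re-run `iotedge check`; with `AmqpWs` in place the remaining checks on 5671 and 8883 report warnings rather than blocking the upstream connection.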
