Clarification on the development structure of an IoT solution + smartphone application

Mattia Maldini 26 Reputation points

Hello everyone,
I have been studying the services offered by Azure IoT Hub to develop an IoT solution. I am inexperienced in the field of Cloud based applications, and to be honest I believe the documentation about Azure IoT Hub to be confusing, to say the least.
Nevertheless, I have reached a decent level of understanding backed by some examples I managed to put to work. I would like to ask for a confirmation about my understanding and some help for the last required step.

The solution I'm working towards involves several autonomous IoT devices powered by the ESP32 module. Each device should have internet access and register itself with IoT Hub.
For this part I have successfully compiled azure-iot-sdk-c for the ESP32 and generated a Plug-and-Play application that communicates with IoT Central - although I ultimately plan to use IoT Hub.
Each device should automatically be provisioned with an ID by the cloud, and for this purpose I believe the x.509 CA route the most ideal: I will generate or purchase a root Certificate and use it to sign each individual device certificate.
Up until now everything is more or less clear, with some details left to be ironed out - for example, I have not yet tried x.509 authentication in a practical example.
Please correct me if anything I have said does not make sense or can be done better.

The next part is still unclear to me. The final consumer of my product should be able to read telemetry data and issue commands from a remote location with an android app.
I would like to avoid keeping track of a user database: when first installed and connected to a network, the IoT devices should advertise themselves; the application should be able to register them and then read data and issue commands to the corresponding Azure IoT Hub device.
I imagine the devices could advertise on the local network (assumed to be secure) their ID, which can be used to identify them for Cloud requests.
However, I have yet to understand how to query Azure for device information or send commands. Specifically, I have seen some examples (like this one) that rely on symmetric keys for secure communication (using a connection string).
How would the communication between the application and the Cloud be secured with x.509 based automatic provisioning (if at all)?
What is the preferred way to send a command from a user interface to an IoT Device?

As a general experience I have seen a lot of simple demo examples for Azure functionalities, but the documentation inevitably falls short when I try to understand how to translate them into a practical solution. I need someone to confirm whether my understanding is correct, and eventually point me in the right direction.

Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.

Accepted answer
  1. QuantumCache 20,261 Reputation points

    Hello @Mattia Maldini , Thanks for reaching out to us!

    Please let us know the document on which we can help you further to get unblocked. We can always discuss Ideas/Feedbacks/Issues on Microsoft Q&A forum with other members as well. Looks like you are working on an exciting project! We would love to hear more on your experience with IoT projects so far!

    Each device should automatically be provisioned with an ID by the cloud, and for this purpose I believe the x.509 CA route the most ideal:

    Yes, this method is recommended for production environments. Get X.509 CA certificates

    for example, I have not yet tried x.509 authentication in a practical example.

    We recommend to get started with
    a) How to implement IoT DPS x509 on device (Q&A)
    b) Device Authentication using X.509 CA Certificates
    c) Supported X.509 certificates
    d) Announcing support for X.509 CA on Azure IoT Hub
    e) X.509 CA certificate security overview
    f) X.509 CA certificate security concepts
    g) Set up X.509 security in your Azure IoT hub

    • Let us know if you need more help in this matter.

    Please refer to these quickstarts to get started with Android apps.
    Send Telemetry: Android
    Quickstart: Send IoT telemetry from an Android device
    Control a device: .NET
    Quickstart: Control a device connected to an IoT hub (.NET)
    Control a device: Android
    Quickstart: Control a device connected to an IoT hub (Android)

    Query Azure IoT Hub

    Adding to what you have mentioned, we would similarly recommend making use of Understand and use Azure IoT Hub SDKs or the REST API.

    Example Stack overflow threads on Get iothub registered devices via REST API , Get all devices from IoT Azure Hub.

    To be more specific we can say like this,
    • Device app/Module app to Azure IoT Hub
    • Back-end application to Azure IoT Hub
    Please visit Build end-to-end IoT solutions recorded webinar, and Devices and device communication. Please let us know if you need further document help with a specific area or topic.

    What is the preferred way to send a command from a user interface to an IoT Device?

    Please visit Understand and invoke direct methods from IoT Hub, which gives you the ability to invoke direct methods on devices from the cloud. Direct methods represent a request-reply interaction with a device similar to an HTTP call in that they succeed or fail immediately.

    Azure IoT support and learn options
    Please visit Azure Internet of Things which gives a landing page on IoT and choose your interested area.
    Microsoft’s learning paths on IoT
    Support and help options
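
A worked example added by the editor, not code from this thread, from the linked articles or from the Azure SDKs, showing what the "X.509 CA" route in the accepted answer actually requires you to produce: a self-signed root CA (whose certificate, never its key, is uploaded to IoT Hub or to a DPS enrollment group), the one-off proof-of-possession certificate whose CN is the verification code Azure displays after the upload, and a per-device leaf certificate whose CN is the device/registration ID the hub will assign. It assumes the Python `cryptography` package; the CA name, the verification code and the device ID are constructed placeholders.

```python
# Added example, not code from the thread or from the Azure SDKs.
# Builds the chain the "X.509 CA" route needs: a self-signed root CA,
# the one-off proof-of-possession certificate (CN = the verification code
# IoT Hub/DPS displays after you upload the CA), and a per-device leaf
# certificate whose CN is the device/registration ID.
# Assumes the `cryptography` package; all names and IDs are constructed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    # Small backdate so a device whose clock runs slightly slow still accepts it.
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_root_ca(common_name="Constructed Device Root CA", days=3650):
    """Self-signed CA. Upload its certificate (not the key) to IoT Hub or DPS."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name, days=365):
    """End-entity certificate signed by the CA. CN = device/registration ID
    for a device, or CN = verification code for the proof-of-possession cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def verify_issued_by(leaf, ca_cert):
    """Check that `leaf` was signed by `ca_cert` and return the CN the hub
    will treat as the device ID. Raises on a name mismatch or bad signature."""
    if leaf.issuer != ca_cert.subject:
        raise ValueError("issuer name does not match CA subject")
    ca_cert.public_key().verify(
        leaf.signature, leaf.tbs_certificate_bytes,
        ec.ECDSA(leaf.signature_hash_algorithm),
    )
    return leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def cert_pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM).decode()


def key_pem(key):
    # Unencrypted PKCS#8 PEM, a common form to embed in device firmware.
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()


if __name__ == "__main__":
    ca_key, ca_cert = make_root_ca()
    # Proof of possession: CN is the code Azure shows you, NOT a device ID.
    _, pop_cert = issue_leaf(ca_key, ca_cert, "CONSTRUCTED-VERIFICATION-CODE", days=7)
    dev_key, dev_cert = issue_leaf(ca_key, ca_cert, "esp32-0001")
    print(verify_issued_by(dev_cert, ca_cert))  # esp32-0001
    print(cert_pem(dev_cert)[:27])
```

The device presents its leaf certificate (and private key) during the TLS handshake to the hub; the hub only needs the uploaded CA certificate to validate it, which is why no per-device secret ever has to be registered by hand. Keep the CA key offline: anyone holding it can mint a certificate for any device ID.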

1 additional answer

  1. Mattia Maldini 26 Reputation points

    Hello @SatishBoddu-MSFT,
    Thank you for your assistance. What I was missing before was the concept of Azure Service as a counterpart to the IoT Device - and the corresponding ConnectionString as secret to secure the communication.
    The Android example you have provided uses the service directly from the smartphone, but the tutorial mentions it is preferable to avoid this and rely on a back end instead.

    So, to recap:

    • My IoT devices can refer to the IoT Hub and be automatically provisioned a Device ID via a unique x.509 certificate, validated by a second root certificate that I have previously loaded on Azure in the context of an Enrollment Group.
    • I then have to create an Azure Service to read telemetry and send commands to the devices. In the example, this service is queried directly from the smartphone application, but this is bad practice (I guess that's because the connection string is hardcoded in the APK).
      Instead, the ideal way would be to rely on a back end that queries the Service (maybe an Azure Function), secured by other means.
    • The application can address the specific device my customer has purchased by locally reading its Device ID, plus maybe some other secure token to authorize the commands it wants to send.

    If this description sounds reasonable then I've properly understood all the tools I would need to work with, and I'll promptly confirm my question as answered.
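
A worked example added by the editor, not code from this thread or from the Azure SDKs, covering the two points the recap above raises: the back end that holds the IoT Hub service connection string (so it is never in the APK), and the direct-method call the accepted answer points to as the way to send a command. The phone sends only the Device ID it discovered locally plus a pairing token; the back end checks that the token is for that device and then invokes the direct method through the IoT Hub service REST API with a short-lived SAS token. The connection string, hub name, device IDs and secrets are constructed placeholders, the HMAC pairing-token scheme is one assumed design rather than an Azure feature, and the `api-version` value is an assumption about the current service API.

```python
# Added example, not code from the thread or from the Azure SDKs: the
# back end Mattia's recap describes.  The phone never holds the IoT Hub
# *service* connection string; it calls the back end with the device ID it
# learned on the local network plus a pairing token, the back end checks that
# the token is for that device, then invokes a direct method on the device
# through the IoT Hub service REST API using a short-lived SAS token.
# Connection string, hub name, device IDs and secrets are constructed here;
# the pairing-token scheme is one assumed design, not an Azure feature.
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

# Constructed service connection string (same shape as the one the portal shows).
SERVICE_CONNECTION_STRING = (
    "HostName=example-hub.azure-devices.net;"
    "SharedAccessKeyName=service;"
    "SharedAccessKey=" + base64.b64encode(b"constructed-example-key-not-real").decode()
)
# Constructed back-end secret for pairing tokens (server-side only, never in the APK).
PAIRING_SECRET = b"constructed-pairing-secret-not-real"
DIRECT_METHOD_API_VERSION = "2021-04-12"  # assumed current service API version


def parse_connection_string(cs):
    parts = dict(item.split("=", 1) for item in cs.split(";") if item)
    return parts["HostName"], parts["SharedAccessKeyName"], parts["SharedAccessKey"]


def make_service_sas(host, policy_name, key_b64, ttl_seconds=300, now=None):
    """IoT Hub SAS: sig = base64(HMAC-SHA256(key, urlencode(sr) + "\\n" + expiry)).
    Keep the lifetime short; a fresh token costs one HMAC per request."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    sr = urllib.parse.quote(host, safe="")
    mac = hmac.new(base64.b64decode(key_b64), f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(mac).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={policy_name}"


def issue_pairing_token(device_id, ttl_seconds=365 * 86400, now=None):
    """Issued by the back end when the app registers a device it found locally.
    Deciding *whether* this caller may claim that device is a product decision
    (e.g. a code printed on the unit); the token only binds caller to device ID."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    mac = hmac.new(PAIRING_SECRET, f"{device_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}:{exp}:{mac}"


def authorize(token, requested_device_id, now=None):
    """True only if the token is intact, unexpired and for the requested device."""
    try:
        device_id, exp, mac = token.rsplit(":", 2)  # device IDs may contain ':'
        exp = int(exp)
    except ValueError:
        return False
    expected = hmac.new(PAIRING_SECRET, f"{device_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if exp < (time.time() if now is None else now):
        return False
    return device_id == requested_device_id


def build_direct_method_call(token, device_id, method_name, payload, now=None):
    """What the back end sends to IoT Hub for an authorized app request.
    Returns (url, headers, body) so it can be handed to any HTTP client."""
    if not authorize(token, device_id, now=now):
        raise PermissionError("caller is not paired with this device")
    host, policy, key = parse_connection_string(SERVICE_CONNECTION_STRING)
    url = (f"https://{host}/twins/{urllib.parse.quote(device_id, safe='')}"
           f"/methods?api-version={DIRECT_METHOD_API_VERSION}")
    headers = {
        "Authorization": make_service_sas(host, policy, key, now=now),
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "methodName": method_name,
        "responseTimeoutInSeconds": 30,
        "payload": payload,
    })
    return url, headers, body


if __name__ == "__main__":
    tok = issue_pairing_token("esp32-0001")
    url, headers, body = build_direct_method_call(tok, "esp32-0001", "setRelay", {"on": True})
    print(url)
    print(headers["Authorization"][:40] + "...")
    print(body)
```

The point of the split is the trust boundary: the service policy key can call any device in the hub, so it must stay behind the back end, and the back end's own authorization check (here, the token bound to a Device ID) is what stops one customer's app from driving another customer's unit. The same SAS and request shape also serve the device-query endpoints the accepted answer links, only the URL path changes.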