Azure IoT Central
An Azure hosted internet of things (IoT) application platform.
364 questions
IoT Central static IP address / ports
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 65%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
randomrabbit
121
Reputation points
I need to setup a static IP address / hostname combination that our devices from multiple premises and different networks can use to connect to IoT Central. This question has been asked previously but the answers seem incomplete or vague.
Root of the problem is that the IoT Central DPS address and hub addresses can change or are dynamic, so its not feasible to enable them in firewalls. Correct me though if this is no longer the case.
I found this: https://learn.microsoft.com/en-us/azure/iot-central/core/howto-create-private-endpoint which, as far as I understand, allows me to obtain a domain name for the dps service, and gives me control over who can connect to IoT central. The FQDN is only one part of the question though. Here's what I don't understand (and these may be simple networking configurations):
1. Is the public IP of the private endpoint's FQDN (saas-dps-9dbd74d4-00d5-413c-8c45-********.azure-devices-provisioning.net) static?
2. How to make the public IP of the that FQDN static?
3. How to change the hostname of that FQDN or map to it from an address name / ip that is under our control?
With IoT Central, is all that traffic going through the MQTT port 8883? If not, what ports are needed open for these addresses?
In summary, need to set a single hostname-ip-port combination for devices to connect to IoT Central, when devices are not in our network.
Thanks in advance.
Tagging the expert @Sander van de Velde | MVP
{count} votes
-
Sander van de Velde | MVP 32,736 Reputation points MVP2022-08-09T08:48:00.763+00:00 Hello @randomrabbit ,
Regarding the IP ranges, Microsoft uses for Azure (IoT) resources, these can changed by Microsoft when needed.
These changes are communicated well in advance (see this blog post) and you can program against these ranges.
So you can write your own logic to change firewall settings.
-
randomrabbit 121 Reputation points
2022-08-09T09:06:36.907+00:00 Thanks for the quick reply. I'm looking for a solution that eliminates the need to maintain a list of changing addresses. So what do I need to put in front of IoT Central to achieve that? What ports to allow? Does the private endpoint even bring anything useful for that? Thanks again.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Dom 1,631 Reputation points Microsoft Employee2022-08-10T10:33:36.747+00:00 Hi @randomrabbit ,
To expand a little on the response from @Sander van de Velde | MVP .
For scalability and reliability, every IoT Central application has at least two internal IoT hubs. This number scales automatically as the number of devices/traffic increases. All of these IoT hubs are assigned IP addresses from the available pool defined by the service-tags described in the blog post from @Sander van de Velde | MVP .
Each device that connects to your IoT Central application is allocated to one of the internal IoT hubs by the Device Provisioning Service (DPS) - for more information, see https://learn.microsoft.com/azure/iot-central/core/concepts-device-implementation#best-practices.
In summary, your firewall needs to allow a device to connect to the DPS endpoint and one of the IoT hub endpoints. Neither of these have fixed IP addresses.
The private endpoint doesn't help your scenario, as the IP address of the private endpoint is allocated from the pool of IP addresses made available to DPS. Your devices are still allocated to one of the IoT hubs in your application.
Some options to consider are:
- Programmatically managing the rules in your firewall as suggested by @Sander van de Velde | MVP
- Implementing a cloud gateway with a fixed IP address that can act as a proxy for your devices
-
randomrabbit 121 Reputation points
2022-08-11T06:06:08.9+00:00 Thanks, this is very useful. With regards to the gateway solution, if we're using the Python SDK, I don't see a way to tell the devices to use the address of our cloud gateway beyond the DPS hostname.. So if step one is put the DPS behind a proxy, that can be done. But how to tell the devices to use our proxy as the hub address?
-
Dom 1,631 Reputation points Microsoft Employee
2022-08-11T09:36:23.567+00:00 The typical use case for a cloud gateway is for protocol translation where the devices are unable to talk to an IoT hub endpoint directly. See for example:
- https://learn.microsoft.com/azure/architecture/example-scenario/iot/field-cloud-edge-gateways
- https://learn.microsoft.com/azure/iot-central/core/howto-transform-data#data-transformation-at-ingress
Does using IoT Edge as a transparent gateway help? In this scenario, all of your devices connect to a local IoT Edge device and so don't require internet access. Only the IoT Edge device needs to access the internet: https://learn.microsoft.com/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway?tabs=edge1-2
I still think the best approach is to programmatically manage your firewall as originally suggested by @Sander van de Velde | MVP
-
randomrabbit 121 Reputation points
2022-08-12T08:51:48.06+00:00 I think the IoT Edge gateway would anyway have to go through the firewall, so it alone will not help. Maybe we could chain these to have traffic from the local gateway into the cloud gateway, for which we control the hostname and ip-address? Thanks for the insights.
-
Sander van de Velde | MVP 32,736 Reputation points MVP
2022-08-12T10:02:59.097+00:00 Hi @randomrabbit ,
manipulating the IP address and hostname of the edge device is managed on device level.
Azure IoT Edge modules do not really care because these are sandboxed as containers.
There is a hostname configured in the Azure IoT Edge runtime configuration but this is used for parent-child configuration.
Sign in to comment
Sign in to answer