Quickstart: Deploy Azure IoT Operations Preview to an Arc-enabled Kubernetes cluster


Azure IoT Operations Preview – enabled by Azure Arc is currently in PREVIEW. You shouldn't use this preview software in production environments.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

In this quickstart, you deploy a suite of IoT services to an Azure Arc-enabled Kubernetes cluster so that you can remotely manage your devices and workloads. Azure IoT Operations is a digital operations suite of services that includes Azure IoT Orchestrator Preview. This quickstart guides you through using Orchestrator to deploy these services to a Kubernetes cluster. At the end of the quickstart, you have a cluster that you can manage from the cloud that generates sample data to use in the following quickstarts.

The services deployed in this quickstart include:

The following quickstarts in this series build on this one to define sample assets, data processing pipelines, and visualizations. If you want to deploy Azure IoT Operations to run your own workloads, see Prepare your Azure Arc-enabled Kubernetes cluster and Deploy Azure IoT Operations Preview extensions to a Kubernetes cluster.

Before you begin

This series of quickstarts is intended to give you an opportunity to evaluate an end-to-end scenario with Azure IoT Operations. In a true development or production environment, these tasks would be performed by multiple teams working together and some tasks might require elevated permissions.

For the best new user experience, we recommend using an Azure free account so that you have owner permissions over the resources in these quickstarts. We also recommend using GitHub Codespaces as a virtual environment in which you can quickly begin deploying resources and running commands without installing new tools on your own machines. For more information about these options, continue to the prerequisites.

Once you're ready to learn more about the individual roles and tasks, the how-to guides provide more specific implementation and permissions details.


Review the prerequisites based on the environment you use to host the Kubernetes cluster.

For this quickstart, we recommend using a virtual environment (GitHub Codespaces) as a quick way to get started without installing new tools.

As part of this quickstart, you create a cluster in either GitHub Codespaces, AKS Edge Essentials, or K3s on Ubuntu Linux. If you want to rerun this quickstart with a cluster that already has Azure IoT Operations deployed to it, refer to the steps in Clean up resources to uninstall Azure IoT Operations before continuing.

What problem will we solve?

Azure IoT Operations is a suite of data services that run on Kubernetes clusters. You want these clusters to be managed remotely from the cloud, and able to securely communicate with cloud resources and endpoints. We address these concerns with the following tasks in this quickstart:

  1. Connect a Kubernetes cluster to Azure Arc for remote management.
  2. Create an Azure Key Vault to manage secrets for your cluster.
  3. Configure your cluster with a secrets store and service principal to communicate with cloud resources.
  4. Deploy Azure IoT Operations to your cluster.

Connect a Kubernetes cluster to Azure Arc

Azure IoT Operations should work on any Kubernetes cluster that conforms to the Cloud Native Computing Foundation (CNCF) standards. For this quickstart, use GitHub Codespaces, AKS Edge Essentials on Windows, or K3s on Ubuntu Linux.

In this section, you create a new cluster and connect it to Azure Arc. If you want to reuse a cluster that you've deployed Azure IoT Operations to before, refer to the steps in Clean up resources to uninstall Azure IoT Operations before continuing.

Use GitHub Codespaces to try Azure IoT Operations on a Kubernetes cluster without installing anything on your local machine. The Azure-Samples/explore-iot-operations codespace is preconfigured with:

  • K3s running in K3d for a lightweight Kubernetes cluster
  • Azure CLI
  • Kubectl for managing Kubernetes resources
  • Other useful tools like Helm and k9s


Codespaces are easy to set up quickly and tear down later, but they're not suitable for performance evaluation or scale testing. Use GitHub Codespaces for exploration only.

To get started with your codespace:

  1. Create a codespace in GitHub Codespaces.

    Create an explore-iot-operations codespace

    You don't have to provide the recommended secrets at this step. If you do, they get saved on your GitHub account to be used in this and future codespaces. They're also added as environment variables in the codespace terminal, and you don't have to run the CLI commands in the next section that configure the subscription, resource group, or location variables.

    Parameter Value
    SUBSCRIPTION_ID Your Azure subscription ID.
    RESOURCE_GROUP A name for a new Azure resource group where your cluster will be created.
    LOCATION An Azure region close to you. The following regions are supported in public preview: eastus, eastus2, westus, westus2, westus3, westeurope, or northeurope.
  2. Select Create new codespace.

  3. Once the codespace is ready, select the menu button at the top left, then select Open in VS Code Desktop.

    Open VS Code desktop

  4. If prompted, install the GitHub Codespaces extension for Visual Studio Code and sign in to GitHub.

  5. In Visual Studio Code, select View > Terminal.

    Use this terminal to run all of the command line and CLI commands for managing your cluster.

To connect your cluster to Azure Arc:

  1. On the machine where you deployed the Kubernetes cluster or your codespace terminal, sign in with Azure CLI:

    az login


    If you're using a GitHub codespace in a browser, az login returns a localhost error in the browser window after logging in. To fix, either:

    • Open the codespace in VS Code desktop, and then return to the browser terminal and rerun az login.
    • Or, after you get the localhost error on the browser, copy the URL from the browser and run curl "<URL>" in a new terminal tab. You should see a JSON response with the message "You have logged into Microsoft Azure!."
  2. Set an environment variable for the cluster name as it will show up in your resource group.

    # Name of the Arc-enabled cluster to create in your resource group
  3. Set environment variables for your Azure subscription, location, and a new resource group. If you're using GitHub Codespaces and set these secrets when creating your codespace, you can skip this step.

    # Id of the subscription where your resource group and Arc-enabled cluster will be created
    # Azure region where the created resource group will be located
    # Currently supported regions: "eastus", "eastus2", "westus", "westus2", "westus3", "westeurope", or "northeurope"
    export LOCATION=<REGION>
    # Name of a new resource group to create which will hold the Arc-enabled cluster and Azure IoT Operations resources
  4. Set the Azure subscription context for all commands:

    az account set -s $SUBSCRIPTION_ID
  5. Register the required resource providers in your subscription:

    az provider register -n "Microsoft.ExtendedLocation"
    az provider register -n "Microsoft.Kubernetes"
    az provider register -n "Microsoft.KubernetesConfiguration"
    az provider register -n "Microsoft.IoTOperationsOrchestrator"
    az provider register -n "Microsoft.IoTOperationsMQ"
    az provider register -n "Microsoft.IoTOperationsDataProcessor"
    az provider register -n "Microsoft.DeviceRegistry"
  6. Use the az group create command to create a resource group in your Azure subscription to store all the resources:

    az group create --location $LOCATION --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
  7. Use the az connectedk8s connect command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group:

    az connectedk8s connect -n $CLUSTER_NAME -l $LOCATION -g $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
  8. Get the objectId of the Microsoft Entra ID application that the Azure Arc service uses and save it as an environment variable.

    export OBJECT_ID=$(az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv)
  9. Use the az connectedk8s enable-features command to enable custom location support on your cluster. This command uses the objectId of the Microsoft Entra ID application that the Azure Arc service uses. Run this command on the machine where you deployed the Kubernetes cluster:

    az connectedk8s enable-features -n $CLUSTER_NAME -g $RESOURCE_GROUP --custom-locations-oid $OBJECT_ID --features cluster-connect custom-locations

Verify cluster

Use the Azure IoT Operations extension for Azure CLI to verify that your cluster host is configured correctly for deployment by using the verify-host command on the cluster host:

az iot ops verify-host

This helper command checks connectivity to Azure Resource Manager and Microsoft Container Registry endpoints.

Deploy Azure IoT Operations Preview

In this section, you use the az iot ops init command to configure your cluster so that it can communicate securely with your Azure IoT Operations components and key vault, then deploy Azure IoT Operations.

  1. Create a key vault. Replace the placeholder parameters with your own information.

    Placeholder Value
    RESOURCE_GROUP The name of your resource group that contains the connected cluster.
    KEYVAULT_NAME A name for a new key vault.
    az keyvault create --enable-rbac-authorization false --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP


    You can use an existing key vault for your secrets, but verify that the Permission model is set to Vault access policy. You can check this setting in the Azure portal in the Access configuration section of an existing key vault. Or use the az keyvault show command to check that enableRbacAuthorization is false.

  2. Run the following CLI command on your development machine or in your codespace terminal. Replace the placeholder parameters with your own information.

    Placeholder Value
    CLUSTER_NAME The name of your connected cluster.
    RESOURCE_GROUP The name of your resource group that contains the connected cluster.
    KEYVAULT_NAME The name of your key vault.
    az iot ops init --simulate-plc --cluster <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --kv-id $(az keyvault show --name <KEYVAULT_NAME> -o tsv --query id)

    If you get an error that says Your device is required to be managed to access your resource, run az login again and make sure that you sign in interactively with a browser.


    If you've run az iot ops init before, it automatically created an app registration in Microsoft Entra ID for you. You can reuse that registration rather than creating a new one each time. To use an existing app registration, add the optional parameter --sp-app-id <APPLICATION_CLIENT_ID>.

  3. These quickstarts use the OPC PLC simulator to generate sample data. To configure the simulator for the quickstart scenario, run the following command:


    Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.

    az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true

View resources in your cluster

While the deployment is in progress, you can watch the resources being applied to your cluster. You can use kubectl commands to observe changes on the cluster or, since the cluster is Arc-enabled, you can use the Azure portal.

To view the pods on your cluster, run the following command:

kubectl get pods -n azure-iot-operations

It can take several minutes for the deployment to complete. Continue running the get pods command to refresh your view.

To view your cluster on the Azure portal, use the following steps:

  1. In the Azure portal, navigate to the resource group that contains your cluster.

  2. From the Overview of the resource group, select the name of your cluster.

  3. On your cluster, select Extensions from the Settings section of the menu.

    Screenshot that shows the deployed extensions on your Arc-enabled cluster.

    You can see that your cluster is running extensions of the type microsoft.iotoperations.x, which is the group name for all of the Azure IoT Operations components and the orchestration service.

    There's also an extension called akvsecretsprovider. This extension is the secrets provider that you configured and installed on your cluster with the az iot ops init command. You might delete and reinstall the Azure IoT Operations components during testing, but keep the secrets provider extension on your cluster.

How did we solve the problem?

In this quickstart, you configured your Arc-enabled Kubernetes cluster so that it could communicate securely with your Azure IoT Operations components. Then, you deployed those components to your cluster. For this test scenario, you have a single Kubernetes cluster that's probably running locally on your machine. In a production scenario, however, you can use the same steps to deploy workloads to many clusters across many sites.

Clean up resources

If you're continuing on to the next quickstart, keep all of your resources.

If you want to delete the Azure IoT Operations deployment but plan on reinstalling it on your cluster, be sure to keep the secrets provider on your cluster.

  1. In your resource group in the Azure portal, select your cluster.

  2. On your cluster resource page, select Extensions.

  3. Select all of the extensions of type microsoft.iotoperations.x and microsoft.deviceregistry.assets, then select Uninstall. You don't need to uninstall the secrets provider extension:

    Screenshot that shows the extensions to uninstall.

  4. Return to your resource group and select the custom location resource, then select Delete.

If you want to delete all of the resources you created for this quickstart, delete the Kubernetes cluster that you deployed Azure IoT Operations to and remove the Azure resource group that contained the cluster.

Next step