Seda brauserit enam ei toetata.
Uusimate funktsioonide, turbevärskenduste ja tehnilise toe kasutamiseks võtke kasutusele Microsoft Edge.
This article introduces the virtual network (VNET) connectivity pattern for IoT devices provisioning with IoT hubs using DPS. This pattern provides private connectivity between the devices, DPS, and the IoT hub inside a customer-owned Azure VNET.
In most scenarios where DPS is configured with a VNET, your IoT Hub is also configured in the same VNET. For more specific information on VNET support and configuration for IoT Hubs, see, IoT Hub virtual network support.
By default, DPS hostnames map to a public endpoint with a publicly routable IP address over the Internet. This public endpoint is visible to all customers. IoT devices over wide-area networks and on-premises networks can try to access the public endpoint.
For several reasons, customers may wish to restrict connectivity to Azure resources, like DPS. These reasons include:
Prevent connection exposure over the public Internet. Exposure can be reduced by introducing more layers of security via network level isolation for your IoT hub and DPS resources
Enabling a private connectivity experience from your on-premises network assets ensuring that your data and traffic is transmitted directly to Azure backbone network.
Preventing exfiltration attacks from sensitive on-premises networks.
Following established Azure-wide connectivity patterns using private endpoints.
Common approaches to restricting connectivity include DPS IP filter rules and Virtual networking (VNET) with private endpoints. The goal of this article is to describe the VNET approach for DPS using private endpoints.
Devices that operate in on-premises networks can use Virtual Private Network (VPN) or ExpressRoute private peering to connect to a VNET in Azure and access DPS resources through private endpoints.
A private endpoint is a private IP address allocated inside a customer-owned VNET by which an Azure resource is accessible. By having a private endpoint for your DPS resource, you can allow devices operating inside your VNET to request provisioning by your DPS resource without allowing traffic to the public endpoint. Each DPS resource can support multiple private endpoints, each of which may be located in a VNET in a different region.
Before proceeding ensure that the following prerequisites are met:
Your DPS resource is already created and linked to your IoT hubs. For guidance on setting up a new DPS resource, see, Set up IoT Hub Device Provisioning Service with the Azure portal
You have provisioned an Azure VNET with a subnet in which the private endpoint will be created. For more information, see, create a virtual network using Azure CLI.
For devices that operate inside of on-premises networks, set up Virtual Private Network (VPN) or ExpressRoute private peering into your Azure VNET.
Note the following current limitations for DPS when using private endpoints:
Private endpoints don't work when the DPS resource and the linked IoT hub are in different clouds. For example, Azure Government and global Azure.
Private endpoints in DPS use Azure Private Link, which are only supported in public regions. For more information, see Azure Private Link availability.
Currently, custom allocation policies with Azure Functions for DPS doesn't work when the Azure function is locked down to a VNET and private endpoints.
Current DPS VNET support is for data ingress into DPS only. Data egress, which is the traffic from DPS to IoT Hub, uses an internal service-to-service mechanism rather than a dedicated VNET. Support for full VNET-based egress lockdown between DPS and IoT Hub isn't currently available.
The lowest latency allocation policy is used to assign a device to the IoT hub with the lowest latency. This allocation policy is not reliable in a virtual network environment.
Enabling one or more private endpoints typically involves disabling public access to your DPS instance. Once public access is disabled, you can no longer use the Azure portal to manage enrollments. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the VNET(s)/private endpoint(s) configured on the DPS instance.
When using private endpoints, we recommend deploying DPS in one of the regions that support Availability Zones. Otherwise, DPS instances with private endpoints enabled may see reduced availability in the event of outages.
Märkus
Data residency consideration:
DPS provides a Global device endpoint (global.azure-devices-provisioning.net). However, when you use the global endpoint, your data may be redirected outside of the region where the DPS instance was initially created. To ensure data residency within the initial DPS region, use private endpoints.
To set up a private endpoint, follow these steps:
In the Azure portal, open your DPS resource and select the Networking tab. Select Private endpoint connections and + Private endpoint.
On the Create a private endpoint Basics page, enter the information mentioned in the following table.
| Field | Value |
|---|---|
| Subscription | Choose the desired Azure subscription to contain the private endpoint. |
| Resource group | Choose or create a resource group to contain the private endpoint |
| Name | Enter a name for your private endpoint |
| Region | The region chosen must be the same as the region that contains the VNET, but it doesn't have to be the same as the DPS resource. |
Select Next : Resource to configure the resource that the private endpoint points to.
On the Create a private endpoint Resource page, enter the information mentioned in the following table.
| Field | Value |
|---|---|
| Subscription | Choose the Azure subscription that contains the DPS resource that your private endpoint points to. |
| Resource type | Choose Microsoft.Devices/ProvisioningServices. |
| Resource | Select the DPS resource that the private endpoint maps to. |
| Target sub-resource | Select iotDps. |
Näpunäide
Information on the Connect to an Azure resource by resource ID or alias setting is provided in the Request a private endpoint section in this article.
Select Next : Configuration to configure the VNET for the private endpoint.
On the Create a private endpoint Configuration page, choose your virtual network and subnet to create the private endpoint in.
Select Next : Tags, and optionally provide any tags for your resource.
Select Review + create and then Create to create your private endpoint resource.
To use private endpoints with device provisioning code, your provisioning code must use the specific Service endpoint for your DPS instance as shown on the overview page of your DPS instance in the Azure portal. The service endpoint has the following form.
<Your DPS Tenant Name>.azure-devices-provisioning.net
Most sample code demonstrated in our documentation and SDKs, use the Global device endpoint (global.azure-devices-provisioning.net) and ID Scope to resolve a particular DPS instance. Use the service endpoint in place of the global device endpoint when connecting to a DPS instance using private endpoints to provision your devices.
For example, the provisioning device client sample (pro_dev_client_sample) in the Azure IoT C SDK is designed to use the Global device endpoint as the global provisioning URI (global_prov_uri) in prov_dev_client_sample.c
MU_DEFINE_ENUM_STRINGS_WITHOUT_INVALID(PROV_DEVICE_RESULT, PROV_DEVICE_RESULT_VALUE);
MU_DEFINE_ENUM_STRINGS_WITHOUT_INVALID(PROV_DEVICE_REG_STATUS, PROV_DEVICE_REG_STATUS_VALUES);
static const char* global_prov_uri = "global.azure-devices-provisioning.net";
static const char* id_scope = "[ID Scope]";
}
PROV_DEVICE_RESULT prov_device_result = PROV_DEVICE_RESULT_ERROR;
PROV_DEVICE_HANDLE prov_device_handle;
if ((prov_device_handle = Prov_Device_Create(global_prov_uri, id_scope, prov_transport)) == NULL)
{
(void)printf("failed calling Prov_Device_Create\r\n");
To use the sample with a private endpoint, the highlighted code above would be changed to use the service endpoint for your DPS resource. For example, if your service endpoint was mydps.azure-devices-provisioning.net, the code would look as follows.
static const char* global_prov_uri = "global.azure-devices-provisioning.net";
static const char* service_uri = "mydps.azure-devices-provisioning.net";
static const char* id_scope = "[ID Scope]";
PROV_DEVICE_RESULT prov_device_result = PROV_DEVICE_RESULT_ERROR;
PROV_DEVICE_HANDLE prov_device_handle;
if ((prov_device_handle = Prov_Device_Create(service_uri, id_scope, prov_transport)) == NULL)
{
(void)printf("failed calling Prov_Device_Create\r\n");
}
You can request a private endpoint to a DPS instance by resource ID. In order to make this request, you need the resource owner to supply you with the resource ID.
The resource ID is provided on to the properties tab for DPS resource as shown below.
Ettevaatust!
Be aware that the resource ID does contain the subscription ID.
Once you have the resource ID, follow the steps above in Set up a private endpoint to step 3 on the Create a private endpoint Resource page. Select Connect to an Azure resource by resource ID or alias and enter the information in the following table.
| Field | Value |
|---|---|
| Resource ID or alias | Enter the resource ID for the DPS resource. |
| Target sub-resource | Enter iotDps |
| Request message | Enter a request message for the DPS resource owner. For example, Please approve this new private endpointfor IoT devices in site 23 to access this DPS instance |
Select Next : Configuration to configure the VNET for the private endpoint.
On the Create a private endpoint Configuration page, choose the virtual network and subnet to create the private endpoint in.
Select Next : Tags, and optionally provide any tags for your resource.
Select Review + create and then Create to create your private endpoint request.
The DPS owner sees the private endpoint request in the Private endpoint connections list on DPS networking tab. On that page, the owner can Approve or Reject the private endpoint request.
For pricing details, see Azure Private Link pricing.
Use the links below to learn more about DPS security features:
Koolitus
Moodul
Design and implement private access to Azure Services - Training
You learn to design and implement private access to Azure Services with Azure Private Link, and virtual network service endpoints.
Sertimine
Microsoft Certified: Azure Virtual Desktop Specialty - Certifications
Plan, deliver, manage, and monitor virtual desktop experiences and remote apps on Microsoft Azure for any device.
Dokumentatsioon
Diagnose and troubleshoot provisioning errors with DPS - Azure IoT Hub Device Provisioning Service
Learn to diagnose and troubleshoot common errors for Azure IoT Hub Device Provisioning Service (DPS)
Device lifecycle and reprovisioning concepts - Azure IoT Hub Device Provisioning Service
Describes device reprovisioning concepts and policies for the Azure IoT Hub Device Provisioning Service (DPS)
Terminology and glossary for Azure DPS - Azure IoT Hub Device Provisioning Service
This article describes common terminology used with the Device Provisioning Service (DPS) and IoT Hub.