Deployment details

When you deploy Azure IoT Operations, you install a suite of services on an Azure Arc-enabled Kubernetes cluster. This article provides an overview of the different deployment options to consider for your scenario.

Supported environments

Supported Windows environments

Microsoft supports the following Kubernetes distributions for Azure IoT Operations deployments on Windows. The table below details their support levels and the versions Microsoft uses to validate deployments:

Kubernetes distribution | Architecture | Support level | Minimum validated version
AKS Edge Essentials | x86_64 | Public preview | AksEdge-K3s-1.29.6-1.8.202.0
AKS on Azure Local | x86_64 | Public preview | Azure Stack HCI OS, version 23H2, build 2411
  • The minimum validated version is the lowest version of the Kubernetes distribution that Microsoft uses to validate Azure IoT Operations deployments.

Supported Linux environments

Microsoft supports the following Kubernetes distributions for Azure IoT Operations deployments in Linux environments. The table below lists their support levels and the versions Microsoft uses to validate deployments:

Kubernetes distribution | Architecture | Support level | Minimum validated version | Minimum validated OS
K3s | x86_64 | General availability | 1.31.1 | Ubuntu 24.04
Tanzu Kubernetes release (TKr) | x86_64 | General availability | 1.28.11 | Tanzu Kubernetes Grid 2.5.2
  • The minimum validated version is the lowest version of the Kubernetes distribution that Microsoft uses to validate Azure IoT Operations deployments.
  • The minimum validated OS is the lowest operating system version that Microsoft uses to validate deployments.

Important

Support for Azure IoT Operations deployments is only available on version 1.28.11 of TKr.

Note

Billing usage records are collected on any environment where Azure IoT Operations is installed, regardless of support or availability levels.

To install Azure IoT Operations, make sure your cluster meets the following hardware requirements. If you're using a multi-node cluster that enables fault tolerance, scale up to the recommended capacity for better performance.

Spec | Minimum | Recommended
Hardware memory capacity (RAM) | 16 GB | 32 GB
Available memory for Azure IoT Operations (RAM) | 10 GB | Depends on usage
CPU | 4 vCPUs | 8 vCPUs

Note

The minimum configuration is appropriate when running Azure IoT Operations only.

Choose your features

Azure IoT Operations offers two deployment modes. You can choose to deploy with test settings, a basic subset of features that are simpler to get started with for evaluation scenarios. Or, you can choose to deploy with secure settings, the full feature set.

Test settings deployment

A deployment with only test settings has the following characteristics:

  • It doesn't configure secrets or user-assigned managed identity capabilities.
  • It's designed to enable the end-to-end quickstart sample for evaluation purposes, so it supports the OPC PLC simulator and connects to cloud resources by using system-assigned managed identity.
  • You can upgrade it to use secure settings.

For a quickstart experience, you can use the Quickstart: Run Azure IoT Operations in GitHub Codespaces with K3s scenario. This scenario uses a lightweight Kubernetes distribution (K3s) and runs in GitHub Codespaces, so you don't need to set up a cluster or install any tools locally.

To deploy Azure IoT Operations with test settings, follow these articles:

  1. Start with Prepare your Azure Arc-enabled Kubernetes cluster to configure and Arc-enable your cluster.
  2. Then, follow the steps in Deploy Azure IoT Operations to a test cluster.

Tip

At any point, you can upgrade an Azure IoT Operations instance to use secure settings by following the steps in Enable secure settings.

Secure settings deployment

A deployment with secure settings has the following characteristics:

  • It's designed for production-ready scenarios.
  • It enables secrets and user-assigned managed identity, both of which are important capabilities for developing a production-ready scenario. Secrets are used whenever Azure IoT Operations components connect to a resource outside of the cluster, such as an OPC UA server or a data flow endpoint.

To deploy Azure IoT Operations with secure settings, follow these articles:

  1. Start with Prepare your Azure Arc-enabled Kubernetes cluster to configure and Arc-enable your cluster.
  2. Then, follow the steps in Deploy Azure IoT Operations to a production cluster.

Required permissions

The following table describes Azure IoT Operations deployment and management tasks that require elevated permissions. For information about assigning roles to users, see Steps to assign an Azure role.

Task | Required permission | Comments
Deploy Azure IoT Operations | Azure IoT Operations Onboarding role | This role has all required permissions to read and write Azure IoT Operations and Azure Device Registry resources. This role has Microsoft.Authorization/roleAssignments/write permissions.
Register resource providers | Contributor role at subscription level | Only required once per subscription. You need to register the following resource providers: Microsoft.ExtendedLocation, Microsoft.SecretSyncController, Microsoft.Kubernetes, Microsoft.KubernetesConfiguration, Microsoft.IoTOperations, and Microsoft.DeviceRegistry.
Create secrets in Key Vault | Key Vault Secrets Officer role at the resource level | Only required for secure settings deployment to synchronize secrets from Azure Key Vault.
Create and manage storage accounts | Storage Account Contributor role | Required for Azure IoT Operations deployment.
Create a resource group | Resource Group Contributor role | Required to create a resource group for storing Azure IoT Operations resources.
Onboard a cluster to Azure Arc | Kubernetes Cluster - Azure Arc Onboarding role | Arc-enabled clusters are required to deploy Azure IoT Operations.
Manage deployment of Azure resource bridge | Azure Resource Bridge Deployment role | Required to deploy Azure IoT Operations.
Provide permissions to deployment | Azure Arc Enabled Kubernetes Cluster User role | Required to grant the deployment permission to the Azure Arc-enabled Kubernetes cluster.

Tip

You must enable resource sync on the Azure IoT Operations instance to use the automatic asset discovery capabilities of the Akri services. To learn more, see What is OPC UA asset discovery?.

If you use the Azure CLI to assign roles, use the az role assignment create command to give permissions. For example, az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup
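The following script is an added example, not code from the Microsoft page: it checks that the six resource providers listed in the permissions table are registered (parsing a constructed sample in the tab-separated shape that az provider list with a namespace/registrationState query and -o tsv is assumed to produce) and emits a role assignment that uses the Azure IoT Operations Onboarding role at resource group scope instead of a broad administrative role; the subscription id, resource group and principal id are placeholders.

```shell
#!/bin/sh
# Added example, not from the Microsoft page: pre-deployment permission checks
# for Azure IoT Operations. The provider names come from the table on this page;
# the subscription id, resource group and principal id are placeholders.
set -eu

REQUIRED_PROVIDERS="Microsoft.ExtendedLocation Microsoft.SecretSyncController \
Microsoft.Kubernetes Microsoft.KubernetesConfiguration Microsoft.IoTOperations \
Microsoft.DeviceRegistry"

# Parse "Namespace<TAB>RegistrationState" lines (assumed to be the output of
# az provider list --query "[].[namespace,registrationState]" -o tsv) and print
# each required provider that is not Registered, with its current state.
# Returns 0 when every required provider is Registered, 1 otherwise.
missing_providers() {
  tsv="$1"; rc=0
  for p in $REQUIRED_PROVIDERS; do
    state=$(printf '%s\n' "$tsv" | awk -F'\t' -v ns="$p" '$1 == ns { print $2 }')
    if [ "$state" != "Registered" ]; then
      echo "$p: ${state:-NotFound}"
      rc=1
    fi
  done
  return $rc
}

# Emit the least-privilege role assignment for the deployment identity: the
# Azure IoT Operations Onboarding role at resource group scope, rather than a
# broad administrative role at subscription scope.
onboarding_role_cmd() {
  assignee="$1"; subscription="$2"; rg="$3"
  printf 'az role assignment create --assignee "%s" --role "Azure IoT Operations Onboarding" --scope "/subscriptions/%s/resourceGroups/%s"\n' \
    "$assignee" "$subscription" "$rg"
}

# Constructed sample output: one provider still registering, one never registered.
SAMPLE_TSV=$(printf 'Microsoft.ExtendedLocation\tRegistered\nMicrosoft.SecretSyncController\tRegistering\nMicrosoft.Kubernetes\tRegistered\nMicrosoft.KubernetesConfiguration\tRegistered\nMicrosoft.IoTOperations\tRegistered\n')

if [ "${1:-}" = "--demo" ]; then
  missing_providers "$SAMPLE_TSV" \
    || echo "Register each provider listed above with: az provider register --namespace <Namespace>"
  onboarding_role_cmd "<principal-object-id>" "00000000-0000-0000-0000-000000000000" "MyResourceGroup"
fi
```

Run with --demo to see the two unregistered providers reported and the role assignment command printed; replace the sample with live az output before using it against a subscription.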

If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the Allow user to assign all roles condition in the Add role assignment page.

Screenshot that shows assigning users highly privileged role access in the Azure portal.

Organize instances by using sites

Azure IoT Operations supports Azure Arc sites for organizing instances. A site is a cluster resource in Azure like a resource group, but sites typically group instances by physical location and make it easier for OT users to locate and manage assets. An IT administrator creates sites and scopes them to a subscription or resource group. Then, any Azure IoT Operations instance deployed to an Arc-enabled cluster is automatically collected in the site associated with its subscription or resource group.

For more information, see What is Azure Arc site manager (preview)?

Azure IoT Operations endpoints

If you use enterprise firewalls or proxies to manage outbound traffic, configure the following endpoints before deploying Azure IoT Operations.

Data residency

Azure Resource Manager lets you manage and control your Azure IoT Operations instance in your Kubernetes cluster from the cloud using the Azure portal or Azure CLI. While you must deploy the Azure Resource Manager resources for Azure IoT Operations to a currently supported region, you choose where your operational workloads and data physically reside. The Azure IoT Operations runtime and compute remain on your premises and under your control.

This architecture ensures the following characteristics of the deployment:

  • All operational processes and workloads run on your own local infrastructure.
  • To comply with your data residency requirements, choose the Azure region for any data storage or data processing resources your solution uses.
  • Data transfers directly between your local infrastructure and your Azure storage and processing resources. Your data doesn't pass through the Azure IoT Operations resources in the cloud.
  • The location of the Azure Resource Manager for your Azure IoT Operations instance is a logical reference for management and orchestration.
  • No customer production data is relocated. Some system telemetry, such as metrics and logs, used for service improvement and proactive identification of infrastructure issues might flow to the Azure region where your Azure IoT Operations resources are located.

The following diagram shows an example deployment that illustrates how to maintain data sovereignty on your local infrastructure while optionally using a different Azure region for data storage and processing. In this example:

  • Azure IoT Operations management resources are deployed in the US West region. This region is one of the supported regions for Azure IoT Operations.
  • Operational workloads and data remain on-premises at the edge under your complete control to ensure data residency and data sovereignty.
  • Data storage and processing resources are deployed in the Canada Central region to meet specific regional data residency requirements.

Diagram that shows an example deployment of Azure IoT Operations with data residency considerations.

Next steps

Prepare your Azure Arc-enabled Kubernetes cluster to configure and Arc-enable a cluster for Azure IoT Operations.