Azure IoT Hub Device Provisioning Service Overview

 
  • The Azure IoT Hub Device Provisioning Service is a helper service for IoT Hub. The device provisioning service enables customers to provision millions of devices in a secure and scalable manner.

Features of the Device Provisioning Service

  • Secure attestation support for X.509, TPM and symmetric-key based identities.
  • Enrollment list containing the complete record of devices/groups of devices that may at some point register. The enrollment list contains information about the desired configuration of the device once it registers, and it can be updated at any time.
  • Multiple allocation policies to control how the Device Provisioning Service assigns devices to IoT hubs in support of your scenarios.
  • Monitoring and diagnostics logging to make sure everything is working properly.
  • Multi-hub support allows the Device Provisioning Service to assign devices to more than one IoT hub. The Device Provisioning Service can talk to hubs across multiple Azure subscriptions.
  • Cross-region support allows the Device Provisioning Service to assign devices to IoT hubs in other regions.
  • Encryption for data at rest: data held by DPS is encrypted and decrypted transparently using FIPS 140-2 compliant 256-bit AES, one of the strongest block ciphers available.
  • Cross-platform support:
    • The Device Provisioning Service, like all Azure IoT services, works cross-platform with several operating systems.
    • Azure offers open-source SDKs in various programming languages to facilitate connecting devices and managing the service.
    • The Device Provisioning Service supports the following protocols for connecting devices:
      • HTTPS
      • AMQP
      • AMQP over web sockets
      • MQTT
      • MQTT over web sockets

Use cases for Device Provisioning Service

  • Zero-touch provisioning to a single IoT solution without hardcoding IoT Hub connection information at the factory (initial setup).
  • Load-balancing devices across multiple hubs.
  • Connecting devices to their owner’s IoT solution based on sales transaction data (multitenancy).
  • Connecting devices to a particular IoT solution depending on use case (solution isolation).
  • Connecting a device to the IoT hub with the lowest latency (geo-sharding).
  • Reprovisioning based on a change in the device.
  • Rolling the keys used by the device to connect to IoT Hub (when not using X.509 certificates to connect).
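
The zero-touch case above works because a device leaves the factory knowing only the global provisioning endpoint, the ID scope of its tenant's DPS instance and its own credential; the IoT hub hostname is learned from the registration response. The following Python is an added example, not Microsoft SDK code or code from the original page. It shows the symmetric-key enrollment-group flow: the per-device key is derived from the group key with HMAC-SHA256 over the registration ID (so the group key never leaves the backend), the registration SAS token is built over the ID scope and registration ID, and the hub is read back from the operation status. The ID scope, group key, registration IDs and response document are constructed sample values.

```python
import base64
import hashlib
import hmac
import urllib.parse

# The device provisioning endpoint is identical for every DPS instance;
# the ID scope (one per DPS instance) selects the tenant.
GLOBAL_ENDPOINT = "global.azure-devices-provisioning.net"
API_VERSION = "2019-03-31"

# Constructed sample values for this example; not a real scope or secret.
SAMPLE_ID_SCOPE = "0ne00000000"
SAMPLE_GROUP_KEY = base64.b64encode(b"enrollment-group-primary-key-32b").decode("ascii")


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Derive the per-device symmetric key for a device in an enrollment group.

    HMAC-SHA256 over the registration ID, keyed with the base64-decoded group
    key, base64-encoded. Only this derived key is written to the device.
    """
    key = base64.b64decode(group_key_b64)
    digest = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def registration_sas_token(id_scope: str, registration_id: str,
                           device_key_b64: str, expiry_epoch: int) -> str:
    """SAS token for the registration call; the policy name is always 'registration'.

    String to sign: URL-encoded resource URI, newline, expiry (seconds since epoch).
    """
    resource = urllib.parse.quote(f"{id_scope}/registrations/{registration_id}", safe="")
    to_sign = f"{resource}\n{expiry_epoch}".encode("utf-8")
    sig = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig_enc = urllib.parse.quote(base64.b64encode(sig).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={resource}&sig={sig_enc}&se={expiry_epoch}&skn=registration"


def build_register_request(id_scope: str, registration_id: str, device_key_b64: str,
                           expiry_epoch: int, payload=None) -> dict:
    """The HTTPS request a device sends. No IoT hub hostname appears anywhere in it."""
    url = (f"https://{GLOBAL_ENDPOINT}/{id_scope}/registrations/"
           f"{registration_id}/register?api-version={API_VERSION}")
    body = {"registrationId": registration_id}
    if payload is not None:  # optional data a custom allocation policy may consume
        body["payload"] = payload
    return {
        "method": "PUT",
        "url": url,
        "headers": {
            "Authorization": registration_sas_token(id_scope, registration_id,
                                                    device_key_b64, expiry_epoch),
            "Content-Type": "application/json",
        },
        "body": body,
    }


def assigned_hub(operation_status: dict):
    """Return the hub DPS chose once the polled operation reports status 'assigned'."""
    if operation_status.get("status") != "assigned":
        return None
    return operation_status.get("registrationState", {}).get("assignedHub")


if __name__ == "__main__":
    device_key = derive_device_key(SAMPLE_GROUP_KEY, "toaster-0001")
    req = build_register_request(SAMPLE_ID_SCOPE, "toaster-0001", device_key, 1_700_003_600)
    print(req["method"], req["url"])
    # Constructed final operation-status document of the kind DPS returns after polling.
    status = {"operationId": "op-1", "status": "assigned",
              "registrationState": {"registrationId": "toaster-0001",
                                    "assignedHub": "contoso-eu-hub.azure-devices.net",
                                    "deviceId": "toaster-0001", "status": "assigned"}}
    print("connect to:", assigned_hub(status))
```

The first PUT returns an operation ID with status "assigning"; the device polls the operation until the status becomes "assigned" and only then learns its hub, so a supply-chain change of hub (or of region) never requires reflashing the device. Keep the SAS expiry short, since the token is a bearer credential for the registration endpoint.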

DPS Service Concepts

  • Service operations endpoint
    • The service operations endpoint is the endpoint for managing the service settings and maintaining the enrollment list. This endpoint is only used by the service administrator; it is not used by devices.
  • Device provisioning endpoint
    • The device provisioning endpoint is the single endpoint all devices use for autoprovisioning.
    • The URL (global.azure-devices-provisioning.net) is the same for all provisioning service instances, to eliminate the need to reflash devices with new connection information in supply chain scenarios. The ID scope, unique to each DPS instance, ensures tenant isolation.
  • Linked IoT hubs
    • The Device Provisioning Service can only provision devices to IoT hubs that have been linked to it.
    • Linking gives the service read/write permissions to the IoT hub’s device registry, so DPS can register a device ID and set the initial configuration in the device twin.
    • Linked IoT hubs may be in any Azure region, and in a different subscription from your provisioning service.
  • Allocation policy
    • Determines how Device Provisioning Service assigns devices to an IoT hub.
      • Evenly weighted distribution:
        • Linked IoT hubs are equally likely to have devices provisioned to them.
        • This is the default setting.
        • If you are provisioning devices to only one IoT hub, you can keep this setting.
      • Lowest latency:
        • Devices are provisioned to an IoT hub with the lowest latency to the device.
        • If multiple linked IoT hubs would provide the same lowest latency, the provisioning service hashes devices across those hubs.
      • Static configuration via the enrollment list:
        • Specification of the desired IoT hub in the enrollment list takes priority over the service-level allocation policy.
      • Custom (Use Azure Function):
        • A custom allocation policy gives you more control over how devices are assigned to an IoT hub.
        • The device provisioning service calls your Azure Function, passing all relevant information about the device and the enrollment to your code. Your function code runs and returns the IoT hub information used to provision the device.
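
The decision logic of such a custom allocation function, as an added example rather than code from the original page or from Microsoft: DPS posts a JSON document containing the enrollment (`individualEnrollment` or `enrollmentGroup`), the `deviceRuntimeContext` (the `registrationId` and any `payload` the device sent) and `linkedHubs`, the hubs this registration may be assigned to, and expects back `iotHubHostName` and an optional `initialTwin`. The point a practitioner should take from it is that the device payload is untrusted input: it is used only as a hint checked against an allow-list, and the function never returns a hub that is not in `linkedHubs`. The region-to-hub mapping, fallback hub, payload fields `region` and `sku`, and the sample request are assumptions constructed for the example; the Azure Functions HTTP-trigger wrapper is left out so the logic runs offline.

```python
import json

# Assumed deployment layout for this example: one hub per sales region,
# with the US hub as the fallback.
REGION_HUB = {
    "eu": "contoso-eu-hub.azure-devices.net",
    "us": "contoso-us-hub.azure-devices.net",
}
FALLBACK_HUB = "contoso-us-hub.azure-devices.net"


def allocate(request: dict) -> dict:
    """Choose the hub and initial twin for one registration request from DPS."""
    if not isinstance(request, dict):
        raise ValueError("request body must be a JSON object")
    ctx = request.get("deviceRuntimeContext") or {}
    registration_id = ctx.get("registrationId")
    if not registration_id:
        raise ValueError("deviceRuntimeContext.registrationId missing")
    linked = set(request.get("linkedHubs") or [])
    if not linked:
        raise ValueError("no linked hubs available for this enrollment")

    # The payload comes from the device and is untrusted: treat it as a hint,
    # validate it against the allow-list, and never accept a hub name from it.
    payload = ctx.get("payload") if isinstance(ctx.get("payload"), dict) else {}
    region = str(payload.get("region", "")).lower()
    hub = REGION_HUB.get(region)

    # Only ever return a hub DPS is actually permitted to provision to.
    if hub not in linked:
        hub = FALLBACK_HUB if FALLBACK_HUB in linked else sorted(linked)[0]

    enrollment_name = ((request.get("enrollmentGroup") or {}).get("enrollmentGroupId")
                       or (request.get("individualEnrollment") or {}).get("registrationId")
                       or "unknown")
    tags = {
        "region": region if region in REGION_HUB else "unknown",
        "sku": str(payload.get("sku", "unknown"))[:64],  # bound untrusted string length
        "enrollment": enrollment_name,
    }
    return {"iotHubHostName": hub,
            "initialTwin": {"tags": tags, "properties": {"desired": {}}}}


def handle(body_text: str) -> tuple:
    """HTTP-shaped wrapper returning (status, body). Anything but 200 fails the registration."""
    try:
        return 200, json.dumps(allocate(json.loads(body_text)))
    except (ValueError, TypeError) as exc:  # json.JSONDecodeError is a ValueError
        return 400, json.dumps({"error": str(exc)})


if __name__ == "__main__":
    # Constructed sample of the document DPS posts to the function.
    sample = {
        "enrollmentGroup": {"enrollmentGroupId": "eu-toasters", "allocationPolicy": "custom"},
        "deviceRuntimeContext": {"registrationId": "toaster-0001",
                                 "payload": {"region": "EU", "sku": "T100"}},
        "linkedHubs": ["contoso-eu-hub.azure-devices.net", "contoso-us-hub.azure-devices.net"],
    }
    print(handle(json.dumps(sample)))
```

Because a non-200 response makes DPS fail the device's registration, the function deliberately falls back to a linked hub for unexpected payload values and reserves 400 for requests that are structurally unusable; which of the two a given deployment prefers is a policy decision, but in neither case should the device be able to name its own hub.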