Remote access to IoT devices using Azure IoT Hub — Device Streams

Secure end-to-end connections to IoT devices

Industry 4.0 leads to an increasing number of decentralized applications and services, along with the IoT devices they use. Being able to access these devices for support and maintenance tasks is often an essential requirement. The Azure IoT Hub service from Microsoft now offers a simple way of establishing such connections.


What are Azure IoT Hub Device Streams?

Microsoft Azure IoT Hub — Device Streams is a new PaaS service that enables direct access to IoT devices.

Access can be established even if these devices are located behind firewalls or in private networks. The core element is a new streaming endpoint that enables bidirectional TCP tunnels between the service and IoT devices. At the time of writing the service is still in preview.

Overview Azure IoT Hub — Device Streams

IoT Hub acts as a proxy and takes over establishing the communication and securing the data transmission. The connection strings for the IoT device and for the IoT hub's service user form the basis for establishing communication.

Based on these connection strings, authentication takes place and an access token for the new streaming endpoint is generated. Both actions can be implemented using the interfaces provided by the Device SDK and the Service SDK.


Using Device and Service SDK

A device stream session between the service and an IoT device is always initiated by the service. Implementation therefore always starts with the ServiceClient of the Service SDK, using the service connection string. The CreateStreamAsync method starts a connection request to an IoT device, which is specified by its unique device identifier in IoT Hub.

On the other side, the IoT device establishes a connection to the IoT Hub using the DeviceClient of the Device SDK. WaitForDeviceStreamRequestAsync waits for an incoming connection request.

Consider scenarios where unattended device access is not desired and a person has to accept the connection explicitly. For this, the Device SDK offers two additional methods: AcceptDeviceStreamRequestAsync accepts the request, and RejectDeviceStreamRequestAsync denies it.

After establishing the connection to the IoT Hub, the next step is creating a WebSocket connection. It acts as the tunnel between the service and the IoT device. The following code sample shows how to create this WebSocket connection using the access token generated when the device stream request was initiated. This step is the same for the service and the IoT device.

Concerning data exchange, the following points should be highlighted:

  • Only an outgoing connection on port 443 is required
  • Data exchange is always secured using transparent encryption
  • Data exchange follows the rules of TCP/IP, meaning that the reliability and ordering of data packets are guaranteed

With the WebSocket connection to the streaming endpoint established on both sides, a secured end-to-end connection exists. How this can be used to create an SSH connection to an IoT device is explained in the next section.
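The handshake described above on both sides, as an added example (not the article's own code or the GitHub sample): the service requests the stream, the device accepts or rejects it, and each side then opens the WebSocket with its token. Assumed: the preview .NET SDK types named in the article (ServiceClient.CreateStreamAsync, DeviceClient.WaitForDeviceStreamRequestAsync and the accept/reject methods), a Bearer-token Authorization header for the streaming endpoint, and the hypothetical stream name check used to decide whether to accept.

```csharp
using System;
using System.Net.WebSockets;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.Devices;          // Service SDK (Device Streams preview)
using Microsoft.Azure.Devices.Client;   // Device SDK (Device Streams preview)

static class StreamHandshake
{
    // Same on both sides: a WebSocket to the streaming endpoint, authorised with the
    // short-lived token that came with the stream request (assumed header format: Bearer).
    public static async Task<ClientWebSocket> OpenTunnelAsync(Uri url, string token, CancellationToken ct)
    {
        var ws = new ClientWebSocket();
        ws.Options.SetRequestHeader("Authorization", "Bearer " + token);
        await ws.ConnectAsync(url, ct);
        return ws;
    }

    // Service side: the session is always initiated here, addressing the device by its IoT Hub id.
    public static async Task<ClientWebSocket> ServiceSideAsync(ServiceClient service, string deviceId,
                                                               string streamName, CancellationToken ct)
    {
        var request = new Microsoft.Azure.Devices.DeviceStreamRequest(streamName);
        Microsoft.Azure.Devices.DeviceStreamResponse resp = await service.CreateStreamAsync(deviceId, request, ct);
        if (!resp.IsAccepted)
            throw new InvalidOperationException($"device '{deviceId}' rejected stream '{streamName}'");
        return await OpenTunnelAsync(resp.Url, resp.AuthorizationToken, ct);
    }

    // Device side: wait for a request, accept only the stream name this device expects (assumed policy),
    // and reject everything else explicitly; this is where a manual approval step would hook in.
    public static async Task<ClientWebSocket> DeviceSideAsync(DeviceClient device, string expectedName,
                                                              CancellationToken ct)
    {
        Microsoft.Azure.Devices.Client.DeviceStreamRequest req = await device.WaitForDeviceStreamRequestAsync(ct);
        if (req == null)
            return null;                              // cancelled or connection closed, nothing to accept
        if (req.Name != expectedName)
        {
            await device.RejectDeviceStreamRequestAsync(req, ct);
            return null;
        }
        await device.AcceptDeviceStreamRequestAsync(req, ct);
        return await OpenTunnelAsync(req.Url, req.AuthorizationToken, ct);
    }
}
```

The hub relays the tunnel bytes, so running a protocol with its own encryption such as SSH through it keeps the payload protected independently of the transport.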


Establishing an SSH connection

The presented code samples can already be used to exchange data between the service and the IoT device. That can be sufficient if the applications on both sides are accessible and can be modified. But how are maintenance tasks such as log analysis or configuration of the IoT device carried out with a standard application such as SSH?

With Azure IoT Hub Device Streams, this isn't a big problem. Assuming that a connection to the IoT hub has already been established (as explained in the previous section), the following schematic diagram shows the process of creating an SSH connection to an IoT device.

Communication scheme of an SSH connection with Azure IoT Hub — Device Streams

The main building blocks are the service proxy and the device proxy. The service proxy acts as a kind of server and waits for a local SSH connection. The device proxy takes the client's role by establishing a connection to the SSH daemon on the IoT device. Both proxy applications tunnel the traffic between the local instances and the IoT Hub streaming endpoint. In simple terms, this tunneling is a copying process between two streams, as shown in the following example of the device proxy.

The HandleIncomingDataAsync method receives the data traffic arriving at the IoT device and writes it into the stream that handles communication with the SSH daemon. The HandleOutgoingDataAsync method copies the SSH daemon's responses into the WebSocket stream of the IoT hub connection. Afterward, the data is transmitted to the service proxy via IoT hub device streams. Within the service proxy, there is a similar mechanism for copying the data and interacting with the SSH client. The mechanisms shown can also be transferred to other standard TCP applications such as RDP or SCP by adapting the ports.
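The device proxy's two copy loops, as an added example rather than the article's or the GitHub sample's code. It takes the already-open WebSocket from the previous section, connects to the local SSH daemon (host and port are parameters; the usual choice is 127.0.0.1:22), and handles the two ways a session ends: a WebSocket close frame from the hub side, and a zero-byte read meaning sshd closed the socket, either of which stops the other loop too.

```csharp
using System;
using System.Net.Sockets;
using System.Net.WebSockets;
using System.Threading;
using System.Threading.Tasks;

static class DeviceProxy
{
    // Connect to the local SSH daemon and pump bytes both ways until either side closes.
    public static async Task RunAsync(ClientWebSocket tunnel, string localHost, int localPort, CancellationToken ct)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(localHost, localPort);
        using NetworkStream local = tcp.GetStream();
        using var linked = CancellationTokenSource.CreateLinkedTokenSource(ct);
        Task incoming = HandleIncomingDataAsync(local, tunnel, linked.Token);
        Task outgoing = HandleOutgoingDataAsync(local, tunnel, linked.Token);
        await Task.WhenAny(incoming, outgoing);      // the first direction to finish ends the session
        linked.Cancel();                              // stop the other pump instead of leaving it hanging
        try { await Task.WhenAll(incoming, outgoing); }
        catch (Exception) when (linked.IsCancellationRequested) { }
        if (tunnel.State == WebSocketState.Open)
            await tunnel.CloseAsync(WebSocketCloseStatus.NormalClosure, "session ended", CancellationToken.None);
    }

    // IoT Hub -> sshd: each WebSocket frame is written to the local TCP stream as it arrives.
    static async Task HandleIncomingDataAsync(NetworkStream local, ClientWebSocket tunnel, CancellationToken ct)
    {
        var buffer = new byte[16 * 1024];
        while (tunnel.State == WebSocketState.Open)
        {
            WebSocketReceiveResult r = await tunnel.ReceiveAsync(new ArraySegment<byte>(buffer), ct);
            if (r.MessageType == WebSocketMessageType.Close) return;   // remote side hung up
            await local.WriteAsync(buffer, 0, r.Count, ct);
        }
    }

    // sshd -> IoT Hub: a zero-byte read means the daemon closed the socket, so stop instead of spinning.
    static async Task HandleOutgoingDataAsync(NetworkStream local, ClientWebSocket tunnel, CancellationToken ct)
    {
        var buffer = new byte[16 * 1024];
        while (tunnel.State == WebSocketState.Open)
        {
            int n = await local.ReadAsync(buffer, 0, buffer.Length, ct);
            if (n == 0) return;
            await tunnel.SendAsync(new ArraySegment<byte>(buffer, 0, n), WebSocketMessageType.Binary, true, ct);
        }
    }
}
```

The service proxy is the mirror image: it listens on a local port for the SSH client and runs the same two loops against its own WebSocket.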

A full working sample application can be found on GitHub. It covers an SSH connection to an IoT device using Azure IoT Hub — Device Streams. (Example how to work with Azure IoT Hub Device Streams)


Thank you for taking the time to read my article. 😄

If you enjoyed it and want to see more coding-related content then follow me on my social profiles. Don't hesitate to like, comment or share this post. I appreciate any kind of feedback on this article.

