Today I wanted to make a "bite-sized" post to walk you through setting up Azure Sphere with Azure IoT Edge.
As a refresher, Azure Sphere performs device authentication and attestation (described here: Azure Sphere Device Authentication and Attestation Service). If the application manifest's DeviceAuthentication value specifies an Azure Sphere tenant, the device then receives a client authentication certificate that is valid for around a day.
| Field | Description |
| --- | --- |
| DeviceAuthentication | A string that specifies the UUID of the Azure Sphere tenant to use for device authentication. Example: `"DeviceAuthentication": "77304f1f-9530-4157-8598-30bc1f3d66f0"` |
Why is this important? Because the goal here is to use this "high assurance" client certificate to authenticate the Azure Sphere device to the Azure IoT Edge server and pass it telemetry or other data. That gives us a certificate-based authentication method tied to the device's attested identity, as opposed to static hardcoded passwords.
A couple of other things to remember for this demo:
- The Azure Sphere device must be able to communicate with the internet in order to perform DAA (device authentication and attestation), obtain OS updates and carry out other AS3 (Azure Sphere Security Service) communications.
- The Azure Sphere device must also have an explicit entry in its application manifest's AllowedConnections list in order to communicate with the IoT Edge server:

| Field | Description |
| --- | --- |
| AllowedConnections | A list of DNS host names or IP addresses (IPv4) to which the application is allowed to connect. If the application uses an Azure IoT Hub, the list must include the IP address or DNS host name for the hub, typically hub-name.azure-devices.net. Port numbers and wildcard characters in names and IP addresses are not accepted. Example: `"AllowedConnections" : [ "my-hub.example.net", "global.azure-devices-provisioning.net" ]` |
- The Azure Sphere device must be a child of the IoT Edge server
The starting point for the lab is:
- Azure Sphere
  - Device is claimed to a tenant
  - Device is in developer mode
  - Device is connected to Wi-Fi
- IoT Edge
  - IoT Edge runtime is installed and an IoT Edge server is created for a specific IoT Hub
  - The simulated temperature sensor module is deployed to test and confirm basic functionality
With that out of the way, let's take a look at this video for a walkthrough of basic connectivity from Azure Sphere to an IoT Edge server using the Azure Sphere device certificate!
EDIT on 4/5/21 for IoT Edge 1.2 RC4
Please note, the steps outlined are not the same in Edge 1.2 (preview as of 4/2/2021).
Note that you must use an FQDN for 1.2 RC4 (not an IP address).
Place the Azure Sphere tenant CA in trusted_roots.pem and make sure that file is referenced in the new trust_bundle_cert setting:

```toml
trust_bundle_cert = "file:///edge_certs/trusted_roots.pem"
```
For the chain and private key, use the edge_ca section:

```toml
# ==============================================================================
# Edge CA certificate
# ==============================================================================
#
# If you have your own Edge CA certificate that you want all module certificates
# to be issued by, uncomment this section and replace the values with your own.
#
[edge_ca]
cert = "file:///edge_certs/iot-edge-device-ca-spatDeviceCA-full-chain.cert.pem"
pk = "file:///edge_certs/iot-edge-device-ca-spatDeviceCA.key.pem"
```
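As an added example (not code from the original post, nor from Azure Sphere or IoT Edge), here is the check that the trust_bundle_cert setting turns on, written with Go's standard library: does the short-lived client certificate the device presents chain to a tenant CA in trusted_roots.pem, is it within its validity window, and is it marked for client authentication? NewTestChain builds constructed stand-in certificates; every name in it is an assumption, not a real tenant or device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyDeviceCert checks that the PEM client certificate a device presents chains to a CA in
// the trust bundle (the bytes of trusted_roots.pem) and is valid now for client authentication.
func VerifyDeviceCert(bundlePEM, leafPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("trust bundle holds no parsable CERTIFICATE block")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("device cert is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// NewTestChain is constructed test data, not Azure Sphere output: a self-signed "tenant CA"
// and a device cert it issued whose validity ends ttl from now (about a day on a real device).
func NewTestChain(ttl time.Duration) (caPEM, devPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Azure Sphere Tenant CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	dev := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-device-id"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	// Errors are ignored here: with these fixed templates and fresh keys CreateCertificate cannot fail.
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	devDER, _ := x509.CreateCertificate(rand.Reader, dev, ca, devPub, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: devDER})
}
```

On a real Edge host you would feed VerifyDeviceCert the actual trusted_roots.pem and a certificate captured from the device's TLS handshake; a failure here is the same failure the Edge server will report when the device connects.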