Azure IoT Edge is an Internet of Things (IoT) service built on top of IoT Hub that enables edge computing: analyzing data on the devices themselves, at the edge of the network, rather than in the cloud. With edge computing you avoid transferring raw data by carrying out data cleaning, aggregation, and analysis on the device and sending only the resulting insights to the cloud. This reduces traffic and bandwidth costs and gives quicker response times.
Artificial Intelligence on the edge
Azure services such as Azure Functions, Azure Stream Analytics and Azure Machine Learning can all be run on Azure IoT Edge. This means you can deploy AI workloads, including image recognition, machine learning and complex event processing, to your devices without having to write that code in-house.
Azure IoT Edge's components
Azure IoT Edge has three components: IoT Edge modules, the IoT Edge runtime, and a cloud-based interface.
IoT Edge modules
These are containers that run Azure services, third-party services, or your own code. IoT Edge modules are deployed to, and execute locally on, IoT Edge devices, and multiple modules can be configured to communicate with each other. You can package Azure services as modules or develop custom ones. If you want to deploy your own code to your devices, Azure IoT Edge runs on both Linux and Windows and supports modules written in Java, .NET Core 2.0, Node.js, C, and Python.
The IoT Edge runtime
This runs on each IoT Edge device and manages the modules deployed there. It performs a number of functions including monitoring and managing the device and facilitating communications between the modules, the device, other devices, and the cloud. The runtime supports both Linux and Windows operating systems.
Cloud-based interface
This interface allows you to remotely monitor and manage IoT Edge devices. Cloud services allow users to create and configure a workload to be run on a specific type of device, send a workload to a set of devices and monitor workloads running on devices in the field.
Using an IoT edge device as a gateway
There are three patterns for using an IoT Edge device as a gateway:
- transparent
- protocol translation
- identity translation
Transparent
Devices that could connect to IoT Hub directly connect to a gateway device instead, and the gateway relays communications between the devices and IoT Hub. Each downstream device keeps its own IoT Hub identity; neither the devices nor a user interacting with them can tell that the traffic passes through a gateway.
Protocol translation
If a device doesn't support MQTT, AMQP, or HTTP, it sends its data through a gateway device that speaks those protocols to IoT Hub on its behalf. To IoT Hub, everything appears to come from one device, the gateway, so the downstream devices have no identity of their own in the hub and cannot be addressed individually from the cloud. If cloud applications need to analyze the data per device, the gateway must embed additional identifying information in the messages it forwards.
Identity translation
If a device cannot connect to IoT Hub, it connects to a gateway device instead. The gateway understands the protocols used by its downstream devices, provides each of them with an IoT Hub identity, and translates IoT Hub primitives on their behalf, so the downstream devices appear in IoT Hub as first-class devices.
Use cases
All three gateway patterns provide the following benefits:
- Edge analytics – the data coming from downstream devices is processed locally using AI services and only a subset of data is sent to IoT Hub.
- Downstream device isolation – The gateway shields downstream devices from direct exposure to the internet. It can also be placed between an IT network that provides internet access and an OT network that is not connected to the internet.
- Traffic smoothing – If IoT Hub throttles requests, the IoT Edge device automatically retries with exponential backoff, so spikes in traffic are absorbed locally rather than lost.
- Limited offline support – If messages can't be delivered to IoT Hub, the gateway device stores them locally until delivery is possible again.
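Traffic smoothing and limited offline support both come down to the same mechanism: a local store-and-forward queue whose sender backs off exponentially when the hub throttles or is unreachable. The Go program below is an added example written for this page, not code from Azure IoT Edge or the IoT Edge runtime. The `Gateway` type, the simulated hub (which throttles the first three sends), the error values and the sample telemetry are all constructed for illustration; the send and sleep functions are injected so the logic runs offline without a real clock.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Message is one telemetry message buffered by the gateway on behalf of a downstream device.
type Message struct {
	DeviceID string
	Body     string
}

// Errors the simulated IoT Hub transport can return (constructed for this example).
var (
	ErrThrottled = errors.New("iot hub: request throttled")
	ErrOffline   = errors.New("iot hub: unreachable")
)

// Gateway is a minimal store-and-forward buffer with exponential backoff.
type Gateway struct {
	queue    []Message
	maxQueue int
	base     time.Duration // first backoff delay
	maxDelay time.Duration // backoff ceiling
	send     func(Message) error
	sleep    func(time.Duration)
	Dropped  int // messages discarded (queue overflow or poison messages)
}

// Enqueue stores a message locally. When the buffer is full the oldest message is discarded,
// a deliberate choice: fresh telemetry is usually worth more than stale readings.
func (g *Gateway) Enqueue(m Message) {
	if len(g.queue) >= g.maxQueue {
		g.queue = g.queue[1:]
		g.Dropped++
	}
	g.queue = append(g.queue, m)
}

// backoff returns the delay before retry number attempt (0-based): base, 2*base, 4*base ...
// capped at maxDelay. Production code should add random jitter so a fleet of gateways
// does not retry in lockstep.
func backoff(attempt int, base, maxDelay time.Duration) time.Duration {
	d := base << uint(attempt)
	if d <= 0 || d > maxDelay { // d <= 0 guards against shift overflow
		d = maxDelay
	}
	return d
}

// Flush delivers queued messages in order. Throttling and connectivity failures trigger
// backoff and keep the message queued; after maxRetries consecutive failures Flush gives up
// for now and leaves the rest of the queue for a later attempt. Any other error is treated as
// a poison message and dropped so it cannot block the queue forever.
func (g *Gateway) Flush(maxRetries int) (delivered int, err error) {
	retries := 0
	for len(g.queue) > 0 {
		sendErr := g.send(g.queue[0])
		switch {
		case sendErr == nil:
			g.queue = g.queue[1:]
			delivered++
			retries = 0
		case errors.Is(sendErr, ErrThrottled) || errors.Is(sendErr, ErrOffline):
			if retries >= maxRetries {
				return delivered, fmt.Errorf("giving up after %d retries: %w", retries, sendErr)
			}
			g.sleep(backoff(retries, g.base, g.maxDelay))
			retries++
		default:
			g.queue = g.queue[1:]
			g.Dropped++
		}
	}
	return delivered, nil
}

// Pending reports how many messages are still buffered locally.
func (g *Gateway) Pending() int { return len(g.queue) }

// FlushDemo runs the gateway against a constructed hub that throttles the first three sends
// and rejects empty bodies. It returns what was delivered, the backoff delays applied, and drops.
func FlushDemo() (delivered int, delays []time.Duration, dropped int) {
	calls := 0
	hub := func(m Message) error {
		calls++
		if calls <= 3 {
			return ErrThrottled
		}
		if m.Body == "" {
			return errors.New("bad request: empty body")
		}
		return nil
	}
	g := &Gateway{
		maxQueue: 100,
		base:     100 * time.Millisecond,
		maxDelay: 5 * time.Second,
		send:     hub,
		sleep:    func(d time.Duration) { delays = append(delays, d) }, // record instead of sleeping
	}
	// Constructed sample telemetry from two downstream devices; one message is malformed.
	g.Enqueue(Message{"sensor-01", `{"temp":21.5}`})
	g.Enqueue(Message{"sensor-02", ""})
	g.Enqueue(Message{"sensor-01", `{"temp":21.7}`})
	delivered, _ = g.Flush(5)
	return delivered, delays, g.Dropped
}

func main() {
	d, delays, dropped := FlushDemo()
	fmt.Printf("delivered=%d dropped=%d backoff delays=%v\n", d, dropped, delays)
}
```

Running it shows the first message being retried after 100ms, 200ms and 400ms before the hub accepts it, the malformed message being dropped rather than blocking the queue, and the third message going through. The bounded queue and the poison-message rule are the two decisions a real gateway has to make explicitly: an unbounded buffer on a small device is a self-inflicted denial of service, and a single rejected message must not stall everything behind it.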
Devices on the edge produce data, but some of them were not designed with cloud connectivity in mind; protocol-translation (opaque) gateways make it possible for the data they generate to be accessed and used. A gateway that does identity translation goes further and allows downstream devices to be fully managed from the cloud. With the transparent and identity-translation patterns, all your devices show up in IoT Hub; with protocol translation, only the gateway does.
Operating systems
Azure IoT Edge runs on most operating systems that can run containers; however, not all operating systems are equally supported. Operating systems are grouped into tiers depending on the level of support available.
Tier 1
For Tier 1 systems Microsoft:
- Has these operating systems in automated tests
- Provides installation packages for them
Tier 2
Tier 2 systems are generally compatible with Azure IoT Edge and can be used relatively easily, but they do not get the automated testing and installation packages that Tier 1 systems do.
Security
Edge computing means that data and thus value are concentrated on the edge, and not just in the cloud. A device on the edge can also be physically accessed and is thus vulnerable to many types of threats. Therefore, devices on the edge need to be kept as secure as the cloud itself.
Authentication
Azure IoT Edge uses certificate-based authentication. This mechanism is based on the Public Key Infrastructure (PKIX) standards of the Internet Engineering Task Force (IETF).
The Azure IoT Edge security framework requires unique certificate identities for all devices, modules, and actors that interact, either physically or through the network connection, with the Azure IoT Edge device.
Controlling access to resources and data is a fundamental part of security. Devices, modules, and actors are only allowed to access resources and data within their permission scope, and only where the architecture allows it. Further authorization schemes, such as certificate signing rights and role-based access control (RBAC), can be layered on top depending on your needs.
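What "unique certificate identities" and PKIX buy you is shown concretely by the check a gateway or hub performs when a device presents its certificate: the certificate must chain to a trusted CA, be valid for client authentication and unexpired, and its subject must match the identity the device claims. The Go program below is an added example written for this page, not code from Azure IoT Edge, the IoT Edge runtime or IoT Hub. The CA names, the device ID `edge-gw-01`, the `AuthenticateDevice` function and the in-memory key generation are all constructed for illustration; on a real device the private key would live in a TPM or HSM rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key. On a real device the private key stays in a TPM or HSM.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate returns a CA template when isCA is set, otherwise a client-auth leaf
// whose CN carries the device ID, which is the identity the device will claim.
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs template with signer; parent == nil means self-signed (used for the CAs).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// AuthenticateDevice accepts a presented certificate only if it chains to the trusted CA,
// is valid for client authentication and not expired, and its CN matches the identity the
// device claims. Checking the CN alone would let any certificate with a forged name through.
func AuthenticateDevice(presented, trustedCA *x509.Certificate, claimedID string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if presented.Subject.CommonName != claimedID {
		return fmt.Errorf("identity mismatch: certificate is for %q, device claims %q",
			presented.Subject.CommonName, claimedID)
	}
	return nil
}

// AuthDemo issues a device certificate from a trusted CA and an impersonating certificate
// with the same CN from a rogue CA, then returns the three authentication outcomes.
func AuthDemo() (legit, rogue, mismatch error) {
	caKey := newKey()
	ca := issue(certTemplate("Fleet Root CA", 1, true), nil, &caKey.PublicKey, caKey)
	devKey := newKey()
	dev := issue(certTemplate("edge-gw-01", 2, false), ca, &devKey.PublicKey, caKey)
	rogueKey := newKey()
	rogueCA := issue(certTemplate("Rogue CA", 10, true), nil, &rogueKey.PublicKey, rogueKey)
	impKey := newKey()
	imp := issue(certTemplate("edge-gw-01", 11, false), rogueCA, &impKey.PublicKey, rogueKey)

	legit = AuthenticateDevice(dev, ca, "edge-gw-01")    // chains to trusted CA, CN matches
	rogue = AuthenticateDevice(imp, ca, "edge-gw-01")    // right CN, untrusted issuer
	mismatch = AuthenticateDevice(dev, ca, "edge-gw-02") // trusted cert presented for another ID
	return legit, rogue, mismatch
}

func main() {
	legit, rogue, mismatch := AuthDemo()
	fmt.Printf("legitimate: %v\nimpersonator: %v\nwrong identity: %v\n", legit, rogue, mismatch)
}
```

The impersonator case is the one worth internalising: the rogue certificate carries exactly the right device ID, and it is rejected purely because its issuer is not in the trust store. Conversely, a perfectly valid certificate from the fleet CA is still rejected when it is presented for a different identity, which is what keeps one compromised device from speaking for another.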
Attestation
Attestation ensures the integrity of the software running on the device; in Azure IoT Edge it is divided into three main categories.
- Static attestation
- Runtime attestation
- Software attestation
Static attestation
Static attestation is also referred to as secure boot. It verifies the integrity of all software, operating systems, runtimes and configuration information when the device is powered up. Azure IoT Edge's security framework relies on capabilities rooted in hardware to provide static attestation.
Runtime attestation
This is when a system detects malware or unauthorized configuration changes that occur after the boot process and takes countermeasures against them. Some of these attacks are warded off by the device’s hardware; however, extensions are also needed to combat runtime threats.
Software attestation
All systems need patches and upgrades, but the update process itself has to be secured; otherwise it becomes a vector for introducing malware. Azure IoT Edge updates are delivered as measured and signed packages, so that the integrity of a patch or upgrade can be checked and its source authenticated before it is applied, which stops the update channel from becoming a threat vector.
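"Measured and signed" means two distinct checks in a specific order: the package ships with a manifest recording a hash of every file (the measurement), the manifest is signed by the publisher, and the device verifies the signature before it trusts any of the hashes, then compares each file against its recorded measurement. The Go program below is an added example written for this page and is not Azure IoT Edge's update format or code. The `Manifest` layout, the Ed25519 signing, the file names and contents, and the `UpdateDemo` function are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the measurement of an update package: the SHA-256 of every shipped file.
// encoding/json writes map keys in sorted order, so the marshalled bytes are canonical.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignedManifest carries the exact manifest bytes that were signed and the publisher's signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func measure(files map[string][]byte) map[string]string {
	out := make(map[string]string, len(files))
	for path, data := range files {
		sum := sha256.Sum256(data)
		out[path] = hex.EncodeToString(sum[:])
	}
	return out
}

// SignPackage runs on the publisher's side: measure the files, then sign the manifest.
func SignPackage(priv ed25519.PrivateKey, version string, files map[string][]byte) (SignedManifest, error) {
	raw, err := json.Marshal(Manifest{Version: version, Files: measure(files)})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyPackage runs on the device before an update is applied. The signature is checked first,
// so the hashes are trusted only once the publisher is authenticated; then every file must match
// its recorded measurement and no file outside the manifest may be present.
func VerifyPackage(pub ed25519.PublicKey, sm SignedManifest, files map[string][]byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: unknown publisher or tampered manifest")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	got := measure(files)
	for path, want := range m.Files {
		if got[path] != want {
			return Manifest{}, fmt.Errorf("measurement mismatch for %s", path)
		}
	}
	for path := range files {
		if _, listed := m.Files[path]; !listed {
			return Manifest{}, fmt.Errorf("unlisted file %s in package", path)
		}
	}
	return m, nil
}

// UpdateDemo signs a constructed package and returns the verification outcome for the genuine
// package, for a copy with one file altered in transit, and for a package signed by an untrusted key.
func UpdateDemo() (genuine, tampered, rogue error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{ // constructed sample package contents
		"bin/edge-module": []byte("module binary v2"),
		"config.json":     []byte(`{"loglevel":"info"}`),
	}
	sm, err := SignPackage(priv, "2.0.0", files)
	if err != nil {
		panic(err)
	}
	_, genuine = VerifyPackage(pub, sm, files)
	altered := map[string][]byte{
		"bin/edge-module": []byte("module binary v2 + implant"),
		"config.json":     files["config.json"],
	}
	_, tampered = VerifyPackage(pub, sm, altered)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueSM, _ := SignPackage(roguePriv, "2.0.1", files)
	_, rogue = VerifyPackage(pub, rogueSM, files)
	return genuine, tampered, rogue
}

func main() {
	g, t, r := UpdateDemo()
	fmt.Printf("genuine: %v\ntampered: %v\nrogue signer: %v\n", g, t, r)
}
```

Two details carry the security weight. The signature is over the manifest bytes that were actually transmitted, not over a re-serialised copy, so there is no parser ambiguity between what was signed and what is checked. And the unlisted-file check closes the gap a hash-per-file scheme otherwise leaves open: an attacker who cannot alter a signed file can still drop an extra one into the package unless the device refuses anything the manifest does not name.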
Intelligent edge devices are often deployed in places where malicious actors may have access to them. Therefore, the security offered by the device hardware is important. Azure IoT Edge works together with silicon hardware vendors to develop tamper-resistant hardware for a variety of deployment scenarios.
Extensibility
Azure IoT Edge security allows extensibility into different areas, including:
- First party security services like the Device Provisioning Service for Azure IoT Hub.
- Third-party services such as managed security services.
- Legacy systems which need to be retrofitted with alternative security arrangements.
- Secure hardware
In the end, the intelligent edge is best secured by collaborative contributions from an open community driven by a common interest in securing IoT. These contributions might be secure technologies or services. The Azure IoT Edge security framework offers a solid, extensible foundation that aims to give the intelligent edge the same level of trust and integrity as the Azure cloud.