Provisioning devices with Azure IoT Hub Device Provisioning Service

Microsoft Azure provides a rich set of integrated public cloud services for all your IoT solution needs. The IoT Hub Device Provisioning Service is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention, enabling customers to provision millions of devices in a secure and scalable manner.

When to use Device Provisioning Service

There are many provisioning scenarios in which the Device Provisioning Service is an excellent choice for getting devices connected and configured to IoT Hub, such as:

  • Zero-touch provisioning to a single IoT solution without hardcoding IoT Hub connection information at the factory (initial setup)
  • Load balancing devices across multiple hubs
  • Connecting devices to their owner’s IoT solution based on sales transaction data (multitenancy)
  • Connecting devices to a particular IoT solution depending on use case (solution isolation)
  • Connecting a device to the IoT hub with the lowest latency (geo-sharding)
  • Reprovisioning based on a change in the device
  • Rolling the keys used by the device to connect to IoT Hub (when not using X.509 certificates to connect)

Behind the scenes

All the scenarios listed in the previous section can be done using the provisioning service for zero-touch provisioning with the same flow. Many of the manual steps traditionally involved in provisioning are automated with the Device Provisioning Service to reduce the time to deploy IoT devices and lower the risk of manual error. The following section describes what goes on behind the scenes to get a device provisioned. The first step is manual; all of the following steps are automated.

Basic provisioning flow

  1. The device manufacturer adds the device registration information to the enrollment list in the Azure portal.
  2. The device contacts the provisioning service endpoint set at the factory. The device passes its identifying information to the provisioning service to prove its identity.
  3. The provisioning service validates the identity of the device by validating the registration ID and key against the enrollment list entry, using either a nonce challenge (Trusted Platform Module) or standard X.509 verification (X.509).
  4. The provisioning service registers the device with an IoT hub and populates the device's desired twin state.
  5. The IoT hub returns device ID information to the provisioning service.
  6. The provisioning service returns the IoT hub connection information to the device. The device can now start sending data directly to the IoT hub.
  7. The device connects to the IoT hub.
  8. The device gets its desired state from its device twin in the IoT hub.
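The eight steps above, modelled as a small offline simulation. This is an added illustration and not Microsoft's code or the Azure IoT SDK: the TPM nonce challenge is stood in for by an HMAC-SHA256 proof over a per-device secret (a real TPM signs the nonce with its endorsement key), the "lowest latency" allocation stands in for the service's real allocation policies, and the hub names, latencies, key and twin values are constructed sample data. What the model does preserve is the security shape of the flow: nothing is registered unless the proof matches the enrollment entry, each nonce is single use, and the device learns its hub only after attestation succeeds.

```python
"""Simplified, offline model of the eight-step provisioning flow above.

Added illustration only: not Microsoft's code or the Azure IoT SDK.
Assumptions: HMAC-SHA256 over a per-device secret stands in for the TPM
nonce challenge; the device ID defaults to the registration ID; hubs,
latencies, keys and twin values are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Enrollment:
    """One enrollment-list entry (step 1): who may register and how to set them up."""
    registration_id: str
    attestation_key: bytes      # stand-in for the TPM endorsement key / X.509 identity
    desired_twin: dict          # desired device-twin state pushed on registration
    hub_candidates: list        # linked IoT hubs this device may be assigned to


class ProvisioningService:
    def __init__(self, enrollments, hub_latency_ms):
        self.enrollments = {e.registration_id: e for e in enrollments}
        self.hub_latency_ms = hub_latency_ms     # constructed: hub name -> latency in ms
        self.pending_nonces = {}                 # outstanding challenges per registration ID
        self.hub_registry = {}                   # hub name -> {device_id: desired twin}

    def challenge(self, registration_id):
        """Steps 2-3: the device announces itself; the service answers with a fresh nonce."""
        if registration_id not in self.enrollments:
            raise PermissionError(f"{registration_id} is not in the enrollment list")
        nonce = secrets.token_bytes(32)
        self.pending_nonces[registration_id] = nonce
        return nonce

    def register(self, registration_id, proof):
        """Steps 3-6: verify the proof, pick a hub, create the identity, return connection info."""
        nonce = self.pending_nonces.pop(registration_id, None)   # single use: no replay
        if nonce is None:
            raise PermissionError("no outstanding challenge for this registration ID")
        entry = self.enrollments[registration_id]
        expected = hmac.new(entry.attestation_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("attestation failed: proof does not match enrollment")
        # Step 4: allocate to the lowest-latency candidate hub (geo-sharding)
        # and populate the desired twin in that hub.
        hub = min(entry.hub_candidates, key=lambda h: self.hub_latency_ms[h])
        device_id = registration_id   # assumption: device ID defaults to the registration ID
        self.hub_registry.setdefault(hub, {})[device_id] = dict(entry.desired_twin)
        # Steps 5-6: the hub returns the identity; the service hands the device its hub.
        return {"assigned_hub": hub, "device_id": device_id}

    def desired_twin(self, hub, device_id):
        """Step 8: the device reads its desired state from the hub it was assigned to."""
        return self.hub_registry[hub][device_id]


class Device:
    """Device programmed at the factory with only the provisioning endpoint and its key."""
    def __init__(self, registration_id, attestation_key):
        self.registration_id = registration_id
        self._key = attestation_key

    def prove(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def provision(device, service):
    """Run the whole flow for one device; return hub, device ID and desired twin."""
    nonce = service.challenge(device.registration_id)
    info = service.register(device.registration_id, device.prove(nonce))  # step 7: connect
    info["desired_twin"] = service.desired_twin(info["assigned_hub"], info["device_id"])
    return info


# Constructed sample data for the demo.
DEMO_KEY = b"demo-secret-for-sensor-001"
DEMO_HUBS = {"hub-eastus": 80, "hub-westeurope": 20}


def build_demo_service():
    return ProvisioningService(
        [Enrollment("sensor-001", DEMO_KEY, {"telemetryIntervalSec": 60}, list(DEMO_HUBS))],
        DEMO_HUBS,
    )


if __name__ == "__main__":
    print(provision(Device("sensor-001", DEMO_KEY), build_demo_service()))
```

A device with the wrong key, or one that is not on the enrollment list, is rejected before any hub identity is created, which is the property the enrollment list is there to enforce.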

Provisioning process

There are two distinct steps in the deployment process of a device in which the Device Provisioning Service takes part, and they can be done independently:

  • The manufacturing step, in which the device is created and prepared at the factory, and
  • The cloud setup step, in which the Device Provisioning Service is configured for automated provisioning.

Both of these steps fit in seamlessly with existing manufacturing and deployment processes. The Device Provisioning Service even simplifies some deployment processes that involve a lot of manual work to get connection information onto the device.

Manufacturing step

This step is all about what happens on the manufacturing line. The roles involved in this step include the silicon designer, the silicon manufacturer, the integrator and/or the end manufacturer of the device. This step is concerned with creating the hardware itself.

The Device Provisioning Service does not introduce a new step in the manufacturing process; rather, it ties into the existing step that installs the initial software and (ideally) the HSM on the device. Instead of creating a device ID in this step, the device is programmed with the provisioning service information, enabling it to call the provisioning service to get its connection info and IoT solution assignment when it is switched on.

Also in this step, the manufacturer supplies the device deployer/operator with identifying key information. Supplying that information could be as simple as confirming that all devices have an X.509 certificate generated from a signing certificate provided by the device deployer/operator, or as complicated as extracting the public portion of a TPM endorsement key from each TPM device. These services are offered by many silicon manufacturers today.

Cloud setup step

This step is about configuring the cloud for proper automatic provisioning. Generally there are two types of users involved in the cloud setup step: someone who knows how devices need to be initially set up (a device operator), and someone else who knows how devices are to be split among the IoT hubs (a solution operator).

There is a one-time initial setup of the provisioning that must occur, which is usually handled by the solution operator. Once the provisioning service is configured, it does not have to be modified unless the use case changes.

After the service has been configured for automatic provisioning, it must be prepared to enroll devices. This step is done by the device operator, who knows the desired configuration of the device(s) and is in charge of making sure the provisioning service can properly attest to the device's identity when it comes looking for its IoT hub. The device operator takes the identifying key information from the manufacturer and adds it to the enrollment list. There can be subsequent updates to the enrollment list as new entries are added or existing entries are updated with the latest information about the devices.

Registration and provisioning

Provisioning means various things depending on the industry in which the term is used. In the context of provisioning IoT devices to their cloud solution, provisioning is a two-part process:

  1. The first part is establishing the initial connection between the device and the IoT solution by registering the device.
  2. The second part is applying the proper configuration to the device based on the specific requirements of the solution it was registered to.

Once both of those steps have been completed, we can say that the device has been fully provisioned. Some cloud services only provide the first step of the provisioning process, registering devices to the IoT solution endpoint, but do not provide the initial configuration. The Device Provisioning Service automates both steps to provide a seamless provisioning experience for the device.

Features of the Device Provisioning Service

The Device Provisioning Service has many features, making it ideal for provisioning devices.

  • Secure attestation support for both X.509 and TPM-based identities.
  • Enrollment list containing the complete record of devices/groups of devices that may at some point register. The enrollment list contains information about the desired configuration of the device once it registers, and it can be updated at any time.
  • Multiple allocation policies to control how the Device Provisioning Service assigns devices to IoT hubs in support of your scenarios.
  • Monitoring and diagnostics logging to make sure everything is working properly.
  • Multi-hub support allows the Device Provisioning Service to assign devices to more than one IoT hub. The Device Provisioning Service can talk to hubs across multiple Azure subscriptions.
  • Cross-region support allows the Device Provisioning Service to assign devices to IoT hubs in other regions.

You can learn more about the concepts and features involved in device provisioning in device concepts, service concepts, and security concepts.

Cross-platform support

The Device Provisioning Service, like all Azure IoT services, works cross-platform with a variety of operating systems. Azure offers open-source SDKs in a variety of languages to facilitate connecting devices and managing the service. The Device Provisioning Service supports the following protocols for connecting devices:

  • HTTPS
  • AMQP
  • AMQP over web sockets
  • MQTT
  • MQTT over web sockets

The Device Provisioning Service only supports HTTPS connections for service operations.

Regions

The Device Provisioning Service is available in many regions. You can check availability of the Device Provisioning Service on the Azure Status page.

Note

The Device Provisioning Service is global and not bound to a location. However, you must specify a region in which the metadata associated with your Device Provisioning Service profile will reside.

Availability

There is a 99.9% Service Level Agreement for the Device Provisioning Service, and you can read the SLA. The full Azure SLA explains the guaranteed availability of Azure as a whole.

Quotas

Each Azure subscription has default quota limits in place that could impact the scope of your IoT solution. The current limit on a per-subscription basis is 10 Device Provisioning Services per subscription.

The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.

Resource                                                      Limit
Maximum device provisioning services per Azure subscription   10
Maximum number of enrollments                                 1,000,000
Maximum number of registrations                               1,000,000
Maximum number of enrollment groups                           100
Maximum number of CAs                                         25
Maximum number of linked IoT hubs                             10
Maximum size of message                                       96 KB

Note

To increase the number of instances in your subscription, contact Azure Support.

Note

To increase the number of enrollments and registrations on your provisioning service, contact Azure Support.

The Device Provisioning Service throttles requests when the following quotas are exceeded.

Throttle                    Per-unit value
Operations                  200/min/service
Device registrations        200/min/service
Device polling operation    5/10 sec/device

For more details on quota limits:

The Device Provisioning Service automates device provisioning with Azure IoT Hub. Learn more about IoT Hub.

Next steps

You now have an overview of provisioning IoT devices in Azure. The next step is to try out an end-to-end IoT scenario.