Provisioning devices with Azure IoT Hub Device Provisioning Service

Microsoft Azure provides a rich set of integrated public cloud services for all your IoT solution needs. The IoT Hub Device Provisioning Service (DPS) is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention. DPS enables the provisioning of millions of devices in a secure and scalable manner.

When to use Device Provisioning Service

There are many provisioning scenarios in which DPS is an excellent choice for getting devices connected and configured to IoT Hub, such as:

  • Zero-touch provisioning to a single IoT solution without hardcoding IoT Hub connection information at the factory (initial setup)
  • Load-balancing devices across multiple hubs
  • Connecting devices to their owner's IoT solution based on sales transaction data (multitenancy)
  • Connecting devices to a particular IoT solution depending on use case (solution isolation)
  • Connecting a device to the IoT hub with the lowest latency (geo-sharding)
  • Reprovisioning based on a change in the device
  • Rolling the keys the device uses to connect to IoT Hub (when not using X.509 certificates to connect)

Behind the scenes

All the scenarios listed in the previous section can be handled by DPS for zero-touch provisioning with the same flow. Many of the manual steps traditionally involved in provisioning are automated with DPS, which reduces the time to deploy IoT devices and lowers the risk of manual error. The following section describes what goes on behind the scenes to get a device provisioned. The first step is manual; all of the following steps are automated.

Basic provisioning flow

  1. The device manufacturer adds the device registration information to the enrollment list in the Azure portal.
  2. The device contacts the DPS endpoint set at the factory. The device passes its identifying information to DPS to prove its identity.
  3. DPS validates the identity of the device by checking the registration ID and key against the enrollment list entry, using either a nonce challenge (Trusted Platform Module) or standard X.509 verification (X.509).
  4. DPS registers the device with an IoT hub and populates the device's desired twin state.
  5. The IoT hub returns device ID information to DPS.
  6. DPS returns the IoT hub connection information to the device. The device can now start sending data directly to the IoT hub.
  7. The device connects to the IoT hub.
  8. The device gets its desired state from its device twin in the IoT hub.
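
The eight steps above as a runnable, offline model. This is an added example, not code from the DPS documentation or the Azure SDKs. The device side builds a registration SAS token in the format the DPS device REST API accepts for symmetric-key attestation (the page lists TPM and X.509 attestation; an HMAC-based token is used here so the example runs on the Python standard library alone), calls register, and polls the operation until a hub is assigned. The service side is an in-memory stand-in (FakeDps) holding the enrollment list and the linked hubs; the ID scope, device key, hub hostnames and enrollment entries are constructed for the example, and the round-robin hub choice stands in for the allocation policy. Note how the service recomputes the token from the enrolled key and compares it in constant time, and how the device honours Retry-After and bounds its polling.

```python
# Offline model of the DPS registration exchange (added example, not the real service or SDK).
import base64
import hashlib
import hmac
import urllib.parse
import uuid

API_VERSION = "2019-03-31"  # DPS device REST API version; informational only in this offline model
ID_SCOPE = "0ne00000000"    # hypothetical ID scope; the real value is programmed into the device at the factory
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real device secret").decode()


def build_registration_sas(id_scope, registration_id, device_key_b64, expiry):
    """Registration SAS token in the form DPS accepts for symmetric-key attestation:
    sr = {idScope}/registrations/{registrationId} (URL-encoded), se = expiry (unix seconds),
    sig = base64(HMAC-SHA256(key, sr + "\\n" + expiry)), skn = "registration"."""
    sr = urllib.parse.quote(f"{id_scope}/registrations/{registration_id}", safe="")
    key = base64.b64decode(device_key_b64)
    sig = base64.b64encode(hmac.new(key, f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()).decode()
    return f"SharedAccessSignature sr={sr}&sig={urllib.parse.quote(sig, safe='')}&se={expiry}&skn=registration"


class FakeDps:
    """In-memory stand-in for the service side (steps 3 to 6). Not the real DPS."""

    def __init__(self, id_scope, enrollments, linked_hubs):
        self.id_scope = id_scope
        self.enrollments = enrollments          # registration_id -> {"key": b64, "initial_twin": {...}, "hub": optional}
        self.linked_hubs = linked_hubs          # hub hostnames; round-robin below stands in for the allocation policy
        self.hubs = {h: {} for h in linked_hubs}  # hub -> {device_id: desired twin}: the IoT hub identity registries
        self.operations = {}

    def _token_valid(self, registration_id, token, now):
        # Step 3: rebuild the token from the enrolled key and compare in constant time; reject expired tokens.
        try:
            fields = dict(f.split("=", 1) for f in token[len("SharedAccessSignature "):].split("&"))
            expiry = int(fields["se"])
        except (KeyError, ValueError):
            return False
        if expiry <= now:
            return False
        expected = build_registration_sas(self.id_scope, registration_id, self.enrollments[registration_id]["key"], expiry)
        return hmac.compare_digest(expected.encode(), token.encode())

    def register(self, registration_id, token, body, now):
        """PUT /{idScope}/registrations/{registrationId}/register -> (status, headers, body)."""
        if registration_id not in self.enrollments:
            return 404, {}, {"message": "registration not found in enrollment list"}
        if body.get("registrationId") != registration_id or not self._token_valid(registration_id, token, now):
            return 401, {}, {"message": "unauthorized"}
        enrollment = self.enrollments[registration_id]
        hub = enrollment.get("hub") or self.linked_hubs[sum(len(r) for r in self.hubs.values()) % len(self.linked_hubs)]
        if hub not in self.hubs:
            return 400, {}, {"message": "enrollment names a hub that is not linked to this DPS"}
        # Steps 4 and 5: create the device identity in the chosen hub and seed its desired twin.
        self.hubs[hub][registration_id] = dict(enrollment.get("initial_twin", {}))
        op_id = str(uuid.uuid4())
        self.operations[(registration_id, op_id)] = {
            "operationId": op_id, "status": "assigned",
            "registrationState": {"registrationId": registration_id, "assignedHub": hub,
                                  "deviceId": registration_id, "status": "assigned"}}
        return 202, {"Retry-After": "2"}, {"operationId": op_id, "status": "assigning"}

    def operation_status(self, registration_id, operation_id):
        """GET /{idScope}/registrations/{registrationId}/operations/{operationId}."""
        op = self.operations.get((registration_id, operation_id))
        return (200, {}, op) if op else (404, {}, {"message": "operation not found"})


def provision(dps, id_scope, registration_id, device_key_b64, now, sleep=lambda seconds: None):
    """Device side (steps 2, 6, 7, 8): register, poll honouring Retry-After, then read the twin."""
    token = build_registration_sas(id_scope, registration_id, device_key_b64, now + 3600)
    status, headers, body = dps.register(registration_id, token, {"registrationId": registration_id}, now)
    if status != 202:
        raise PermissionError(f"DPS rejected registration: {status} {body.get('message')}")
    op_id = body["operationId"]
    for _ in range(10):  # bounded polling: DPS throttles per-device polling, so never spin
        sleep(int(headers.get("Retry-After", "2")))
        status, headers, body = dps.operation_status(registration_id, op_id)
        if status == 200 and body["status"] == "assigned":
            state = body["registrationState"]
            # Step 8: the device would connect to assignedHub and read its twin; the fake registry stands in.
            return state["assignedHub"], state["deviceId"], dps.hubs[state["assignedHub"]][state["deviceId"]]
    raise TimeoutError("DPS did not assign a hub")


def demo():
    """Constructed enrollment list: one device pinned to a hub, one left to the allocation stand-in."""
    enrollments = {
        "device-0001": {"key": DEMO_KEY, "initial_twin": {"telemetryIntervalSec": 60}, "hub": "hub-west.example.net"},
        "device-0002": {"key": DEMO_KEY, "initial_twin": {"telemetryIntervalSec": 5}},
    }
    return FakeDps(ID_SCOPE, enrollments, ["hub-east.example.net", "hub-west.example.net"])


if __name__ == "__main__":
    print(provision(demo(), ID_SCOPE, "device-0001", DEMO_KEY, 1_700_000_000))
```

The real device never holds hub credentials before this exchange: the only secrets programmed at the factory are the ID scope, the global DPS endpoint and the attestation material, which is what makes the flow zero-touch.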

Provisioning process

DPS takes part in two distinct steps of a device's deployment, and the two can be done independently:

  • The manufacturing step, in which the device is created and prepared at the factory, and
  • The cloud setup step, in which the Device Provisioning Service is configured for automated provisioning.

Both steps fit seamlessly into existing manufacturing and deployment processes. DPS even simplifies some deployment processes that otherwise involve manual work to get connection information onto the device.

Manufacturing step

This step is all about what happens on the manufacturing line. The roles involved in this step include the silicon designer, the silicon manufacturer, the integrator and/or the end manufacturer of the device. This step is concerned with creating the hardware itself.

DPS does not introduce a new step in the manufacturing process; rather, it ties into the existing step that installs the initial software and (ideally) the HSM on the device. Instead of creating a device ID in this step, the device is programmed with the provisioning service information, so that when it is switched on it can call the provisioning service to get its connection information and IoT solution assignment.

Also in this step, the manufacturer supplies the device deployer/operator with identifying key information. Supplying that information can be as simple as confirming that all devices have an X.509 certificate issued from a signing certificate provided by the device deployer/operator, or as involved as extracting the public portion of the TPM endorsement key from each TPM device. These services are offered by many silicon manufacturers today.

Cloud setup step

This step is about configuring the cloud for proper automatic provisioning. Generally two types of users are involved in the cloud setup step: someone who knows how devices need to be initially set up (a device operator), and someone else who knows how devices are to be split among the IoT hubs (a solution operator).

There is a one-time initial setup of the provisioning service that must occur, which is usually handled by the solution operator. Once the provisioning service is configured, it does not have to be modified unless the use case changes.

After the service has been configured for automatic provisioning, it must be prepared to enroll devices. This step is done by the device operator, who knows the desired configuration of the device(s) and is in charge of making sure the provisioning service can properly attest to the device's identity when it comes looking for its IoT hub. The device operator takes the identifying key information from the manufacturer and adds it to the enrollment list. The enrollment list can be updated later as new entries are added or existing entries are refreshed with the latest information about the devices.

Registration and provisioning

Provisioning means various things depending on the industry in which the term is used. In the context of provisioning IoT devices to their cloud solution, provisioning is a two-part process:

  1. The first part is establishing the initial connection between the device and the IoT solution by registering the device.
  2. The second part is applying the proper configuration to the device based on the specific requirements of the solution it was registered to.

Only once both of those steps have been completed can we say that the device has been fully provisioned. Some cloud services only provide the first step of the provisioning process, registering devices to the IoT solution endpoint, but do not provide the initial configuration. DPS automates both steps to provide a seamless provisioning experience for the device.

Features of the Device Provisioning Service

DPS has many features that make it well suited to provisioning devices.

  • Secure attestation support for both X.509 and TPM-based identities.
  • An enrollment list containing the complete record of devices, or groups of devices, that may at some point register. The enrollment list contains information about the desired configuration of a device once it registers, and it can be updated at any time.
  • Multiple allocation policies to control how DPS assigns devices to IoT hubs in support of your scenarios: lowest latency, evenly weighted distribution (the default), and static configuration via the enrollment list. Latency is determined using the same method as Traffic Manager.
  • Monitoring and diagnostics logging to make sure everything is working properly.
  • Multi-hub support, which allows DPS to assign devices to more than one IoT hub. DPS can talk to hubs across multiple Azure subscriptions.
  • Cross-region support, which allows DPS to assign devices to IoT hubs in other regions.
  • Encryption for data at rest, which allows data in DPS to be encrypted and decrypted transparently using 256-bit AES, one of the strongest block ciphers available and FIPS 140-2 compliant.
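
The three allocation policies named above, modelled in Python as an added example; this is not the service's implementation. DPS does not publish its allocation algorithm, so the evenly weighted distribution here is an assumption (pick the hub with the lowest assigned-count-to-weight ratio, which makes each hub's long-run share proportional to its allocation weight), the latency map stands in for the Traffic Manager measurement, and the policy strings, hub names and the optional per-enrollment hub list are the example's own. The failure modes a practitioner hits in practice are handled explicitly: a static enrollment that names a hub not linked to the instance, a latency policy with no measurements, and an instance with no linked hubs at all.

```python
# Allocation-policy model for a DPS instance with several linked hubs (added example, assumed algorithm).
from dataclasses import dataclass


@dataclass
class LinkedHub:
    hostname: str
    region: str
    allocation_weight: int = 1   # higher weight -> larger share under evenly weighted distribution
    assigned: int = 0            # devices already placed on this hub by this DPS instance

    def __post_init__(self):
        if self.allocation_weight < 1:
            raise ValueError("allocation weight must be a positive integer")


class AllocationError(ValueError):
    """Raised when no hub can be chosen under the requested policy."""


def assign_hub(policy, linked_hubs, enrollment=None, latency_ms=None):
    """Return the LinkedHub a device should be assigned to and record the assignment.

    policy: "static" (hub named by enrollment["hub"]), "lowest-latency" (needs latency_ms:
    hostname -> measured latency, standing in for the Traffic Manager measurement), or
    "evenly-weighted". An enrollment may carry a "hubs" list that narrows the candidate set.
    The policy strings and the enrollment keys are this example's own names."""
    if not linked_hubs:
        raise AllocationError("this DPS instance has no linked IoT hubs")
    candidates = list(linked_hubs)
    if enrollment and enrollment.get("hubs"):
        candidates = [h for h in candidates if h.hostname in enrollment["hubs"]]
        if not candidates:
            raise AllocationError("enrollment names only hubs that are not linked to this DPS")
    if policy == "static":
        wanted = (enrollment or {}).get("hub")
        for hub in candidates:
            if hub.hostname == wanted:
                hub.assigned += 1
                return hub
        raise AllocationError(f"static policy, but enrollment hub {wanted!r} is not a linked hub")
    if policy == "lowest-latency":
        if not latency_ms:
            raise AllocationError("lowest-latency policy needs latency measurements")
        measured = [h for h in candidates if h.hostname in latency_ms]
        if not measured:
            raise AllocationError("no latency data for any candidate hub")
        best = min(latency_ms[h.hostname] for h in measured)
        candidates = [h for h in measured if latency_ms[h.hostname] == best]
        # fall through: a latency tie is broken by weighted share
    elif policy != "evenly-weighted":
        raise AllocationError(f"unknown allocation policy {policy!r}")
    # Evenly weighted distribution (assumed algorithm): lowest assigned/weight ratio wins; ties by hostname.
    chosen = min(candidates, key=lambda h: (h.assigned / h.allocation_weight, h.hostname))
    chosen.assigned += 1
    return chosen


def simulate(policy, linked_hubs, n_devices, **kwargs):
    """Assign n devices under one policy and return the per-hub counts (hostname -> assigned)."""
    for _ in range(n_devices):
        assign_hub(policy, linked_hubs, **kwargs)
    return {h.hostname: h.assigned for h in linked_hubs}


if __name__ == "__main__":
    # Constructed hubs: weight 3 in one region, weight 1 in another.
    fleet = [LinkedHub("hub-a.example.net", "eastus", 3), LinkedHub("hub-b.example.net", "westeurope", 1)]
    print(simulate("evenly-weighted", fleet, 8))
```

Because allocation happens once at registration, a hub that is later removed from the linked set does not affect devices already assigned to it; reprovisioning (listed under the scenarios above) is what moves them.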

You can learn more about the concepts and features involved in device provisioning in the device concepts, service concepts, and security concepts articles.

Cross-platform support

Just like all Azure IoT services, DPS works cross-platform with a variety of operating systems. Azure offers open-source SDKs in a variety of languages to facilitate connecting devices and managing the service. DPS supports the following protocols for connecting devices:

  • HTTPS
  • AMQP
  • AMQP over WebSockets
  • MQTT
  • MQTT over WebSockets

DPS only supports HTTPS connections for service operations.

Regions

DPS is available in many regions. The updated list of existing and newly announced regions for all services is at Azure Regions. You can check availability of the Device Provisioning Service on the Azure Status page.

Note

DPS is global and not bound to a location. However, you must specify a region in which the metadata associated with your DPS profile will reside.

Availability

There is a 99.9% Service Level Agreement for DPS, and you can read the SLA. The full Azure SLA explains the guaranteed availability of Azure as a whole.

Quotas

Each Azure subscription has default quota limits in place that could impact the scope of your IoT solution. The current per-subscription limit is 10 Device Provisioning Services per subscription.

The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.

Resource                                                      Limit
Maximum device provisioning services per Azure subscription   10
Maximum number of enrollments                                 1,000,000
Maximum number of registrations                               1,000,000
Maximum number of enrollment groups                           100
Maximum number of CAs                                         25
Maximum number of linked IoT hubs                             50
Maximum size of message                                       96 KB

Note

To increase the number of enrollments and registrations on your provisioning service, contact Azure Support.

Note

Increasing the maximum number of CAs is not supported.

The Device Provisioning Service throttles requests when the following quotas are exceeded.

Throttle                    Per-unit value
Operations                  200 per minute per service
Device registrations        200 per minute per service
Device polling operation    5 per 10 seconds per device

For more details on quota limits:

DPS automates device provisioning with Azure IoT Hub. Learn more about IoT Hub.

Next steps

You now have an overview of provisioning IoT devices in Azure. The next step is to try out an end-to-end IoT scenario.