Configure an IoT Edge device to act as a transparent gateway

This article provides detailed instructions for configuring an IoT Edge device to function as a transparent gateway that other devices use to communicate with IoT Hub. The term IoT Edge gateway is used throughout to refer to an IoT Edge device configured as a transparent gateway. For more information, see How an IoT Edge device can be used as a gateway.

Note

Currently:

  • Edge-enabled devices can't connect to IoT Edge gateways.
  • Downstream devices can't use file upload.

There are three general steps to set up a successful transparent gateway connection. This article covers the first step:

  1. Configure the gateway device as a server so that downstream devices can connect to it securely. Set up the gateway to receive messages from downstream devices and route them to the proper destination.
  2. Create a device identity for the downstream device so that it can authenticate with IoT Hub. Configure the downstream device to send messages through the gateway device. For more information, see Authenticate a downstream device to Azure IoT Hub.
  3. Connect the downstream device to the gateway device and start sending messages. For more information, see Connect a downstream device to an Azure IoT Edge gateway.

For a device to function as a gateway, it needs to be able to connect securely to its downstream devices. Azure IoT Edge lets you use a public key infrastructure (PKI) to set up secure connections between devices. In this case, a downstream device connects to an IoT Edge device acting as a transparent gateway. To maintain reasonable security, the downstream device must verify the identity of the gateway device before it sends anything. This identity check prevents your devices from connecting to a potentially malicious gateway that impersonates the real one.

A downstream device in a transparent gateway scenario can be any application or platform that has an identity created with the Azure IoT Hub cloud service. In many cases, these applications use the Azure IoT device SDK. For all practical purposes, a downstream device could even be an application running on the IoT Edge gateway device itself. However, an IoT Edge device cannot be downstream of an IoT Edge gateway.

You can create any certificate infrastructure that establishes the trust your device-gateway topology requires. This article assumes the same certificate setup you would use to enable X.509 CA security in IoT Hub: an X.509 CA certificate associated with a specific IoT hub (the IoT hub root CA), a series of certificates signed by that CA, and a CA certificate for the IoT Edge device.

Note

The term root CA certificate used throughout these articles refers to the topmost authority public certificate of the PKI certificate chain, and not necessarily the certificate root of a syndicated certificate authority. In many cases, it is actually an intermediate CA public certificate.

The following steps walk you through the process of creating the certificates and installing them in the right places on the gateway. You can use any machine to generate the certificates, and then copy them over to your IoT Edge device.

Prerequisites

A Linux or Windows device with IoT Edge installed.

Set up the device CA certificate

All IoT Edge gateways need a device CA certificate installed on them. The IoT Edge security daemon uses the IoT Edge device CA certificate to sign a workload CA certificate, which in turn signs a server certificate for IoT Edge hub. The gateway presents its server certificate to the downstream device when the connection is initiated. The downstream device checks that the server certificate is part of a certificate chain that rolls up to the root CA certificate. This process allows the downstream device to confirm that the gateway comes from a trusted source. For more information, see Understand how Azure IoT Edge uses certificates.

Gateway certificate setup

The root CA certificate and the device CA certificate (with its private key) need to be present on the IoT Edge gateway device and configured in the IoT Edge config.yaml file. Remember that in this case root CA certificate means the topmost certificate authority for this IoT Edge scenario. The gateway device CA certificate and the downstream device certificates need to roll up to the same root CA certificate.

Tip

The process of installing the root CA certificate and device CA certificate on an IoT Edge device is also explained in more detail in Manage certificates on an IoT Edge device.

Have the following files ready:

  • Root CA certificate
  • Device CA certificate
  • Device CA private key

For production scenarios, you should generate these files with your own certificate authority. For development and test scenarios, you can use demo certificates.

  1. If you're using demo certificates, use the following set of steps to create your files:

    1. Create root CA certificate. At the end of these instructions, you'll have a root CA certificate file:

      • <path>/certs/azure-iot-test-only.root.ca.cert.pem
    2. Create IoT Edge device CA certificate. At the end of these instructions you'll have two files, a device CA certificate and its private key:

      • <path>/certs/iot-edge-device-<cert name>-full-chain.cert.pem and
      • <path>/private/iot-edge-device-<cert name>.key.pem
  2. If you created these files on a different machine, copy them over to your IoT Edge device. Move the private key over a protected channel and keep its file permissions restrictive: anyone holding it can issue server certificates that your downstream devices will trust.

  3. On your IoT Edge device, open the security daemon config file.

    • Windows: C:\ProgramData\iotedge\config.yaml
    • Linux: /etc/iotedge/config.yaml
  4. Find the certificates section of the file and provide the file URIs to your three files as values for the following properties. The IoT Edge daemon must be able to read all three files at the paths you give.

    • device_ca_cert: device CA certificate
    • device_ca_pk: device CA private key
    • trusted_ca_certs: root CA certificate
  5. Save and close the file.

  6. Restart IoT Edge.

    • Windows: Restart-Service iotedge
    • Linux: sudo systemctl restart iotedge
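The following shell script is an added example; it is not part of the original article or of the Azure demo certificate scripts the article refers to. It builds a throw-away PKI with openssl (a root CA and a device CA issued by it, plus an unrelated "rogue" root), runs the same chain check a downstream device performs on the gateway's server certificate, showing both the accepted and the rejected case, and writes the three certificates entries into a config.yaml in the shape described in the steps above. The file names, the directory layout, the subject names and the 30-day validity are assumptions.

```sh
#!/bin/sh
# Added example, not from the IoT Edge article or the Azure demo scripts it
# cites: build a throw-away PKI with openssl, run the chain check a downstream
# device makes on the gateway's server certificate, and write the certificates
# section of config.yaml. Names, paths and the 30-day validity are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# make_demo_pki DIR: create a root CA plus a device CA issued by it, twice
# ("good" and "rogue"), so the trust check has something to reject.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/private"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$dir/ca.ext"
  for name in good rogue; do
    root="$dir/certs/$name.root.ca.cert.pem"
    rootkey="$dir/private/$name.root.ca.key.pem"
    # self-signed root CA: the topmost authority of this scenario
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name root CA" \
      -keyout "$rootkey" -out "$dir/$name.root.csr.pem" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/$name.root.csr.pem" -signkey "$rootkey" \
      -extfile "$dir/ca.ext" -out "$root" 2>/dev/null
    # device CA for the gateway, issued by that root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name iot-edge-device-ca" \
      -keyout "$dir/private/iot-edge-device-$name.key.pem" \
      -out "$dir/iot-edge-device-$name.csr.pem" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/iot-edge-device-$name.csr.pem" \
      -CA "$root" -CAkey "$rootkey" -CAcreateserial -extfile "$dir/ca.ext" \
      -out "$dir/certs/iot-edge-device-$name.cert.pem" 2>/dev/null
    # full chain in the order IoT Edge expects: device CA first, then issuers
    cat "$dir/certs/iot-edge-device-$name.cert.pem" "$root" \
      >"$dir/certs/iot-edge-device-$name-full-chain.cert.pem"
  done
}

# verify_chain ROOT_CA FULL_CHAIN: print "ok" when the first certificate in
# FULL_CHAIN chains to ROOT_CA, "FAIL" otherwise. Intermediates are taken from
# the chain file itself; only ROOT_CA is a trust anchor, exactly as on a
# downstream device that has been given nothing but the root CA certificate.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# write_cert_config CONFIG ROOT_CA DEVICE_CA_CERT DEVICE_CA_KEY: append the
# certificates section that the IoT Edge security daemon reads from
# config.yaml, using the file:// URIs the article describes.
write_cert_config() {
  cat >>"$1" <<EOF
certificates:
  device_ca_cert: "file://$3"
  device_ca_pk: "file://$4"
  trusted_ca_certs: "file://$2"
EOF
}

demo() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  root="$work/certs/good.root.ca.cert.pem"
  chain="$work/certs/iot-edge-device-good-full-chain.cert.pem"
  key="$work/private/iot-edge-device-good.key.pem"
  # the gateway's chain against the root its downstream devices trust
  echo "device CA vs trusted root:   $(verify_chain "$root" "$chain")"
  # the same chain against a root it does not roll up to
  echo "device CA vs unrelated root: $(verify_chain "$work/certs/rogue.root.ca.cert.pem" "$chain")"
  # the daemon only gets a path to the private key, so lock the file down
  chmod 600 "$key"
  write_cert_config "$work/config.yaml" "$root" "$chain" "$key"
  cat "$work/config.yaml"
}

demo
```

Run it as `sh check-gateway-pki.sh`; the first check prints ok and the second FAIL, and the config.yaml fragment it prints is what the certificates section should look like once the paths are replaced by the real ones on the gateway. Against a live gateway, the downstream-side equivalent of verify_chain is `openssl s_client -connect <gateway-hostname>:8883 -CAfile <root CA cert>`, which should end with `Verify return code: 0 (ok)`.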

Deploy edgeHub to the gateway

When you first install IoT Edge on a device, only one system module starts automatically: the IoT Edge agent. Once you create the first deployment for a device, the second system module, the IoT Edge hub, is started as well.

The IoT Edge hub is responsible for receiving incoming messages from downstream devices and routing them to the next destination. If the edgeHub module isn't running on your device, create an initial deployment for your device. The deployment will look empty because you don't add any modules, but it will make sure that both system modules are running.

You can check which modules are running on a device by checking its device details in the Azure portal, viewing the device status in Visual Studio or Visual Studio Code, or by running the command iotedge list on the device itself.

If the edgeAgent module is running without the edgeHub module, use the following steps:

  1. In the Azure portal, navigate to your IoT hub.

  2. Go to IoT Edge and select the IoT Edge device that you want to use as a gateway.

  3. Select Set Modules.

  4. Select Next: Routes.

  5. On the Routes page, you should have a default route that sends all messages, whether from a module or from a downstream device, to IoT Hub. If not, add a new route with the following values, then select Review + create:

    • Name: route
    • Value: FROM /messages/* INTO $upstream
  6. On the Review + create page, select Create.

Open ports on gateway device

Standard IoT Edge devices don't need any inbound connectivity to function, because all communication with IoT Hub is done through outbound connections. Gateway devices are different because they need to receive messages from their downstream devices. If a firewall sits between the downstream devices and the gateway device, communication must be possible through the firewall as well. Open only the ports for the protocols your downstream devices actually use; every open port is a listener exposed to the local network.

For a gateway scenario to work, at least one of the IoT Edge hub's supported protocols must be open for inbound traffic from downstream devices. The supported protocols are MQTT, AMQP, HTTPS, MQTT over WebSockets, and AMQP over WebSockets.

  Port   Protocol
  8883   MQTT
  5671   AMQP
  443    HTTPS, MQTT over WebSockets, AMQP over WebSockets

Route messages from downstream devices

The IoT Edge runtime can route messages sent from downstream devices just like messages sent by modules. This feature allows you to perform analytics in a module running on the gateway before sending any data to the cloud.

Currently, the way that you route messages sent by downstream devices is by differentiating them from messages sent by modules. Messages sent by modules all contain a system property called connectionModuleId, but messages sent by downstream devices do not. You can use the WHERE clause of the route to exclude any messages that contain that system property.

The route below is an example that sends messages from any downstream device to a module named ai_insights, and then from ai_insights to IoT Hub.

{
    "routes":{
        "sensorToAIInsightsInput1":"FROM /messages/* WHERE NOT IS_DEFINED($connectionModuleId) INTO BrokeredEndpoint(\"/modules/ai_insights/inputs/input1\")",
        "AIInsightsToIoTHub":"FROM /messages/modules/ai_insights/outputs/output1 INTO $upstream"
    }
}

For more information about message routing, see Deploy modules and establish routes.

Enable extended offline operation

Starting with the 1.0.4 release of the IoT Edge runtime, the gateway device and the downstream devices connecting to it can be configured for extended offline operation.

With this capability, local modules or downstream devices can reauthenticate with the IoT Edge device as needed and communicate with each other using messages and methods even when disconnected from the IoT hub. For more information, see Understand extended offline capabilities for IoT Edge devices, modules, and child devices.

To enable extended offline capabilities, you establish a parent-child relationship between an IoT Edge gateway device and the downstream devices that will connect to it. Those steps are explained in more detail in the next article of this series, Authenticate a downstream device to Azure IoT Hub.

Next steps

Now that you have an IoT Edge device set up as a transparent gateway, you need to configure your downstream devices to trust the gateway and send messages to it. Continue on to Authenticate a downstream device to Azure IoT Hub for the next steps in setting up your transparent gateway scenario.