如何将 IoT Edge 设备用作网关How an IoT Edge device can be used as a gateway

IoT Edge 设备可以作为网关运行,提供网络上其他设备和 IoT 中心之间的连接。IoT Edge devices can operate as gateways, providing a connection between other devices on the network and IoT Hub.

IoT Edge 中心模块的作用类似于 IoT 中心,因此可以处理来自其他设备(其标识可以与同一 IoT 中心配合使用)的连接。The IoT Edge hub module acts like IoT Hub, so can handle connections from other devices that have an identity with the same IoT hub. 这种类型的网关模式称为“透明”,因为消息可以从下游设备传递到 IoT 中心,就像它们之间没有网关一样。This type of gateway pattern is called transparent because messages can pass from downstream devices to IoT Hub as though there were not a gateway between them.

对于不能或无法自行连接到 IoT 中心的设备,IoT Edge 网关可以提供该连接。For devices that don't or can't connect to IoT Hub on their own, IoT Edge gateways can provide that connection. 这种类型的网关模式称为“转换”,因为 IoT Edge 设备必须对传入的下游设备消息执行处理,然后才能将这些消息转发到 IoT 中心。This type of gateway pattern is called translation because the IoT Edge device has to perform processing on incoming downstream device messages before they can be forwarded to IoT Hub. 这些场景需要 IoT Edge 网关上的其他模块来处理处理步骤。These scenarios require additional modules on the IoT Edge gateway to handle the processing steps.

透明和转换网关模式并不相互排斥。The transparent and translation gateway patterns are not mutually exclusive. 单个 IoT Edge 设备既可以充当透明网关,也可以充当转换网关。A single IoT Edge device can function as both a transparent gateway and a translation gateway.

所有网关模式提供以下优势:All gateway patterns provide the following benefits:

  • 边缘分析 - 在本地使用 AI 服务处理来自下游设备的数据,而无需向云发送完全保真的遥测数据。Analytics at the edge - Use AI services locally to process data coming from downstream devices without sending full-fidelity telemetry to the cloud. 本地查找和响应见解,并仅将一部分数据发送到 IoT 中心。Find and react to insights locally and only send a subset of data to IoT Hub.
  • 下游设备隔离 - 网关设备可以屏蔽所有下游设备,而不对 Internet 公开。Downstream device isolation - The gateway device can shield all downstream devices from exposure to the internet. 它可以位于无连接的运营技术 (OT) 网络和提供 Web 访问权限的信息技术 (IT) 网络之间。It can sit in between an operational technology (OT) network that does not have connectivity and an information technology (IT) network that provides access to the web. 同样,无法自行连接到 IoT 中心的设备可以改为连接到网关设备。Similarly, devices that don't have the capability to connect to IoT Hub on their own can connect to a gateway device instead.
  • 连接多路复用 - 通过 IoT Edge 网关连接到 IoT 中心的所有设备可以使用同一个基础连接。Connection multiplexing - All devices connecting to IoT Hub through an IoT Edge gateway can use the same underlying connection. 这种多路复用功能要求 IoT Edge 网关使用 AMQP 作为其上游协议。This multiplexing capability requires that the IoT Edge gateway uses AMQP as its upstream protocol.
  • 流量平滑 - 在本地保存消息的同时,如果 IoT 中心对流量进行限制,IoT Edge 设备将自动执行指数回退。Traffic smoothing - The IoT Edge device will automatically implement exponential backoff if IoT Hub throttles traffic, while persisting the messages locally. 此优点使解决方案能灵活应对流量高峰。This benefit makes your solution resilient to spikes in traffic.
  • 脱机支持 - 网关设备存储不能传递到 IoT 中心的消息和孪生更新。Offline support - The gateway device stores messages and twin updates that cannot be delivered to IoT Hub.

透明网关Transparent gateways

在透明网关模式下,在理论上可以连接到 IoT 中心的设备可以改为连接到网关设备。In the transparent gateway pattern, devices that theoretically could connect to IoT Hub can connect to a gateway device instead. 下游设备有其自己的 IoT 中心标识,并使用 MQTT 或 AMQP 协议进行连接。The downstream devices have their own IoT Hub identities and connect using either MQTT or AMQP protocols. 网关只是在设备与 IoT 中心之间传递通信。The gateway simply passes communications between the devices and IoT Hub. 设备和通过 IoT 中心与其交互的用户都不知道网关正在协调它们的通信。Both the devices and the users interacting with them through IoT Hub are unaware that a gateway is mediating their communications. 这样缺乏感知意味着网关被认为是“透明”的。This lack of awareness means the gateway is considered transparent.

要详细了解 IoT Edge 中心如何管理下游设备与云之间的通信,请参阅了解 Azure IoT Edge 运行时及其体系结构For more information about how the IoT Edge hub manages communication between downstream devices and the cloud, see Understand the Azure IoT Edge runtime and its architecture.

父子关系Parent and child relationships

通过将 IoT Edge 网关设置为与之连接的下游设备子级的父级,可以在 IoT 中心中声明透明的网关关系 。You declare transparent gateway relationships in IoT Hub by setting the IoT Edge gateway as the parent of a downstream device child that connects to it.

可在网关配置中的以下三个点建立父/子关系:The parent/child relationship is established at three points in the gateway configuration:

云标识Cloud identities

透明网关方案中的所有设备都需要云标识,以便能够在 IoT 中心进行身份验证。All devices in a transparent gateway scenario need cloud identities so they can authenticate to IoT Hub. 创建或更新设备标识时,可以设置设备的父设备或子设备。When you create or update a device identity, you can set the device's parent or child devices. 此配置授权父网关设备处理其子设备的身份验证。This configuration authorizes the parent gateway device to handle authentication for its child devices.


对于使用对称密钥身份验证的下游设备来说,在 IoT 中心中设置父设备曾是一个可选步骤。Setting the parent device in IoT Hub used to be an optional step for downstream devices that use symmetric key authentication. 但从版本 1.1.0 开始,每个下游设备都必须分配给父设备。However, starting with version 1.1.0 every downstream device must be assigned to a parent device.

可以通过将环境变量 AuthenticationMode 设置为值 CloudAndScope 来将 IoT Edge 中心配置为返回到以前的行为 。You can configure the IoT Edge hub to go back to the previous behavior by setting the environment variable AuthenticationMode to the value CloudAndScope.

子设备只能有一个父级。Child devices can only have one parent. 每个父级最多可以有 100 个子级。Each parent can have up to 100 children.

网关发现Gateway discovery

子设备需要能够在本地网络上找到其父设备。A child device needs to be able to find its parent device on the local network. 使用主机名(完全限定的域名 (FQDN) 或 IP 地址)配置网关设备,其子设备将使用该主机名来定位它。Configure gateway devices with a hostname, either a fully qualified domain name (FQDN) or an IP address, that its child devices will use to locate it.

在下游 IoT 设备上,使用连接字符串中的 gatewayHostname 参数指向父设备。On downstream IoT devices, use the gatewayHostname parameter in the connection string to point to the parent device.

安全连接Secure connection

父设备和子设备还需要对彼此的连接进行身份验证。Parent and child devices also need to authenticate their connections to each other. 每个设备都需要一个共享根 CA 证书的副本,子设备使用该副本来验证它们是否连接到正确的网关。Each device needs a copy of a shared root CA certificate which the child devices use to verify that they are connecting to the proper gateway.

透明网关后面的设备功能Device capabilities behind transparent gateways

与 IoT Edge 的消息传递管道一起使用的所有 IoT 中心基元也支持透明网关方案。All IoT Hub primitives that work with IoT Edge's messaging pipeline also support transparent gateway scenarios. 每个 IoT Edge 网关都具备存储和转发通过它传入的消息的能力。Each IoT Edge gateway has store and forward capabilities for messages coming through it.

使用下表查看设备与网关后的设备对不同 IoT 中心功能的支持情况。Use the following table to see how different IoT Hub capabilities are supported for devices compared to devices behind gateways.

转换网关Translation gateways

如果下游设备无法连接到 IoT 中心,则 IoT Edge 网关需要充当转换器。If downstream devices can't connect to IoT Hub, then the IoT Edge gateway needs to act as a translator. 通常,不支持 MQTT、AMQP 或 HTTP 的设备需要此模式。Often, this pattern is required for devices that don't support MQTT, AMQP, or HTTP. 由于这些设备无法连接到 IoT 中心,因此,如果不进行一些预处理,它们也将无法连接到 IoT Edge 中心模块。Since these devices can't connect to IoT Hub, they also can't connect to the IoT Edge hub module without some pre-processing.

对于通常特定于下游设备的硬件或协议的自定义或第三方模块,需要将它们部署到 IoT Edge 网关。Custom or third-party modules that are often specific to the downstream device's hardware or protocol need to be deployed to the IoT Edge gateway. 这些转换模块将传入的消息转换为 IoT 中心可以理解的格式。These translation modules take the incoming messages and turn them into a format that can be understood by IoT Hub.

转换网关有两种模式:协议转换和标识转换 。There are two patterns for translation gateways: protocol translation and identity translation.

关系图 - 转换网关模式

协议转换Protocol translation

在协议转换网关模式下,只有 IoT Edge 网关具有 IoT 中心的标识。In the protocol translation gateway pattern, only the IoT Edge gateway has an identity with IoT Hub. 转换模块从下游设备接收消息,将其转换为受支持的协议,然后 IoT Edge 设备代表下游设备发送这些消息。The translation module receives messages from downstream devices, translates them into a supported protocol, and then the IoT Edge device sends the messages on behalf of the downstream devices. 所有信息好像都来自一台设备,即网关。All information looks like it is coming from one device, the gateway. 如果云应用程序想要以设备位单位分析数据,则下游设备就必须在其消息中嵌入额外的标识信息。Downstream devices must embed additional identifying information in their messages if cloud applications want to analyze the data on a per-device basis. 此外,IoT 中心基元(例如孪生和直接方法)仅受网关设备支持,而不受下游设备支持。Additionally, IoT Hub primitives like twins and direct methods are only supported for the gateway device, not downstream devices. 与透明网关相比,这种模式中的网关被视为不透明,因为它们掩盖了下游设备的标识。Gateways in this pattern are considered opaque in contrast to transparent gateways, because they obscure the identities of downstream devices.

协议转换支持资源受限的设备。Protocol translation supports devices that are resource constrained. 许多现有设备将生成能够为企业提供见解的数据;然而,它们的设计并未考虑云连接。Many existing devices are producing data that can power business insights; however they were not designed with cloud connectivity in mind. 不透明的网关允许解锁这些数据,并在 IoT 解决方案中使用这些数据。Opaque gateways allow this data to be unlocked and used in an IoT solution.

标识转换Identity translation

标识转换网关模式基于协议转换,但是 IoT Edge 网关还代表下游设备提供 IoT 中心设备标识。The identity translation gateway pattern builds on protocol translation, but the IoT Edge gateway also provides an IoT Hub device identity on behalf of the downstream devices. 转换模块负责理解下游设备使用的协议,为其提供标识,并将其消息转换为 IoT 中心基元。The translation module is responsible for understanding the protocol used by the downstream devices, providing them identity, and translate their messages into IoT Hub primitives. 下游设备作为一流设备出现在 IoT 中心,随附克隆和方法。Downstream devices appear in IoT Hub as first-class devices with twins and methods. 用户可以与 IoT 中心中的设备进行交互,而同时不了解中间网关设备。A user can interact with the devices in IoT Hub and is unaware of the intermediate gateway device.

标识转换具备协议转换的优势,并且还允许从云完全管理下游设备。Identity translation provides the benefits of protocol translation and additionally allows for full manageability of downstream devices from the cloud. IoT 解决方案中的所有设备都显示在 IoT 中心内,不管它们使用的是什么协议。All devices in your IoT solution show up in IoT Hub regardless of the protocol they use.

转换网关后面的设备功能Device capabilities behind translation gateways

下表说明了如何在两种转换网关模式下将 IoT 中心功能扩展到下游设备。The following table explains how IoT Hub features are extended to downstream devices in both translation gateway patterns.

功能Capability 协议转换Protocol translation 标识转换Identity translation
存储在 IoT 中心标识注册表中的标识Identities stored in the IoT Hub identity registry 仅网关设备的标识Only the identity of the gateway device 所有已连接的设备的标识Identities of all connected devices
设备孪生Device twin 仅网关具有设备和模块孪生Only the gateway has a device and module twins 每个已连接的设备均有自己的设备孪生Each connected device has its own device twin
直接方法和云到设备的消息Direct methods and cloud-to-device messages 云只能对网关设备寻址The cloud can only address the gateway device 云可以对每个已连接的设备单独寻址The cloud can address each connected device individually
IoT 中心限制和配额IoT Hub throttles and quotas 适用于网关设备Apply to the gateway device 适用于每个设备Apply to each device

使用协议转换模式时,通过该网关连接的所有设备共享同一个可包含最多 50 条消息的云到设备的队列。When using the protocol translation pattern, all devices connecting through that gateway share the same cloud-to-device queue, which can contain at most 50 messages. 仅当很少设备通过各字段网关进行连接以及云到设备的流量较低时,才使用该模式。Only use this pattern when few devices are connecting through each field gateway, and their cloud-to-device traffic is low.

IoT Edge 运行时不包含协议或标识转换功能。The IoT Edge runtime does not include protocol or identity translation capabilities. 这些模式需要自定义模块或第三方模块,这些模块通常特定于所使用的硬件和协议。These patterns requires custom or third-party modules that are often specific to the hardware and protocol used. Azure 市场包含多个可供选择的协议转换模块。Azure Marketplace contains several protocol translation modules to choose from. 有关使用标识转换模式的示例,请参阅 Azure IoT Edge LoRaWAN 初学者工具包For a sample that uses the identity translation pattern, see Azure IoT Edge LoRaWAN Starter Kit.

后续步骤Next steps

了解设置透明网关的三个步骤:Learn the three steps to set up a transparent gateway: