Azure Proactive Resiliency Library v2

iotHubs

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
|---|---|---|---|---|
| Device Identities are exported to a secondary region | High | Disaster Recovery | No | Preview |
| Do not use free tier | High | High Availability | Yes | Preview |
| Use Availability Zones | High | High Availability | No | Preview |
| Use Device Provisioning Service | High | Scalability | Yes | Preview |
| Define Failover Guidelines | High | High Availability | No | Preview |
| Disabled Fallback Route | Low | Monitoring and Alerting | Yes | Preview |

Details


Device Identities are exported to a secondary region

Impact:  High Category:  Disaster Recovery PG Verified:  Preview

APRL GUID:  783c6c18-760b-4867-9ced-3010a0bc5aa3

Description:

Device identities for all IoT devices should be copied to the IoT Hub in the failover region to ensure connectivity in case of a failover. Manual failover to another region is quicker (RTO) and is suitable for mission-critical workloads.

Potential Benefits:

Faster failover; Ensures device connectivity
Learn More:
Import and export IoT Hub device identities in bulk
IoT Hub high availability and disaster recovery

ARG Query:


// cannot-be-validated-with-arg
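
Because this recommendation cannot be validated with ARG, one way to check it is to compare bulk exports from the primary and secondary hubs. The following is an added example, not part of APRL; it assumes each export is a text blob with one JSON device record per line carrying `id`, `status` and `authentication`, and all sample records are constructed.

```python
import hashlib
import json

def load_export(text):
    """Parse a bulk-export blob (assumed: one JSON device record per line)."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            record = json.loads(line)
            devices[record["id"]] = record
    return devices

def auth_fingerprint(record):
    """Hash the authentication block so credentials are compared, never printed."""
    canon = json.dumps(record.get("authentication", {}), sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def compare_exports(primary_text, secondary_text):
    """Report identity drift between the primary hub and the failover hub."""
    primary, secondary = load_export(primary_text), load_export(secondary_text)
    shared = set(primary) & set(secondary)
    return {
        # Devices that could not connect after a failover.
        "missing": sorted(set(primary) - set(secondary)),
        # Identities that exist only on the secondary hub.
        "extra": sorted(set(secondary) - set(primary)),
        # Same device id, different credentials: authentication fails after failover.
        "auth_mismatch": sorted(d for d in shared
                                if auth_fingerprint(primary[d]) != auth_fingerprint(secondary[d])),
        # A device disabled on one hub but enabled on the other.
        "status_mismatch": sorted(d for d in shared
                                  if primary[d].get("status") != secondary[d].get("status")),
    }

def _device(dev_id, key, status="enabled"):
    """Build one constructed export line (hypothetical helper for the sample data)."""
    return json.dumps({"id": dev_id, "status": status,
                       "authentication": {"symmetricKey": {"primaryKey": key}}})

# Constructed sample exports; keys are placeholders, not real credentials.
PRIMARY = "\n".join([_device("dev-01", "constructed-key-A"),
                     _device("dev-02", "constructed-key-B"),
                     _device("dev-03", "constructed-key-C"),
                     _device("dev-04", "constructed-key-D", "disabled")])
SECONDARY = "\n".join([_device("dev-01", "constructed-key-A"),
                       _device("dev-02", "constructed-key-B-old"),
                       _device("dev-04", "constructed-key-D", "enabled")])

if __name__ == "__main__":
    print(json.dumps(compare_exports(PRIMARY, SECONDARY), indent=2))
```

A `status_mismatch` entry deserves the same attention as a missing device: an identity disabled on the primary hub but enabled on the secondary would be able to connect again after a failover.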



Do not use free tier

Impact:  High Category:  High Availability PG Verified:  Preview

APRL GUID:  eeba3a49-fef0-481f-a471-7ff01139b474

Description:

In a production scenario, the IoT Hub tier should not be Free because the Free tier does not provide the necessary Service Level Agreement.

Potential Benefits:

Ensures SLA for production
Learn More:
Choose the right IoT Hub tier and size for your solution

ARG Query:


// Azure Resource Graph Query
// list all IoT Hubs that are using the Free tier
resources
| where type =~ "microsoft.devices/iothubs" and
    tostring(sku.tier) =~ 'Free'
| project recommendationId="eeba3a49-fef0-481f-a471-7ff01139b474", name, id, tags, param1=strcat("tier:", tostring(sku.tier))



Use Availability Zones

Impact:  High Category:  High Availability PG Verified:  Preview

APRL GUID:  214cbc46-747e-4354-af6e-6bf0054196a5

Description:

In regions supporting Availability Zones for IoT Hub, using these zones boosts availability. They're automatically activated for new IoT Hubs in supported areas.

Potential Benefits:

Boosts IoT Hub availability
Learn More:
Azure IoT Hub high availability and disaster recovery

ARG Query:


// cannot-be-validated-with-arg



Use Device Provisioning Service

Impact:  High Category:  Scalability PG Verified:  Preview

APRL GUID:  b1e1378d-4572-4414-bebd-b8872a6d4d1c

Description:

Device Provisioning Service (DPS) makes it easy to redistribute IoT devices for scaling and availability, because devices can be reassigned and are not bound to specific IoT Hub instances. Devices in IoT Hubs that use DPS should be checked to confirm that they actually use DPS.

Potential Benefits:

Enhances scalability and availability
Learn More:
IoT Hub Device Provisioning Service (DPS) terminology
Best practices for large-scale IoT device deployments
IoT Hub Device Provisioning Service high availability and disaster recovery

ARG Query:


// Azure Resource Graph Query
// list all IoT Hubs that do not have a linked IoT Hub Device Provisioning Service (DPS)
resources
| where type =~ "microsoft.devices/iothubs"
| project id, iotHubName=tostring(properties.hostName), tags, resourceGroup
| join kind=fullouter (
    resources
    | where type == "microsoft.devices/provisioningservices"
    | mv-expand iotHubs=properties.iotHubs
    | project iotHubName = tostring(iotHubs.name), dpsName = name, name=iotHubs.name
) on iotHubName
| where dpsName == ''
| project recommendationId="b1e1378d-4572-4414-bebd-b8872a6d4d1c", name=iotHubName, id, tags, param1='DPS:none'



Define Failover Guidelines

Impact:  High Category:  High Availability PG Verified:  Preview

APRL GUID:  02568a5d-335e-4e51-9f7c-fe2ada977300

Description:

In case of a regional failure, an IoT Hub can fail over to a second region, automatically or manually, to ensure your application continues working.

Potential Benefits:

Ensures business continuity
Learn More:
IoT Hub high availability and disaster recovery

ARG Query:


// cannot-be-validated-with-arg



Disabled Fallback Route

Impact:  Low Category:  Monitoring and Alerting PG Verified:  Preview

APRL GUID:  e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e

Description:

When message routing to custom endpoints is used in IoT Hub, messages might not reach those destinations if specific conditions are unmet. A default (fallback) route ensures all messages are received, but disabling this safety net risks leaving some messages undelivered.

Potential Benefits:

Prevents undelivered messages
Learn More:
Use message routing - Fallback route

ARG Query:


// Azure Resource Graph Query
// list all IoT Hubs that have the fallback route disabled
resources
| where type == "microsoft.devices/iothubs"
| extend fallbackEnabled=properties.routing.fallbackRoute.isEnabled
| where fallbackEnabled == false
| project recommendationId="e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e", name, id, tags, param1='FallbackRouteEnabled:false'
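
To show what the disabled fallback route costs in practice, this added example (not APRL or IoT Hub code) models route selection for a routing block shaped like `properties.routing`. The condition evaluator is a deliberately small stand-in that only understands `true` and `key = 'value'`; the routes, endpoint names and messages are constructed.

```python
def matches(condition, props):
    """Evaluate the small condition subset this example supports."""
    cond = condition.strip()
    if cond.lower() == "true":
        return True
    key, sep, value = cond.partition("=")
    if not sep:
        raise ValueError(f"unsupported condition: {condition!r}")
    return props.get(key.strip()) == value.strip().strip("'")

def deliver(routing, props):
    """Return the endpoints a message reaches; an empty list means it is dropped."""
    endpoints = []
    for route in routing.get("routes", []):
        # Disabled routes are skipped, so they do not count as a match.
        if route.get("isEnabled") and matches(route["condition"], props):
            endpoints.extend(route["endpointNames"])
    if endpoints:
        return endpoints
    # No route matched: only an enabled fallback route keeps the message.
    fallback = routing.get("fallbackRoute", {})
    if fallback.get("isEnabled"):
        return list(fallback.get("endpointNames", ["events"]))
    return []

def undelivered(routing, messages):
    """List the ids of messages that would reach no endpoint."""
    return [m["id"] for m in messages if not deliver(routing, m["props"])]

# Constructed routing configuration and messages.
ROUTES = [
    {"name": "alerts", "condition": "level = 'critical'",
     "endpointNames": ["alerts-queue"], "isEnabled": True},
    {"name": "archive", "condition": "true",
     "endpointNames": ["cold-storage"], "isEnabled": False},
]
FALLBACK_OFF = {"routes": ROUTES, "fallbackRoute": {"isEnabled": False}}
FALLBACK_ON = {"routes": ROUTES,
               "fallbackRoute": {"isEnabled": True, "endpointNames": ["events"]}}
MESSAGES = [
    {"id": "m1", "props": {"level": "critical"}},
    {"id": "m2", "props": {"level": "info"}},
    {"id": "m3", "props": {}},
]

if __name__ == "__main__":
    print("fallback disabled, dropped:", undelivered(FALLBACK_OFF, MESSAGES))
    print("fallback enabled, dropped:", undelivered(FALLBACK_ON, MESSAGES))
```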