IoT Hub

The presented resiliency recommendations in this guidance include IoT Hub and associated resources and settings. General guidance are available in the Well-Architected Framework for IoT Reliability in your IoT workload.

Summary of Recommendations

Recommendations Details

IOTH-1 - Device Identities are exported to a secondary region

Category: Disaster Recovery

Impact: High

Recommendation

Device Identities should be copied to the failover region IoT-Hub for all IoT devices to be able to connect in case of a failover to another IoT Hub.

Manual Failover of IoT Hub to another region is faster (RTO) and can be used for mission critical workload.

Resources

Resource Graph Query

// cannot-be-validated-with-arg



IOTH-2 - Do not use free tier

Category: Availability

Impact: High

Recommendation

In a production scenario the IoT Hub tier should not be Free, as the Free tier does not offer the necessary SLA.

Resources

Resource Graph Query

// Azure Resource Graph Query
// list all IoT Hubs that are using the Free tier
resources
| where type =~ "microsoft.devices/iothubs" and
    tostring(sku.tier) =~ 'Free'
| project recommendationId="ioth-2", name, id, tags, param1=strcat("tier:", tostring(sku.tier))



IOTH-3 - Use Availability Zones

Category: Availability

Impact: High

Recommendation

In a region that supports Availability Zones for IoT Hub, these Zones should be used to increase availability. Availability Zones are automatically activated for new IoT Hubs in the supported regions.

Resources

Resource Graph Query

// cannot-be-validated-with-arg



IOTH-4 - Use Device Provisioning Service

Category: System Efficiency

Impact: High

Recommendation

Device Provisioning Service (DPS) can redistribute IoT devices easily for scaling and availability. Devices will not be bound to specific IoT Hub instances, but can be reassigned with rules.

Even IoT Hubs that are associated to a Device Provisioning Service need to be checked if their devices use it.

Resources

Resource Graph Query

// Azure Resource Graph Query
// list all IoT Hubs that do not have a linked IoT Hub Device Provisioning Service (DPS)
resources
| where type =~ "microsoft.devices/iothubs"
| project id, iotHubName=tostring(properties.hostName), tags, resourceGroup
| join kind=fullouter (
    resources
    | where type == "microsoft.devices/provisioningservices"
    | mv-expand iotHubs=properties.iotHubs
    | project iotHubName = tostring(iotHubs.name), dpsName = name, name=iotHubs.name
) on iotHubName
| where dpsName == ''
| project recommendationId="ioth-4", name=iotHubName, id, tags, param1='DPS:none'



IOTH-5 - Define Failover Guidelines

Category: Availability

Impact: High

Recommendation

In case of a regional failure, an IoT Hub can failover to a second region. This failover can be initiated automatically or manually. In both cases certain requirements are necessary for you application to continue working. Review the guidance for a failover

  • check if the RTO is matched in case of an automatic failover
  • no IP addresses are used by devices to connect to an IoT Hub

Resources

Resource Graph Query

// cannot-be-validated-with-arg



IOTH-6 - Disabled Fallback Route

Category: Monitoring

Impact: Low

Recommendation

If message routing is used to route messages to custom endpoints, it can happen that messages are not delivered to the custom routes, if the conditions are not meat. A default route will always receive all messages. Disabling it could potentially leave messages undelivered.

Resources

Resource Graph Query

// Azure Resource Graph Query
// list all IoT Hubs that have the fallback route disabled
resources
| where type == "microsoft.devices/iothubs"
| extend fallbackEnabled=properties.routing.fallbackRoute.isEnabled
| where fallbackEnabled == false
| project recommendationId="ioth-6", name, id, tags, param1='FallbackRouteEnabled:false'