|
| 1 | +--- |
| 2 | +title: How to Configure Azure IoT Edge for Linux on Windows to work on a DMZ | Microsoft Docs |
| 3 | +description: How to configure the Azure IoT Edge for Linux (EFLOW) VM to support multiple network interface cards (NICs) and connect to multiple networks. |
| 4 | +author: PatAltimore |
| 5 | +ms.reviewer: fcabrera |
| 6 | +ms.service: iot-edge |
| 7 | +services: iot-edge |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 07/13/2022 |
| 10 | +ms.author: patricka |
| 11 | +--- |
| 12 | + |
| 13 | +# How to configure Azure IoT Edge for Linux on Windows Industrial IoT & DMZ configuration |
| 14 | + |
| 15 | +[!INCLUDE [iot-edge-version-all-supported](../../includes/iot-edge-version-all-supported.md)] |
| 16 | + |
| 17 | +This article describes how to configure the Azure IoT Edge for Linux (EFLOW) VM to support multiple network interface cards (NICs) and connect to multiple networks. By enabling multiple NIC support, applications running on the EFLOW VM can communicate with devices connected to the offline network, and at the same time, use IoT Edge to send data to the cloud. |
| 18 | + |
| 19 | +## Prerequisites |
| 20 | + |
| 21 | +- A Windows device with EFLOW already set up. For more information on EFLOW installation and configuration, see [Create and provision an IoT Edge for Linux on Windows device using symmetric keys](./how-to-provision-single-device-linux-on-windows-symmetric.md). |
| 22 | +- A virtual switch different from the default one used during EFLOW installation. For more information on creating a virtual switch, see [Create a virtual switch for Azure IoT Edge for Linux on Windows](./how-to-create-virtual-switch.md). |
| 23 | + |
| 24 | +## Industrial scenario |
| 25 | + |
| 26 | +Industrial IoT is transcurring the era of IT and OT convergence. However, making traditional OT assets more intelligent with IT technologies also means a larger exposure to cyberattacks. This is one of the main reasons why multiple environments are designed using demilitarized zones or also known as DMZs. |
| 27 | + |
| 28 | +Imagine a workflow scenario where you have a networking configuration divided into two different networks or zones. In the first zone, you may have a secure network defined as the offline network. The offline network has no internet connectivity and is limited to internal access. In the second zone, you may have a demilitarized zone (DMZ), in which you may have a couple of devices that have limited internet connectivity. When moving the workflow to run on the EFLOW VM, you may have problems accessing the different networks since the EFLOW VM by default has only one NIC attached. |
| 29 | + |
| 30 | +Suppose you have an environment with some devices like PLCs or OPC UA compatible devices connected to the offline network, and you want to upload all the device's information to Azure using the OPC Publisher module running on the EFLOW VM. |
| 31 | + |
| 32 | +Since the EFLOW host device and the PLC or OPC UA devices are physically connected to the offline network, you can use the [Azure IoT Edge for Linux on Windows virtual multiple NIC configurations](./how-to-configure-multiple-nics.md) to connect the EFLOW VM to the offline network. By using an *external virtual switch*, you can connect the EFLOW VM to the offline network and directly communicate with other offline devices. |
| 33 | + |
| 34 | +For the other network, the EFLOW host device is physically connected to the DMZ (online network) with internet and Azure connectivity. Using an *internal or external switch*, you can connect the EFLOW VM to Azure IoT Hub using IoT Edge modules and upload the information sent by the offline devices through the offline NIC. |
| 35 | + |
| 36 | + |
| 37 | + |
| 38 | +### Scenario summary |
| 39 | + |
| 40 | +Secure network: |
| 41 | + |
| 42 | +- No internet connectivity, access restricted. |
| 43 | +- PLCs or UPC UA compatible devices connected. |
| 44 | +- EFLOW VM connected using an External virtual switch. |
| 45 | + |
| 46 | +DMZ: |
| 47 | + |
| 48 | +- Internet connectivity - Azure connection allowed. |
| 49 | +- EFLOW VM connected to Azure IoT Hub, using either an Internal/External virtual switch. |
| 50 | +- OPC Publisher running as a module inside the EFLOW VM used to publish data to Azure. |
| 51 | + |
| 52 | +## Configure VM network virtual switches |
| 53 | + |
| 54 | +The following steps are specific for the networking described in the example scenario. Ensure that the virtual switches used and the configurations used align with your networking environment. |
| 55 | + |
| 56 | +> [!NOTE] |
| 57 | +> The steps in this article assume that the EFLOW VM was deployed with an *external virtual switch* connected to the *secure network (offline)*. You can change the following steps to your specific network configuration you want to achieve. For more information about EFLOW multiple NIcs support, see [Azure IoT Edge for Linux on Windows virtual multiple NIC configurations](./how-to-configure-multiple-nics.md). |
| 58 | +
|
| 59 | +To finish the provisioning of the EFLOW VM and communicate with Azure, you need to assign another NIC that is connected to the DMZ network (online). |
| 60 | + |
| 61 | +For this scenario, you'll assign an *external virtual switch* connected to the DMZ network. For more information, review [Create a virtual switch for Hyper-V virtual machines](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-switch-for-hyper-v-virtual-machines). |
| 62 | + |
| 63 | +To create an external virtual switch, follow these steps: |
| 64 | + |
| 65 | +1. Open Hyper-V Manager. |
| 66 | +2. In **Actions**, select **Virtual Switch Manager**. |
| 67 | +3. In **Virtual Switches**, select **New Virtual network switch**. |
| 68 | +4. Choose type **External** then select **Create Virtual Switch**. |
| 69 | +5. Enter a name that represents the secure network. For example, *OnlineOPCUA*. |
| 70 | +6. Under **Connection Type**, select **External Network** then choose the *network adapter* connected to your DMZ network. |
| 71 | +7. Select **Apply**. |
| 72 | + |
| 73 | +Once the external virtual switch is created, you need to attach it to the EFLOW VM using the following steps. For more information about attaching multiple NICs, see [EFLOW Multiple NICs](https://github.com/Azure/iotedge-eflow/wiki/Multiple-NICs). |
| 74 | + |
| 75 | +For the custom new *external virtual switch* you created, use the following PowerShell commands to attach it your EFLOW VM and set a static IP: |
| 76 | + |
| 77 | +1. `Add-EflowNetwork -vswitchName "OnlineOPCUA" -vswitchType "External"` |
| 78 | + |
| 79 | +  |
| 80 | + |
| 81 | +2. `Add-EflowVmEndpoint -vswitchName "OnlineOPCUA" -vEndpointName "OnlineEndpoint" -ip4Address 192.168.0.103 -ip4PrefixLength 24 -ip4GatewayAddress 192.168.0.1` |
| 82 | + |
| 83 | +  |
| 84 | + |
| 85 | +Once complete, you'll have the *OnlineOPCUA* switch assigned to the EFLOW VM. To check the multiple NIC attachment, use the following steps: |
| 86 | + |
| 87 | +1. Open an elevated PowerShell session by starting with **Run as Administrator**. |
| 88 | + |
| 89 | +1. Connect to the EFLOW virtual machine. |
| 90 | + ```powershell |
| 91 | + Connect-EflowVm |
| 92 | + ``` |
| 93 | +
|
| 94 | +1. List all the network interfaces assigned to the EFLOW virtual machine. |
| 95 | + ```bash |
| 96 | + ifconfig |
| 97 | + ``` |
| 98 | +
|
| 99 | +1. Review the IP configuration and verify you see the *eth0* interface (connected to the secure network) and the *eth1* interface (connected to the DMZ network). |
| 100 | +
|
| 101 | +  |
| 102 | +
|
| 103 | +## Configure VM network routing |
| 104 | +
|
| 105 | +When using the EFLOW multiple NICs feature, you may want to set up the different route priorities. By default, EFLOW creates one *default* route per *ehtX* interface assigned to the VM. EFLOW assigns the default route a random priority. If all interfaces are connected to the internet, random priorities may not be a problem. However, if one of the NICs is connected to an *offline* network, you may want to prioritize the *online* NIC over the *offline* NIC to get the EFLOW VM connected to the internet. |
| 106 | +
|
| 107 | +EFLOW uses the [route](https://man7.org/linux/man-pages/man8/route.8.html) service to manage the network routing alternatives. In order to check the available EFLOW VM routes, use the following steps: |
| 108 | +
|
| 109 | +1. Open an elevated PowerShell session by starting with **Run as Administrator**. |
| 110 | +
|
| 111 | +1. Connect to the EFLOW virtual machine. |
| 112 | + |
| 113 | + ```powershell |
| 114 | + Connect-EflowVm |
| 115 | + ``` |
| 116 | +
|
| 117 | +1. List all the network routes configured in the EFLOW virtual machine. |
| 118 | + |
| 119 | + ```bash |
| 120 | + sudo route |
| 121 | + ``` |
| 122 | +
|
| 123 | +  |
| 124 | +
|
| 125 | + >[!TIP] |
| 126 | + >The previous image shows the route command output with the two NIC's assigned (*eth0* and *eth1*). The virtual machine creates two different *default* destinations rules with different metrics. A lower metric value has a higher priority. This routing table will vary depending on the networking scenario configured in the previous steps. |
| 127 | +
|
| 128 | +### Static routes fix |
| 129 | +
|
| 130 | +Every time EFLOW VM starts, the networking services recreates all routes, and any previously assigned priority could change. To work around this issue, you can assign the desired priority for each route every time the EFLOW VM starts. You can create a service that executes every time the VM starts and use the `route` command to set the desired route priorities. |
| 131 | +
|
| 132 | +First, create a bash script that executes the necessary commands to set the routes. For example, following the networking scenario mentioned earlier, the EFLOW VM has two NICs (offline and online networks). NIC *eth0* is connected using the gateway IP xxx.xxx.xxx.xxx. NIC *eth1* is connected using the gateway IP yyy.yyy.yyy.yyy. |
| 133 | +
|
| 134 | +The following script resets the *default* routes for both *eth0* and *eth1 then adds the routes with the desired **\<number\>** metric. Remember that *a lower metric value has higher priority*. |
| 135 | +
|
| 136 | +```bash |
| 137 | +#!/bin/sh |
| 138 | +
|
| 139 | +# Wait 30s for the interfaces to be up |
| 140 | +sleep 30 |
| 141 | +
|
| 142 | +# Delete previous eth0 route and create a new one with desired metric |
| 143 | +sudo ip route del default via xxx.xxx.xxx.xxx dev eth0 |
| 144 | +sudo route add -net default gw xxx.xxx.xxx.xxx netmask 0.0.0.0 dev eth0 metric <number> |
| 145 | +
|
| 146 | +# Delete previous eth1 route and create a new one with desired metric |
| 147 | +sudo ip route del default via yyy.yyy.yyy.yyy dev eth1 |
| 148 | +sudo route add -net default gw yyy.yyy.yyy.yyy netmask 0.0.0.0 dev eth1 metric <number> |
| 149 | +``` |
| 150 | + |
| 151 | +You can use the previous script to create your own custom script specific to your networking scenario. Once script is defined, save it, and assign execute permission. For example, if the script name is *route-setup.sh*, you can assign execute permission using the command `sudo chmod +x route-setup.sh`. You can test if the script works correctly by executing it manually using the command `sudo sh ./route-setup.sh` and then checking the routing table using the `sudo route` command. |
| 152 | + |
| 153 | +The final step is to create a Linux service that runs on startup, and executes the bash script to set the routes. You'll have to create a *systemd* unit file to load the service. The following is an example of that file. |
| 154 | + |
| 155 | +```systemd |
| 156 | +[Unit] |
| 157 | +after=network |
| 158 | +
|
| 159 | +[Service] |
| 160 | +Type=simple |
| 161 | +ExecStart=/bin/bash /home/iotedge-user/route-setup.sh |
| 162 | +
|
| 163 | +[Install] |
| 164 | +WantedBy=default.target |
| 165 | +``` |
| 166 | + |
| 167 | + To check the service works, reboot the EFLOW VM (`Stop-EflowVm` & `Start-EflowVm`) then `Connect-EflowVm` to connect to the VM. List the routes using `sudo route` and verify they're correct. You should be able to see the new *default* rules with the assigned metric. |
| 168 | + |
| 169 | +## Next steps |
| 170 | + |
| 171 | +Follow the steps in [How to configure networking for Azure IoT Edge for Linux on Windows](./how-to-configure-iot-edge-for-linux-on-windows-networking.md) to verify your networking configurations were applied correctly. |
0 commit comments