MicrosoftDocs
diff --git a/‎articles/iot-dps/iot-dps-tls-support.md
Lines changed: 96 additions & 0 deletions b/‎articles/iot-dps/iot-dps-tls-support.md
Lines changed: 96 additions & 0 deletions
diff --git a/‎articles/iot-dps/media/virtual-network-support/public-endpoint-ingress.png
21.4 KB b/‎articles/iot-dps/media/virtual-network-support/public-endpoint-ingress.png
21.4 KB
diff --git a/‎articles/iot-dps/media/virtual-network-support/public-endpoint.png
41.8 KB b/‎articles/iot-dps/media/virtual-network-support/public-endpoint.png
41.8 KB
diff --git a/‎articles/iot-dps/media/virtual-network-support/virtual-network-ingress.png
37.6 KB b/‎articles/iot-dps/media/virtual-network-support/virtual-network-ingress.png
37.6 KB
diff --git a/‎articles/iot-dps/toc.yml
Lines changed: 4 additions & 0 deletions b/‎articles/iot-dps/toc.yml
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/iot-dps/virtual-network-support.md
Lines changed: 244 additions & 0 deletions b/‎articles/iot-dps/virtual-network-support.md
Lines changed: 244 additions & 0 deletions
@@ -0,0 +1,96 @@
+---
+ title: Azure IoT Device Provisioning Service (DPS) TLS support
+ description: Best practices in using secure TLS connections for devices and services communicating with the IoT Device Provisioning Service (DPS)
+ services: iot-dps
+ author: wesmc7777
+ ms.service: iot-dps
+ ms.topic: conceptual
+ ms.date: 05/03/2020
+ ms.author: wesmc
+---
+
+# TLS support in IoT Hub DPS
+
+DPS uses Transport Layer Security (TLS) to secure connections from IoT devices. Three versions of the TLS protocol are currently supported, namely versions 1.0, 1.1, and 1.2.
+
+TLS 1.0 and 1.1 are considered legacy and are planned for deprecation. For more information, see [Deprecating TLS 1.0 and 1.1 for IoT Hub](../iot-hub/iot-hub-tls-deprecating-1-0-and-1-1.md). It is strongly recommended that you use TLS 1.2 as the preferred TLS version when connecting to DPS.
+
+## Restrict connections to TLS 1.2
+
+For added security, it is advised to configure your DPS instances to *only* allow device client connections that use TLS version 1.2 and to enforce the use of [recommended ciphers](#recommended-ciphers).
+
+To do this, provision a new DPS resource in any of the [supported regions](#supported-regions) and set the `minTlsVersion` property to `1.2` in your Azure Resource Manager template's DPS resource specification. The following example template JSON specifies the `minTlsVersion` property for a new DPS instance.
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
+        {
+            "type": "Microsoft.Devices/ProvisioningServices",
+            "apiVersion": "2020-01-01",
+            "name": "<provide-a-valid-DPS-resource-name>",
+            "location": "<any-of-supported-regions-below>",
+            "properties": {
+                "minTlsVersion": "1.2"
+            },
+            "sku": {
+                "name": "S1",
+                "capacity": 1
+            },
+        }     
+    ]
+}
+```
+
+You can deploy the template with the following Azure CLI command. 
+
+```azurecli
+az deployment group create -g <your resource group name> --template-file template.json
+```
+
+For more information on creating DPS resources with Resource Manager templates, see, [Set up DPS with an Azure Resource Manager template](quick-setup-auto-provision-rm.md).
+
+The DPS resource created using this configuration will refuse devices that attempt to connect using TLS versions 1.0 and 1.1. Similarly, the TLS handshake will be refused if the device client's HELLO message does not list any of the [recommended ciphers](#recommended-ciphers).
+
+> [!NOTE]
+> The `minTlsVersion` property is read-only and cannot be changed once your DPS resource is created. It is therefore essential that you properly test and validate that *all* your IoT devices are compatible with TLS 1.2 and the [recommended ciphers](#recommended-ciphers) in advance.
+
+## Supported regions
+
+IoT DPS instances that require the use of TLS 1.2 can be created in the following regions:
+
+* East US
+* South Central US
+* West US 2
+* US Gov Arizona
+* US Gov Virginia
+
+> [!NOTE]
+> Upon failovers, the `minTlsVersion` property of your DPS will remain effective in the geo-paired region post-failover.
+
+## Recommended ciphers
+
+DPS instances that are configured to accept only TLS 1.2 will also enforce the use of the following recommended ciphers:
+
+* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
+* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
+* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
+* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`
+
+## Use TLS 1.2 in the IoT SDKs
+
+Use the links below to configure TLS 1.2 and allowed ciphers in the Azure IoT client SDKs.
+
+| Language | Versions supporting TLS 1.2 | Documentation |
+|----------|------------------------------------|---------------|
+| C        | Tag 2019-12-11 or newer            | [Link](https://aka.ms/Tls_C_SDK_IoT) |
+| Python   | Version 2.0.0 or newer             | [Link](https://aka.ms/Tls_Python_SDK_IoT) |
+| C#       | Version 1.21.4 or newer            | [Link](https://aka.ms/Tls_CSharp_SDK_IoT) |
+| Java     | Version 1.19.0 or newer            | [Link](https://aka.ms/Tls_Java_SDK_IoT) |
+| NodeJS   | Version 1.12.2 or newer            | [Link](https://aka.ms/Tls_Node_SDK_IoT) |
+
+
+## Use TLS 1.2 with IoT Edge
+
+IoT Edge devices can be configured to use TLS 1.2 when communicating with IoT Hub and DPS. For this purpose, use the [IoT Edge documentation page](https://github.com/Azure/iotedge/blob/master/edge-modules/edgehub-proxy/README.md).
@@ -95,6 +95,10 @@
     href: concepts-device.md
   - name: Security
     href: concepts-security.md
+  - name: TLS support
+    href: iot-dps-tls-support.md  
+  - name: Virtual networks support
+    href: virtual-network-support.md  
   - name: Service
     href: concepts-service.md
   - name: Understanding DPS IP addresses
 
@@ -0,0 +1,244 @@
+---
+ title: Azure IoT Device Provisioning Service (DPS) support for virtual networks
+ description: How to use virtual networks connectivity pattern with Azure IoT Device Provisioning Service (DPS)
+ services: iot-hub
+ author: wesmc7777
+ ms.service: iot-dps
+ ms.topic: conceptual
+ ms.date: 05/03/2020
+ ms.author: wesmc
+---
+
+# Azure IoT Hub Device Provisioning Service (DPS) support for virtual networks
+
+This article introduces the virtual network (VNET) connectivity pattern and elaborates on how to set up a private connectivity experience for devices using DPS to be assigned to an IoT Hub inside a customer-owned Azure VNET. 
+
+In most scenarios where DPS is configured with a VNET, your IoT Hub will also be configured in the same VNET. For more specific information on IoT Hub support for virtual networks, see, [IoT Hub virtual network support](../iot-hub/virtual-network-support.md).
+
+> [!NOTE]
+> The DPS features described in this article are currently available to DPS resources [created with managed service identity](#create-a-dps-resource-with-managed-service-identity) in the following regions: 
+> * East US
+> * South Central US
+> * West US 2
+
+
+## Introduction
+
+By default, DPS hostnames map to a public endpoint with a publicly routable IP address over the Internet. This public endpoint is visible to DPS resources owned by different customers and access can be attempted by IoT devices over wide-area networks as well as on-premises networks alike.
+
+For several reasons, customers may wish to restrict connectivity to Azure resources, like DPS, through a VNET that they own and operate. These reasons include:
+
+* Introducing additional layers of security via network level isolation for your IoT hub and DPS resources to prevent connection exposure over the public Internet.
+
+* Enabling a private connectivity experience from your on-premises network assets ensuring that your data and traffic 
+is transmitted directly to Azure backbone network.
+
+* Preventing exfiltration attacks from sensitive on-premises networks. 
+
+* Following established Azure-wide connectivity patterns using [private endpoints](../private-link/private-endpoint-overview.md).
+
+
+This article describes how to achieve these goals using [private endpoints](../private-link/private-endpoint-overview.md).
+
+
+## DPS connectivity using private endpoints
+
+A private endpoint is a private IP address allocated inside a customer-owned VNET via which an Azure resource is reachable. By having a private endpoint for your DPS resource, you will be able to allow devices operating inside your VNET to request provisioning by your DPS resource without requiring traffic to be sent to public endpoints.
+
+Devices that operate in your on-premises network can use [Virtual Private Network (VPN)](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering to gain connectivity to your VNET in Azure and subsequently to your DPS resource via the private endpoint. As a result, customers who wish to restrict connectivity to public endpoints for DPS can achieve this goal by using [DPS IP filter rules](./iot-dps-ip-filtering.md) while retaining connectivity to their DPS resource using the private endpoint.
+
+> [!NOTE]
+> The main focus of this setup is for devices inside an on-premises network. This setup is not advised for devices deployed in a wide-area network.
+
+Before proceeding ensure that the following prerequisites are met:
+
+* Your DPS resource must be provisioned with [managed service identity](#create-a-dps-resource-with-managed-service-identity).
+
+* Your DPS resource must be provisioned in one of the [supported regions](#regional-availability-private-endpoints).
+
+* You have provisioned an Azure VNET with a subnet in which the private endpoint will be created. See [create a virtual network using Azure CLI](../virtual-network/quick-create-cli.md) for more details.
+
+* For devices that operate inside of on-premises networks, set up [Virtual Private Network (VPN)](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering into your Azure VNET.
+
+
+### Regional availability (private endpoints)
+
+Private endpoints supported in IoT Hub's created in the following regions:
+
+* East US
+
+* South Central US
+
+* West US 2
+
+
+### Set up a private endpoint for DPS
+
+To set up a private endpoint, follow these steps:
+
+1. Run the following Azure CLI command to re-register Azure IoT Hub provider with your subscription:
+
+    ```azurecli-interactive
+    az provider register --namespace Microsoft.Devices --wait --subscription  <subscription-name>
+    ```
+
+2. Navigate to the **Private endpoint connections** tab for your DPS resource in the [Azure portal](https://portal.azure.com) (this tab is only available for in IoT Hubs in the [supported regions](#regional-availability-private-endpoints)), and click the **+** sign to add a new private endpoint.
+
+3. Provide the subscription, resource group, name and region to create the new private endpoint in (ideally, private endpoint should be created in the same region as your hub; see [regional availability section](#regional-availability-private-endpoints) for more details).
+
+4. Click **Next: Resource**, and provide the subscription for your DPS resource, and select **"Microsoft.Devices/ProvisioningServices"** as resource type, your DPS name as **resource**, and **iotHub** as target sub-resource.
+
+    **!!TEST STEP 4 HERE AS THE TARGET SUB-RESOURCE SHOULD BE DPS RELATED!!**
+
+5. Click **Next: Configuration** and provide your virtual network and subnet to create the private endpoint in. Select the option to integrate with Azure private DNS zone, if desired.
+
+6. Click **Next: Tags**, and optionally provide any tags for your resource.
+
+7. Click **Review + create** to create your private endpoint resource.
+
+
+### Pricing private endpoints
+
+For pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
+
+
+## Egress connectivity from DPS to IoT Hubs
+
+  **!! IS THIS NEEDED FOR DPS TO TALK TO HUBs? !!**
+
+
+IoT Hub needs access to your Azure blob storage, event hubs, service bus resources for [message routing](../iot-hub/iot-hub-devguide-messages-d2c.md), [file upload](../iot-hub/iot-hub-devguide-file-upload.md), and [bulk device import/export](../iot-hub/iot-hub-bulk-identity-mgmt.md), which typically takes place over the resources' public endpoint. In the event that you bind your storage account, event hubs or service bus resource to a VNET, the advised configuration will block connectivity to the resource by default. Consequently, this will impede IoT Hub's functionality that requires access to those resources.
+
+To alleviate this situation, you need to enable connectivity from your IoT Hub resource to your storage account, event hubs or service bus resources via the **Azure first party trusted services** option.
+
+The prerequisites are as follows:
+
+* Your IoT hub must be provisioned in one of the [supported regions](#regional-availability-trusted-microsoft-first-party-services).
+
+* Your IoT Hub must be assigned a managed service identity at hub provisioning time. Follow instruction on how to [create a DPS resource with managed service identity](#create-a-dps-resource-with-managed-service-identity).
+
+
+### Regional availability (trusted Microsoft first party services)
+
+Azure trusted first party services exception to bypass firewall restrictions to Azure storage, event hubs and service bus resources is only supported for IoT Hubs in the following regions:
+
+* East US
+
+* South Central US
+
+* West US 2
+
+
+### Pricing (trusted Microsoft first party services)
+
+Trusted Microsoft first party services exception feature is free of charge in IoT Hubs in the [supported regions](#regional-availability-trusted-microsoft-first-party-services). Charges for the provisioned storage accounts, event hubs, or service bus resources apply separately.
+
+
+### Create a DPS resource with managed service identity
+
+A managed service identity can be assigned to your DPS resource at provisioning time (this feature is not currently supported for existing DPS resources), which requires the DPS resource to use TLS 1.2 as the minimum version. For this purpose, you need to use the ARM resource template below:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Devices/ProvisioningServices",
+      "apiVersion": "2020-03-01",
+      "name": "<provide-a-valid-DPS-resource-name>",
+      "location": "<any-of-supported-regions>",
+      "identity": {
+        "type": "SystemAssigned"
+      },
+      "properties": {
+        "minTlsVersion": "1.2"
+      },
+      "sku": {
+          "name": "S1",
+          "capacity": 1
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2018-02-01",
+      "name": "updateIotDPSWithKeyEncryptionKey",
+      "dependsOn": [
+        "<provide-a-valid-DPS-resource-name>"
+      ],
+      "properties": {
+        "mode": "Incremental",
+        "template": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "0.9.0.0",
+          "resources": [
+            {
+              "type": "Microsoft.Devices/ProvisioningServices",
+              "apiVersion": "2020-03-01",
+              "name": "<provide-a-valid-DPS-resource-name>",
+              "location": "<any-of-supported-regions>",
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "properties": {
+                "minTlsVersion": "1.2"
+              },
+              "sku": {
+                "name": "S1",
+                "capacity": 1
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+After substituting the values for your resource `name` and supported region for `location`, you can use Azure CLI to deploy the resource in an existing resource group using:
+
+```azurecli-interactive
+az group deployment create --name <deployment-name> --resource-group <resource-group-name> --template-file <template-file.json>
+```
+
+After the resource is created, you can retrieve the managed service identity assigned to your hub using Azure CLI:
+
+```azurecli-interactive
+az resource show --resource-type Microsoft.Devices/ProvisioningServices --name <iot-hub-resource-name> --resource-group <resource-group-name>
+```
+
+**!!! IS THIS NEEDED?  I NEED TO WALK THROUGH THIS !!!**
+
+Once the DPS resource with a managed service identity is provisioned, follow the IoT Hub section to set up routing endpoints to your linked IoT Hubs.
+
+
+### Egress connectivity to IoT Hubs endpoints for routing
+
+**!!! IS THIS NEEDED FOR THE HUB?  I NEED TO WALK THROUGH THIS !!!**
+
+IoT Hub can be configured to route messages to a customer-owned storage account. To allow the routing functionality to access a storage account while firewall restrictions are in place, your IoT Hub needs to have a managed service identity (see how to [create a DPS resource with managed service identity](#create-a-dps-resource-with-managed-service-identity)). Once a managed service identity is provisioned, follow the steps below to give RBAC permission to your hub's resource identity to access your storage account.
+
+1. In the Azure portal, navigate to your storage account's **Access control (IAM)** tab and click **Add** under the **Add a role assignment** section.
+
+2. Select **Storage Blob Data Contributor** as **role**, **Azure AD user, group, or service principal** as **Assigning access to** and select your IoT Hub's resource name in the drop-down list. Click the **Save** button.
+
+3. Navigate to the **Firewalls and virtual networks** tab in your storage account and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access this storage account**. Click the **Save** button.
+
+4. On your IoT Hub's resource page, navigate to **Message routing** tab.
+
+5. Navigate to **Custom endpoints** section and click **Add**. Select **Storage** as the endpoint type.
+
+6. On the page that shows up, provide a name for your endpoint, select the container that you intend to use in your blob storage, provide encoding, and file name format. Select **System Assigned** as the **Authentication type** to your storage endpoint. Click the **Create** button.
+
+Now your custom storage endpoint is set up to use your hub's system assigned identity, and it has permission to access your storage resource despite its firewall restrictions. You can now use this endpoint to set up a routing rule.
+
+
+
+## Next steps
+
+Use the links below to learn more about IoT Hub features:
+
+* [Message routing](../iot-hub/iot-hub-devguide-messages-d2c.md)
+* [File upload](../iot-hub/iot-hub-devguide-file-upload.md)
+* [Bulk device import/export](../iot-hub/iot-hub-bulk-identity-mgmt.md)