Azure infrastructure
External flows
External flows come from outside the system (users, devices, pipelines, etc.).
Source | Target | Protocol | Authentication | Desc. (optional) |
---|---|---|---|---|
User / SPA front-end | Management API | HTTPS | OAuth2.0 / JWT Token | Requests are sent through the reverse proxy |
User / SPA front-end | WebSocket Server | HTTPS | OAuth2.0 / JWT Token | Requests are sent through the reverse proxy |
Device | Reverse Proxy | HTTPS | Certificate (self-signed or CA-signed) or symmetric key | |
Device | IoT Hub | MQTTS | Certificate (self-signed or CA-signed) or symmetric key | |
IoT Hub | Device | MQTTS | Certificate (self-signed or CA-signed) or symmetric key | Send commands, updates, and configurations |
CI/CD pipelines | Azure Management API | HTTPS | Azure CLI authentication with ID & secret | Deploy infrastructure through IaC & deploy applications |
Internal flows
Internal flows are internal to the system and should not be exposed to the public internet.
Source | Target | Protocol | Authentication | Desc. (optional) |
---|---|---|---|---|
Management API | AAD B2C | HTTPS | None - Keys are public | Read public keys in order to validate incoming JWT tokens |
Management API | AAD B2C | HTTPS | Secret | Manage user accounts |
Management API | SQL database | TCP/TLS | Technical user account (login + password) | User account with full privileges on the database |
Management API | Azure Functions | HTTPS | Azure Function Key | Read telemetries |
Management API | Service Bus | AMQP | Connection string | Send events |
Management API | Redis | Redis protocol | Technical user account (login + password) | Write and receive device-related information and events |
Management API | Storage Account | HTTPS | Managed identity | Store assets (icons, binary files, etc.) |
WebSocket Server | Management API | HTTPS | User access token | Validate user authentication and authorization |
WebSocket Server | Redis | Redis protocol | Technical user account (login + password) | Subscribe to device-related events |
Azure Function | Service Bus | AMQP | Connection string | Send telemetries |
Azure Function | Azure Function | HTTPS | Azure Function Key | Telemetry-related actions |
Azure Function | InfluxDB | HTTPS | Token (least access privilege) | Write / read telemetries |
Azure Function | Redis | Redis protocol | Technical user account (login + password) | Read device provisioning information and update device connectivity states |
Service Bus | Azure Function | Event Grid | / (Internal Azure process) | Trigger several functions (e.g. events & telemetries writing to DB) |
Publicly exposed resources
These resources are publicly exposed and should stay exposed:
- Reverse proxy
- IoT Hub
- Device Provisioning Service (DPS)
- Azure Active Directory B2C
These resources are publicly exposed in the default setup, but can be made inaccessible from the public internet by placing them in virtual networks:
- Azure Functions
- Service Bus
- Databases (SQL & Influx)
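The flow tables and the exposure lists above can be audited mechanically. The following Python script is an added example, not part of the original page: it parses the internal flow table (embedded verbatim as sample data), reports every flow that authenticates with a shared secret rather than an identity, and lists the internal targets that the page says are public by default. The secret markers, the public-by-default set and the "Azure Functions"/"Azure Function" alias are assumptions derived from the tables, not values from the project.

```python
from collections import namedtuple
# Internal flow table copied from the page (header and separator rows omitted).
INTERNAL_FLOWS = """
Management API | AAD B2C | HTTPS | None - Keys are public | Read public keys in order to validate incoming JWT tokens |
Management API | AAD B2C | HTTPS | Secret | Manage user accounts |
Management API | SQL database | TCP/TLS | Technical user account (login + password) | User account with full privileges on the database |
Management API | Azure Functions | HTTPS | Azure Function Key | Read telemetries |
Management API | Service Bus | AMQP | Connection string | Send events |
Management API | Redis | Redis protocol | Technical user account (login + password) | Write and receive device-related information and events |
Management API | Storage Account | HTTPS | Managed identity | Store assets (icons, binary files, etc.) |
WebSocket Server | Management API | HTTPS | User access token | Validate user authentication and authorization |
WebSocket Server | Redis | Redis protocol | Technical user account (login + password) | Subscribe to device-related events |
Azure Function | Service Bus | AMQP | Connection string | Send telemetries |
Azure Function | Azure Function | HTTPS | Azure Function Key | Telemetry-related actions |
Azure Function | InfluxDB | HTTPS | Token (least access privilege) | Write / read telemetries |
Azure Function | Redis | Redis protocol | Technical user account (login + password) | Read device provisioning information and update device connectivity states |
Service Bus | Azure Function | Event Grid | / (Internal Azure process) | Trigger several functions (e.g. events & telemetries writing to DB) |
"""

# Assumed markers for credentials that are bearer secrets: whoever holds the value gets the access.
SHARED_SECRET_MARKERS = ("secret", "login + password", "connection string", "function key")
# Targets the page lists as public by default unless placed behind a virtual network (assumed set).
PUBLIC_BY_DEFAULT = {"Azure Function", "Service Bus", "SQL database", "InfluxDB"}
ALIASES = {"Azure Functions": "Azure Function"}  # the table names this service two ways
Flow = namedtuple("Flow", "source target protocol auth desc")

def parse_flows(table):
    """Parse pipe-separated rows; header/separator rows are skipped, trailing pipe is optional."""
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Source" or cells[0].startswith("---"):
            continue
        src, tgt, proto, auth = cells[:4]
        flows.append(Flow(src, ALIASES.get(tgt, tgt), proto, auth, cells[4] if len(cells) > 4 else ""))
    return flows

def shared_secret_flows(flows):
    """Flows authenticated by a shared secret rather than an identity (managed identity, user token)."""
    return [(f.source, f.target, f.auth) for f in flows
            if any(m in f.auth.lower() for m in SHARED_SECRET_MARKERS)]

def targets_needing_private_access(flows):
    """Internal targets that are public by default and belong behind a virtual network."""
    return {f.target for f in flows if f.target in PUBLIC_BY_DEFAULT}

if __name__ == "__main__":
    flows = parse_flows(INTERNAL_FLOWS)
    print(*shared_secret_flows(flows), sep="\n")
    print("make private:", sorted(targets_needing_private_access(flows)))
```

Each reported shared-secret flow is a candidate for migration to a managed identity, as the Storage Account flow already uses; the "make private" list is the set of internal targets whose public endpoint should be disabled once they sit in a virtual network.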