Many IoT Edge devices will be deployed behind some kind of firewall. This implies that remote management of these devices might not be trivial. Of course, devices will be hardened, tested, re-tested and fully configured before shipping them. But even after those steps, sometimes you really need to access them.
Naturally there are many options to remotely manage the IoT Edge devices. The simplest way would be to open some ports in the corporate firewall to directly access the device via SSH. I do not know if you have ever tried to get a corporation to open firewall ports, but in my experience this is a no-go solution.
Solutions
Microsoft has understood this and has created the IoT Hub Device Streams functionality. Unfortunately this functionality has been in preview for 2.5 years now (since January 2019), is only available in a limited number of Azure regions, and does not support IoT Edge devices.
I know there are some projects on GitHub that try to use device streams on edge devices using an additional connection string that simulates a regular IoT device (like this one). This is however still limited to a maximum of 300MB per day and still limited to the supported Azure regions.
Requirements
I needed a different solution based on the following requirements:
- all connections must be initiated from the edge device
- the connections must allow a cloud-side initiated log-in to the edge device
- the connections must support SSH
- everything must be secure
- the set-up must survive downtime of either the edge device, the cloud-side server or the internet connection in between. This implies auto-recovery for all these scenarios
After some investigation I concluded I could use AutoSSH to achieve my goals. AutoSSH sets up a reverse SSH tunnel from the edge device to a remote server and keeps it alive; from that remote server the tunnel can then be used to start an SSH session back to the edge device.
Prerequisites
- A Linux server that is running SSH on a static IP address (or DNS name) that is accessible from all locations where the edge devices are deployed. Below I will use the DNS name edge-controller.magicazure.com
- The firewall protecting the edge device must allow outbound SSH connections. Since some firewalls also block all traffic on port 22, you could opt for running your SSH server on port 443, which is usually allowed for outbound traffic. Some firewalls might detect SSH traffic and still block you though. For those cases, tunneling the SSH traffic over HTTP(S) might be needed. I have not tested this yet.
- A user that can log into the central Linux server. Below I will use the user edgemanager
- A user that can log into the edge device. Below I will use the user edgedeviceuser
Installation steps
- Log into the edge device using SSH as the user edgedeviceuser.
- execute the command (as root, or prefixed with sudo)
apt-get install autossh
- execute the command
ssh-keygen -t rsa -b 2048
- Accept the default filename
- Accept the empty passphrase
- Confirm the empty passphrase
- execute the command (this copies the edge device's public key into the authorized_keys of edgemanager on the edge-controller)
ssh-copy-id edgemanager@edge-controller.magicazure.com
- execute the command
autossh -M 20000 -f -N -R 21234:localhost:22 edgemanager@edge-controller.magicazure.com
This set-up creates a tunnel from the edge device to the edge-controller, so that port 21234 on the edge-controller's localhost connects to port 22 on the edge device.
Testing
- log into the edge-controller.magicazure.com machine using your personal account (or the edgemanager account if you want to)
- execute the command
ssh -p 21234 edgedeviceuser@localhost
- enter the password of the edgedeviceuser
- now you are logged into the edge device
Additional steps
To make sure the connection is started automatically when the edge device reboots, please follow the steps described in this post.
Functionality provided by this set-up
- We have a centralized Linux server from which we can connect to ALL IoT Edge devices via SSH (as long as enough ports are available to give each edge device its own ‘personal’ port number).
- On reboot of the edge device, the connection to the centralized server is re-established
- While the internet connection of an edge device is down we obviously cannot reach that edge device
- When the internet connection comes back up, remote access is restored automatically
- If the central server restarts, all edge devices will automatically reconnect
- There is no need to set up port forwarding on the firewalls protecting the edge devices
- When logging into the edge device, the username and password are still needed to connect. So there is no open connection that can be misused automatically
- Keep in mind to really secure the centralized server, since it provides access to all edge devices
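One concrete way to tighten the last point: the edge device's key (no passphrase) is what ssh-copy-id places in edgemanager's authorized_keys on the controller, so it should be allowed to do nothing but open its own tunnel. The script below is an added example, not part of the original post; it builds that restricted authorized_keys entry and the matching autossh command, and it assumes OpenSSH 7.8 or newer on edge-controller.magicazure.com (for permitlisten). It also swaps the post's -M 20000 monitor port for SSH keep-alives, since with many devices each -M would need its own extra listen port that the restriction would block.

```shell
#!/bin/sh
# Added example, not from the original post. Builds (1) the entry for
# edgemanager's ~/.ssh/authorized_keys on edge-controller.magicazure.com that
# lets one edge device open only its own reverse tunnel, and (2) the matching
# autossh command for the device side. Assumes OpenSSH 7.8+ on the controller
# (needed for the permitlisten option).

# authorized_key_entry PORT PUBKEY
#   PUBKEY is the one-line contents of the device's ~/.ssh/id_rsa.pub.
#   "restrict" disables pty, X11, agent and all forwarding for this key;
#   "port-forwarding" re-enables forwarding and "permitlisten" limits -R to
#   the single port assigned to this device. Whoever holds the passphrase-less
#   device key therefore gets no shell on the controller and cannot bind the
#   port of another device.
authorized_key_entry() {
    port=$1
    pubkey=$2
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$port" "$pubkey"
}

# autossh_command PORT
#   Same tunnel as in the post, with two changes: SSH keep-alives (-M 0 plus
#   ServerAlive*) replace the -M monitor port, and ExitOnForwardFailure makes
#   ssh exit, and autossh reconnect, when the remote port is still held by a
#   stale session instead of silently running without the tunnel.
autossh_command() {
    port=$1
    printf 'autossh -M 0 -f -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s:localhost:22 edgemanager@edge-controller.magicazure.com\n' "$port"
}

# Stand-alone usage with a constructed sample key (replace with the real id_rsa.pub line).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedSampleKey edgedeviceuser@edge-01'
authorized_key_entry 21234 "$SAMPLE_PUBKEY"
autossh_command 21234
```

Put the printed authorized_keys line in place of the unrestricted one that ssh-copy-id created for that device; ssh-copy-id itself must still be run once (or the key appended by hand) before the tunnel can be opened.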