DPS with Nested Edge using X.509

Vivek Sagar Pandey 386 Reputation points
2021-11-22T14:25:07.823+00:00

Hi There,

If we create the 'Parent' Edge layer using DPS and X.509 and the 'child' Edge with manual X.509 attestation, is it possible to create a nested IoT Edge architecture using both the Parent and Child edge?

What I am thinking is to make the 'Parent' Edge a transparent gateway and then manually create another Edge (say Child) using manual X.509 attestation.

Steps I am following:

  1. Create 2 Ubuntu 18.04 Azure VMs and install the Azure IoT Edge runtime 1.2.5 on them.
  2. Generate demo certificates for both:
    For Parent:
    Root CA, Device CA, X.509 (identity cert)
    For Child:
    using the Root CA created above: Device CA, X.509 identity primary and secondary certs and their hex codes (thumbprints).
  3. Verify the Root CA in DPS and create a group enrollment.
  4. Provision the Parent edge in DPS using the certs.
  5. Create a DNS name for the Parent VM to use as the hostname (in the parent).
  6. Add the trust bundle (root CA), Device CA cert and key, and device identity cert and key in the config.toml of the parent edge.
  7. Create the Child edge in the portal using the hex code (X.509 thumbprint) and link it to the parent device.
  8. Put the root CA in the certificate path of both VMs (sudo cp /home/edgeserver/demo_certs/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt, then sudo update-ca-certificates).
  9. Enter the parent's DNS name as the parent hostname; add the trust bundle (root CA), the primary identity certificate and its key in the X.509 manual attestation section, and the device CA cert and its key in the Child Edge's config.toml.
  10. Proper module deployments.
  11. and reboot.
Tags: Azure IoT Edge, Azure IoT Hub

Accepted answer
Vivek Sagar Pandey 386 Reputation points
2021-11-24T10:36:20.03+00:00

There were some issues with the certs because I had created the certs first and then added the DNS name. Now I create the DNS name first and then the certs, so it's working fine.
Will try to implement some NSG rules and will see how it responds.

1 person found this answer helpful.
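The ordering the accepted answer lands on (fix the parent's DNS name first, then issue the certs) is worth making checkable, because the failure shows up only when the child's edgeHub opens TLS to the parent and the name it dialled is not in the parent's server certificate. The script below is an added example, not code from the original post, the Azure IoT Edge docs, or the demo-cert scripts the question refers to. It builds the same shape of chain the question describes (root CA, intermediate device CA, a server cert for the parent naming its hostname, and an identity cert for the child), then runs the two checks a practitioner wants before touching config.toml: does each cert chain to the root, and does the parent's cert actually match the hostname the child will use. It also prints the SHA-1 thumbprint (the "hex code") in the form the IoT Hub portal expects for manual X.509 attestation. The hostname parent-edge.example.com, the device ID child-edge-01, and the file names are placeholders; it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Azure docs). Assumes OpenSSL 1.1.1+.
# Names below are placeholders for the question's parent VM hostname and child device ID.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
PARENT_HOST="${PARENT_HOST:-parent-edge.example.com}"  # assumed DNS name of the parent VM
CHILD_ID="${CHILD_ID:-child-edge-01}"                  # assumed IoT Hub device ID of the child

# csr <name> <CN>: fresh RSA key plus CSR in $WORK
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# issue <name> <issuer> <serial> <ext-line>...: sign $WORK/<name>.csr with the issuer's key
issue() {
  local name=$1 issuer=$2 serial=$3; shift 3
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
    -set_serial "$serial" -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

make_chain() {
  # Root CA: self-signed, CA:TRUE. This is the trust bundle for both VMs.
  csr root "Test Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
  # Device (edge) CA: intermediate under the root, pathlen 0.
  csr deviceca "Test Device CA"
  issue deviceca root 2 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign'
  # Parent server cert: the name the child dials must be in the SAN, so the DNS name
  # has to be final BEFORE this step (the accepted answer's finding).
  csr parent-server "$PARENT_HOST"
  issue parent-server deviceca 3 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$PARENT_HOST"
  # Child identity cert: CN must equal the device ID registered with manual X.509 attestation.
  csr child-identity "$CHILD_ID"
  issue child-identity deviceca 4 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth'
}

# verify_chain <cert>: does the cert chain to the root via the device CA? (exit 0 = yes)
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/deviceca.pem" "$1" >/dev/null 2>&1
}

# check_hostname <cert> <host>: chain check plus the hostname match the child's TLS client does.
check_hostname() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/deviceca.pem" \
    -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# thumbprint <cert>: SHA-1 fingerprint as the portal wants it (uppercase hex, no colons)
thumbprint() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/.*=//; s/://g'
}

if [ "${1:-}" = "demo" ]; then
  make_chain
  verify_chain "$WORK/parent-server.pem" && echo "chain OK: parent-server.pem"
  check_hostname "$WORK/parent-server.pem" "$PARENT_HOST" && echo "hostname OK: $PARENT_HOST"
  check_hostname "$WORK/parent-server.pem" "old-name.example.com" \
    || echo "hostname mismatch for old-name.example.com (this is the cert-before-DNS failure)"
  echo "child thumbprint for the portal: $(thumbprint "$WORK/child-identity.pem")"
  echo "files in $WORK"
fi
```

Run it as `bash demo-chain.sh demo`; the third check is deliberately against a name the cert was not issued for, which is the situation the answer describes (certs made before the DNS name was chosen). Using `-untrusted` for the device CA mirrors how the child will see the parent: only the root is in the trust bundle, and the intermediate has to arrive in the TLS handshake, so the parent's config.toml must carry the device CA cert and key, not just the server leaf.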
