OT sensor cloud connection methods

This article describes the architectures and methods supported for connecting your Microsoft Defender for IoT OT sensors to the cloud.

All supported cloud connection methods provide:

  • Simple deployment, requiring no extra installations in your private Azure environment, such as for an IoT Hub

  • Improved security, without needing to configure or lock down any resource security settings in the Azure VNET

  • Scalability for new features supported only in the cloud

  • Flexible connectivity using any of the connection methods described in this article

For more information, see Choose a sensor connection method.

Important

To ensure that your network is ready, we recommend that you first run the migration in a lab or testing environment so that you can safely validate your Azure service configurations.

Proxy connections with an Azure proxy

The following image shows how you can connect your sensors to the Defender for IoT portal in Azure through a proxy in the Azure VNET. This configuration ensures confidentiality for all communications between your sensor and Azure.

Diagram of a proxy connection using an Azure proxy.

Depending on your network configuration, you can access the VNET via a VPN connection or an ExpressRoute connection.

This method uses a proxy server hosted within Azure. To handle load balancing and failover, the proxy is configured to scale automatically behind a load balancer.

For more information, see Connect via an Azure proxy.

Proxy connections with proxy chaining

The following image shows how you can connect your sensors to the Defender for IoT portal in Azure through multiple proxies, using different levels of the Purdue model and the enterprise network hierarchy.

Diagram of a proxy connection using proxy chaining.

This method supports connecting your sensors without direct internet access, using an SSL-encrypted tunnel to transfer data from the sensor to the service endpoint via proxy servers. The proxy server doesn't perform any data inspection, analysis, or caching.

With the proxy chaining method, Defender for IoT doesn't support your proxy service. It's the customer's responsibility to set up and maintain the proxy service.
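The following is an added example, not part of the original article or Microsoft's sensor software, showing the mechanics the proxy chaining section describes: the client opens a tunnel through a forward proxy and then negotiates TLS end-to-end with the service endpoint, so the proxy only relays ciphertext. It assumes an HTTP forward proxy that supports the CONNECT method (the article does not specify the proxy type); the proxy and endpoint hostnames are constructed placeholders. The parsing functions fail closed on any proxy error, and the TLS context verifies the certificate chain and hostname, which is how a customer-run proxy that tried to inspect traffic would be detected rather than silently accepted.

```python
"""Added example: HTTP CONNECT tunnel through a forward proxy, then end-to-end TLS."""
import socket
import ssl
from base64 import b64encode

# Constructed placeholder names; substitute your own proxy and the real service endpoint.
PROXY_HOST = "proxy.example.internal"
PROXY_PORT = 3128
TARGET_HOST = "sensor-endpoint.example"
TARGET_PORT = 443


class ProxyTunnelError(Exception):
    """Raised when the proxy refuses or fails to establish the tunnel."""


def build_connect_request(target_host, target_port, proxy_credentials=None):
    """Return the raw HTTP CONNECT request sent to the first proxy in the chain.

    Only target host:port is disclosed to the proxy; after the tunnel is up the
    proxy sees TLS ciphertext only. Proxy credentials, if used, travel in clear
    on the sensor-to-proxy hop, so that hop itself needs to be trusted.
    """
    lines = [
        f"CONNECT {target_host}:{target_port} HTTP/1.1",
        f"Host: {target_host}:{target_port}",
        "Proxy-Connection: keep-alive",
    ]
    if proxy_credentials:
        user, password = proxy_credentials
        token = b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(raw):
    """Parse the proxy's reply to CONNECT; return (status_code, leftover_bytes).

    Any non-2xx status raises ProxyTunnelError so the caller fails closed instead
    of starting a TLS handshake against an error page. Bytes after the header
    terminator belong to the tunnelled stream and are returned untouched.
    """
    header_end = raw.find(b"\r\n\r\n")
    if header_end == -1:
        raise ProxyTunnelError("incomplete CONNECT response from proxy")
    head = raw[:header_end].decode("iso-8859-1")
    leftover = raw[header_end + 4:]
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ProxyTunnelError(f"malformed status line: {status_line!r}")
    try:
        status = int(parts[1])
    except ValueError:
        raise ProxyTunnelError(f"malformed status code: {status_line!r}")
    if status == 407:
        raise ProxyTunnelError("proxy requires authentication (407)")
    if not 200 <= status < 300:
        raise ProxyTunnelError(f"proxy refused tunnel: {status_line}")
    return status, leftover


def read_connect_response(sock, limit=65536):
    """Read from the proxy socket until the CONNECT headers are complete."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyTunnelError("proxy closed connection before replying")
        buf += chunk
        if len(buf) > limit:
            raise ProxyTunnelError("CONNECT response too large")
    return buf


def open_tunnelled_tls(proxy_host, proxy_port, target_host, target_port,
                       proxy_credentials=None, timeout=10):
    """Open CONNECT through the proxy, then TLS to the target inside the tunnel.

    The default SSL context verifies the chain and hostname, so a proxy that
    intercepts TLS produces a handshake failure rather than a downgraded session.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port, proxy_credentials))
        _status, leftover = parse_connect_response(read_connect_response(sock))
        if leftover:
            # A relaying proxy must not inject data before the handshake; treat it as tampering.
            raise ProxyTunnelError("unexpected bytes before TLS handshake")
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return ctx.wrap_socket(sock, server_hostname=target_host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    tls = open_tunnelled_tls(PROXY_HOST, PROXY_PORT, TARGET_HOST, TARGET_PORT)
    print("tunnel established; peer certificate subject:", tls.getpeercert().get("subject"))
    tls.close()
```

For a chain of several proxies, only the first hop is addressed by the sensor; each proxy forwards the CONNECT upstream, and the TLS handshake still terminates at the cloud endpoint, which is why the proxies cannot perform inspection or caching on this traffic.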

For more information, see Connect via proxy chaining.

Direct connections

The following image shows how you can connect your sensors to the Defender for IoT portal in Azure directly over the internet from remote sites, without traversing the enterprise network.

Diagram of a direct connection to Azure.

With direct connections:

  • Any sensors connected to Azure data centers directly over the internet have a secure and encrypted connection to the Azure data centers. Transport Layer Security (TLS) provides always-on communication between the sensor and Azure resources.

  • The sensor initiates all connections to the Azure portal. Initiating connections only from the sensor protects internal network devices from unsolicited inbound connections, and it also means that you don't need to configure any inbound firewall rules.

For more information, see Connect directly.

Multi-cloud connections

You can connect your sensors to the Defender for IoT portal in Azure from other public clouds for OT/IoT management process monitoring.

Depending on your environment configuration, you might connect using one of the following methods:

  • ExpressRoute with customer-managed routing

  • ExpressRoute with a cloud exchange provider

  • A site-to-site VPN over the internet

For more information, see Connect via multi-cloud vendors.

Working with a mixture of sensor software versions

If you're a customer with an existing production deployment, we recommend that you upgrade any legacy sensor versions to version 22.1.x.

While you'll need to migrate your connections before the legacy version reaches end of support, you can currently deploy a hybrid network of sensors, including legacy software versions with their IoT Hub connections, and sensors with the connection methods described in this article.

After migrating, you can remove any relevant IoT Hubs from your subscription as they'll no longer be required for your sensor connections.

For more information, see Update a standalone sensor version and Migration for existing customers.

Next steps

For more information, see Connect your sensors to Microsoft Defender for IoT.