Quickstart: SSH/RDP over IoT Hub device streams using C proxy application (preview)

Microsoft Azure IoT Hub currently supports device streams as a preview feature.

IoT Hub device streams allow service and device applications to communicate in a secure and firewall-friendly manner. See this page for an overview of the setup.

This document describes the setup for tunneling SSH traffic (using port 22) through device streams. The setup for RDP traffic is similar and requires a simple configuration change. Since device streams are application and protocol agnostic, the present quickstart can be modified (by changing the communication ports) to accommodate other types of application traffic.

How it works?

The figure below illustrates the setup of how the device- and service-local proxy programs will enable end-to-end connectivity between the SSH client and SSH daemon processes. During public preview, the C SDK only supports device streams on the device side. As a result, this quickstart only covers instructions to run the device-local proxy application. You should run an accompanying service-local proxy application which is available in C# quickstart or Node.js quickstart guides.

Alt text

  1. Service-local proxy connects to IoT hub and initiates a device stream to the target device.

  2. Device-local proxy completes the stream initiation handshake and establishes an end-to-end streaming tunnel through IoT Hub's streaming endpoint to the service side.

  3. Device-local proxy connects to the SSH daemon (SSHD) listening on port 22 on the device (this is configurable, as described [below](#run-the device-local-proxy-application)).

  4. Service-local proxy awaits for new SSH connections from the user by listening on a designated port which in this case is port 2222 (this is also configurable, as described below). When user connects via SSH client, the tunnel enables SSH application traffic to be transferred between the SSH client and server programs.


SSH traffic being sent over a device stream will be tunneled through IoT Hub's streaming endpoint rather than being sent directly between service and device. This provides these benefits. Furthermore, the figure illustrates the SSH daemon running on the same device (or machine) as the device-local proxy. In this quickstart, providing the SSH daemon IP address allows device-local proxy and daemon to run on different machines as well.

Open Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Select Copy to copy the code, paste it in Cloud Shell, and then press Enter to run it. There are a few ways to open Cloud Shell:

Select Try It in the upper-right corner of a code block. Example of Try It for Azure Cloud Shell
Open Cloud Shell in your browser. Launch Azure Cloud Shell button
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal. Cloud Shell button in the Azure portal

If you don’t have an Azure subscription, create a free account before you begin.


  • The preview of device streams is currently only supported for IoT Hubs created in the following regions:

    • Central US
    • Central US EUAP
  • Install Visual Studio 2017 with the 'Desktop development with C++' workload enabled.

  • Install the latest version of Git.

  • Run the following command to add the Microsoft Azure IoT Extension for Azure CLI to your Cloud Shell instance. The IOT Extension adds IoT Hub, IoT Edge, and IoT Device Provisioning Service (DPS) specific commands to Azure CLI.

    az extension add --name azure-cli-iot-ext

Prepare the development environment

For this quickstart, you will be using the Azure IoT device SDK for C. You will prepare a development environment used to clone and build the Azure IoT C SDK from GitHub. The SDK on GitHub includes the sample code used in this quickstart.

  1. Download the CMake build system.

    It is important that the Visual Studio prerequisites (Visual Studio and the 'Desktop development with C++' workload) are installed on your machine, before starting the CMake installation. Once the prerequisites are in place, and the download is verified, install the CMake build system.

  2. Open a command prompt or Git Bash shell. Execute the following command to clone the Azure IoT C SDK GitHub repository:

    git clone https://github.com/Azure/azure-iot-sdk-c.git --recursive -b public-preview

    You should expect this operation to take several minutes to complete.

  3. Create a cmake subdirectory in the root directory of the git repository, and navigate to that folder.

    cd azure-iot-sdk-c
    mkdir cmake
    cd cmake
  4. Run the following commands from the cmake directory to build a version of the SDK specific to your development client platform.

    • In Linux:

      cmake ..
      make -j
    • In Windows, run the following commands in Developer Command Prompt for Visual Studio 2015 or 2017. A Visual Studio solution for the simulated device will be generated in the cmake directory.

      rem For VS2015
      cmake .. -G "Visual Studio 14 2015"
      rem Or for VS2017
      cmake .. -G "Visual Studio 15 2017"
      rem Then build the project
      cmake --build . -- /m /p:Configuration=Release

Create an IoT hub

This section describes how to create an IoT hub using the Azure portal.

  1. Sign in to the Azure portal.

  2. Choose +Create a resource, then choose Internet of Things.

  3. Click Iot Hub from the list on the right. You see the first screen for creating an IoT hub.

    Screenshot showing creating a hub in the Azure portal

    Fill in the fields:

    Subscription: Select the subscription to use for your IoT hub.

    Resource Group: You can create a new resource group or use an existing one. To create a new one, click Create new and fill in the name you want to use. To use an existing resource group, click Use existing and select the resource group from the dropdown list. For more information, see Manage Azure Resource Manager resource groups.

    Region: This is the region in which you want your hub to be located. Select a region that supports the IoT Hub device streams preview, either Central US or Central US EUAP.

    IoT Hub Name: Put in the name for your IoT Hub. This name must be globally unique. If the name you enter is available, a green check mark appears.


    The IoT hub will be publicly discoverable as a DNS endpoint, so make sure to avoid any sensitive information while naming it.

  4. Click Next: Size and scale to continue creating your IoT hub.

    Screenshot showing setting size and scale for a new IoT hub using the Azure portal

    On this screen, you can take the defaults and just click Review + create at the bottom.

    Pricing and scale tier: Ensure you select one of the standard (S1, S2, S3) or the Free (F1) tier. This choice can also be guided by the size of your fleet and the non-streaming workloads you expect in your hub (e.g., telemetry messages). For example, the free tier is intended for testing and evaluation. It allows 500 devices to be connected to the IoT hub and up to 8,000 messages per day. Each Azure subscription can create one IoT Hub in the free tier.

    IoT Hub units: This choice depends on non-streaming workload you expect in your hub - you can select 1 for now.

    For details about the other tier options, see Choosing the right IoT Hub tier.

  5. Click Review + create to review your choices. You see something similar to this screen.

    Screenshot reviewing information for creating the new IoT hub

  6. Click Create to create your new IoT hub. Creating the hub takes a few minutes.

Register a device

A device must be registered with your IoT hub before it can connect. In this section, you will use the Azure Cloud Shell with the IoT extension to register a simulated device.

  1. Run the following command in Azure Cloud Shell to create the device identity.

    YourIoTHubName: Replace this placeholder below with the name you choose for your IoT hub.

    MyDevice: This is the name given for the registered device. Use MyDevice as shown. If you choose a different name for your device, you will also need to use that name throughout this article, and update the device name in the sample applications before you run them.

    az iot hub device-identity create --hub-name YourIoTHubName --device-id MyDevice
  2. Run the following commands in Azure Cloud Shell to get the device connection string for the device you just registered:

    YourIoTHubName: Replace this placeholder below with the name you choose for your IoT hub.

    az iot hub device-identity show-connection-string --hub-name YourIoTHubName --device-id MyDevice --output table

    Make a note of the device connection string, which looks like the following example:


    You use this value later in the quickstart.

SSH to a device via device streams

Run the device-local proxy application

  1. Edit the source file iothub_client/samples/iothub_client_c2d_streaming_proxy_sample/iothub_client_c2d_streaming_proxy_sample.c and provide your device connection string, target device IP/hostname, and the SSH port 22:

    /* Paste in the your iothub connection string  */
    static const char* connectionString = "[Connection string of IoT Hub]";
    static const char* localHost = "[IP/Host of your target machine]"; // Address of the local server to connect to.
    static const size_t localPort = 22; // Port of the local server to connect to.
  2. Compile the sample:

     # In Linux
     # Go to the sample's folder cmake/iothub_client/samples/iothub_client_c2d_streaming_proxy_sample
     make -j
     rem In Windows
     rem Go to cmake at root of repository
     cmake --build . -- /m /p:Configuration=Release
  3. Run the compiled program on the device:

     # In Linux
     # Go to the sample's folder cmake/iothub_client/samples/iothub_client_c2d_streaming_proxy_sample
     rem In Windows
     rem Go to the sample's release folder cmake\iothub_client\samples\iothub_client_c2d_streaming_proxy_sample\Release

Run the service-local proxy application

As discussed previously, establishing an end-to-end stream to tunnel SSH traffic requires a local proxy at each end (both on the service and the device). During public preview, IoT Hub C SDK only supports device streams on the device side. To build and run the service-local proxy, follow the steps available in the C# quickstart or the Node.js quickstart.

Establish an SSH session

After both the device- and service-local proxies are running, use your SSH client program and connect to the service-local proxy on port 2222 (instead of the SSH daemon directly).

ssh <username>@localhost -p 2222

At this point, you will be presented with the SSH login prompt to enter your credentials.

Console output on the device-local proxy which connects to the SSH daemon at IP_address:22: Alt text

Console output of the SSH client program (SSH client communicates to SSH daemon by connecting to port 22, which the service-local proxy is listening on): Alt text

Clean up resources

If you will be continuing to the next recommended article, you can keep the resources you've already created and reuse them.

Otherwise, you can delete the Azure resources created in this article to avoid charges.


Deleting a resource group is irreversible. The resource group and all the resources contained in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the IoT Hub inside an existing resource group that contains resources you want to keep, only delete the IoT Hub resource itself instead of deleting the resource group.

To delete a resource group by name:

  1. Sign in to the Azure portal and click Resource groups.

  2. In the Filter by name... textbox, type the name of the resource group containing your IoT Hub.

  3. To the right of your resource group in the result list, click ... then Delete resource group.


  4. You will be asked to confirm the deletion of the resource group. Type the name of your resource group again to confirm, and then click Delete. After a few moments, the resource group and all of its contained resources are deleted.

Next steps

In this quickstart, you have set up an IoT hub, registered a device, deployed a device- and a service-local proxy program to establish a device stream through IoT Hub, and used the proxies to tunnel SSH traffic.

Use the links below to learn more about device streams: