Quickstart: SSH/RDP over IoT Hub device streams using C# proxy applications (preview)

Microsoft Azure IoT Hub currently supports device streams as a preview feature.

IoT Hub device streams allow service and device applications to communicate in a secure and firewall-friendly manner. This quickstart guide involves two C# programs that enable client/server application traffic (such as SSH and RDP) to be sent over a device stream established through IoT Hub. See here for an overview of the setup.

We first describe the setup for SSH (using port 22). We then describe how to modify the setup's port for RDP. Since device streams are application and protocol agnostic, the same sample can be modified to accommodate other types of application traffic. This usually only involves changing the communication port to the one used by the intended application.

How it works

The following steps describe how the device-local and service-local proxy programs in this sample enable end-to-end connectivity between the SSH client and the SSH daemon. Here, we assume that the daemon is running on the same device as the device-local proxy.

  1. Service-local proxy connects to IoT hub and initiates a device stream to the target device using its device ID.

  2. Device-local proxy completes the stream initiation handshake and establishes an end-to-end streaming tunnel through IoT Hub's streaming endpoint to the service side.

  3. Device-local proxy connects to the SSH daemon (SSHD) listening on port 22 on the device (this port is configurable, as described below).

  4. Service-local proxy waits for new SSH connections from the user by listening on a designated port, which in this case is port 2222 (this is also configurable, as described below). When the user connects via an SSH client, the tunnel enables application traffic to be exchanged between the SSH client and server programs.

Note

SSH traffic being sent over the stream will be tunneled through IoT Hub's streaming endpoint rather than being sent directly between service and device. This provides these benefits.

Open Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Select Copy to copy the code, paste it in Cloud Shell, and then press Enter to run it. There are a few ways to open Cloud Shell:

  • Select Try It in the upper-right corner of a code block.
  • Open Cloud Shell in your browser.
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

If you don’t have an Azure subscription, create a free account before you begin.

Prerequisites

The preview of device streams is currently only supported for IoT Hubs created in the following regions:

  • Central US
  • Central US EUAP

The two sample applications you run in this quickstart are written using C#. You need the .NET Core SDK 2.1.0 or greater on your development machine.

You can download the .NET Core SDK for multiple platforms from .NET.

You can verify the installed version of the .NET Core SDK on your development machine using the following command:

dotnet --version

Run the following command to add the Microsoft Azure IoT Extension for Azure CLI to your Cloud Shell instance. The IoT Extension adds IoT Hub, IoT Edge, and IoT Device Provisioning Service (DPS) specific commands to Azure CLI.

az extension add --name azure-cli-iot-ext

Download the sample C# project from https://github.com/Azure-Samples/azure-iot-samples-csharp/archive/master.zip and extract the ZIP archive.

Create an IoT hub

This section describes how to create an IoT hub using the Azure portal.

  1. Sign in to the Azure portal.

  2. Choose +Create a resource, then choose Internet of Things.

  3. Click IoT Hub from the list on the right. You see the first screen for creating an IoT hub.

    Screenshot showing creating a hub in the Azure portal

    Fill in the fields:

    Subscription: Select the subscription to use for your IoT hub.

    Resource Group: You can create a new resource group or use an existing one. To create a new one, click Create new and fill in the name you want to use. To use an existing resource group, click Use existing and select the resource group from the dropdown list. For more information, see Manage Azure Resource Manager resource groups.

    Region: This is the region in which you want your hub to be located. Select a region that supports the IoT Hub device streams preview, either Central US or Central US EUAP.

    IoT Hub Name: Put in the name for your IoT Hub. This name must be globally unique. If the name you enter is available, a green check mark appears.

    Important

    The IoT hub will be publicly discoverable as a DNS endpoint, so make sure to avoid any sensitive information while naming it.

  4. Click Next: Size and scale to continue creating your IoT hub.

    Screenshot showing setting size and scale for a new IoT hub using the Azure portal

    On this screen, you can take the defaults and just click Review + create at the bottom.

    Pricing and scale tier: Ensure you select one of the standard (S1, S2, S3) or the Free (F1) tier. This choice can also be guided by the size of your fleet and the non-streaming workloads you expect in your hub (e.g., telemetry messages). For example, the free tier is intended for testing and evaluation. It allows 500 devices to be connected to the IoT hub and up to 8,000 messages per day. Each Azure subscription can create one IoT Hub in the free tier.

    IoT Hub units: This choice depends on the non-streaming workload you expect in your hub. You can select 1 for now.

    For details about the other tier options, see Choosing the right IoT Hub tier.

  5. Click Review + create to review your choices. You see something similar to this screen.

    Screenshot reviewing information for creating the new IoT hub

  6. Click Create to create your new IoT hub. Creating the hub takes a few minutes.

Register a device

A device must be registered with your IoT hub before it can connect. In this quickstart, you use the Azure Cloud Shell to register a simulated device.

  1. Run the following command in Azure Cloud Shell to create the device identity.

    YourIoTHubName: Replace this placeholder below with the name you choose for your IoT hub.

    MyDevice: This is the name given for the registered device. Use MyDevice as shown. If you choose a different name for your device, you will also need to use that name throughout this article, and update the device name in the sample applications before you run them.

    az iot hub device-identity create --hub-name YourIoTHubName --device-id MyDevice
    
  2. Run the following commands in Azure Cloud Shell to get the device connection string for the device you just registered:

    YourIoTHubName: Replace this placeholder below with the name you choose for your IoT hub.

    az iot hub device-identity show-connection-string --hub-name YourIoTHubName --device-id MyDevice --output table
    

    Make a note of the device connection string, which looks like the following example:

    HostName={YourIoTHubName}.azure-devices.net;DeviceId=MyDevice;SharedAccessKey={YourSharedAccessKey}

    You use this value later in the quickstart.

  3. You also need the service connection string from your IoT hub to enable the service-side application to connect to your IoT hub and establish a device stream. The following command retrieves this value for your IoT hub:

    YourIoTHubName: Replace this placeholder below with the name you choose for your IoT hub.

    az iot hub show-connection-string --policy-name service --name YourIoTHubName
    

    Make a note of the returned value, which looks like this:

    "HostName={YourIoTHubName}.azure-devices.net;SharedAccessKeyName=service;SharedAccessKey={YourSharedAccessKey}"
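The device and service connection strings noted above are easy to swap, and both embed a shared access key. The following check is an added example, not part of the sample repository: it classifies a connection string as device or service and masks the key for logging. The function names are this example's own, and the hub name contoso-hub and both keys are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not from the sample repository. Function names are this
# example's own; the hub name and keys below are constructed (fake) values.

# conn_field STRING KEY: print KEY's value from a ';'-separated key=value
# string. Matches the whole key, so SharedAccessKey != SharedAccessKeyName.
conn_field() {
  local pair rest="$1;"
  while [ -n "$rest" ]; do
    pair="${rest%%;*}"; rest="${rest#*;}"
    case "$pair" in
      "$2"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
    esac
  done
  return 1
}

# conn_kind STRING: print "device", "service:<policy>" or "invalid".
conn_kind() {
  local host key id policy
  host=$(conn_field "$1" HostName) && key=$(conn_field "$1" SharedAccessKey) \
    || { echo invalid; return 1; }
  [ -n "$host" ] && [ -n "$key" ] || { echo invalid; return 1; }
  if id=$(conn_field "$1" DeviceId) && [ -n "$id" ]; then
    echo device
  elif policy=$(conn_field "$1" SharedAccessKeyName) && [ -n "$policy" ]; then
    echo "service:$policy"
  else
    echo invalid; return 1
  fi
}

# conn_redact STRING: same string with the key masked, safe for logs.
conn_redact() {
  printf '%s\n' "$1" | sed -E 's/(^|;)(SharedAccessKey=)[^;]*/\1\2<redacted>/'
}

# Constructed sample connection strings in the two formats shown above.
DEV='HostName=contoso-hub.azure-devices.net;DeviceId=MyDevice;SharedAccessKey=ZmFrZS1kZXZpY2Uta2V5'
SVC='HostName=contoso-hub.azure-devices.net;SharedAccessKeyName=service;SharedAccessKey=ZmFrZS1zZXJ2aWNlLWtleQ=='

for s in "$DEV" "$SVC"; do
  printf '%-16s %s\n' "$(conn_kind "$s")" "$(conn_redact "$s")"
done
```

Running conn_kind on the variable before starting each proxy catches a swapped string, and a result other than service:service on the service side means the string belongs to a different policy than the one this quickstart retrieves.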

SSH to a device via device streams

Run the device-local proxy

Navigate to device-streams-proxy/device in your unzipped project folder. You will need the following information handy:

Argument name | Argument value
deviceConnectionString | The connection string of the device you created earlier.
targetServiceHostName | The IP address on which the SSH server listens (this would be localhost if it is the same IP where the device-local proxy is running).
targetServicePort | The port used by your application protocol (by default, this would be port 22 for SSH).

Compile and run the code as follows:

cd ./iot-hub/Quickstarts/device-streams-proxy/device/

# Build the application
dotnet build

# Run the application
# In Linux/macOS (quoted so the connection string is passed as one argument)
dotnet run "$deviceConnectionString" localhost 22

# In Windows
dotnet run %deviceConnectionString% localhost 22

Run the service-local proxy

Navigate to device-streams-proxy/service in your unzipped project folder. You will need the following information handy:

Parameter name | Parameter value
iotHubConnectionString | The service connection string of your IoT Hub.
deviceId | The identifier of the device you created earlier.
localPortNumber | A local port to which your SSH client will connect. We use port 2222 in this sample, but you can change this to any other available port.

Compile and run the code as follows:

cd ./iot-hub/Quickstarts/device-streams-proxy/service/

# Build the application
dotnet build

# Run the application
# In Linux/macOS (quoted so the connection string is passed as one argument)
dotnet run "$serviceConnectionString" MyDevice 2222

# In Windows
dotnet run %serviceConnectionString% MyDevice 2222

Run SSH client

Now use your SSH client program to connect to the service-local proxy on port 2222 (instead of connecting to the SSH daemon directly).

ssh <username>@localhost -p 2222

At this point, you will be presented with the SSH login prompt to enter your credentials.

Screenshot showing the console output on the service side (the service-local proxy listens on port 2222)

Screenshot showing the console output on the device-local proxy, which connects to the SSH daemon at IP_address:22

Screenshot showing the console output of the SSH client program (the SSH client communicates with the SSH daemon by connecting to port 22 where the service-local proxy is listening)
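Whoever can reach the service-local proxy's listening port reaches the device's SSH daemon through the tunnel, so it is worth confirming that the port is bound to loopback only. The check below is an added example, not part of the sample: listener_scope is a name chosen here, the ss lines are constructed, and it assumes Linux with the iproute2 ss tool.

```bash
#!/usr/bin/env bash
# Added example, not from the sample repository. Assumes Linux with iproute2,
# where `ss -Hltn` prints: State Recv-Q Send-Q Local-Address:Port Peer:Port

# listener_scope PORT: read `ss -Hltn` output on stdin and print
#   loopback  every listener on PORT is bound to 127.0.0.0/8 or ::1
#   exposed   at least one listener on PORT accepts non-local connections
#   none      nothing is listening on PORT
listener_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      host = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") lo = 1; else ex = 1
    }
    END { print (ex ? "exposed" : (lo ? "loopback" : "none")) }'
}

# Constructed sample of `ss -Hltn` output; on a live host run:
#   ss -Hltn | listener_scope 2222
sample='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 512 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 512 *:3390 *:*'

for p in 2222 3390 2223; do
  printf '%s -> %s\n' "$p" "$(printf '%s\n' "$sample" | listener_scope "$p")"
done
```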

RDP to a device via device streams

The setup for RDP is very similar to SSH (described above). We need to use the RDP destination IP and port 3389 instead, and an RDP client instead of the SSH client.

Run the device-local proxy (RDP)

Navigate to device-streams-proxy/device in your unzipped project folder. You will need the following information handy:

Argument name | Argument value
DeviceConnectionString | The connection string of the device you created earlier.
targetServiceHostName | The hostname or IP address where the RDP server runs (this would be localhost if it is the same IP where the device-local proxy is running).
targetServicePort | The port used by your application protocol (by default, this would be port 3389 for RDP).

Compile and run the code as follows:

cd ./iot-hub/Quickstarts/device-streams-proxy/device

# Run the application
# In Linux/macOS (quoted so the connection string is passed as one argument)
dotnet run "$DeviceConnectionString" localhost 3389

# In Windows
dotnet run %DeviceConnectionString% localhost 3389

Run the service-local proxy (RDP)

Navigate to device-streams-proxy/service in your unzipped project folder. You will need the following information handy:

Parameter name | Parameter value
iotHubConnectionString | The service connection string of your IoT Hub.
deviceId | The identifier of the device you created earlier.
localPortNumber | A local port to which your RDP client will connect. We use port 2222 in this sample, but you can change this to any other available port.

Compile and run the code as follows:

cd ./iot-hub/Quickstarts/device-streams-proxy/service/

# Build the application
dotnet build

# Run the application
# In Linux/macOS (quoted so the connection string is passed as one argument)
dotnet run "$serviceConnectionString" MyDevice 2222

# In Windows
dotnet run %serviceConnectionString% MyDevice 2222

Run RDP client

Now use your RDP client program to connect to the service-local proxy on port 2222 (this was an arbitrary available port you chose earlier).

Clean up resources

If you will be continuing to the next recommended article, you can keep the resources you've already created and reuse them.

Otherwise, you can delete the Azure resources created in this article to avoid charges.

Important

Deleting a resource group is irreversible. The resource group and all the resources contained in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the IoT Hub inside an existing resource group that contains resources you want to keep, only delete the IoT Hub resource itself instead of deleting the resource group.

To delete a resource group by name:

  1. Sign in to the Azure portal and click Resource groups.

  2. In the Filter by name... textbox, type the name of the resource group containing your IoT Hub.

  3. To the right of your resource group in the result list, click ... then Delete resource group.


  4. You will be asked to confirm the deletion of the resource group. Type the name of your resource group again to confirm, and then click Delete. After a few moments, the resource group and all of its contained resources are deleted.

Next steps

In this quickstart, you have set up an IoT hub, registered a device, deployed a device- and a service-local proxy program to establish a device stream through IoT Hub, and used the proxies to tunnel SSH or RDP traffic. The same paradigm can accommodate other client/server protocols (where server runs on the device, e.g., SSH daemon).
