Quickstart: SSH/RDP over IoT Hub device streams using Node.js proxy application (preview)

Microsoft Azure IoT Hub currently supports device streams as a preview feature.

IoT Hub device streams allow service and device applications to communicate in a secure and firewall-friendly manner. This quickstart guide describes execution of a Node.js proxy application running on the service side to enable SSH and RDP traffic to be sent to the device over a device stream. See here for an overview of the setup. During public preview, Node.js SDK only supports device streams on the service side. As a result, this quickstart guide only covers instructions to run the service-local proxy. You should run an accompanying device-local proxy which is available in C quickstart or C# quickstart guides.

We first describe the setup for SSH (using port 22). We then describe how to modify the setup for RDP (which uses port 3389). Since device streams are application and protocol agnostic, the same sample can be modified to accommodate other types of client/server application traffic (usually by modifying the communication port).

Open Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Select Copy to copy the code, paste it in Cloud Shell, and then press Enter to run it. There are a few ways to open Cloud Shell:

Select Try It in the upper-right corner of a code block. Example of Try It for Azure Cloud Shell
Open Cloud Shell in your browser. Launch Azure Cloud Shell button
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal. Cloud Shell button in the Azure portal

If you don’t have an Azure subscription, create a free account before you begin.


The preview of device streams is currently only supported for IoT Hubs created in the following regions:

  • Central US
  • Central US EUAP

To run the service-local application in this quickstart you need Node.js v4.x.x or later on your development machine.

You can download Node.js for multiple platforms from nodejs.org.

You can verify the current version of Node.js on your development machine using the following command:

node --version

Run the following command to add the Microsoft Azure IoT Extension for Azure CLI to your Cloud Shell instance. The IOT Extension adds IoT Hub, IoT Edge, and IoT Device Provisioning Service (DPS) specific commands to Azure CLI.

az extension add --name azure-cli-iot-ext

If you haven't already done so, download the sample Node.js project from https://github.com/Azure-Samples/azure-iot-samples-node/archive/streams-preview.zip and extract the ZIP archive.

Create an IoT hub

If you completed the previous Quickstart: Send telemetry from a device to an IoT hub, you can skip this step.

This section describes how to create an IoT hub using the Azure portal.

  1. Sign in to the Azure portal.

  2. Choose +Create a resource, then choose Internet of Things.

  3. Click Iot Hub from the list on the right. You see the first screen for creating an IoT hub.

    Screenshot showing creating a hub in the Azure portal

    Fill in the fields:

    Subscription: Select the subscription to use for your IoT hub.

    Resource Group: You can create a new resource group or use an existing one. To create a new one, click Create new and fill in the name you want to use. To use an existing resource group, click Use existing and select the resource group from the dropdown list. For more information, see Manage Azure Resource Manager resource groups.

    Region: This is the region in which you want your hub to be located. Select a region that supports the IoT Hub device streams preview, either Central US or Central US EUAP.

    IoT Hub Name: Put in the name for your IoT Hub. This name must be globally unique. If the name you enter is available, a green check mark appears.


    The IoT hub will be publicly discoverable as a DNS endpoint, so make sure to avoid any sensitive information while naming it.

  4. Click Next: Size and scale to continue creating your IoT hub.

    Screenshot showing setting size and scale for a new IoT hub using the Azure portal

    On this screen, you can take the defaults and just click Review + create at the bottom.

    Pricing and scale tier: Ensure you select one of the standard (S1, S2, S3) or the Free (F1) tier. This choice can also be guided by the size of your fleet and the non-streaming workloads you expect in your hub (e.g., telemetry messages). For example, the free tier is intended for testing and evaluation. It allows 500 devices to be connected to the IoT hub and up to 8,000 messages per day. Each Azure subscription can create one IoT Hub in the free tier.

    IoT Hub units: This choice depends on non-streaming workload you expect in your hub - you can select 1 for now.

    For details about the other tier options, see Choosing the right IoT Hub tier.

  5. Click Review + create to review your choices. You see something similar to this screen.

    Screenshot reviewing information for creating the new IoT hub

  6. Click Create to create your new IoT hub. Creating the hub takes a few minutes.

Register a device

If you completed the previous Quickstart: Send telemetry from a device to an IoT hub, you can skip this step.

A device must be registered with your IoT hub before it can connect. In this quickstart, you use the Azure Cloud Shell to register a simulated device.

  1. Run the following command in Azure Cloud Shell to create the device identity.

    YourIoTHubName: Replace this placeholder below with the name you chose for your IoT hub.

    MyDevice: This is the name given for the registered device. Use MyDevice as shown. If you choose a different name for your device, you will also need to use that name throughout this article, and update the device name in the sample applications before you run them.

    az iot hub device-identity create --hub-name YourIoTHubName --device-id MyDevice
  2. You also need a service connection string to enable the back-end application to connect to your IoT hub and retrieve the messages. The following command retrieves the service connection string for your IoT hub:

    YourIoTHubName: Replace this placeholder below with the name you chose for your IoT hub.

    az iot hub show-connection-string --policy-name service --name YourIoTHubName

    Make a note of the returned value, which looks like this:


SSH to a device via device streams

Run the device-local proxy

As mentioned earlier, IoT Hub Node.js SDK only supports device streams on the service side. For device-local application, use the accompanying device proxy programs available in C quickstart or C# quickstart guides. Ensure the device-local proxy is running before proceeding to the next step.

Run the service-local proxy

Assuming that the device-local proxy is running, follow the steps below to run the service-local proxy written in Node.js.

  • Provide your service credentials, the target device ID where SSH daemon runs, and the port number for the proxy running on the device as environment variables.

    # In Linux
    export IOTHUB_CONNECTION_STRING="<provide_your_service_connection_string>"
    export PROXY_PORT=2222
    # In Windows
    SET IOTHUB_CONNECTION_STRING=<provide_your_service_connection_string>

    Change the values above to match your device ID and connection string.

  • Navigate to Quickstarts/device-streams-service in your unzipped project folder and run the service-local proxy.

    cd azure-iot-samples-node-streams-preview/iot-hub/Quickstarts/device-streams-service
    # Install the preview service SDK, and other dependencies
    npm install azure-iothub@streams-preview
    npm install
    # Run the service-local proxy application
    node proxy.js

SSH to your device via device streams

In Linux, run SSH using ssh $USER@localhost -p 2222 on a terminal. In Windows, use your favorite SSH client (e.g., PuTTY).

Console output on the service-local after SSH session is established (the service-local proxy listens on port 2222): Alt text

Console output of the SSH client program (SSH client communicates to SSH daemon by connecting to port 22 where service-local proxy is listening on): Alt text

RDP to your device via device streams

Now use your RDP client program and connect to service proxy on port 2222 (this was an arbitrary available port you chose earlier).


Ensure that your device proxy is configured correctly for RDP and configured with RDP port 3389.

Alt text

Clean up resources

If you will be continuing to the next recommended article, you can keep the resources you've already created and reuse them.

Otherwise, you can delete the Azure resources created in this article to avoid charges.


Deleting a resource group is irreversible. The resource group and all the resources contained in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the IoT Hub inside an existing resource group that contains resources you want to keep, only delete the IoT Hub resource itself instead of deleting the resource group.

To delete a resource group by name:

  1. Sign in to the Azure portal and click Resource groups.

  2. In the Filter by name... textbox, type the name of the resource group containing your IoT Hub.

  3. To the right of your resource group in the result list, click ... then Delete resource group.


  4. You will be asked to confirm the deletion of the resource group. Type the name of your resource group again to confirm, and then click Delete. After a few moments, the resource group and all of its contained resources are deleted.

Next steps

In this quickstart, you have set up an IoT hub, registered a device, and deployed a service proxy program to enable RDP and SSH to an IoT device. The RDP and SSH traffic will be tunneled through a device stream through IoT Hub. This eliminates the need for direct connectivity to the device.

Use the links below to learn more about device streams: