IoT Hub support for virtual networks with Private Link and Managed Identity

By default, IoT Hub's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this IoT Hub public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.

Image: IoT Hub public endpoint

IoT Hub features including message routing, file upload, and bulk device import/export also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths collectively make up the egress traffic from IoT Hub to customer resources.

You might want to restrict connectivity to your Azure resources (including IoT Hub) through a VNet that you own and operate. These reasons include:

  • Introducing network isolation for your IoT hub by preventing connectivity exposure to the public internet.

  • Enabling a private connectivity experience from your on-premises network assets, ensuring that your data and traffic are transmitted directly to the Azure backbone network.

  • Preventing exfiltration attacks from sensitive on-premises networks.

  • Following established Azure-wide connectivity patterns using private endpoints.

This article describes how to achieve these goals using Azure Private Link for ingress connectivity to IoT Hub and the trusted Microsoft services exception for egress connectivity from IoT Hub to other Azure resources.

A private endpoint is a private IP address allocated inside a customer-owned VNet via which an Azure resource is reachable. Through Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your VNet to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use Virtual Private Network (VPN) or ExpressRoute peering to gain connectivity to your VNet and your IoT hub (via its private endpoint). As a result, you can restrict or completely block connectivity to your IoT hub's public endpoints by using the IoT Hub IP filter or the public network access toggle. This approach keeps connectivity to your hub through the private endpoint for devices. The main focus of this setup is devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.

Image: IoT Hub virtual network ingress

Before proceeding, ensure that the following prerequisites are met:

Set up a private endpoint for IoT Hub ingress

Private endpoint works for IoT Hub device APIs (like device-to-cloud messages) as well as service APIs (like creating and updating devices).

  1. In the Azure portal, select Networking, then Private endpoint connections, and click + Private endpoint.

    Screenshot showing where to add a private endpoint for IoT Hub

  2. Provide the subscription, resource group, name, and region to create the new private endpoint in. Ideally, the private endpoint should be created in the same region as your hub.

  3. Click Next: Resource, provide the subscription for your IoT Hub resource, and select "Microsoft.Devices/IotHubs" as the resource type, your IoT Hub name as the resource, and iotHub as the target subresource.

  4. Click Next: Configuration and provide the virtual network and subnet to create the private endpoint in. Select the option to integrate with an Azure private DNS zone, if desired.

  5. Click Next: Tags, and optionally provide any tags for your resource.

  6. Click Review + create to create your private link resource.

Built-in Event Hub compatible endpoint

The built-in Event Hub compatible endpoint can also be accessed over a private endpoint. When Private Link is configured, you should see an additional private endpoint connection for the built-in endpoint. It's the one with servicebus.windows.net in the FQDN.

Image showing the two private endpoints provided by each IoT Hub private link

IoT Hub's IP filter can optionally control public access to the built-in endpoint.

To completely block public network access to your IoT hub, turn off public network access, or use the IP filter to block all IPs and select the option to apply the rules to the built-in endpoint.

For pricing details, see Azure Private Link pricing.

Egress connectivity from IoT Hub to other Azure resources

IoT Hub can connect to your Azure Blob storage, Event Hubs, and Service Bus resources for message routing, file upload, and bulk device import/export over the resources' public endpoint. Binding your resource to a VNet blocks connectivity to the resource by default. As a result, this configuration prevents IoT Hub from sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resource via the trusted Microsoft service option.

Turn on managed identity for IoT Hub

To allow other services to find your IoT hub as a trusted Microsoft service, it must have a system-assigned managed identity.

  1. Navigate to Identity in your IoT Hub portal.

  2. Under Status, select On, then click Save.

    Screenshot showing how to turn on managed identity for IoT Hub

To use Azure CLI to turn on managed identity:

az iot hub update --name <iot-hub-resource-name> --set identity.type="SystemAssigned"

Assign managed identity to your IoT Hub at creation time using ARM template

To assign a managed identity to your IoT hub at resource provisioning time, use the ARM template below. This ARM template has two required resources, and both need to be deployed before creating other resources like Microsoft.Devices/IotHubs/eventHubEndpoints/ConsumerGroups.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Devices/IotHubs",
      "apiVersion": "2020-03-01",
      "name": "<provide-a-valid-resource-name>",
      "location": "<any-of-supported-regions>",
      "identity": {
        "type": "SystemAssigned"
      },
      "sku": {
        "name": "<your-hubs-SKU-name>",
        "tier": "<your-hubs-SKU-tier>",
        "capacity": 1
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-02-01",
      "name": "createIotHub",
      "dependsOn": [
        "[resourceId('Microsoft.Devices/IotHubs', '<provide-a-valid-resource-name>')]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "0.9.0.0",
          "resources": [
            {
              "type": "Microsoft.Devices/IotHubs",
              "apiVersion": "2020-03-01",
              "name": "<provide-a-valid-resource-name>",
              "location": "<any-of-supported-regions>",
              "identity": {
                "type": "SystemAssigned"
              },
              "sku": {
                "name": "<your-hubs-SKU-name>",
                "tier": "<your-hubs-SKU-tier>",
                "capacity": 1
              }
            }
          ]
        }
      }
    }
  ]
}

After substituting the values for your resource name, location, SKU.name, and SKU.tier, you can use Azure CLI to deploy the resource in an existing resource group using:

az deployment group create --name <deployment-name> --resource-group <resource-group-name> --template-file <template-file.json>
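As an added check (not part of this article or of the Azure tooling), the following Python walks a template, including nested Microsoft.Resources/deployments, and reports every IoT Hub resource whose identity is not system-assigned, so a hub that could not use the trusted Microsoft services exception is caught before deployment. The embedded template mirrors the one above with constructed placeholder values.

```python
"""Audit an ARM template for IoT Hub resources that lack a system-assigned identity."""
import json

# Constructed sample: the two-resource template from this article, with placeholder values.
TEMPLATE_JSON = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Devices/IotHubs", "apiVersion": "2020-03-01",
     "name": "hub-placeholder", "location": "region-placeholder",
     "identity": {"type": "SystemAssigned"},
     "sku": {"name": "S1", "tier": "Standard", "capacity": 1}},
    {"type": "Microsoft.Resources/deployments", "apiVersion": "2018-02-01",
     "name": "createIotHub",
     "dependsOn": ["[resourceId('Microsoft.Devices/IotHubs', 'hub-placeholder')]"],
     "properties": {"mode": "Incremental", "template": {
       "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
       "contentVersion": "0.9.0.0",
       "resources": [
         {"type": "Microsoft.Devices/IotHubs", "apiVersion": "2020-03-01",
          "name": "hub-placeholder", "location": "region-placeholder",
          "identity": {"type": "SystemAssigned"},
          "sku": {"name": "S1", "tier": "Standard", "capacity": 1}}]}}}
  ]
}
'''

IOT_HUB_TYPE = "Microsoft.Devices/IotHubs"
NESTED_DEPLOYMENT_TYPE = "Microsoft.Resources/deployments"


def load_template(text):
    """Parse template text into a dict (thin wrapper so callers need no json import)."""
    return json.loads(text)


def iter_resources(resources, path=""):
    """Yield (path, resource) for every resource, descending into nested deployments."""
    for res in resources:
        here = f"{path}/{res.get('name', '<unnamed>')}"
        yield here, res
        if res.get("type") == NESTED_DEPLOYMENT_TYPE:
            inner = res.get("properties", {}).get("template", {}).get("resources", [])
            yield from iter_resources(inner, here)


def hubs_without_system_identity(template):
    """Return the paths of IoT Hub resources whose identity type does not include
    SystemAssigned; such a hub cannot be granted the trusted Microsoft services exception."""
    findings = []
    for path, res in iter_resources(template.get("resources", [])):
        if res.get("type") != IOT_HUB_TYPE:
            continue
        identity_type = res.get("identity", {}).get("type", "None")
        if "SystemAssigned" not in identity_type:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Both hub declarations in the sample carry an identity, so nothing is reported.
    print(hubs_without_system_identity(load_template(TEMPLATE_JSON)))
```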

After the resource is created, you can retrieve the managed service identity assigned to your hub using Azure CLI:

az resource show --resource-type Microsoft.Devices/IotHubs --name <iot-hub-resource-name> --resource-group <resource-group-name>

Pricing for managed identity

The trusted Microsoft first-party services exception feature is free of charge. Charges for the provisioned storage accounts, event hubs, or service bus resources apply separately.

Egress connectivity to storage account endpoints for routing

IoT Hub can route messages to a customer-owned storage account. To allow the routing functionality to access a storage account while firewall restrictions are in place, your IoT hub needs to have a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your storage account.

  1. In the Azure portal, navigate to your storage account's Access control (IAM) tab and click Add under the Add a role assignment section.

  2. Select Storage Blob Data Contributor (not Contributor or Storage Account Contributor) as the role, Azure AD user, group, or service principal under Assign access to, and select your IoT Hub's resource name in the drop-down list. Click the Save button.

  3. Navigate to the Firewalls and virtual networks tab in your storage account and enable the Allow access from selected networks option. Under the Exceptions list, check the box for Allow trusted Microsoft services to access this storage account. Click the Save button.

  4. On your IoT Hub's resource page, navigate to the Message routing tab.

  5. Navigate to the Custom endpoints section and click Add. Select Storage as the endpoint type.

  6. On the page that shows up, provide a name for your endpoint, select the container that you intend to use in your blob storage, and provide the encoding and file name format. Select Identity-based as the Authentication type for your storage endpoint. Click the Create button.

Now your custom storage endpoint is set up to use your hub's system-assigned identity, and it has permission to access your storage resource despite its firewall restrictions. You can now use this endpoint to set up a routing rule.

Egress connectivity to event hubs endpoints for routing

IoT Hub can be configured to route messages to a customer-owned event hubs namespace. To allow the routing functionality to access an event hubs resource while firewall restrictions are in place, your IoT hub needs to have a managed identity. Once a managed identity is created, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your event hubs.

  1. In the Azure portal, navigate to your event hubs' Access control (IAM) tab and click Add under the Add a role assignment section.

  2. Select Event Hubs Data Sender as the role, Azure AD user, group, or service principal under Assign access to, and select your IoT Hub's resource name in the drop-down list. Click the Save button.

  3. Navigate to the Firewalls and virtual networks tab in your event hubs and enable the Allow access from selected networks option. Under the Exceptions list, check the box for Allow trusted Microsoft services to access event hubs. Click the Save button.

  4. On your IoT Hub's resource page, navigate to the Message routing tab.

  5. Navigate to the Custom endpoints section and click Add. Select Event hubs as the endpoint type.

  6. On the page that shows up, provide a name for your endpoint and select your event hubs namespace and instance. Select Identity-based as the Authentication type, and click the Create button.

Now your custom event hubs endpoint is set up to use your hub's system-assigned identity, and it has permission to access your event hubs resource despite its firewall restrictions. You can now use this endpoint to set up a routing rule.

Egress connectivity to service bus endpoints for routing

IoT Hub can be configured to route messages to a customer-owned service bus namespace. To allow the routing functionality to access a service bus resource while firewall restrictions are in place, your IoT hub needs to have a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your service bus.

  1. In the Azure portal, navigate to your service bus' Access control (IAM) tab and click Add under the Add a role assignment section.

  2. Select Service Bus Data Sender as the role, Azure AD user, group, or service principal under Assign access to, and select your IoT Hub's resource name in the drop-down list. Click the Save button.

  3. Navigate to the Firewalls and virtual networks tab in your service bus and enable the Allow access from selected networks option. Under the Exceptions list, check the box for Allow trusted Microsoft services to access this service bus. Click the Save button.

  4. On your IoT Hub's resource page, navigate to the Message routing tab.

  5. Navigate to the Custom endpoints section and click Add. Select Service bus queue or Service bus topic (as applicable) as the endpoint type.

  6. On the page that shows up, provide a name for your endpoint and select your service bus' namespace and queue or topic (as applicable). Select Identity-based as the Authentication type, and click the Create button.

Now your custom service bus endpoint is set up to use your hub's system-assigned identity, and it has permission to access your service bus resource despite its firewall restrictions. You can now use this endpoint to set up a routing rule.

Egress connectivity to storage accounts for file upload

IoT Hub's file upload feature allows devices to upload files to a customer-owned storage account. To allow file upload to function, both devices and IoT Hub need to have connectivity to the storage account. If firewall restrictions are in place on the storage account, your devices need to use any of the storage account's supported mechanisms (including private endpoints, service endpoints, or direct firewall configuration) to gain connectivity. Similarly, if firewall restrictions are in place on the storage account, IoT Hub needs to be configured to access the storage resource via the trusted Microsoft services exception. For this purpose, your IoT hub must have a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your storage account.

Important

File upload functionality on devices that use X.509 certificate authority (CA) authentication is in public preview, and preview mode must be enabled. It is generally available on devices that use X.509 thumbprint authentication. To learn more about X.509 authentication with IoT Hub, see Supported X.509 certificates.

  1. In the Azure portal, navigate to your storage account's Access control (IAM) tab and click Add under the Add a role assignment section.

  2. Select Storage Blob Data Contributor (not Contributor or Storage Account Contributor) as the role, Azure AD user, group, or service principal under Assign access to, and select your IoT Hub's resource name in the drop-down list. Click the Save button.

  3. Navigate to the Firewalls and virtual networks tab in your storage account and enable the Allow access from selected networks option. Under the Exceptions list, check the box for Allow trusted Microsoft services to access this storage account. Click the Save button.

  4. On your IoT Hub's resource page, navigate to the File upload tab.

  5. On the page that shows up, select the container that you intend to use in your blob storage, and configure the File notification settings, SAS TTL, Default TTL, and Maximum delivery count as desired. Select Identity-based as the Authentication type for your storage endpoint. Click the Create button. If you get an error at this step, temporarily set your storage account to allow access from All networks, then try again. You can configure the firewall on the storage account once the file upload configuration is complete.

Now your storage endpoint for file upload is set up to use your hub's system-assigned identity, and it has permission to access your storage resource despite its firewall restrictions.

Egress connectivity to storage accounts for bulk device import/export

IoT Hub supports the functionality to import/export devices' information in bulk from/to a customer-provided storage blob. To allow the bulk import/export feature to function, both devices and IoT Hub need to have connectivity to the storage account.

This functionality requires connectivity from IoT Hub to the storage account. To access the storage account while firewall restrictions are in place, your IoT hub needs to have a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your storage account.

  1. In the Azure portal, navigate to your storage account's Access control (IAM) tab and click Add under the Add a role assignment section.

  2. Select Storage Blob Data Contributor (not Contributor or Storage Account Contributor) as the role, Azure AD user, group, or service principal under Assign access to, and select your IoT Hub's resource name in the drop-down list. Click the Save button.

  3. Navigate to the Firewalls and virtual networks tab in your storage account and enable the Allow access from selected networks option. Under the Exceptions list, check the box for Allow trusted Microsoft services to access this storage account. Click the Save button.

You can now use the Azure IoT REST APIs for creating import/export jobs; see that reference for information on how to use the bulk import/export functionality. You will need to provide storageAuthenticationType="identityBased" in your request body and use inputBlobContainerUri="https://..." and outputBlobContainerUri="https://..." as the input and output URLs of your storage account, respectively.
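An added example, not from the article or the Azure SDKs: a Python helper that builds the job request body with identity-based storage authentication and refuses container URIs that still carry a SAS token or use plain http. The "type" and "excludeKeysInExport" field names are an assumption taken from the jobs REST schema (the article names only the three storage-related fields), and the storage account URLs are constructed placeholders.

```python
"""Build the request body for an IoT Hub bulk import/export job that uses the hub's
managed identity for storage access, refusing container URIs that carry a SAS token."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample container URLs; the storage account name is a placeholder.
INPUT_URI = "https://storageplaceholder.blob.core.windows.net/devices-in"
OUTPUT_URI = "https://storageplaceholder.blob.core.windows.net/devices-out"


def validate_container_uri(uri):
    """Return the URI if it is an https container URL without a SAS token.

    With storageAuthenticationType=identityBased the hub authenticates as itself, so a
    SAS token in the URI is at best ignored and at worst a secret pasted into a job body."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"container URI must use https: {uri}")
    if not parts.netloc or parts.path.strip("/") == "":
        raise ValueError(f"container URI needs a host and a container name: {uri}")
    query = parse_qs(parts.query)
    if "sig" in query or "sv" in query:
        raise ValueError("container URI carries a SAS token; remove it for identity-based auth")
    return uri


def build_job_request(job_type, output_uri, input_uri=None, exclude_keys=True):
    """Return the JSON body for the jobs/create REST call.

    "type" and "excludeKeysInExport" are assumed from the REST job schema; the article
    itself names only storageAuthenticationType and the two container URI fields."""
    if job_type not in ("import", "export"):
        raise ValueError("job_type must be 'import' or 'export'")
    body = {
        "type": job_type,
        "outputBlobContainerUri": validate_container_uri(output_uri),
        "storageAuthenticationType": "identityBased",
    }
    if job_type == "import":
        if input_uri is None:
            raise ValueError("import jobs need an inputBlobContainerUri")
        body["inputBlobContainerUri"] = validate_container_uri(input_uri)
    else:
        # Leave device keys out of the exported blob unless the caller really needs them.
        body["excludeKeysInExport"] = exclude_keys
    return body


if __name__ == "__main__":
    print(build_job_request("import", OUTPUT_URI, INPUT_URI))
    print(build_job_request("export", OUTPUT_URI))
```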

Azure IoT Hub SDKs also support this functionality in the service client's registry manager. The following code snippet shows how to initiate an import job or an export job using the C# SDK.

using Microsoft.Azure.Devices;

// registryManager is a RegistryManager for the hub; inputBlobContainerUri and
// outputBlobContainerUri are the container URLs. No SAS token is needed in them,
// because the hub authenticates to storage with its managed identity.

// Call an import job on the IoT Hub
JobProperties importJob =
    await registryManager.ImportDevicesAsync(
        JobProperties.CreateForImportJob(inputBlobContainerUri, outputBlobContainerUri, null, StorageAuthenticationType.IdentityBased),
        cancellationToken);

// Call an export job on the IoT Hub to retrieve all devices
// (the second argument, true, excludes device keys from the exported blob)
JobProperties exportJob =
    await registryManager.ExportDevicesAsync(
        JobProperties.CreateForExportJob(outputBlobContainerUri, true, null, StorageAuthenticationType.IdentityBased),
        cancellationToken);

To use this version of the Azure IoT SDKs with virtual network support for C#, Java, and Node.js:

  1. Create an environment variable named EnableStorageIdentity and set its value to 1.

  2. Download the SDK: Java | C# | Node.js

For Python, download our limited version from GitHub.

  1. Navigate to the GitHub release page.

  2. Download the following file, which you'll find at the bottom of the release page under the header named Assets.

    azure_iot_hub-2.2.0_limited-py2.py3-none-any.whl

  3. Open a terminal and navigate to the folder with the downloaded file.

  4. Run the following command to install the Python Service SDK with support for virtual networks:

    pip install ./azure_iot_hub-2.2.0_limited-py2.py3-none-any.whl

Next steps

Use the links below to learn more about IoT Hub features: