What Is IoT Edge

Azure IoT Edge is an Internet of Things (IoT) service that builds on top of the IoT Hub and enables users to carry out edge computing. Edge computing is when data is analyzed on devices, that is, at the edge of the network, rather than in the cloud itself. With edge computing, you can avoid transferring raw data by carrying out data cleaning, aggregation, and analysis on the device itself, and then send the insights gained to the cloud. This will result in reduced bandwidth costs, quicker response times and reduced traffic.

Artificial Intelligence on the edge

Azure also offers services such as Azure Functions, Azure Stream Analytics and Azure Machine Learning which can all be run via Azure IoT Edge. This means that you can deploy AI, including image recognition, machine learning and complex event processing without having to write the code in-house.

Azure IoT Edge's components

Azure IoT Edge has three components: IoT Edge modules, the IoT Edge runtime, and a cloud-based interface.

IoT Edge modules

These are containers that run Azure services, third-party services, or your own code. IoT Edge modules are deployed and execute locally on IoT Edge devices. Multiple modules can be configured to communicate with each other. You can also package Azure services into modules or develop custom modules. If you want to deploy your own code to your devices, Azure IoT Edge supports both Linux and Windows, and code written in Java, .NET Core 2.0, Node.js, C, and Python.

The IoT Edge runtime

This runs on each IoT Edge device and manages the modules deployed there. It performs a number of functions including monitoring and managing the device and facilitating communications between the modules, the device, other devices, and the cloud. The runtime supports both Linux and Windows operating systems.

Cloud-based interface

This interface allows you to remotely monitor and manage IoT Edge devices. Cloud services allow users to create and configure a workload to be run on a specific type of device, send a workload to a set of devices, and monitor workloads running on devices in the field.

Using an IoT Edge device as a gateway

There are three patterns for using an IoT Edge device as a gateway:

  • transparent
  • protocol translation
  • identity translation


Transparent

Devices are connected to a gateway device instead of IoT Hub. The gateway passes communications between the devices and IoT Hub. Neither the devices themselves nor a user interacting with the devices knows that they are communicating with the cloud via a gateway.

Protocol translation 

If a device doesn't support MQTT, AMQP, or HTTP, then it uses a gateway device to send data to IoT Hub. All the information will look like it's coming from one device, the gateway device. If cloud applications want to analyze the data on a per device basis, then additional identifying information must be embedded in their messages...

Identity translation

If a device cannot connect to the IoT Hub, then it connects to a gateway device instead. The gateway is able to understand the protocols used by downstream devices and provide the identity.

Use cases

All three gateway patterns provide the following benefits:

  • Edge analytics – the data coming from downstream devices is processed locally using AI services and only a subset of data is sent to IoT Hub.
  • Downstream device isolation – With a gateway device, all downstream devices are protected from exposure to the internet. The gateway can also be placed between an IT network, which provides access to the internet, and an OT network, which is not connected to the internet.
  • Traffic smoothing – If IoT Hub throttles traffic, the IoT Edge device will automatically implement exponential backoff. As a result, you’ll be able to cope better with spikes in traffic.
  • Limited offline support – If messages can’t be delivered to IoT Hub, then the gateway device will store the message locally.
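The protocol-translation, traffic-smoothing and offline-support behaviours described above can be sketched in a few lines. This is an added example, not Azure IoT Edge runtime or SDK code: `GatewayForwarder`, `ThrottledError` and `make_flaky_hub` are hypothetical names, the hub is a constructed stand-in, and jitter is left out so the wait times are deterministic.

```python
import time
from collections import deque

class ThrottledError(Exception):
    """Raised by the upstream sender when the hub rejects a send (constructed)."""

class GatewayForwarder:
    """Hypothetical gateway module: tags, buffers and retries downstream messages."""
    def __init__(self, gateway_id, send_upstream, max_buffered=1000,
                 base_delay=1.0, max_delay=60.0, sleep=time.sleep):
        self.gateway_id, self.max_buffered = gateway_id, max_buffered
        self.send_upstream = send_upstream  # callable(dict); raises ThrottledError
        self.base_delay, self.max_delay, self.sleep = base_delay, max_delay, sleep
        self.buffer = deque()
        self.dropped = 0  # surfaced so silent data loss is detectable

    def ingest(self, downstream_id, payload):
        """Embed the downstream identity so the cloud can attribute each reading."""
        if len(self.buffer) >= self.max_buffered:
            self.buffer.popleft()  # bounded store: drop the oldest, but count it
            self.dropped += 1
        self.buffer.append({"gateway": self.gateway_id,
                            "device": downstream_id, "body": payload})

    def flush(self, max_failures=5):
        """Send in order; wait base, 2x, 4x ... (capped) after each rejection."""
        delay, failures, waits = self.base_delay, 0, []
        while self.buffer and failures < max_failures:
            try:
                self.send_upstream(self.buffer[0])
            except ThrottledError:
                failures += 1
                waits.append(delay)
                self.sleep(delay)
                delay = min(delay * 2, self.max_delay)
            else:
                self.buffer.popleft()  # remove only after a confirmed send
                delay, failures = self.base_delay, 0
        return waits  # anything still in self.buffer stays stored for later

def make_flaky_hub(reject_first):
    """Constructed stand-in for IoT Hub: throttles the first N sends."""
    state = {"calls": 0, "received": []}
    def send(msg):
        state["calls"] += 1
        if state["calls"] <= reject_first:
            raise ThrottledError("throttled")
        state["received"].append(msg)
    return send, state
```

Because every message carries both the gateway and the downstream device identifier, a cloud-side consumer can still attribute and alert per device, and a non-zero `dropped` counter is the signal that the bounded local store has overflowed during an outage.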

Devices on the edge produce data, but some of these devices may not have been designed with cloud connectivity in mind. Opaque gateways make it possible for the data which they generate to be accessed and used. A gateway which does identity translation also allows downstream devices to be fully managed from the cloud. However, regardless of the protocol used, all your devices show up in IoT Hub.

Operating systems

Azure IoT Edge runs on most operating systems that can run containers; however, not all operating systems are equally supported. Operating systems are grouped into tiers depending on the level of support available.

Tier 1

For Tier 1 systems Microsoft:

  • Has these operating systems in automated tests
  • Provides installation packages for them

Tier 2

Tier 2 systems are generally compatible with Azure IoT Edge and can be used relatively easily.

Edge computing means that data, and thus value, is concentrated on the edge and not just in the cloud. A device at the edge can also be physically accessed and is thus vulnerable to many types of threats. Therefore, devices on the edge need to be kept as secure as the cloud itself.

Azure IoT Edge uses certificate-based authentication. This mechanism is based on the standards governing Public Key Infrastructure (PKIX) published by the Internet Engineering Task Force (IETF).

The Azure IoT Edge security framework requires unique certificate identities for all devices, modules, and actors which interact, either physically or through the network connection, with the Azure IoT Edge device.

Controlling access to resources and data is a fundamental part of security. Devices, modules, and actors are only allowed to access resources and data within their permission scope, and only if this is architecturally allowable. Authorization schemes include certificate signing rights and role-based access control (RBAC). Other authorization schemes can also be used, depending on your needs.


The integrity of software bits is ensured using attestation, which in Azure IoT Edge is divided into three main categories:

  • Static attestation
  • Runtime attestation
  • Software attestation

Static attestation is also referred to as secure boot. It involves the verification of the integrity of all the software, operating systems, runtimes and configuration information when the device is powered up. Azure IoT Edge’s security framework includes hardware-ingrained capabilities to ensure static attestation.

Runtime attestation

This is when a system detects malware or unauthorized configuration changes that occur after the boot process and takes countermeasures against them. Some of these attacks are warded off by the device’s hardware; however, extensions are also needed to combat runtime threats.

Software attestation

All systems need patches and upgrades. However, update processes require security, as otherwise, they may be a vector which allows malware into a system. Azure IoT Edge updates are done through measured and signed packages in order to check the integrity of the patches and upgrades and to authenticate their source, thus preventing them from becoming threat vectors. 

Hardware root of trust

Intelligent edge devices are often deployed in places where malicious actors may have access to them. Therefore, security offered by the device hardware is important. Azure IoT Edge works together with silicon hardware vendors to develop tamper-resistant hardware for a variety of deployment scenarios.


Azure IoT Edge security allows extensibility into different areas, including:

  • First party security services like the Device Provisioning Service for Azure IoT Hub.
  • Third-party services such as managed security services.
  • Legacy systems which need to be retrofitted with alternative security arrangements.
  • Secure hardware

In the end, the highest success in securing the intelligent edge results from collaborative contributions from an open community driven by a common interest in securing IoT. These contributions might be in the form of secure technologies or services. The Azure IoT Edge security framework offers a solid foundation for security that is extensible for maximum coverage, in order to offer the same level of trust and integrity in the intelligent edge as in the Azure cloud.