Flow matrix (Azure version)
External flows
External flows cross the system boundary: either the source or the target lies outside the system (users, devices, CI/CD pipelines, etc.).
| Source | Target | Protocol | Authentication | Description |
|---|---|---|---|---|
| User / SPA front-end | Caddy (reverse proxy) | HTTPS | OAuth 2.0 access token (JWT) issued by AAD B2C | Retrieve the front-end and reach the backend (API and WebSocket server) |
| Device | Caddy (reverse proxy) | HTTPS | X.509 certificate (self-signed or CA-signed) or symmetric key | Update device state over an HTTP channel |
| Device | IoT Hub | MQTTS | X.509 certificate (self-signed or CA-signed) or symmetric key | Send telemetry; receive configurations and commands |
| Device | DPS | HTTPS | X.509 certificate (CA-signed) | Self-provisioning |
| Device | RabbitMQ | MQTTS | X.509 certificate (self-signed or CA-signed) or symmetric key | Send telemetry and configuration over MQTT |
| Device | Storage Account | HTTPS | Token delivered through the device configuration | Download binary files |
| CI/CD pipelines | Azure Management API | HTTPS | Service principal (client ID and secret) through the Azure CLI | Deploy infrastructure (IaC) and applications |
| CI/CD pipelines | Azure Storage Account | HTTPS | Service principal (client ID and secret) through the Azure CLI | Deploy front-ends |
| CI/CD pipelines | Kubernetes cluster | HTTPS | Service principal (client ID and secret) through the Azure CLI | Apply manifests |
| Management API | AAD B2C | HTTPS | None (the signing keys are public) | Fetch the public signing keys used to validate incoming JWTs |
| Management API | AAD B2C | HTTPS | Client secret | Manage user accounts |
| Azure Function | InfluxDB | HTTPS | API token scoped to the least privilege needed | Write and read telemetry |
Internal flows
Internal flows stay inside the system and must not be exposed to the public internet.
| Source | Target | Protocol | Authentication | Description |
|---|---|---|---|---|
| Management API | SQL database | TCP/TLS | Technical user account (login + password) | Account with full privileges on the database (broader than the API needs at runtime; a role limited to the tables it uses would follow least privilege) |
| Management API | Azure Functions | HTTPS | Azure Function Key | Read telemetries | 
| Management API | Service Bus | AMQPS | Connection string | Receive device-related events |
| Management API | Redis | Redis protocol | Technical user account (login + password) | Write and read device-related information and events |
| Management API | Storage Account | HTTPS | Managed identity | Store assets (icons, binary files, etc...) | 
| Management API | IoT Hub | HTTPS | Managed identity | Provision devices, send configurations, commands, etc. | 
| Management API | RabbitMQ | MQTTS | Technical user account | Receive / send device related information | 
| Management API | RabbitMQ | AMQPS | Technical user account | Configure users, exchanges, topics, etc. | 
| AMQP Consumers | RabbitMQ | MQTTS | Technical user account | Receive device telemetries and configurations | 
| AMQP Consumers | Service Bus | AMQPS | Connection string | Forward device telemetry and configurations |
| WebSocket Server | Management API | HTTPS | User access token | Validate user authentication and authorization | 
| WebSocket Server | Redis | Redis protocol | Technical user account (login + password) | Subscribe to device-related events | 
| WebSocket Server | Service Bus | AMQPS | Connection string | Receive device-related events |
| Azure Function | Service Bus | AMQPS | Connection string | Send telemetry |
| Azure Function | Azure Function | HTTPS | Azure Function Key | Telemetry-related actions | 
| Azure Function | Redis | Redis protocol | Technical user account (login + password) | Read device provisioning information and update device connectivity states | 
| Service Bus | Azure Function | Event Grid | None (Azure-internal) | Trigger several functions (e.g. writing events and telemetry to the databases) |
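Two rows above come down to the same verification: the Management API validates incoming user JWTs against the AAD B2C public keys, and the WebSocket server hands the user access token to the Management API for the same check. The following is an added example, not code from the project or from this page: a Go verifier that pins the algorithm to RS256 instead of trusting the token header, selects the key by `kid` from the B2C `keys` array, verifies the signature over `header.payload`, and only then checks `iss`, `aud` and `exp`. The issuer URL, audience, `kid` values and the `NewIssuer`/`Sign` helpers are assumptions standing in for B2C; a real deployment fetches the `keys` array from the B2C discovery document over HTTPS and caches it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK models one entry of the "keys" array in the B2C discovery document;
// encoding/json matches the lowercase "kty", "kid", "n", "e" members to these fields.
type JWK struct{ Kty, Kid, N, E string }

// Claims the Management API enforces. Issuer and audience values are assumptions.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Verify checks a compact JWS the way the API should: alg pinned to RS256 rather
// than taken from the header, key chosen by kid, signature verified over
// header.payload, and only then iss, aud and exp checked against the caller's expectations.
func Verify(token string, keys []JWK, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, e0 := b64.DecodeString(parts[0])
	rawClaims, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	if e0 != nil || e1 != nil || e2 != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected: only alg RS256 is accepted")
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no usable key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // parsed only once the signature is known to be good
	if json.Unmarshal(rawClaims, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("issuer or audience mismatch")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// NewIssuer and Sign stand in for B2C in the tests. Sign always produces an RS256
// signature but writes the requested alg into the header, so a mislabelled token
// can be presented to Verify.
func NewIssuer(kid string) (*rsa.PrivateKey, []JWK) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	e := big.NewInt(int64(k.E)).Bytes()
	return k, []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(k.N.Bytes()), E: b64.EncodeToString(e)}}
}

func Sign(k *rsa.PrivateKey, kid, alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}
```

The order matters: the algorithm is rejected before any key is looked up, and claims are not even parsed until the signature has been verified, so a token carrying `alg: none`, an unknown `kid`, or a signature from another key never reaches the issuer, audience and expiry checks.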
Publicly exposed resources
These resources are publicly exposed and must remain so, because users, devices and pipelines connect to them directly:
- Reverse proxy (Caddy)
- IoT Hub
- Device Provisioning Service (DPS)
- Azure Active Directory B2C
- RabbitMQ (acting as an MQTT broker for devices)

These resources are publicly exposed in the default setup, but can be made unreachable from the internet through virtual network integration, private endpoints or similar configuration:
- Azure Functions
- Service Bus
- Databases (SQL and InfluxDB)
- RabbitMQ (acting as a message bus; if this is the same broker as the MQTT one, only the AMQP listener can be restricted)
- Redis
- Storage accounts (note that the device download flow above reaches the storage account directly, so that path must be kept in mind before closing it)
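As an added check, not part of the original page or project, the following Go program encodes the two lists above as policy and audits `az resource show`-style output against them: any resource of a "should be private" type whose `publicNetworkAccess` is `Enabled` (or absent, which these types treat as enabled) is reported, and so is a "must stay public" resource that has been closed off. The ARM type names, the `publicNetworkAccess` property and the sample JSON are assumptions made for the example (the sample is constructed, not real output); confirm the property against the API version of each resource type before relying on the result, and note that InfluxDB, Caddy and RabbitMQ are not ARM resources and need their own check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Resource is the subset of `az resource show` output read by the audit. The ARM
// property publicNetworkAccess ("Enabled"/"Disabled") is assumed to be what each
// resource type exposes; it is absent on types without the setting.
type Resource struct {
	Name       string `json:"name"`
	Type       string `json:"type"`
	Properties struct {
		PublicNetworkAccess string `json:"publicNetworkAccess"`
	} `json:"properties"`
}

// mustStayPublic: ARM types of the resources the matrix says must remain reachable
// (IoT Hub, DPS, B2C). Caddy and RabbitMQ run in the cluster and are not ARM resources.
var mustStayPublic = map[string]bool{
	"microsoft.devices/iothubs":                     true,
	"microsoft.devices/provisioningservices":        true,
	"microsoft.azureactivedirectory/b2cdirectories": true,
}

// shouldBePrivate: ARM types that are public by default but should be closed off
// (Functions, Service Bus, SQL, Redis, Storage). InfluxDB is outside ARM.
var shouldBePrivate = map[string]bool{
	"microsoft.web/sites":               true,
	"microsoft.servicebus/namespaces":   true,
	"microsoft.sql/servers":             true,
	"microsoft.cache/redis":             true,
	"microsoft.storage/storageaccounts": true,
}

// Finding is one deviation from the matrix.
type Finding struct{ Name, Reason string }

// Audit compares each resource's exposure with the matrix. An absent property is
// treated as Enabled, which is the default for the types listed above.
func Audit(doc []byte) ([]Finding, error) {
	var rs []Resource
	if err := json.Unmarshal(doc, &rs); err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range rs {
		t := strings.ToLower(r.Type)
		pna := r.Properties.PublicNetworkAccess
		open := pna == "" || strings.EqualFold(pna, "Enabled")
		switch {
		case shouldBePrivate[t] && open:
			out = append(out, Finding{r.Name, "internal resource reachable from the internet (" + r.Type + ")"})
		case mustStayPublic[t] && !open:
			out = append(out, Finding{r.Name, "resource that devices or users depend on is not reachable (" + r.Type + ")"})
		}
	}
	return out, nil
}

// sample is a constructed stand-in for `az resource show` output, not real data.
const sample = `[
  {"name": "st-assets", "type": "Microsoft.Storage/storageAccounts", "properties": {"publicNetworkAccess": "Disabled"}},
  {"name": "sql-mgmt", "type": "Microsoft.Sql/servers", "properties": {"publicNetworkAccess": "Enabled"}},
  {"name": "redis-events", "type": "Microsoft.Cache/Redis", "properties": {}},
  {"name": "func-telemetry", "type": "Microsoft.Web/sites", "properties": {"publicNetworkAccess": "Disabled"}},
  {"name": "iot-hub", "type": "Microsoft.Devices/IotHubs", "properties": {"publicNetworkAccess": "Disabled"}},
  {"name": "dps", "type": "Microsoft.Devices/ProvisioningServices", "properties": {"publicNetworkAccess": "Enabled"}}
]`

func main() {
	findings, err := Audit([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %s\n", f.Name, f.Reason)
	}
}
```

On the constructed sample this reports `sql-mgmt` (explicitly enabled), `redis-events` (property missing, so open by default) and `iot-hub` (closed although devices must reach it); the storage account and the function app pass, and `dps` passes because it is meant to be public. Feeding it real output means running `az resource show` per resource and collecting the results into one JSON array.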