Governance Policies Azure Data IoT Hub - Azure/az-prototype GitHub Wiki

IoT Hub

Governance policies for IoT Hub

Domain: azure-data

Patterns

| Name | Description |
|---|---|
| IoT Hub Standard with private endpoint and DPS | Production IoT Hub with Entra auth, private endpoints, and device provisioning |

Anti-Patterns

| Description | Instead |
|---|---|
| Do not expose IoT Hub to the public internet | Disable public access and use private endpoints |
| Do not use symmetric keys for large device fleets | Use X.509 certificates with Device Provisioning Service |

References


Checks (3)

| Check | Severity | Description |
|---|---|---|
| AZ-IOT-001 | Required | Deploy IoT Hub with Standard tier, managed identity, TLS 1.2, and public access disabled |
| AZ-IOT-002 | Required | Use X.509 certificates or TPM attestation for device authentication |
| AZ-IOT-003 | Recommended | Enable diagnostic settings for IoT Hub operations and device telemetry |

AZ-IOT-001

Deploy IoT Hub with Standard tier, managed identity, TLS 1.2, and public access disabled

Severity: Required
Rationale: Standard tier supports cloud-to-device messaging and routing; managed identity eliminates connection strings
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Devices/IotHubs

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-iothub | Private endpoint for IoT Hub with groupId 'iotHub' |
| Microsoft.Network/privateDnsZones | privatelink.azure-devices.net | Private DNS zone for IoT Hub private endpoint resolution |
| Microsoft.Devices/provisioningServices | dps | Device Provisioning Service for automated X.509 device enrollment |
| Microsoft.Insights/diagnosticSettings | diag-iothub | Diagnostic settings routing connection, telemetry, and routing logs to Log Analytics |
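The following Bicep is an added example, not code from the az-prototype wiki or the policy's agents. It deploys the target and the networking companion resources of AZ-IOT-001 in one template: an S1 hub with a system-assigned identity, `minTlsVersion` 1.2, public network access disabled, the `pe-iothub` private endpoint with groupId `iotHub`, and the `privatelink.azure-devices.net` zone with a zone group so the hub's hostname resolves to the private IP. It goes slightly beyond the check text by also setting `disableLocalAuth` (the Entra-auth part of the pattern) and `disableDeviceSAS`/`disableModuleSAS` (the fleet-wide key ban behind AZ-IOT-002). The parameter names, the `privateEndpointSubnetId`/`vnetId` inputs and the API versions are assumptions; the DPS and diagnostic companions are left to their own checks.

```bicep
// Added example for AZ-IOT-001 (not from the az-prototype wiki).
// Assumes an existing VNet and subnet supplied as parameters; resource names are illustrative.
@description('Region for all resources')
param location string = resourceGroup().location

@description('IoT Hub name (assumed)')
param iotHubName string = 'iot-hub'

@description('Resource ID of the subnet that hosts the private endpoint (assumed to exist)')
param privateEndpointSubnetId string

@description('Resource ID of the VNet that the private DNS zone is linked to (assumed to exist)')
param vnetId string

resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' = {
  name: iotHubName
  location: location
  sku: {
    name: 'S1'      // Standard tier: cloud-to-device messaging and message routing
    capacity: 1
  }
  identity: {
    type: 'SystemAssigned'   // routing endpoints authenticate with this identity, not connection strings
  }
  properties: {
    minTlsVersion: '1.2'            // reject TLS 1.0/1.1 clients; settable only at creation
    publicNetworkAccess: 'Disabled' // reachable only through the private endpoint below
    disableLocalAuth: true          // no hub-scoped SAS tokens for the service API (Entra auth only)
    disableDeviceSAS: true          // no symmetric device keys: X.509 / TPM via DPS (AZ-IOT-002)
    disableModuleSAS: true
  }
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azure-devices.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'link-iothub'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-iothub'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'pe-iothub-conn'
        properties: {
          privateLinkServiceId: iotHub.id
          groupIds: [ 'iotHub' ]   // sub-resource of IoT Hub exposed over Private Link
        }
      }
    ]
  }
}

// Writes the A record for the hub into the private zone so clients inside the VNet
// resolve <hub>.azure-devices.net to the private endpoint IP.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'iothub'
        properties: { privateDnsZoneId: privateDnsZone.id }
      }
    ]
  }
}

output iotHubHostName string = iotHub.properties.hostName
output iotHubPrincipalId string = iotHub.identity.principalId
```

Two caveats when applying this: `minTlsVersion` is only honoured in the regions where IoT Hub supports TLS 1.2 enforcement and cannot be changed after the hub exists, so a non-compliant hub has to be recreated rather than updated; and `disableLocalAuth` removes the shared-access-policy path that older tooling relies on, so the principal that deploys routing endpoints and DPS links must hold an IoT Hub data-plane role on the hub before the switch is flipped.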

AZ-IOT-002

Use X.509 certificates or TPM attestation for device authentication

Severity: Required
Rationale: Symmetric keys are less secure and harder to rotate at scale; X.509 provides stronger device identity
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.Devices/IotHubs

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Devices/IotHubs | iot-hub | Parent IoT Hub that the DPS enrollment connects to |
| Microsoft.KeyVault/vaults | kv-certs | Key Vault storing X.509 CA certificates for device authentication |
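As an added example for AZ-IOT-002 (not code from the az-prototype wiki), the Bicep below provisions the `dps` companion, links it to an existing `iot-hub`, and uploads the device CA certificate that X.509 enrollment groups will chain to. The certificate body is taken as a secure parameter; the assumption is that the pipeline reads it from the `kv-certs` Key Vault and passes it in, since the page does not say how the CA is fetched. Resource names and API versions are assumptions.

```bicep
// Added example for AZ-IOT-002 (not from the az-prototype wiki).
// Assumes the hub from AZ-IOT-001 already exists in this resource group.
param location string = resourceGroup().location
param iotHubName string = 'iot-hub'
param dpsName string = 'dps'

@secure()
@description('Base64 body of the device CA certificate (.cer/.pem); assumed to be read from kv-certs by the pipeline')
param deviceCaCertificate string

resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' existing = {
  name: iotHubName
}

resource dps 'Microsoft.Devices/provisioningServices@2022-12-12' = {
  name: dpsName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    allocationPolicy: 'Hashed'   // spread devices across linked hubs; only one hub here
    iotHubs: [
      {
        location: iotHub.location
        // The DPS-to-hub link is the one place a hub-scoped key is still consumed; it is
        // resolved at deploy time via listKeys() and never appears in parameters or outputs.
        connectionString: 'HostName=${iotHub.properties.hostName};SharedAccessKeyName=iothubowner;SharedAccessKey=${iotHub.listKeys().value[0].primaryKey}'
      }
    ]
  }
}

// The CA that signs device certificates. Devices present a leaf chained to this CA;
// DPS validates the chain, then registers the device in the hub with X.509 auth,
// so no symmetric key is ever generated for the device.
resource deviceCa 'Microsoft.Devices/provisioningServices/certificates@2022-12-12' = {
  parent: dps
  name: 'device-ca'
  properties: {
    certificate: deviceCaCertificate
    isVerified: true   // we own the CA, so skip the proof-of-possession challenge
  }
}

output dpsIdScope string = dps.properties.idScope   // devices need this plus their leaf cert
output dpsHostName string = dps.properties.serviceOperationsHostName
```

The enrollment group that binds `device-ca` to the hub is a data-plane object rather than an ARM resource, so it is created after deployment with the DPS service SDK or `az iot dps enrollment-group create`; TPM attestation, the check's alternative, uses an individual enrollment keyed on the TPM endorsement key instead of a certificate, with no CA upload needed. Because the hub in AZ-IOT-001 sets `disableDeviceSAS`, any enrollment that still hands out symmetric keys fails at registration, which makes the anti-pattern detectable in DPS registration logs rather than only in code review.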

AZ-IOT-003

Enable diagnostic settings for IoT Hub operations and device telemetry

Severity: Recommended
Rationale: Monitor device connections, message routing, and error rates for operational visibility
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.Devices/IotHubs

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for IoT Hub diagnostic logs |
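The Bicep below is an added example for AZ-IOT-003 (not from the az-prototype wiki). It attaches the `diag-iothub` diagnostic setting to an existing hub and routes the log categories that cover the rationale (device connections, message routing, error-producing operations) plus all platform metrics to the existing `log-analytics` workspace. The category list is the real IoT Hub set; which ones to enable, the resource names and the API versions are assumptions.

```bicep
// Added example for AZ-IOT-003 (not from the az-prototype wiki).
// Assumes the hub and the Log Analytics workspace already exist in this resource group.
param iotHubName string = 'iot-hub'
param workspaceName string = 'log-analytics'

resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' existing = {
  name: iotHubName
}

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// IoT Hub resource-log categories worth keeping for operational and security visibility.
// 'Connections' carries deviceConnect/deviceDisconnect events (the "device connections" in the
// rationale); 'Routes' shows routing drops and endpoint health; 'DeviceIdentityOperations'
// records registry changes, i.e. who created or deleted device identities.
var logCategories = [
  'Connections'
  'DeviceTelemetry'
  'Routes'
  'DeviceIdentityOperations'
  'C2DCommands'
  'DirectMethods'
  'TwinQueries'
  'Configurations'
]

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: iotHub          // extension resource: attached to the hub, not to the resource group
  name: 'diag-iothub'
  properties: {
    workspaceId: workspace.id
    logs: [for category in logCategories: {
      category: category
      enabled: true
    }]
    metrics: [
      {
        category: 'AllMetrics'   // connected devices, routing failures, throttling errors
        enabled: true
      }
    ]
  }
}
```

Enabling `DeviceTelemetry` and `Routes` is what exposes error rates: a spike of routing-failure entries with an otherwise steady `Connections` stream is the usual first signal of a misconfigured endpoint or a revoked endpoint identity after a rotation. Diagnostic settings are free to declare, but Log Analytics ingestion is billed per GB, so a large fleet may want `DeviceTelemetry` sampled or routed to a cheaper archive rather than the workspace.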
