If you are looking into multiple many edge gateways to Azure IoT Hub their Device Provisioning Service (DPS) might be the preferable way to move forward. DPS allows devices to be automatically assigned to IoT Hubs which is very convenient in many scenarious. Just to mention a few:

• Assignment based on e.g. regions, certificates, load balacning
• Reassigning of new IoT Hub (new tenant or changing of subscription plan)
• Mass provisioning of Industrial IoT (IIoT) devices

DPS automatically generates a new device in the assigned IoT Hub and under the hood provides the Connection Information to the edge device. This is very handy when you have to dynamically provision devices as the IoT Hubs are generated for you by the DPS. 
The flow for the provisioning service comes as:

1.  IIoT Edge device connects to Azure DPS
2. Azure DPS returns connection information to the assigned IoT Hub. 
   1. If the device is not already assigned, a new IoT device is created in the Hub.
3. The IIoT Edge device connects to the IoT Hub with the returned connection information

This enables seamless provisioning of the IIoT Edge device and gives the flexibility of the Azure user to reassign to a new hub without any struggles in modifying the configuration on the device.

Using Azure Device Provisioning Service (DPS)

Utilizing the Azure Device Provisioning Service (DPS) for provisioning the device and the Shadow API is the most automated approach and scaleable. The DPS will automatically assign the device to an IoT Hub while SIA Connect automatically fetches the configuration and adds this as the Shadow API configuration making it very automated and scalable.

Preparing Azure DPS with authentication certificates

Upload certificates to Azure DPS

In order to authenticate against Azure DPS we need to add the Root CA which is going to issue the authentication certificates that we are about to use for authenticating our devices. You can also use Symmetric keys as authentication, but in this example we will show with certificates.

1. Go to your Azure IoT Hub Device Provisioning resource
2. Click certificates to get the overview of all the authentication certificates for the DPS
3. Add a new Root or intermediate CA which you are using to issue the authentication certificate that is being added to the SIA Connect solution
4. Mark “Set certificate status to verified on upload” (unless you want to validate it manually)
5. Press save. Now we are ready to add the enrollment in the next steps

Creating and manage the DPS and associated Azure IoT Hubs

To make the provisioning work we need to create a new enrollment. We have the following options for enrollments:

• Enrollment groups: A group of devices that uses the same authentication certificate or symmetric key to enroll.
• Individual enrollments: A single device which uses a certificate or symmetric key for enrollment.

In this example we will use the enrollment group.

1. Go to the menu Manage enrollments under Settings in the DPS menu
2. Select the Enrollment group and then Add enrollment group to create a new group for enrollments
3. A new page will open. In the Attestation section select “X.509 certificates uploaded to This Device Provisioning Service instance" to select the certificate that was previously uploaded for authentication. You can also in this step upload a new certificate (and skip the previous upload part).
4. Select the uploaded certificate to be used for authentication and set a group name

Additionally you can go to the IoT Hubs tab in order to decide how and which IoT Hubs the provisioned devices should be allocated to. You can set various rules in there and also create your custom Azure Function to make the decision.

That's it, press Review + Create and your Azure DPS is ready for devices to use for provisioning an IoT Hub to.

Preparing Azure DPS with symmetric keys

In addition to use certificate for authentication you can also use symmetric keys. 

The steps are the same first we have to create an enrollment policy. We have the following options for enrollments:

• Enrollment groups: A group of devices that uses the same authentication certificate or symmetric key to enroll.
• Individual enrollments: A single device which uses a certificate or symmetric key for enrollment.

In this example we will use the enrollment group.

1. Go to the menu Manage enrollments under Settings in the DPS menu
2. Select the Enrollment group and then Add enrollment group to create a new group for enrollments
3. A new page will open. In the Attestation section select “Symmetric key" that was previously uploaded for authentication. You can also in this step upload a new certificate (and skip the previous upload part).
4. Select if you want Azure DPS to generate the Symmetric Keys or define them your-self. They must be in base-64 if you define them.

Now press Review + Create and your Azure DPS is ready for devices to use for provisioning an IoT Hub to.

Connecting industrial devices to Azure DPS

By using SIA Connect as Edge gateway you can easily connect your industrial or building devices to Azure DPS and get assigned an IoT Hub. Ensure the Connector Azure IoT Hub is installed on the solution and that you have added an instance and items to read data from the desired device (PLC, BMS, etc.) you want to get data from. 

1.  Under Instances add a new instance with the Azure IoT Hub Connector
2.  Use the following parameters for the Azure IoT Instance

To find the ID Scope and Registration URI see below screen shot from the Azure portal:

Setup messaging between IIoT Edge devices and IoT Hub

To get data streaming as Device-to-Cloud messages and Cloud-to-Device messages a few steps is needed:

1. Define payload of messages
2. Setup mappings between the edge device items and the IoT Hub items

Define the payload of the message

You can setup the payload in two ways:

• A template for all messages to make all the messages have the same format
• Customized per mapping if individual messages requires a different format.

You can also add message properties as a parameter under the Device-to-Cloud item under the recently added Azure IoT instance.

In this example we will be using the following payload:

{
	"name": "%ITEM.NAME%",
	"value": "%VALUE%,
	"time": "%VALUE.TIME%
}

For full reference for all available dynamic variables check out these articles: Instance variables, Item variables and System variables 

Setup a message template

1. Go to the recently added Azure IoT instance
2. Click the Device-to-cloud item
3. Set the Input template parameter to the desired format

Customized per mapping

1. Create a mapping between the Edge device item and the Device-to-Cloud (See how to add a mapping)
2. Click on the mapping a modify the Custom value to the desired payload format

Validate the data flow

To validate the data flow open either Azure CLI or Azure IoT explorer in to start monitoring. You can also from the Azure portal send a Cloud-to-device message which will appear under the item in SIA Connect.

Click here to learn how to use Azure IoT Explorer and Azure CLI for message monitoring
 

What is the cost for this setup?

It all comes into how many message you use in the IoT Hub, how many IoT Hubs you require and some various small variations such as data center location. 

Azure DPS charges 0.094€ per 1.000 operations. An operation is an event such as a provisioning which happens everytime you re-initialize SIA Connect or restart it. 

To get a price estimation use Azure's cost calculator. In most simple setups the estimated cost would be around 25€ per months for the Standard tier and 10€ per month for the Basic tier both including for 400.000 messages per day and free if you have below 8.000 messages.