Google IoT Core Overview
Cloud IoT Core
Cloud IoT Core is a fully managed service for securely connecting and managing a globally distributed fleet of devices. Devices can connect to the cloud directly through IoT Core, without requiring an intermediate gateway. IoT Core handles device authentication and funnels large volumes of sensor data into Google Cloud's data processing and analytics products; because it runs on Google's serverless infrastructure, load balancing and horizontal scaling are handled for you. On the Android Things platform, the IoT Core integration also helps push out firmware and device updates.
Components of Cloud IoT Core
The main components of Cloud IoT Core are the device manager and the protocol bridges (MQTT and HTTP):
- The device manager registers devices with the service so you can monitor and configure them. It establishes each device's identity and provides the mechanism for authenticating the device when it connects. The device manager also keeps a logical configuration for each device, which can be used to control the device remotely from the cloud.
- The two protocol bridges (MQTT and HTTP) are the endpoints that devices use to connect to Google Cloud Platform:
- MQTT is a standard publish/subscribe protocol that is widely used and supported by embedded devices.
- HTTP is connectionless: with the HTTP bridge, devices do not maintain a connection to Cloud IoT Core. Instead, they send requests and receive responses. Cloud IoT Core supports HTTP 1.1 only.
The following diagram shows the service components and the flow of data.
For a device to connect, it must be registered with Cloud IoT Core. Registration consists of adding a device to a registry and defining the essential properties.
Device telemetry data is forwarded to a Cloud Pub/Sub topic, which can be used to trigger a Cloud Function. From there you can perform streaming analysis with Cloud Dataflow or custom analysis with your own subscribers.
Cloud IoT Core offers the following security features:
- Per-device public/private key authentication using JSON Web Tokens (JWTs, RFC 7519).
- Support for RSA and Elliptic Curve algorithms (RS256 and ES256) to verify signatures, with enforcement of strong key sizes.
- Per-device key rotation, by allowing multiple concurrent keys to be registered, plus an optional expiration time per credential.
- TLS 1.2 connections, using root certificate authorities (required for MQTT).
An authenticated provisioner configures the device. The provisioner must have created a project and a registry and must have permission to create devices; it uses the Cloud IoT Core API, gcloud commands, or the Google Cloud Platform Console to create a logical device in the cloud and register the device's public key with it.
The diagram below shows authentication in Cloud IoT Core using MQTT:
- The device prepares a JSON Web Token, signed with its private key. The matching public key is the one registered with the device manager during provisioning; the private key never leaves the device.
- When connecting to the MQTT bridge, the device presents the JWT as the password in the MQTT CONNECT message.
- The MQTT bridge verifies the JWT's signature against the device's registered public key.
- The MQTT bridge accepts the connection.
- The connection is closed when the JWT expires; the device must present a freshly signed token to reconnect.
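The token flow above, together with the per-device key features listed earlier (RS256 signatures, concurrent registered keys, per-credential expiry), as an added worked example. This is not code from Google or from the Cloud IoT Core documentation: the device side builds the RS256 JWT with the `iat`, `exp` and `aud` (project ID) claims that IoT Core requires, and `VerifyJWT` models the checks the MQTT bridge performs on CONNECT, including rejecting a token signed by a registered key whose expiry has passed. The project, region, registry and device names are invented; the 24-hour maximum token lifetime and 10-minute clock-skew allowance are the limits IoT Core documents for device JWTs. Standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Limits Cloud IoT Core documents for device JWTs: at most 24h of validity and
// up to 10 minutes of clock skew between device and bridge.
const (
	maxTokenLifetime = 24 * time.Hour
	maxClockSkew     = 10 * time.Minute
)

// Claims is the minimal claim set IoT Core requires: iat, exp and the project ID as aud.
type Claims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
}

// RegisteredKey is a device public key in the device manager; several may coexist for rotation, each with optional expiry.
type RegisteredKey struct {
	Pub       *rsa.PublicKey
	ExpiresAt time.Time // zero means the credential never expires
}

// NewDeviceKey creates the device key pair; only the public half is registered in the cloud.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
var b64 = base64.RawURLEncoding

// MakeJWT builds and signs the RS256 token a device presents as its MQTT password.
func MakeJWT(projectID string, priv *rsa.PrivateKey, iat time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Iat: iat.Unix(), Exp: iat.Add(ttl).Unix(), Aud: projectID})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT models the bridge's checks on CONNECT: RS256 only, signature valid under an
// unexpired registered key, aud is this project, and the token still inside its validity window.
func VerifyJWT(token string, keys []RegisteredKey, projectID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url encoding")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("alg must be RS256") // the token never gets to pick its own algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	verified := false // accept only if a still-active registered key verifies the signature
	for _, k := range keys {
		active := k.ExpiresAt.IsZero() || now.Before(k.ExpiresAt)
		verified = verified || (active && rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, digest[:], sig) == nil)
	}
	if !verified {
		return nil, errors.New("signature does not match any active registered key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != projectID:
		return nil, fmt.Errorf("audience %q is not project %q", c.Aud, projectID)
	case now.Unix() > c.Exp+int64(maxClockSkew.Seconds()):
		return nil, errors.New("token expired") // the bridge closes the session at this point
	case c.Exp-c.Iat > int64(maxTokenLifetime.Seconds()):
		return nil, errors.New("token lifetime exceeds 24h")
	}
	return &c, nil
}

// MQTTConnectParams: full device resource path as client ID, a non-empty but ignored username, and the JWT as password.
func MQTTConnectParams(projectID, region, registry, deviceID, jwt string) (clientID, username, password string) {
	clientID = fmt.Sprintf("projects/%s/locations/%s/registries/%s/devices/%s", projectID, region, registry, deviceID)
	return clientID, "unused", jwt
}
```

A device calls `NewDeviceKey` once, uploads the public half during provisioning, then calls `MakeJWT` before every CONNECT and passes the result through `MQTTConnectParams`; the bridge side is what `VerifyJWT` imitates, so the same token is accepted shortly after issue, rejected once `exp` plus the skew allowance has passed, and rejected under a registered key whose own `ExpiresAt` is in the past even though the signature itself is mathematically valid.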