Secure MQTT broker communication using BrokerListener

Article
10/18/2024

Important

Azure IoT Operations Preview – enabled by Azure Arc is currently in preview. You shouldn't use this preview software in production environments.

You'll need to deploy a new Azure IoT Operations installation when a generally available release is made available. You won't be able to upgrade a preview installation.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To customize the network access and security use the BrokerListener resource. A listener corresponds to a network endpoint that exposes the broker to the network. You can have one or more BrokerListener resources for each Broker resource, and thus multiple ports with different access control each.

Each listener port can have its own authentication and authorization rules that define who can connect to the listener and what actions they can perform on the broker. You can use BrokerAuthentication and BrokerAuthorization resources to specify the access control policies for each listener. This flexibility allows you to fine-tune the permissions and roles of your MQTT clients, based on their needs and use cases.

Tip

You can only access the default MQTT broker deployment by using the cluster IP, TLS, and a service account token. Clients connecting from outside the cluster need extra configuration before they can connect.

Listeners have the following characteristics:

You can have up to three listeners. One listener per service type of loadBalancer, clusterIp, or nodePort. The default BrokerListener named listener is service type clusterIp.
Each listener supports multiple ports
BrokerAuthentication and BrokerAuthorization references are per port
TLS configuration is per port
Service names must be unique
Ports cannot conflict over different listeners

For a list of the available settings, see the Broker Listener API reference.

Default BrokerListener

When you deploy Azure IoT Operations Preview, the deployment also creates a BrokerListener resource named default in the azure-iot-operations namespace. This listener is linked to the default Broker resource named default that's also created during deployment. The default listener exposes the broker on port 18883 with TLS and SAT authentication enabled. The TLS certificate is automatically managed by cert-manager. Authorization is disabled by default.

To view or edit the listener:

Portal
Kubernetes

In the Azure portal, navigate to your IoT Operations instance.
Under Azure IoT Operations resources, select MQTT Broker.
From the broker listener list, select the default listener.
Review the listener settings and make any changes as needed.

To view the default BrokerListener resource, use the following command:

kubectl get brokerlistener listener -n azure-iot-operations -o yaml

The output should look similar to this, with most metadata removed for brevity:

apiVersion: mqttbroker.iotoperations.azure.com/v1beta1
kind: BrokerListener
metadata:
  name: listener
  namespace: azure-iot-operations
spec:
  brokerRef: default
  serviceName: aio-broker
  serviceType: ClusterIp
  ports:
  - authenticationRef: authn
    port: 18883
    protocol: Mqtt
    tls:
      certManagerCertificateSpec:
        issuerRef:
          group: cert-manager.io
          kind: Issuer
          name: mq-dmqtt-frontend
      mode: Automatic

To learn more about the default BrokerAuthentication resource linked to this listener, see Default BrokerAuthentication resource.

Update the default broker listener

The default BrokerListener uses the service type ClusterIp. You can have only one listener per service type. If you want to add more ports to service type ClusterIp, you can update the default listener to add more ports. For example, you could add a new port 1883 with no TLS and authentication off with the following kubectl patch command:

kubectl patch brokerlistener listener -n azure-iot-operations --type='json' -p='[{"op": "add", "path": "/spec/ports/", "value": {"port": 1883, "protocol": "Mqtt"}}]'

Create new broker listeners

This example shows how to create a new BrokerListener resource named loadbalancer-listener for a Broker resource. The BrokerListener resource defines a two ports that accept MQTT connections from clients.

The first port listens on port 1883 with no TLS and authentication off. Clients can connect to the broker without encryption or authentication.
The second port listens on port 18883 with TLS and authentication enabled. Only authenticated clients can connect to the broker with TLS encryption. TLS is set to automatic, which means that the listener uses cert-manager to get and renew its server certificate.

Portal
Kubernetes

In the Azure portal, navigate to your IoT Operations instance.
Under Azure IoT Operations resources, select MQTT Broker.

Select MQTT broker listener for LoadBalancer > Create. You can only create one listener per service type. If you already have a listener of the same service type, you can add more ports to the existing listener.

Screenshot using Azure portal to create MQTT broker for load balancer listener.

Enter the following settings:

Setting	Description
Name	Name of the BrokerListener resource.
Service name	Name of the Kubernetes service associated with the BrokerListener.
Service type	Type of broker service, such as LoadBalancer, NodePort, or ClusterIP.
Port	Port number on which the BrokerListener listens for MQTT connections.
Authentication	The authentication resource reference.
Authorization	The authorization resource reference.
TLS	Indicates whether TLS is enabled for secure communication. Can be set to automatic or manual.

Select Create listener.

To create these BrokerListener resources, apply this YAML manifest to your Kubernetes cluster:

apiVersion: mqttbroker.iotoperations.azure.com/v1beta1
kind: BrokerListener
metadata:
  name: loadbalancer-listener
  namespace: azure-iot-operations
spec:
  brokerRef: default
  serviceType: LoadBalancer
  serviceName: aio-broker-loadbalancer
  ports:
  - port: 1883
    protocol: Mqtt
  - port: 18883
    authenticationRef: authn
    protocol: Mqtt
    tls:
      mode: Automatic
      certManagerCertificateSpec:
        issuerRef:
            name: e2e-cert-issuer
            kind: Issuer
            group: cert-manager.io

For more information about authentication, see Configure MQTT broker authentication. For more information about authorization, see Configure MQTT broker authorization. For more information about TLS, see Configure TLS with automatic certificate management to secure MQTT communication in MQTT broker or Configure TLS with manual certificate management to secure MQTT communication in MQTT broker.

Share via

Secure MQTT broker communication using BrokerListener

Default BrokerListener

Update the default broker listener

Create new broker listeners

Feedback

Additional resources

Share via

Secure MQTT broker communication using BrokerListener

Default BrokerListener

Create new broker listeners

Related content

Feedback

Additional resources