articles/iot-edge/production-checklist.md
Lines changed: 23 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Prepare your Azure IoT Edge solution for production
3
3
description: Ready your Azure IoT Edge solution for production. Learn how to set up your devices with certificates and make a deployment plan for future updates.
4
4
author: sethmanheim
5
5
ms.author: sethm
6
-
ms.date: 06/03/2025
6
+
ms.date: 02/26/2026
7
7
ms.topic: concept-article
8
8
ms.service: azure-iot-edge
9
9
services: iot-edge
@@ -337,6 +337,9 @@ This checklist is a starting point for firewall rules:
337
337
338
338
<sup>1</sup>Open port 8883 for secure MQTT or port 5671 for secure AMQP. If you can only make connections via port 443 then either of these protocols can be run through a WebSocket tunnel.
339
339
340
+
> [!TIP]
341
+
> For tighter security, replace wildcard FQDNs with specific endpoints where possible. For example, replace `*.azure-devices.net` with `<your-hub-name>.azure-devices.net`. Replace `*.azurecr.io` with `<your-registry-name>.azurecr.io`. Enterprise security teams often reject wildcard rules, so plan for specific FQDNs in production.
342
+
340
343
Since the IP address of an IoT hub can change without notice, always use the FQDN to allowlist configuration. To learn more, see [Understanding the IP address of your IoT Hub](../iot-hub/iot-hub-understand-ip-address.md).
341
344
342
345
Some of these firewall rules are inherited from Azure Container Registry. For more information, see [Configure rules to access an Azure container registry behind a firewall](/azure/container-registry/container-registry-firewall-access-rules).
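Review bot: The new tip ends with "Enterprise security teams often reject wildcard rules", which gives the reader a process reason but not the security one. Consider stating the risk directly: a rule for `*.azure-devices.net` or `*.azurecr.io` permits egress to any hub or registry under that domain, not only yours. The tip also names replacements for only two wildcards; since the context line below says some rules are inherited from Azure Container Registry, pointing from the tip to that linked article would tell readers where to confirm which registry endpoints they need before narrowing `*.azurecr.io` to `<your-registry-name>.azurecr.io`.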
@@ -375,6 +378,14 @@ Specify the DNS server for your environment in the container engine settings. Th
375
378
}
376
379
```
377
380
381
+
For corporate or private networks that block external DNS, use your internal DNS server instead:
382
+
383
+
```json
384
+
{
385
+
"dns": ["10.0.0.53"]
386
+
}
387
+
```
388
+
378
389
## Solution management
379
390
380
391
* **Helpful**
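Review bot: The added example hardcodes `"dns": ["10.0.0.53"]` with nothing marking the address as a sample, so it is likely to be copied verbatim into production container engine settings. The firewall tip in this same change uses `<your-hub-name>` style placeholders; either do the same here or add a sentence telling the reader to replace the address with their own internal DNS server. It would also help to say that the internal server has to be able to resolve the Azure FQDNs from the firewall checklist, because the lead-in sentence is about networks that block external DNS.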
@@ -518,6 +529,17 @@ Docker lets you limit resources like memory and CPU usage. For more information,
518
529
519
530
You can apply these constraints to individual modules by using create options in deployment manifests. For more information, see [How to configure container create options for IoT Edge modules](how-to-use-create-options.md).
520
531
532
+
For example, to limit a module to 256 MB of memory and 1 CPU core:
533
+
534
+
```json
535
+
"createOptions": {
536
+
"HostConfig": {
537
+
"Memory": 268435456,
538
+
"NanoCPUs": 1000000000
539
+
}
540
+
}
541
+
```
542
+
521
543
## Next steps
522
544
523
545
* Learn more about [IoT Edge automatic deployment](module-deployment-monitoring.md).
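Review bot: The new example gives `"Memory": 268435456` and `"NanoCPUs": 1000000000` without stating the units, so a reader cannot derive other limits from it. Add a line saying that Memory is in bytes (268435456 is 256 x 1024 x 1024) and that NanoCPUs is in billionths of a CPU. Separately, the block is fenced as json but starts at `"createOptions": {` with no enclosing object, so it is not valid JSON on its own; either wrap it in braces or say in the lead-in that it is a fragment of the module's entry in the deployment manifest.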