Version: 5.4

Architecture for Enterprise Solutions

This chapter describes the architecture recommendations for using the OPC Router in large enterprise environments. These recommendations are aimed at companies that operate complex and extensive systems and require a highly available, secure, and scalable solution for data integration and processing. The OPC Router is the ideal platform for digitalization and offers companies the opportunity to design their solutions in a flexible and scalable manner. Regardless of whether requirements increase due to company growth, new ideas, or changing regulations and customer requirements, the OPC Router can be quickly and agilely adapted to the new circumstances through configuration.

Definition and characteristics of large enterprise solutions

Enterprise solutions are characterized by their extensive infrastructure, high data flow, and complex requirements for availability and security. OPC Router offers the flexibility and scalability to meet these requirements.

Typical characteristics of large enterprise solutions

  • High availability and redundancy
  • Comprehensive security measures
  • Integration into existing IT infrastructures
  • Scalability and flexibility
  • Mandatory test and development environments

Highly available and redundant architecture

High availability and redundancy are crucial factors for operating OPC Router instances in enterprise environments. These concepts help to minimize downtime and ensure the reliability of data communication. There are various architectural options for achieving these goals:

  1. Centralized architecture with cross redundancy
    • Definition: Operation of two or more central OPC Router instances in parallel, with the connected systems also designed to be redundant.
    • Advantages: High availability, fast switchover times thanks to "hot standby," dynamic compensation for failures, centralized management.
    • Example: Redundant connections to OPC UA servers, databases, and SAP systems.
  2. Decentralized architecture
    • Definition: Operation of OPC Router instances close to the data source in so-called "fault zones."
    • Advantages: Reduced latency, higher fault tolerance, flexibility, and scalability.
    • Implementation: Local redundancy with edge devices, use of store and forward, local data brokers, or databases.
  3. Hybrid architecture
    • Definition: Combination of centralized and decentralized architecture to leverage the advantages of both models.
    • Advantages: Maximized availability and fault tolerance, optimized latency.
    • Implementation: Central servers with cross-redundancy and decentralized edge devices with local redundancy and synchronization.
  4. Kubernetes and container orchestration
    • Definition: Kubernetes is an open-source platform for automating the deployment, scaling, and management of containerized applications.
    • Advantages: Scalability, flexibility, automation.
    • Challenges: Complexity, resource requirements.
    • Implementation: OPC Router is installed on a Kubernetes cluster using Helm Charts, supported by various configurations and redundancy options for OPC Router and MongoDB instances.

For detailed implementation strategies, practical implementations, and specific configuration examples, please refer to the subpage [Highly available and redundant architecture](./#highly-available-and-redundant-architecture).

Virtualized Environments

The use of virtualized environments offers numerous advantages for operating the OPC Router in enterprise environments. Virtualization enables efficient use of resources, flexible scaling of infrastructure, and implementation of additional security measures.

Operation in virtualized environments

  • Flexibility and scalability: Virtualized environments offer the flexibility to dynamically allocate resources and easily scale the infrastructure.
  • Security measures: Additional security through isolation and easy recovery options.
  • Cost efficiency: Reduction of hardware costs by consolidating multiple virtual machines on a single physical server.
  • Recoverability: Easy creation of snapshots and backups of the entire virtual machine.
  • VMware: Widely used and offers extensive management and security features.
  • Hyper-V: Well integrated into Microsoft environments and offers high availability and scalability.

Recommendation for the use of hypervisors: Regardless of the architecture used, e.g., centralized, decentralized, hybrid, or Kubernetes, we recommend the use of a hypervisor. Hypervisors such as VMware ESXi or Microsoft Hyper-V provide a robust and flexible foundation for operating virtualized environments. They enable efficient resource utilization and offer numerous functions for managing and securing your virtual machines.

Separation of Concerns (SoC)

The introduction of Separation of Concerns (SoC) is a fundamental and self-evident part of the architecture for enterprise solutions. SoC means that different tasks and responsibilities are divided among separate components to improve the maintainability and extensibility of the system.

Implementation of SoC

  • Separation of tasks: Different tasks such as data acquisition, processing, and forwarding are distributed across separate OPC Router instances.
  • Reduced dependencies: Each instance is configured independently, which facilitates expansion and scaling.
  • Easy maintenance: Problems can be isolated and fixed more easily, simplifying maintenance.
  • Flexibility and adaptability: By separating tasks, the OPC Router can respond quickly and agilely to new requirements and changes.

Versioning of configurations

Configuration versioning is a crucial aspect of operating the OPC Router in enterprise environments. It ensures that changes to the system configuration are traceable and that previous versions can be reverted to if necessary. This increases the reliability and maintainability of the system.

Key points of configuration versioning:

  1. Integrated versioning in OPC Router:
    • Built-in feature: OPC Router supports Git internally and uses YAML configuration files, which enables effective management and versioning of configurations.
    • Advantages: Easy to use, automatic versioning, and quick recovery in case of errors.
  2. Extension through integration with hosted Git servers:
    • Hosted Git servers: Additional functions can be used by connecting to external Git servers such as GitHub, Bitbucket, or Microsoft Azure DevOps.
    • Advantages: Centralized management, extended access control, and comprehensive change tracking. It is important that the repositories are private to prevent unauthorized access.
  3. Best practices:
    • Regular commits and pushes: Regularly save and upload configuration changes to the Git server.
    • Change logs: Keep a log of all changes made with timestamps and responsible persons.
    • Test environment: Validate changes in a test environment before transferring them to the production environment.
    • Security of secrets: Secrets or passwords should never end up in the Git repository. The OPC Router always stores secrets in a separate local vault to ensure that they are not versioned.
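As an added example, not part of the OPC Router documentation or product, the following POSIX shell pre-commit check refuses a commit when a staged YAML configuration file contains a literal secret value, enforcing the rule above that secrets never enter the repository. The list of secret-like key names, the `${...}` placeholder convention for values resolved from a vault or environment, and the hook wiring are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-commit hook: block YAML config files that carry literal
# secrets. Key names below are an assumption; extend them to match your configs.
SECRET_KEY_PATTERN='^[[:space:]]*(-[[:space:]]+)?(password|passwd|secret|api[_-]?key|token|connection[_-]?string)[[:space:]]*:[[:space:]]*[^[:space:]]'

# scan_yaml_for_secrets FILE
# Prints "file:line: content" for each offending line.
# Returns 1 if any literal secret was found, 0 otherwise.
scan_yaml_for_secrets() {
    file=$1
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip YAML comment lines.
        if printf '%s\n' "$line" | grep -q '^[[:space:]]*#'; then
            continue
        fi
        if printf '%s\n' "$line" | grep -Eiq "$SECRET_KEY_PATTERN"; then
            # Assumed convention: values like ${OPCR_DB_PASSWORD} are placeholders
            # resolved from the local vault or environment, not secrets themselves.
            case "$line" in *'${'*) continue ;; esac
            printf '%s:%s: %s\n' "$file" "$n" "$line"
            found=1
        fi
    done < "$file"
    return $found
}

# check_staged_yaml
# Scans every YAML file staged for the current commit (working-tree copy; a
# stricter variant would scan the staged blob via `git show :path`).
check_staged_yaml() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.yml' '*.yaml'); do
        scan_yaml_for_secrets "$f" || status=1
    done
    return $status
}

# Only run the staged scan when installed as .git/hooks/pre-commit;
# a non-zero exit aborts the commit.
case "$0" in
    */pre-commit)
        check_staged_yaml || { echo "commit aborted: literal secrets in YAML config" >&2; exit 1; }
        ;;
esac
```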

Test and development systems

Test and development systems are essential for ensuring the stability and security of the OPC Router in an enterprise environment. These systems make it possible to test new functions and configurations before they are transferred to the production environment and help to identify and resolve potential problems at an early stage.

The role of test and development systems

  • Risk minimization: By testing changes in a secure environment, potential risks and errors can be identified and corrected before they affect the production environment.
  • Quality assurance: Quality assurance ensures that new features and configurations work as expected and have no unexpected side effects.
  • Training and continuing education: Test and development environments can be used for training and continuing education of IT staff without affecting production systems.

Recommendations for test and development systems

  1. Set up a separate environment:
    • Set up a separate test and development environment that replicates the production environment as closely as possible.
    • Use virtualization or containerization to create and manage these environments efficiently and cost-effectively.
  2. Perform regular tests:
    • Perform regular tests to ensure the stability and compatibility of new updates and changes.
    • Use automated testing tools to increase the efficiency and accuracy of testing.
  3. Project export and import:
    • Use the export and import functions of the OPC Router to transfer projects between development, test, and production environments.
    • Enables easy and consistent management of configurations and changes.
  4. Set up a development lab:
    • Set up a development lab where PLCs and other machines and hardware can be simulated.
    • Stage external systems such as ERP, MES, and databases to create realistic test scenarios.
  5. Version control and deployment pipelines (optional):
    • Use version control systems such as Git to manage changes to configurations and projects.
    • Implement deployment pipelines to automate and standardize the transition from the development to the production environment.
  6. Security checks:
    • Perform regular security checks and penetration tests in the test environment to ensure that new configurations and updates do not introduce security vulnerabilities.
    • Ensure that the test environment is as well protected as the production environment to guarantee realistic results.
  7. Documentation and training:
    • Thoroughly document all tests, results, and changes to maintain a traceable history.
    • You can use the test and development environment for training and exercises to prepare IT staff for new features and changes.

Test and development systems are an essential part of a robust and secure IT infrastructure. They allow changes and updates to be tested under realistic conditions before they are transferred to the production environment. By setting up separate test environments, conducting regular tests and security checks, and using project export and import, development labs, and, ideally, version control systems and deployment pipelines, companies can ensure the quality and security of their OPC Router implementations.

IT Monitoring and Integration

IT monitoring is an essential component for ensuring the performance, availability, and security of OPC Router instances in enterprise environments. OPC Router offers various functions for monitoring and integration with external monitoring tools.

Monitoring

  • Monitoring: Continuous monitoring of system performance and availability.
  • Early warning systems: These detect problems before they lead to failures, so that corrective measures can be taken before an outage occurs.

Internal diagnostic data

OPC Router provides internal diagnostic data that can be transmitted to external systems via internal OPC UA servers and monitored there. This enables seamless integration into existing monitoring solutions and provides detailed insights into the operating status of the system.

Self-monitoring with email notification

OPC Router offers an internal self-monitoring function that automatically sends email notifications when anomalies or errors are detected. This feature ensures that administrators and IT staff are immediately informed of potential problems and can respond accordingly.

External monitoring tools

It is recommended to use established monitoring tools that are already known and used in the IT infrastructure. These tools offer extensive functions for monitoring and analyzing system performance and availability.

Integrate monitoring into the existing IT infrastructure and alert systems to ensure comprehensive monitoring and rapid response to potential problems.

Auditing and security

Auditing and security are essential aspects of operating the OPC Router in enterprise environments. These measures ensure that the system meets the highest standards and is protected against unauthorized access and potential threats.

Auditing changes

  • Tracking: Log all changes to systems and configurations.
  • Security review: Regularly review audit logs to identify security-related events.

Security measures

  • Microsoft Entra ID (formerly Azure Active Directory): Use central directory services for authentication and authorization.
  • SSL/TLS encryption: Ensure that all connections are encrypted with TLS (SSL) to guarantee data integrity and confidentiality during transmission.
  • Separation of Concerns (SoC): Implement SoC to distribute different tasks across separate components and increase security and maintainability. SoC enables a clear separation of responsibilities and reduces the risk of security vulnerabilities affecting multiple parts of the system.

Regular updates and maintenance

  • Maintenance Releases: inray regularly provides maintenance releases for OPC Router versions and also checks dependencies for known vulnerabilities to ensure the security of the updates.
  • Security updates for included components: Please note that security updates for any included components, such as the .NET Framework, must also be installed.
  • Host and operating system updates: Regular updates of the host and operating systems should be performed to close security gaps and ensure stability.

Summary

For enterprise solutions, OPC Router offers a highly available, secure, and scalable solution for data integration and processing. By implementing cross-redundancy, versioning, Kubernetes, and virtualized environments, as well as comprehensive security measures, companies can build an efficient and reliable infrastructure. Integration with existing IT monitoring systems and auditing of changes also ensure continuous monitoring and security of the entire system.
