Architecture Overview
The SDA Platform is natively built on Amazon Web Services (AWS), taking advantage of the scalability and reliability of cloud services, with secure, outbound-only connectivity to industrial systems through the SDA Gateway. This design enables SDA to deliver remote engineering, automated DevOps workflows, and centralized management for diverse industrial environments without compromising OT network security.
SDA makes extensive use of AWS-native capabilities to ensure high availability, elasticity, and security. Core platform services—including identity, storage, orchestration, compute, messaging, and pipeline execution—are built on top of AWS-managed infrastructure. This allows SDA to minimize operational overhead, inherit AWS’s global reliability, and focus on delivering OT-focused workflows at scale.
This page provides a high-level overview of how SDA components are structured and how the cloud and shop-floor elements interact end-to-end.

Cloud Architecture
In the cloud, SDA operates as a fully managed, multi-tenant platform built on modern microservices and AWS-native infrastructure. Core functions include:
Tenant Management & Identity Services
Project Storage, Versioning, and Comparisons
Pipeline Orchestration for Deployments, Backups, Password Rotations, and More
Event Processing, Logging, and Audit Trails
IDEaaS / Browser-Based Engineering Execution Environment
Security Hub, Vaults, and Secrets Storage
All cloud traffic passes through strict authentication and authorization boundaries, is always encrypted in transit, and is subject to tenant isolation enforced at every layer.
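What "tenant isolation enforced at every layer" means at the data-access layer is easiest to see as code. The following is an added illustration, not SDA's code: an unscoped project lookup (the classic cross-tenant bug) next to a lookup keyed by the caller's verified tenant. The store, the role model (viewer/engineer) and all names are constructed for the example.

```python
"""Tenant-scoped data access: an unscoped lookup (the bug) next to the
tenant-keyed lookup (the boundary the page describes). Added illustration,
not SDA's code; the store, roles and names are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity established by the cloud's authentication layer."""
    user: str
    tenant_id: str
    roles: frozenset


class Forbidden(Exception):
    pass


# Constructed multi-tenant project store, keyed by (tenant_id, project_id).
PROJECTS = {
    ("acme", "p-100"): {"name": "line1-plc", "version": 7},
    ("globex", "p-200"): {"name": "packaging", "version": 3},
}

# A flat index by project id alone, kept only to show the unscoped lookup.
BY_ID = {pid: row for (_tenant, pid), row in PROJECTS.items()}

# Assumed role model: which actions each role may perform within its tenant.
ROLE_ACTIONS = {"viewer": {"read"}, "engineer": {"read", "deploy"}}


def get_project_unscoped(project_id: str) -> dict:
    """Weak: any authenticated caller can fetch any tenant's project by id."""
    return BY_ID[project_id]


def require_role(p: Principal, action: str) -> None:
    if not any(action in ROLE_ACTIONS.get(r, ()) for r in p.roles):
        raise Forbidden(f"role does not permit {action}")


def get_project(p: Principal, project_id: str, action: str = "read") -> dict:
    """Hardened: the tenant comes from the caller's verified identity, never
    from the request, and the store is keyed by tenant, so a bare project id
    cannot cross the boundary. Missing and foreign projects raise the same
    error so the response is not an existence oracle."""
    require_role(p, action)
    row = PROJECTS.get((p.tenant_id, project_id))
    if row is None:
        raise Forbidden("project not found in tenant")
    return row


def denied(fn, *args) -> bool:
    """True if the call is refused by the authorization layer."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The two points a reviewer would check in a real service are the same ones the hardened function makes explicit: the tenant used for the lookup is taken from the authenticated principal, not from any request parameter, and a project that exists in another tenant produces exactly the same error as one that does not exist at all.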
The platform uses a broad range of AWS services to provide reliability, performance, and strong security boundaries. Examples include:
Compute & Orchestration using containerized microservices running on managed AWS compute services
Storage & Durability through AWS-managed databases, object storage, and distributed metadata services
Messaging & Eventing using high-throughput, durable, AWS event services
Identity & Authentication via tightly integrated AWS IAM-backed infrastructure
Global Availability through multi-AZ (Availability Zone) deployments and AWS networking primitives
By building on AWS-hosted services, SDA inherits AWS's availability commitments, compliance certifications, global reach, and operational maturity for the infrastructure layer, while remaining responsible for the security of the platform it runs on top of them.
On-Premise Architecture (SDA Gateway)
Inside the factory or facility, the SDA Gateway serves as the secure communication point between OT devices and SDA Cloud. The gateway:
Establishes outbound-only encrypted tunnels to the SDA Cloud
Provides device-level routing and protocol handling
Enables IDEaaS sessions to connect to PLCs without exposing the OT network
Executes pipelines such as device backups, deployments, and variable reads/writes
Serves as a local communication hub for associated devices
Establishes only on-demand, short-lived connectivity to the cloud
Because the gateway initiates all connectivity outbound, no inbound ports need to be opened on the plant firewall, preserving OT security principles. Outbound connectivity still requires an egress rule from the gateway to the SDA Cloud endpoints; that rule should be scoped to the gateway host and those endpoints rather than a blanket outbound allow. The gateway is designed to respect OT segmentation by never requiring PLCs or controllers to be exposed to the internet: it reaches devices inside the OT network and communicates securely with SDA Cloud on their behalf. More details are outlined in the SDA Connectivity Service page, which covers the SDA Gateway architecture.
End-to-End Flow
A simplified view of the architecture:
User interacts with the SDA Web Console or IDEaaS
SDA Cloud authenticates the user and authorizes the requested action
Cloud services orchestrate the workflow (e.g., a pipeline, a deployment, an IDE session)
The SDA Gateway executes the device-level operations within the plant on demand
Results flow back to the cloud, where they are stored, analyzed, or presented to the user
This cloud/on-premise architecture allows SDA to deliver secure remote access, automated OT workflows, version control, and multi-vendor PLC operations without altering factory network structures or compromising segmentation. An in-depth end-to-end flow is outlined in the SDA Connectivity Service page, which provides user flows and sequence diagrams.
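The on-premise section above describes outbound-initiated, short-lived gateway connectivity, and the end-to-end flow describes a job travelling cloud to gateway and back. The following runs that exchange in one process, with the cloud as the only listening socket and the gateway dialling out, receiving one signed job, validating it against what it is allowed to do and which devices it serves, returning the result and closing. This is an added illustration, not SDA's code: the enrolment key, the HMAC-signed job format, the job expiry, the operation allow-list, the device table and the use of a plaintext localhost socket in place of the encrypted tunnel the page describes are all assumptions made for the example.

```python
"""Gateway-initiated connectivity, end to end: the gateway dials OUT to the
cloud, the cloud pushes one signed job over that connection, the gateway
validates and executes it against local devices, returns the result and
hangs up. Added illustration, not SDA's code. Assumptions: an enrolment key
shared by cloud and gateway, HMAC-signed jobs with an expiry, and a plaintext
localhost socket standing in for the TLS tunnel the page describes."""
import hashlib
import hmac
import json
import socket
import threading
import time

# Constructed enrolment secret; a real gateway would hold this in its vault.
ENROLMENT_KEY = b"demo-enrolment-key"

# Constructed device table: the only OT devices this gateway will touch.
LOCAL_DEVICES = {
    "plc-line1": {"ip": "10.0.5.11", "vars": {"motor_speed": 1500, "tank_level": 73}},
}

# Assumed per-gateway grant; writes are deliberately not included.
ALLOWED_OPS = {"backup", "read"}
JOB_TTL_SECONDS = 30


def sign(job: dict) -> str:
    body = json.dumps(job, sort_keys=True).encode()
    return hmac.new(ENROLMENT_KEY, body, hashlib.sha256).hexdigest()


def gateway_execute(job: dict, mac: str) -> dict:
    """Validate, then execute. Every rejection is reported back, never run."""
    if not hmac.compare_digest(sign(job), mac):
        return {"ok": False, "error": "bad signature"}
    if time.time() > job.get("exp", 0):
        return {"ok": False, "error": "job expired"}
    if job["op"] not in ALLOWED_OPS:
        return {"ok": False, "error": f"op not permitted: {job['op']}"}
    dev = LOCAL_DEVICES.get(job["device"])
    if dev is None:
        return {"ok": False, "error": "device not served by this gateway"}
    if job["op"] == "read":
        return {"ok": True, "value": dev["vars"].get(job["var"])}
    return {"ok": True, "snapshot": dict(dev["vars"])}  # simulated backup


def send_json(sock, obj):
    sock.sendall(json.dumps(obj).encode() + b"\n")


def recv_json(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return json.loads(buf)


def cloud_side(listener, job, box):
    """Cloud: the only listener. Accepts the gateway's connection, stamps and
    signs the job, pushes it over that connection, collects the result."""
    conn, _ = listener.accept()
    with conn:
        hello = recv_json(conn)
        stamped = {**job, "exp": time.time() + JOB_TTL_SECONDS}
        send_json(conn, {"job": stamped, "mac": sign(stamped)})
        box["gateway"] = hello["gateway"]
        box["result"] = recv_json(conn)


def gateway_side(cloud_addr):
    """Gateway: connects out, never binds or listens; one job, then close."""
    with socket.create_connection(cloud_addr) as s:
        send_json(s, {"gateway": "gw-plant-a"})
        msg = recv_json(s)
        send_json(s, gateway_execute(msg["job"], msg["mac"]))


def run_job(job: dict) -> dict:
    """Drive one on-demand session in-process and return what the cloud saw."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    box = {}
    t = threading.Thread(target=cloud_side, args=(listener, job, box))
    t.start()
    try:
        gateway_side(listener.getsockname())
        t.join()
    finally:
        listener.close()
    return box


if __name__ == "__main__":
    print(run_job({"op": "read", "device": "plc-line1", "var": "tank_level"}))
```

The property worth noticing is structural: only cloud_side ever calls bind or listen, so a plant firewall that permits nothing inbound and only the gateway's egress to the cloud endpoint is sufficient. The gateway-side checks (signature, expiry, operation allow-list, device scope) are what keep a compromised or misrouted cloud job from turning the gateway into a general-purpose bridge into the OT network.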
