SDA Gateway

The SDA Console, accessible at https://app.eu1.sdaconsole.io/, serves as the central management platform for creating and managing your industrial connectivity infrastructure. After completing the tenant account onboarding process, you can begin configuring your network topology by creating Gateways and linking industrial devices.

The setup process involves two main steps: first declaring a connectivity Gateway that will serve as the secure bridge between your industrial network and SDA Cloud services, and then creating and linking the industrial devices (such as PLCs, HMIs, and robots) that the Gateway will provide access to.

The SDA Gateway plays a central role in each quarterly release, serving as the secure bridge between on-premise industrial networks and the SDA cloud platform. For more details on how the Gateway fits into the overall system design and setup, please refer to the following information.

Overview

The SDA Connectivity Service is a secure industrial connectivity service that bridges manufacturing networks with cloud services via encrypted VPN tunnels. It relies on the SDA Glue, the application for Gateways, available for Linux and Windows hosts. The service is powered by SoftEther VPN, which also accepts OpenVPN clients (used on Windows), establishing a secure TCP tunnel between a network interface in the Gateway and the SDA cloud services, such as IDEaaS, Backup and Deployment VMs.

It also combines OS native firewalls (Linux iptables and Windows Filtering Platform (WFP)) with a NAT table to bridge vendor-specific software, like Siemens TIA Portal and Rockwell Studio 5000, directly with the device in the manufacturing control layer.


Key Points

Managing industrial assets with SDA is powered by a comprehensive and secure industrial connectivity solution that bridges the gap between manufacturing environments and cloud-based services. By leveraging proven technologies and implementing robust security measures, the service delivers enterprise-grade connectivity tailored specifically for industrial automation and control systems.

Industrial-Grade Security

  • Integration with AWS IoT Core provides secure TLS connections with fine-grained access control policies.

  • Follows industrial IoT security best practices, allowing administrators to restrict access based on device properties and context.

Proven VPN Foundation

  • Utilizes SoftEther VPN, which provides AES 256-bit and RSA 4096-bit encryption with high-speed throughput performance and low memory and CPU usage.

  • Ensures data in transit remains secure from eavesdropping and unauthorized access, ideal for industrial applications where security and performance are critical.

Zero-Trust Network Access

  • Eliminates the need for traditional static VPNs by establishing connections on-demand.

  • This Point-to-Point architecture ensures that users can only access specifically authorized devices, not entire network segments, significantly reducing the attack surface.

Factory-Friendly Design

  • All connections are initiated from the Gateway outward, requiring no inbound firewall rules in the manufacturing environment.

  • This design respects existing industrial security architectures while providing secure remote access capabilities.


Architecture

The peers in a virtual network are called Nodes, the main components in the Connectivity Service. Each connection is built from the interaction of a chain of Nodes, each one with a specific role.

Devices

Industrial assets usually located in the manufacturing secure network that can be accessed by their IP address (e.g., PLCs, HMIs, Robots).

  • Devices are declared in the SDA Console for each Tenant, and user access is managed by Role-Based Access Control (RBAC).

  • Connectivity requires that every Device is linked with at least one network Gateway.

Gateways

Network hosts with secure access to the Internet and to the Devices managed in the SDA Console.

  • Typically IPCs, VMs, Containers, or Raspberry Pis, located in a firewall zone that requires specific rules to access SDA Cloud resources like Tenant Servers.

  • Every Gateway runs the SDA Glue, which is an OS service listening to connection requests and providing telemetry data.

Tenant Servers

Bastion hosts running in a secure SDA Cloud environment, dedicated for every Tenant.

  • Bridge the Gateway’s network interface with an SDA Service VM or another Gateway.

  • Guarantee required filtering policies to ensure Point-to-Point connection only (e.g., from IDEaaS to a specific PLC, and not to other devices in the same network).

  • Authenticate access from Gateways based on a credentials rotation policy for every connection.

Service VMs

Run the applications needed by SDA Services, like IDEaaS, Backup, and Deployment Pipelines.

  • These VMs rely on the Connectivity Service to access Devices on the network layer by their IP address, which is essential for industrial applications.


Cloud

Instead of using traditional static VPNs, the SDA Connectivity Service establishes connections to industrial assets upon requests that are forwarded to a chain of Nodes that operate together to provide Point-to-Point network access between SDA Services and Devices.

For the manufacturing network, all connections are initiated from the Gateway, requiring no inbound connection rules in the factory. To achieve that, Nodes are constantly listening on an IoT message broker for incoming requests, powered by AWS IoT Core.

This architecture enables users to interact with assets in the factory from any place with Internet, from any computer, depending only on a browser.


Network

The Gateway is an edge device sitting between a manufacturing control layer and the Internet, which provides SDA services with controlled access to assets defined in the Console. It is important to consolidate an architecture that securely bridges the SDA Cloud with the local infrastructure.

We recommend one of the two proposed setups for the Gateway, as follows:

Gateway in LAN

This is the most common approach, in which the Gateway is placed next to the PLCs that are onboarded onto the SDA platform.

  • A firewall strictly controls outbound connections from the Gateway to the Internet.

  • The Gateway has access to the subnet where it is located, but a firewall may be provisioned in the network’s router as an Access Control Layer (ACL).

  • It is common to use a Gateway device with two network interfaces: one pointing to the DMZ, and another to the control layer.

  • This architecture allows repeated IP zones (e.g., both with the subnet 10.0.0.0/24).

Gateway in DMZ

This approach is often used when the Gateway runs in a dedicated Virtual Machine within the server infrastructure.

  • The IT team provides special routes between the VM and target PLCs in the control layer, with firewalls likely existing on both Internet and OT access paths.

  • A Network Address Translation (NAT) may exist when going downstream to the PLCs.

    • Attention required: some PLC vendor-specific software may not be compatible with IP aliasing and must connect using the configured project IP.

  • Every PLC in the manufacturing unit must have a unique IP address to avoid collisions.

  • Depending on the network infrastructure, Layer 2 access from Gateways to PLCs may not work—this is an upcoming feature for integration of Real-Time Industrial Networks in SDA services.


Software

The SDA Glue is an application that runs as an OS service, ensuring high availability of the Gateway with automated startup and restart in case of errors.

In order to establish the network tunnels by managing network resources like interfaces, routes, and firewall rules, it must run with elevated privileges as a system user.


Auto-Updates

Auto-Updates are enabled by default. The Glue service will read the latest stable version from repository.eu1.sdaconsole.io and apply the update once there are no active connections.

The updating mechanism:

  • Downloads the new application binary

  • Replaces the old binary with the new one

  • Restarts the service
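
The three steps above, written out as an added shell example. This is not the SDA Glue updater: it shows one defensible way to perform the swap, with two details the page does not state and which are assumptions here, namely that a SHA-256 digest for the release is available to compare against before the binary is replaced, and that the caller passes in the current number of active connections. The update is staged next to the installed file and renamed, so the service never observes a half-written executable.

```bash
#!/usr/bin/env bash
# Added example, not SDA Glue's updater: verify the downloaded binary,
# defer while connections are active, then swap it in atomically.
# Assumptions (not from the page): the expected SHA-256 is supplied by the
# caller (hypothetically published beside the binary on the repository),
# and so is the count of active connections.
set -eu

# sha256_of FILE -> hex digest on stdout (coreutils, with a BSD fallback)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# apply_update NEW_BINARY EXPECTED_SHA256 INSTALL_PATH ACTIVE_CONNECTIONS
# Exit status 0: update applied. 1: deferred (active connections) or
# refused (digest mismatch). The installed binary is untouched on 1.
apply_update() {
  local new="$1" expected="$2" target="$3" active="$4" actual staged
  # 1. Defer while tunnels are up: swapping the binary mid-session would
  #    drop live sessions (the page applies updates only when idle).
  if [ "$active" -gt 0 ]; then
    echo "update deferred: $active active connection(s)" >&2
    return 1
  fi
  # 2. Verify integrity before touching the installed file, so a corrupted
  #    or tampered download never becomes the running service.
  actual="$(sha256_of "$new")"
  if [ "$actual" != "$expected" ]; then
    echo "update refused: digest mismatch for $new" >&2
    return 1
  fi
  # 3. Stage beside the target and rename: mv within one filesystem is
  #    atomic, so there is no window with a partially written executable.
  staged="${target}.new.$$"
  cp "$new" "$staged"
  chmod 0755 "$staged"
  mv -f "$staged" "$target"
  echo "update applied to $target" >&2
  return 0
}

# In a real service this would signal the service manager
# (for example `systemctl restart`); kept as a message here.
restart_service() {
  echo "restart requested for service $1" >&2
}

# Typical call sequence (paths and digest are placeholders):
#   apply_update /tmp/glue.download <sha256-from-release> /opt/glue/glue 0 \
#     && restart_service glue
```

The function refuses in both failure cases without modifying the installed binary, which is the property a practitioner should check first when reviewing any self-updating agent that runs with system privileges.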


AWS IoT Core Connection

The Glue connects to AWS IoT Core during login, using the endpoint iot.eu1.sdaconsole.io.

Once connected, the Glue service will:

  • Constantly listen to requests from the SDA Cloud

  • Publish telemetry data such as the status of the Devices associated with the Gateway

IoT authentication is protected by:

  • A short ID and a one-time password (OTP) retrieved from the SDA Console

  • A secret key embedded in the application binary

The connection to IoT can be configured to use:

  • MQTT SSL, or

  • WebSocket Secure, both on port 443


Platform Differences

The network mechanisms are different for Linux and Windows. Therefore, they are described separately.


Linux

SDA Glue on Linux relies on the SoftEther VPN Client, which is open-source (Apache License 2.0) and installed from SDA’s mirror on repository.eu1.sdaconsole.io during Glue installation.

For each connection:

  • Glue uses the SoftEther Client to create a NIC network interface and connect it to the Tenant Server.

  • It uses Linux IP tools to assign an IP address to that interface and create the necessary routes between the Service VM and the target Device.

Internal firewall rules and NAT translation are created in iptables, which:

  • Do not allow incoming network packets to the Gateway

  • Only forward packets to the target Device
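
The per-connection sequence above (bring up the tunnel interface, assign an address, then add iptables rules that admit nothing to the Gateway and forward only to the one target Device), as an added shell example that is not SDA Glue's code. It prints the commands rather than running them, so it can be reviewed or diffed before being piped to a root shell. Assumptions not taken from the page: the interface names vpn_sda0 and eth1, the tunnel address on the SoftEther NIC, and that when the Service VM dials an alias address instead of the Device's project IP, that alias is routed to this Gateway by the Tenant Server and translated here with DNAT. The example also handles the page's caveat about vendor software that cannot use an aliased address: when the dialled address equals the Device IP, no translation rule is emitted.

```bash
#!/usr/bin/env bash
# Added example, not SDA Glue's implementation: Linux commands for one
# Point-to-Point connection. Interface names, the tunnel address and the
# alias-then-DNAT arrangement are assumptions; the page states only that
# no packets enter the Gateway and only the target Device is forwarded to.
set -eu

# p2p_rules ACTION VPN_IF DIALLED_IP LAN_IF DEVICE_IP
#   ACTION is -A (add) or -D (delete), so the same function produces both
#   the setup and the teardown of a connection. One command per line.
p2p_rules() {
  local act="$1" vpn="$2" target="$3" lan="$4" dev="$5"
  # Nothing arriving on the tunnel is for the Gateway itself: no local
  # service on the Gateway is reachable from the cloud side.
  echo "iptables $act INPUT -i $vpn -j DROP"
  # Only when the Service VM dials an alias rather than the Device's own
  # project IP: rewrite the destination before routing (PREROUTING).
  if [ "$target" != "$dev" ]; then
    echo "iptables -t nat $act PREROUTING -i $vpn -d $target -j DNAT --to-destination $dev"
  fi
  # Forward tunnel -> this Device only, plus the replies of those flows.
  echo "iptables $act FORWARD -i $vpn -o $lan -d $dev -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables $act FORWARD -i $lan -o $vpn -s $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Anything else entering from this tunnel (other hosts in the same
  # subnet, scans of neighbouring addresses) is refused: no segment access.
  echo "iptables $act FORWARD -i $vpn -j DROP"
  # Source-NAT towards the Device so replies come back through the
  # Gateway even when the Device's default route does not point at it.
  echo "iptables -t nat $act POSTROUTING -o $lan -d $dev -j MASQUERADE"
}

# connection_plan VPN_IF TUNNEL_IP DIALLED_IP LAN_IF DEVICE_IP
#   Full bring-up order: link, address, kernel forwarding, then rules.
connection_plan() {
  local vpn="$1" tip="$2" target="$3" lan="$4" dev="$5"
  echo "ip link set dev $vpn up"
  echo "ip addr add $tip/24 dev $vpn"
  # The FORWARD chain is only consulted when the kernel forwards at all;
  # without this the ACCEPT rules above would never match.
  echo "sysctl -w net.ipv4.ip_forward=1"
  p2p_rules -A "$vpn" "$target" "$lan" "$dev"
}

# connection_teardown VPN_IF TUNNEL_IP DIALLED_IP LAN_IF DEVICE_IP
#   Reverse of connection_plan: remove rules first, then the address.
connection_teardown() {
  local vpn="$1" tip="$2" target="$3" lan="$4" dev="$5"
  p2p_rules -D "$vpn" "$target" "$lan" "$dev"
  echo "ip addr del $tip/24 dev $vpn"
  echo "ip link set dev $vpn down"
}

# Review the plan, then apply as root:
#   connection_plan vpn_sda0 10.200.0.1 10.200.0.5 eth1 10.0.0.20
#   connection_plan vpn_sda0 10.200.0.1 10.200.0.5 eth1 10.0.0.20 | sudo sh
```

Two things worth checking when auditing a Gateway of this kind: that the interface-scoped DROP rules are present for every tunnel interface (so a second connection cannot widen the first), and that the ACCEPT rules carry a single `-d` Device address rather than a subnet.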

Windows

SDA Glue on Windows does not support the embedded usage of SoftEther VPN Client. Therefore, it uses the OpenVPN Community Open-Source Client (GPL license version 2), installed from SDA’s mirror on repository.eu1.sdaconsole.io during Glue installation.

For each connection:

  • Glue uses the OpenVPN TAP driver to create a network interface and connect it to the Tenant Server using certificate-based authentication.

  • It uses Windows native API to assign an IP to the interface and create the necessary routes between the Service VM and the target Device.

Glue also uses Windows Filtering Platform (WFP) to create dedicated layers and firewall rules. However, it depends on WinNAT (or NetNat) to declare the address translation between the Service VM and the Device, which may not be enabled by default.

Summary

The SDA Connectivity Service delivers a mature, secure, and scalable solution for industrial connectivity challenges.

By combining proven open-source technologies like SoftEther VPN with enterprise-grade cloud infrastructure from AWS IoT Core, the service provides the reliability and security that industrial operations require while offering the flexibility and ease of use that modern engineering teams expect.

The service’s architecture respects industrial security principles while enabling digital transformation initiatives that drive:

  • Operational efficiency

  • Remote collaboration

  • Data-driven decision making

For organizations seeking to securely connect their industrial assets to cloud services without compromising network security or operational reliability, the SDA Connectivity Service provides a comprehensive, production-ready solution.
