Azure IoT Edge -How to pull data from Purdue OT Level 2/3 devices and move it to IT layer

Question

Azure IoT Edge -How to pull data from Purdue OT Level 2/3 devices and move it to IT layer

Pavan Puligandla 105

Hi,

I'm looking at these blogs(https://learn.microsoft.com/en-us/answers/questions/1414540/difference-between-azure-iot-and-azure-iot-edge-an) to move data from lower levels of Purdue OT network to Level 5 DMZ IT network. But I'm not clear with the approach as it was not specified in the Microsoft blogs. Below is what I'm looking for and would need your help in stitching the pieces.

If I've 1000+ devices on Level 3 network of OT, how many IoT Edge devices should I deploy? Can one Linux VM with custom modules docker image suffice? or do we need more here? Is it like one IoT Edge device instance per device to get the data moved from level 3 to level 5?
Lets say my 1000+ devices are already outputting the files to a connected lab pc on level 3, in that case how can I connect to that lab PC to pull the files using IoT Edge modules and move it to azure cloud storage like?
In movement of data case, do we need Azure IoT Hub or we can use azure file share or in memory IoT edge blob storage and sync it with blob storage on the cloud and expose that data to a 3rd party API? How this file sync works?
If I need Azure IoT Hub data ingestion, how would we push the files to IoT Hub on cloud directly from Level 5 IT network?

Thanks

Accepted answer

0 additional answers

Your answer

Answer 1

Sander van de Velde | MVP 36,941 MVP Volunteer Moderator

Hello @Pavan Puligandla ,

welcome to this moderated Azure community forum.

The simplest answer regarding the Perdue / ISA-95 support is by creating a hierarchy of Azure IoT Edge devices, one at every level:

Structure of the tutorial hierarchy, containing two devices: the top layer device and the lower layer device

This way, you have full control over the communication between each device.

Regarding Q1, the number of devices needed is depending on many variables like:

the amount of compute available on an edge device
the amount of messages and message size provided
How many modules needed for eg. protocol translations or message filtering/transformations, etc (max 50 by default)

The best way is to start connecting a small group for collecting data offers the most value through insights. From there, learn about the load and the value and needs. For sure you normally do not need to have a 1-to-1 ratio between machines and edge devices.

Regarding Q2, you want to move files from edge to cloud. You can use Azure IoT Edge to move files to the cloud in a secure way towards a Blob storage account. Check out this post regarding forwarding blob files.

But how about turning the content of the local blob files in separate (one of more) messages sent to the IoT Hub as a stream? This is also a scenario, turning lines of a text file from a batch into separate messages. This also makes it possible to act more real-time.

As an alternative, if the files can be compressed to under 256KB, these could be sent as separate messages at once.

Regarding Q3, it seems you are pointing to that Blob storage account sync, as seen in this post .

That is a Azure storage account specific synchronization between a local 'storage account' container from Microsoft and an Azure Storage account.

You are free to build your own synchronization on other resources or use some 3rd party solution.

Azure IoT Edge is basically a docker container distribution mechanism. You can deploy any 3rd party Docker container including Grafana, InFluxDB, Mosquitto, etc. The only thing to take into account is that these 3rd party modules do not support the Azure IoT Edge Edgehub routing mechanism. So you need to provide a 'custom bridge module' is needed.

Regarding Q4, this seems to be the same question as Q3. If you want to push file to the Azure cloud, you probably forward them to a Storage account.

The Azure IoT Hub offers a separate integration with a storage account but this is only available via the File Upload functionalty of the Azure IoT DeviceClient, part of the Azure IoT Device SDK.

An Azure IoT Edge works with ModuleClients, living in the individual modules/docker containers and this ModuleClient does not support file upload functionality.

Finally, please experiment with Azure IoT Edge so you understand the basic components and modules offers by this very flexible ecosystem. Then you also learn about the size needed to upload data to the cloud and adding value through insights.

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

Pavan Puligandla 105 Reputation points

2025-04-10T05:25:55.95+00:00

Thank you for elaborately explaining the scenarios, we would definitely go with IoT Edge experimentation for sure. However, I was curious to learn on the below particular scenario,

If Level 2 PC that captures files is registered as an IoT Edge device, then how can I transfer the file to Level 5 IT DMZ and then to cloud in a real time fashion? can we make use of Azure file share sync mechanism to mount the volumes on IoT Edge on prem lab PC to azure files on a VM using NFS or SMB and then moving that file to third party API?

I'm looking out for 2 things here - 1. With IoT Edge and 2 . Without IoT Edge

Request you to comment on this.

Thanks!
Sander van de Velde | MVP 36,941 Reputation points MVP Volunteer Moderator

2025-04-10T06:52:49.5166667+00:00

Hello @Pavan Puligandla ,

The nested IoT Edge solution adds a 'pass-through tunnel' over each edge device so messages can flow through the layers to the cloud.

The standard module with the blob sync to an Azure storage account needs access to the storage account directly.

Your scenario seems to need another approach eg. turning files into messages.
Pavan Puligandla 105 Reputation points

2025-04-10T13:01:56.36+00:00

Thank you,

I'm also thinking of enabling Azure File share in Level 3 lab PC's and sync the files directly to Azure blob storage. I'm not sure if this can be done without IoT Edge or not. Any comments or guidance on this would be greatly appreciated. going thru Azure IoT Edge and Hub is for sure but as an interim or tactical solution would be to open a file share between level 3 OT lab pc and syncing it to the cloud.
Sander van de Velde | MVP 36,941 Reputation points MVP Volunteer Moderator

2025-04-10T17:12:10.1166667+00:00

Hello @Pavan Puligandla ,

This Azure Files feature is a separate Azure feature, part of Azure Storage account functionality. It is unrelated to Azure IoT.
Pavan Puligandla 105 Reputation points

2025-05-02T13:31:09.7866667+00:00
Hello @Sander van de Velde | MVP I was going thru the IoT Edge stuff and had below questions during my study and would request you to kindly point me in right direction.

we have SAP in Level 5 IT network and we may also need to send the data to SAP. Is it possible thru Azure IoT Edge OPC UA to send message directly to SAP ECC/S4 Hana? Please confirm.

we have few OT related apps in level 3 which outputs the lab files( you can treat this as LIMS application) and we also need to communicate with SAP QM modules from LIMS. Can this also be achieved with OPC UA thru Iot Edge? we need direct communication with SAP systems from our OT network instead of sending the messages to Azure IoT Hub and then to Event Grid from there to SAP thru RFC logic app.

How can we use OPC UA to communicate with Azure IoT Hub from the Azure IoT Edge instead of MQTT? Is this possible and if yes, I could not reconcile the benefits of using OPC UA over MQTT over HTTPS over AMQP protocols. What best could we do on this ask? Reference link - (https://www.kai-waehner.de/blog/2022/02/11/opc-ua-mqtt-apache-kafka-the-trinity-of-data-streaming-in-industrial-iot/)

Can you please point me in right direction with recommended articles which I couldnt find good ones.

Thanks in advance
Sander van de Velde | MVP 36,941 Reputation points MVP Volunteer Moderator

2025-05-02T23:19:21.2933333+00:00

Hello @Pavan Puligandla ,

I have no hands-on experience with the SAP tooling you mention so I can only answer this in a general way.

Regarding all questions, Azure IoT Edge internal routing is based on MQTT. While an Azure IoT Edge solution (or better: one or more docker containers deployed on it) can act as an OPC-UA client and/or server, the OPC-UA communication is passed on via MQTT. You will find AMQP in the documentation too but that gives practically the same solution.

So MQTT is the transport layer protocol on which Azure IoT Edge communicates.
Pavan Puligandla 105 Reputation points

2025-05-13T15:29:06.85+00:00
Hello @Sander van de Velde | MVP

Thank you for your helpful insights, a couple of questions around Azure IoT Edge,

Does Azure IoT Edge natively support OPC UA and Unified namespace?

How do we implement UNS design pattern in Azure IoT Edge?

I've seen a video which talks about Azure IoT Operations, but we would like to pursue Azure IoT Edge and Azure IoT Hub with native OPC UA and UNS support. Can you please point me in a right direction.

Thanks in advance
Pavan Puligandla 105 Reputation points

2025-05-14T09:12:27.5+00:00

Any clarification on the above would be greatful and we can proceed with our POC implementation.
Manas Mohanty 8,320 Reputation points Microsoft External Staff Moderator

2025-05-14T10:57:02.6233333+00:00
Hi Pavan Puligandla

Sorry for the delay in response.

Yes, Azure IoT Edge natively supports OPC UA via Azure IoT Operations through a dedicated connector for OPC UA. This connector is a Kubernetes-native application that:

Connects to multiple OPC UA servers simultaneously.

Publishes telemetry and event data in OPC UA PubSub format using JSON encoding.

Supports MQTT as the transport layer, enabling integration with cloud services and local workloads.

Offers features like automatic reconnection, payload compression, Open Telemetry observability, and secure authentication (including username/password and encryption)

Regarding Unified namespace implementation

The UNS design pattern aims to create a single, hierarchical, and real-time data model that unifies all industrial data sources. While Azure IoT Edge doesn't offer a direct UNS solution, you can implement the pattern using the following components:

OPC UA Connector: Acts as the ingestion layer, pulling structured data from industrial assets.

MQTT Broker: Azure IoT Edge can route OPC UA data to an MQTT broker, which serves as the backbone of the UNS.

Azure IoT Hub / Azure Digital Twins: These services can be used to model the namespace and provide semantic context.

Azure IoT Operations: Offers a shared control and data plane for edge and cloud, aligning with UNS principles of unified access and control

Reference - https://learn.microsoft.com/en-us/azure/iot-operations/discover-manage-assets/overview-opcua-broker

Reference blog-

https://learn.microsoft.com/en-us/azure/iot/tutorial-iot-industrial-solution-architecture

Hope it helps

Thank you.
Pavan Puligandla 105 Reputation points

2025-05-14T11:32:08.81+00:00

thank you for the response,

do we need to make use of both azure iot edge and azure iot operations then?
Manas Mohanty 8,320 Reputation points Microsoft External Staff Moderator

2025-05-14T11:58:46.9433333+00:00

Yes, Pavan Puligandla

We have to use both Azure IOT edge and IOT operations.

Also attached documentation from IOT operations on Layered network

https://learn.microsoft.com/en-us/azure/iot-operations/manage-layered-network/concept-iot-operations-in-layered-network

Thank you
Sander van de Velde | MVP 36,941 Reputation points MVP Volunteer Moderator

2025-05-19T21:10:43.4666667+00:00

Hi Pavan Puligandla,

Note: Please create a separate questions so other can fins these if they have the same questions. This question and answer is not quite hidden.

sorry for the late response.

I read the comments and combining Azure IoT Edge with Azure IoT Operations just to support UNS seems a bit much.

Regarding OPC-UA support, There is a Microsoft provided module named OPC Publisher that can read tags and forward them using the internal module-to-module routing.

We prefer 3rd party tooling, an C# SDK as Nuget package, to read tags.

Yes, this SDK is not free but days of programming is still cheaper that months of tinkering with that 'free' module because it can be hard to get it right. And running Azure IoT Operations is not free either.

Plus, an OPC-UA SDK also supports writing messages or proving an OPC-UA server.

Regarding the universal Namespace, UNS... it depends.

In Azure IoT Operations, the UNS is the topic (of the local MQTT broker) on which tag messages are posted. This mqtt topic could look like 'company\country\factory\line\device' so we get some UNS context about where the data is coming from, from the Asset itself.

That topic can then be added to the tag message via an enrichment.

So technically, it's up to you how you work with an UNS.

In Azure IoT Edge, you could recreate this by running an MQTT broker alongside the OPC-UA client.

But using a desired property as UNS value and adding that to each message could work too.

You do not need Azure IoT Operations, just some imagination to get UNS working in Azure IoT Edge once you have OPC-UA working.

Share via

Azure IoT Edge -How to pull data from Purdue OT Level 2/3 devices and move it to IT layer

0 additional answers

Your answer