A study by Capgemini Research Institute indicates that 60% of organizations across various sectors are currently using digital twins to enhance their operational performance and sustainability efforts, and this is expected to increase by another 36% in the next 5 years. Ensuring data security and securing the assets, apps, devices and equipment involved in the digital twins ecosystem is paramount to the success of a digital twins implementation: these projects involve valuable and sensitive information that, if compromised, may lead to serious consequences. NetFoundry has been helping organizations establish secure networks for IT, IoT and OT over the internet via our Network as a Service platform. In this article, we'll discuss our solution approach to establishing military grade secure networks to Azure Digital Twins, using the power of software defined networking and the zero trust framework.
Getting started:
What you need to get started:
1. A NetFoundry Cloud account - Go through the steps to create a free trial account if you don't have one.
2. A network in your account with at least one public router. The following articles will guide you through this process:
- How to create a network
- Provision a public router (NetFoundry hosted)
- Firewall policy requirements to provide outbound only access to the NetFoundry network
Creating an Azure Digital Twins instance:
You can follow the steps outlined in the "Set up Azure Digital Twins" section of this document:
Create a new virtual network (VNet) or use an existing one to provision your Azure Digital Twins instance.
Disable public network access:
The next step is to disable public network access for your ADT instance and the ADT explorer. Once disabled, they can no longer be reached without establishing a secure private connection to Azure.
Connect to the ADT instance via a private endpoint:
In the same VNet, provision an Azure private endpoint. The private endpoint is our entry point within Azure to reach the ADT instance. You can follow the instructions outlined in the "Add a private endpoint to existing instance" section of the document: https://learn.microsoft.com/en-us/azure/digital-twins/how-to-enable-private-link?tabs=portal%2Cportal-2#add-a-private-endpoint-to-an-existing-instance
Check that the private endpoint association is reflected under the Networking section.
Spin up a NetFoundry edge router in Azure:
The NetFoundry edge router is the gateway to Azure Digital Twins via the private and secure zero trust overlay. Follow the instructions to spin up the NetFoundry edge router in Azure from the Azure Marketplace. The router has to be spun up in the same VNet as your ADT instance, or have reachability to the ADT instance via VNet peering.
The router should show registered and online once provisioned successfully.
Create your identity, service and service policy:
You can access your ADT explorer via the NetFoundry endpoint software on your laptop, or via an edge router at your office or factory, where the edge router acts as a WAN gateway.
- Create your identity - If you are accessing the ADT explorer from a PC or laptop or mobile
- Create your service for ADT explorer
The service is configured with a wildcard intercept address derived from the host name of the ADT instance.
The host name from Azure for the ADT instance is ADTNetFoundry.api.sea.digitaltwins.azure.net and the service is configured with the wildcard intercept hostname *.ADTNetFoundry.api.sea.digitaltwins.azure.net to reach the ADT explorer URL via the NetFoundry Cloud network.
The identity selected for the service is that of the customer edge router that was provisioned in the Azure VNet from the Marketplace.
Port 443 is selected since this is an HTTPS service.
- Create your service policy to allow your identity (or identities) to access the service (ADT explorer)
Create a service policy to allow the device identities, or the identity of the router deployed in your factory or site, to access the ADT service over the highly secure NetFoundry Cloud network. Note that you can have a mix of device identities and router identities, so that engineers can access the ADT explorer app from a work location or from anywhere. You can follow this article on how to create your service policy.
The service policy that allows identities to access the ADT explorer service has been created as shown below:
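To make the identity, service and service policy steps above concrete, here is an added example (not NetFoundry's or Azure's code) that models those three objects and answers the two questions a reviewer of this setup asks: which host:port requests the wildcard intercept captures, and which enrolled identities the policy actually lets dial the ADT explorer service. The matching rules are assumptions about the OpenZiti conventions NetFoundry Cloud builds on: a "*." prefix matches subdomains of any depth but not the apex name, and policy roles are written "#attribute", "@name" or "#all". The identity names, the "adt-users" attribute and the "explorer." subdomain are constructed for illustration; the ADT host name is the one from the article.

```python
# Added example (not NetFoundry's or Azure's code): a simplified model of the
# identity, service and service-policy objects from the steps above, used to
# check which host:port requests the wildcard intercept captures and which
# identities the policy allows to dial the ADT explorer service.
# Assumptions: matching follows OpenZiti conventions, which NetFoundry Cloud
# builds on; a "*." prefix matches subdomains of any depth (apex excluded) and
# policy roles are written "#attribute", "@name" or "#all".
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    attributes: frozenset = frozenset()


@dataclass
class Service:
    name: str
    intercept_addresses: list
    port_ranges: list                       # [(low, high), ...]
    protocols: frozenset = frozenset({"tcp"})
    attributes: frozenset = frozenset()


@dataclass
class ServicePolicy:
    name: str
    identity_roles: list
    service_roles: list
    type: str = "Dial"                      # "Dial" for consumers, "Bind" for the hosting router
    semantic: str = "AnyOf"                 # "AnyOf" or "AllOf"


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one intercept address against a requested host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".adtnetfoundry.api.sea.digitaltwins.azure.net"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def is_intercepted(service: Service, host: str, port: int, proto: str = "tcp") -> bool:
    """True if the endpoint software would capture this connection for the service."""
    return (proto in service.protocols
            and any(host_matches(p, host) for p in service.intercept_addresses)
            and any(low <= port <= high for low, high in service.port_ranges))


def roles_match(roles, name: str, attributes, semantic: str) -> bool:
    """Evaluate a role list against one entity under AnyOf/AllOf semantics."""
    def one(role: str) -> bool:
        if role == "#all":
            return True
        if role.startswith("@"):
            return role[1:] == name
        if role.startswith("#"):
            return role[1:] in attributes
        raise ValueError(f"unknown role syntax: {role!r}")
    results = [one(r) for r in roles]
    if not results:                         # an empty role list grants nothing
        return False
    return any(results) if semantic == "AnyOf" else all(results)


def can_dial(identity: Identity, service: Service, policies) -> bool:
    """True if at least one Dial policy grants this identity access to the service."""
    return any(
        p.type == "Dial"
        and roles_match(p.identity_roles, identity.name, identity.attributes, p.semantic)
        and roles_match(p.service_roles, service.name, service.attributes, p.semantic)
        for p in policies)


def dial_review(identities, service: Service, policies) -> dict:
    """Map every enrolled identity to whether it may reach the service; compare
    this against who is meant to have access (a least-privilege check)."""
    return {i.name: can_dial(i, service, policies) for i in identities}


# Constructed sample objects mirroring the article's configuration.
ADT_SERVICE = Service(
    name="adt-explorer",
    intercept_addresses=["*.ADTNetFoundry.api.sea.digitaltwins.azure.net"],
    port_ranges=[(443, 443)],
)
IDENTITIES = [
    Identity("azure-edge-router"),                              # hosts the service, does not dial it
    Identity("factory-edge-router", frozenset({"adt-users"})),  # WAN gateway at the site
    Identity("engineer-laptop", frozenset({"adt-users"})),
    Identity("guest-laptop"),                                   # enrolled, but deliberately not granted
]
POLICIES = [
    ServicePolicy("adt-explorer-dial", identity_roles=["#adt-users"],
                  service_roles=["@adt-explorer"]),
]

if __name__ == "__main__":
    for host, port in [("explorer.ADTNetFoundry.api.sea.digitaltwins.azure.net", 443),
                       ("explorer.ADTNetFoundry.api.sea.digitaltwins.azure.net", 80),
                       ("other.digitaltwins.azure.net", 443)]:
        print(f"{host}:{port} intercepted={is_intercepted(ADT_SERVICE, host, port)}")
    print(dial_review(IDENTITIES, ADT_SERVICE, POLICIES))
```

The `dial_review` output is the list to hold up against your intended access list: the router that hosts the service in Azure should not appear as a dialer, and any identity that is enrolled in the network but missing the granting attribute should show `False`. Granting access through an attribute such as `adt-users` rather than by naming each identity keeps the policy stable as engineers and site routers are added.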
Access the ADT explorer app over the secure, private NetFoundry Cloud network:
Check that the NetFoundry edge client running on your device has an identity with access to the Azure Digital Twins service.
You should be able to access the service over the NetFoundry Cloud network. You can also verify that you are not able to access the ADT explorer app over the public internet.
In the Metrics section of the console, you can verify the service traffic.
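The two checks above (reachable over the NetFoundry network, not reachable over the public internet) can be scripted. The following is an added example, not NetFoundry's or Azure's code: it resolves the ADT host name, classifies which path answered, and probes TCP 443. Run it once from a device whose NetFoundry endpoint holds a granted identity and once from a device without one. It assumes that a resolved address which is not globally routable (RFC 1918 space, or the 100.64.0.0/10 range that overlay tunnelers commonly hand out for intercepted names) means the private path handled the name, and that a globally routable address means the lookup went to public DNS. The `resolve` and `connect` parameters are injectable only so the logic can be exercised without a network.

```python
# Added example (not NetFoundry's or Azure's code): a reachability check for
# the verification step above. Assumptions: a resolved address that is not
# globally routable means the private path is handling the name; a globally
# routable address means the lookup went to public DNS. The check confirms
# which path the name took, not what the service answers at the HTTP layer.
import ipaddress
import socket

ADT_HOST = "ADTNetFoundry.api.sea.digitaltwins.azure.net"   # host name from the article


def classify_path(address: str) -> str:
    """'private-path' for RFC 1918 / 100.64.0.0/10 style addresses, else 'public-internet'."""
    ip = ipaddress.ip_address(address)
    return "private-path" if not ip.is_global else "public-internet"


def _tcp_connect(address: str, port: int, timeout: float) -> bool:
    """Real TCP probe; returns True if the handshake completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str = ADT_HOST, port: int = 443, *, resolve=None, connect=None,
                   timeout: float = 3.0) -> dict:
    """Resolve the host, classify the path and probe TCP reachability.
    `resolve` and `connect` default to the OS resolver and a real TCP connect;
    they are injectable so the logic can be tested with constructed values."""
    resolve = resolve or socket.gethostbyname
    connect = connect or _tcp_connect
    try:
        address = resolve(host)
    except OSError as exc:
        return {"host": host, "address": None, "path": "unresolved",
                "tcp_open": False, "detail": str(exc)}
    return {"host": host, "address": address, "path": classify_path(address),
            "tcp_open": connect(address, port, timeout), "detail": ""}


def verdict(report: dict, expect_private: bool) -> str:
    """'ok' when the observation matches what this device should see.
    A granted device must reach the name over the private path with TCP 443
    open; an ungranted device must see the public address only (whether the
    public address accepts TCP is not checked: the name must simply not be
    served by the private path)."""
    if expect_private:
        if report["path"] == "private-path" and report["tcp_open"]:
            return "ok"
        return "unexpected: expected private path with TCP 443 open"
    if report["path"] == "public-internet":
        return "ok"
    return "unexpected: ungranted device did not resolve a public address"


if __name__ == "__main__":
    import sys
    granted = "--granted" in sys.argv      # pass --granted on the device with the identity
    report = check_exposure()
    print(report)
    print(verdict(report, expect_private=granted))
```

Use `python check.py --granted` on the laptop or router that holds an identity in the service policy, and `python check.py` on one that does not; a verdict other than `ok` on either side means the private endpoint, the intercept address or the policy is not doing what the steps above intend.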