Thanks so much Phil. I think this is what I'll end up doing. An Ignition gateway with no internet access on the OT network, and an Ignition gateway with internet in the DMZ to handle the db buffer, cloud sync operations, and non-production applications.
I know Ignition does mirroring/replication from a master gateway to a backup gateway, but I guess I will have to use this article for the Postgres database replication. PostgreSQL: Documentation: 17: 53.4. Streaming Replication Protocol
Do you know if there's a way to also replicate/store an offline version of a cloud identity provider like Okta in Ignition? Or would I need to authenticate using the default Ignition IdP on the OT offline side?
Be aware that PostgreSQL has two forms of replication:
- Super-efficient physical replication, where everything that happens to the source DB, including DB structure changes, flows to the replicas. These replicas must strictly match versions, including certain system library versions.
- Less-efficient logical replication, where only data is replicated, and external tasks must keep structure compatible. These replicas can be different versions, and can merge from multiple sources, and can selectively replicate only parts of the source.
Not that I'm aware of.
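As an added example of the logical form described above (example code, not Phil's or Inductive Automation's), here is the OT-side publication that exposes only selected historian tables and the DMZ-side subscription that pulls them; the host addresses, database, role and table names are constructed for illustration.

```sql
-- ===== OT-side PostgreSQL (publisher) =====
-- Prerequisites outside SQL (constructed values):
--   postgresql.conf : wal_level = logical
--   pg_hba.conf     : hostssl ignition_db repl_dmz 10.10.20.5/32 scram-sha-256
-- Only the DMZ replica host, over TLS, may open a replication connection.
-- (The physical counterpart would instead be pg_basebackup -R from the
--  standby, which writes primary_conninfo and standby.signal, and requires
--  matching major versions on both sides.)

CREATE ROLE repl_dmz WITH LOGIN REPLICATION PASSWORD 'replace-me';

-- Table the Ignition historian writes to (constructed schema). A primary key
-- gives logical replication the replica identity it needs for UPDATE/DELETE.
CREATE TABLE tag_history (
    tag_id     integer NOT NULL,
    t_stamp    bigint  NOT NULL,
    floatvalue double precision,
    PRIMARY KEY (tag_id, t_stamp)
);

-- Logical replication can publish a subset of the database: the DMZ copy
-- receives tag_history only, never Ignition's internal or credential tables.
CREATE PUBLICATION ot_to_dmz FOR TABLE tag_history;
-- SELECT is needed by the replication role for the initial table copy.
GRANT SELECT ON tag_history TO repl_dmz;

-- ===== DMZ-side PostgreSQL (subscriber) =====
-- Logical replication does not carry DDL, so the table must be created here
-- with a compatible structure before subscribing.
CREATE TABLE tag_history (
    tag_id     integer NOT NULL,
    t_stamp    bigint  NOT NULL,
    floatvalue double precision,
    PRIMARY KEY (tag_id, t_stamp)
);

-- The subscriber opens the connection, so the only firewall rule needed is
-- DMZ -> OT on the PostgreSQL port; the OT side never connects outward.
-- The password is read from a libpq passfile rather than being stored in
-- the connection string (which is visible in pg_subscription).
CREATE SUBSCRIPTION dmz_sub
    CONNECTION 'host=10.10.10.5 port=5432 dbname=ignition_db user=repl_dmz
                sslmode=verify-full sslrootcert=/etc/ssl/ot-ca.crt
                passfile=/var/lib/postgresql/.pgpass'
    PUBLICATION ot_to_dmz;

-- ===== Back on the publisher: confirm the DMZ replica is keeping up =====
SELECT slot_name, active,
       pg_size_pretty(pg_wal_lsn_diff(pg_current_wal_lsn(), confirmed_flush_lsn)) AS lag
FROM pg_replication_slots;
```

An inactive slot with growing lag means the DMZ subscriber has stopped consuming, and WAL will accumulate on the OT primary until it reconnects or the slot is dropped.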
Hi Sergio, I gotcha. The reverse proxy seems like a key piece in connecting OT data to IT applications internally through the DMZ. For cloud operations, I think the intermediate host could have internet and sit in the DMZ like you suggested, read data stored in the DMZ (replicated from OT), and push the data up to the cloud. Very helpful, thank you!