We are looking for the possibility to add an Ignition gateway to our architecture. We are actually designing a whole new network architecture.
We will have two separate networks:
1- Control LAN
2- Business LAN
The two LANs will be connected through 2 firewalls.
What are the best practices, considering the gateway will act as historian and the users that will access the historian can be on the business LAN (and can ask for big quantities of data)?
Should the gateway be installed on the business lan? Or on the control lan?
You’re missing an important section in your Architecture.
There should be a DMZ between the business firewall and the Control Firewall
Business LAN >>> Business Firewall >>> DMZ >>> Control Firewall >>> Control LAN
Servers which require access to both networks should be located inside of the DMZ; this is where your gateway should exist, as well as other things like database servers etc.
Also, if you do not feel like opening a hole in the Control Firewall for your control devices then one option is to have a second gateway which exists inside of the Control Network and is a remote tag provider to the Gateway in the DMZ, this way the ACL only need be modified to allow traffic between the two gateways.
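An added example (not from the forum post or from Inductive Automation) that models the layout above as a small policy check: a ruleset is audited against the Business LAN >>> Business Firewall >>> DMZ >>> Control Firewall >>> Control LAN design, using the second-gateway option where only the two gateways cross the control firewall. Host names, the inventory and the ports (8060 as the Ignition gateway-network port, 8088 for the gateway web port, 5432 for the database) are assumptions for the example.

```python
"""Added example (not from the forum post): audit candidate firewall rules
against the two-firewall/DMZ design. Host names, zone assignments and the
port numbers below are assumptions, not values from the thread."""

# Constructed inventory: which host lives in which zone.
HOSTS = {
    "hist-client": "business",   # analyst pulling large historian queries
    "ign-dmz": "dmz",            # Ignition gateway acting as historian
    "db-dmz": "dmz",             # historian database, also in the DMZ
    "ign-control": "control",    # second gateway, remote tag provider
    "plc-1": "control",          # a control device
}

GAN_PORT = 8060  # assumed Ignition gateway-network port
# Only traffic between the two gateways may cross the control firewall.
GATEWAY_PAIR = {("ign-control", "ign-dmz"), ("ign-dmz", "ign-control")}

def check_rule(rule):
    """Return None if rule=(src_host, dst_host, dst_port) fits the design,
    otherwise a short reason why it does not."""
    src, dst, port = rule
    sz, dz = HOSTS[src], HOSTS[dst]
    if sz == dz:
        return None  # intra-zone traffic never crosses either firewall
    if {sz, dz} == {"business", "control"}:
        return "bypasses the DMZ: business and control may not talk directly"
    if "control" in (sz, dz):
        # Crossing the control firewall: gateway pair only, GAN port only.
        if (src, dst) not in GATEWAY_PAIR:
            return "control firewall only permits the gateway-to-gateway link"
        if port != GAN_PORT:
            return f"gateway link must use port {GAN_PORT}, not {port}"
    return None  # business <-> DMZ crossings are the business firewall's job

def audit(rules):
    """Return [(rule, reason)] for every rule that violates the design."""
    return [(r, why) for r in rules if (why := check_rule(r))]

# Constructed candidate ruleset, as it might arrive in a change request.
PROPOSED = [
    ("hist-client", "ign-dmz", 8088),   # client queries historian in DMZ: ok
    ("ign-dmz", "db-dmz", 5432),        # gateway to database inside DMZ: ok
    ("ign-control", "ign-dmz", 8060),   # GAN link between the gateways: ok
    ("hist-client", "plc-1", 502),      # business straight to a PLC: rejected
    ("ign-dmz", "plc-1", 502),          # DMZ gateway polling the PLC: rejected
]
```

Running `audit(PROPOSED)` flags only the last two rules; everything else stays within the zone model the reply describes.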
Thanks for the help.
So if I understand correctly, I need to put the Ignition Gateway and the DB server in the DMZ like this:
Yes, that is generally what I would recommend.