Opcenter Execution Foundation 2401

AWS Cloud Deployment Guide

02/2024
PL20231102916651256
Guidelines
This manual contains notes of varying importance that should be read with care:
Important: Highlights key information on handling the product, the product itself or a particular part of the documentation.
Note: Provides supplementary information regarding handling the product, the product itself or a specific part of the documentation.
Trademarks
All names identified by ® are registered trademarks of Siemens AG.
The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes
could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement -
and continuously maintain - a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions
constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the internet if and
to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or
network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase
customer’s exposure to cyber threats.

To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under
https://www.siemens.com/cert.

Siemens AG PL20231102916651256 Copyright © Siemens AG 2024


Digital Industries 20240202_100645 Technical data subject to change
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of Contents
1 Definitions and Acronyms  6
2 Introduction  9
2.1 Opcenter Execution Foundation, Opcenter Execution Discrete and Opcenter Execution Process  9
2.2 Purpose of the Document  9
2.3 Out of Scope Topics  9
2.4 Multiplant support  10
2.5 Support Policies  10
3 Architecture  12
3.1 Overview  12
3.2 On-Premises Part  12
3.3 Cloud-Hosted Part  14
3.3.1 Tiers  14
3.3.1.1 Access Tier  14
3.3.1.2 Integration Tier  15
3.3.1.3 Application Tier  15
3.3.1.4 Database Tier  16
3.3.1.5 Backup Storage  16
3.3.2 Example Architectures  17
3.3.2.1 Minimal Architecture  17
3.3.2.2 Full Architecture  19
3.4 Connectivity  21
4 Installation and Configuration  24
4.1 Security Considerations  24
4.2 Network Configuration  24
4.2.1 Network Sizing  25
4.2.2 Firewall Configuration  26
4.2.3 AWS Direct Connect  26
4.2.4 Backup VPN path  26
4.3 On Premises  27
4.4 AWS Cloud  27
4.4.1 Prerequisites  28

Opcenter Execution Foundation 2401 - AWS Cloud Deployment Guide iii


4.4.2 Setup Workflow  29
4.4.3 AWS CloudFormation  29
4.4.3.1 VPC  30
4.4.3.2 Backup  31
4.4.3.3 Route 53  32
4.4.3.4 Active Directory  32
4.4.3.5 Compute  33
4.4.3.6 Application Load Balancer (ALB)  44
4.4.3.7 Client VPN  49
4.4.4 Hints for Setting up AWS Cloud Manually  50
4.4.4.1 AWS Application Load Balancer Configuration  50
4.4.4.2 AWS EC2 Instance Types  54
4.4.4.3 Security Groups  55
4.4.5 Installation and configuration of Opcenter on EC2 instances  57
4.4.5.1 Integration Tier Installation  57
4.4.5.2 Application Tier Installation  58
4.4.5.3 Database Tier Installation  58
4.4.5.4 Siemens License Server Configuration  58
5 Data Privacy  60
6 Industrial Security Disclaimer  61


ID: OpcenterEXFN_AWSCloudDeploymentGuide
Title: AWS Cloud Deployment Guide
Product Title: Opcenter Execution Foundation
Version Title: 2401
Product Version: OpcenterEXFN_2401
Category: Installation
Summary: Provides architectural and configuration best practices to set up a MOM system based on Opcenter EX FN on the AWS Cloud environment
Audience: Operator, Supervisor, Support Engineer
Revision: PL20231102916651256
State: Published
Author: Siemens AG
Language: en-US

1 Definitions and Acronyms


The following table describes the less common terms, acronyms, and abbreviations that may be used in this document.

Acronym: Description
AWS: Amazon Web Services
AZ: Availability Zone
BIL: BATCH Integration Library
CNC: Computerized Numerical Control machine
CPU: Central Processing Unit
DAID: Deployment Architecture and Infrastructure Design
DB: Database
DCS: Distributed Control Systems
DNS: Domain Name Server
ERP: Enterprise Resource Planning
FTP: File Transfer Protocol
Gbps: Gigabits per second
GTAC: Siemens Global Technical Access Center (responsible for support and providing technical documentation to customers)
HA: High Availability
HD: Hard Disk
HTML: HyperText Markup Language
HTTP(S): Hypertext Transfer Protocol (Secure)
HW: Hardware
IaaS: Infrastructure as a Service
IOPS: Input/Output Operations Per Second
IP: Internet Protocol
ISP: Internet Service Provider
MES: Manufacturing Execution System
Mbps: Megabits per second
ms: Millisecond
MOM: Manufacturing Operations Management
MSCS: Microsoft Cluster Service
OOTB: Out of the box
Opcenter CN MOM: Opcenter Connect MOM
Opcenter EX PR: Opcenter Execution Process
Opcenter EX DS: Opcenter Execution Discrete
Opcenter EX FN: Opcenter Execution Foundation
OPC UA: Open Platform Communications Unified Architecture
OPC.TCP: Open Platform Communications Transmission Control Protocol
PaaS: Platform as a Service
PLC: Programmable Logical Controllers
RAM: Random Access Memory
RDP: Remote Desktop Protocol
RDS: (Amazon) Relational Database Service
RTO: Recovery Time Objective
SaaS: Software as a Service
SISW: SIEMENS Industry Software
SLA: Service Level Agreement
SMB: Server Message Block protocol
SSD: Solid-State Disk
SW: Software
UI: User Interface
UMC: User Manager Component
VCN: Virtual Cloud Network
VDI: Virtual Desktop Infrastructure
VPN: Virtual Private Network

2 Introduction
The introduction to the AWS best practices for MOM products covers the following topics:
• Opcenter Execution Foundation, Opcenter Execution Discrete and Opcenter Execution Process
• Purpose of the document
• Out of Scope topics
• Multiplant support
• Support of Siemens MOM Products in Cloud Environments
• Overview on the current document

2.1 Opcenter Execution Foundation, Opcenter Execution Discrete and Opcenter Execution Process
Siemens Opcenter is a holistic Manufacturing Operations Management (MOM) solution that enables the
implementation of your strategy for the complete digitalization of manufacturing operations. Opcenter Execution
Foundation (Opcenter EX FN) is a platform for the implementation of Manufacturing Execution Systems (MES)
solutions. Based on it, two solutions designed to fulfill the most common needs of manufacturing execution are
available:
• Opcenter Execution Discrete (Opcenter EX DS) for the Discrete Manufacturing market;
• Opcenter Execution Process (Opcenter EX PR) for the Process market.

2.2 Purpose of the Document


The purpose of this document is to provide architectural and configuration best practices that drive system integrators to a successful deployment of solutions based on Opcenter EX FN on the AWS (Amazon Web Services) Cloud environment, according to a lift-and-shift concept. This means that Opcenter EX DS and Opcenter EX PR are deployed on AWS in Infrastructure as a Service (IaaS) mode, as Cloud virtual machines.
The proposed architectures include Shopfloor and Enterprise Resource Planning (ERP) systems integration.
The document covers only those contents that are specific for the AWS Cloud environment. For what concerns
information about installation and configuration, this document contains references to the standard product
documentation.

2.3 Out of Scope Topics


This document provides technical best practices for IaaS deployment. Detailed instructions for the setup of the
single computer instance and troubleshooting are not included in this document. When relevant, other appropriate
documents are referenced.
This document only describes how to set up a single-tenant system. Multi-tenancy cannot currently be achieved, because none of the Opcenter products to which this document applies (Opcenter EX FN / Opcenter EX DS / Opcenter EX PR and Opcenter CN MOM) supports multi-tenancy.
Cloud-native services usually support multi-tenancy, but this document does not cover the corresponding configuration.
The following domains are not considered in this document:
• Cloud Operations
• Infrastructure security practices
• Data security
• Risk, legal and compliance
• Security Incident Management

2.4 Multiplant support


Starting from version 2207, Opcenter EX FN (and consequently Opcenter EX DS and Opcenter EX PR, since they are applications based on it) supports multiplant systems. This means that a single Opcenter EX FN / Opcenter EX DS / Opcenter EX PR installation can serve more than one production plant, acting as a Regional Hub and thus reducing the total cost of ownership (TCO) of the MES system. Note that, in a multiplant system, the users of the different plants should connect to different URLs to access their data.

2.5 Support Policies


This section describes the support policies for the Siemens products mentioned in this guide and for the related AWS services. When the document states that Opcenter MOM products run on the Cloud, it refers only to the IaaS mode.

Opcenter EX FN, DS and PR support policies


The described architectures, implying Opcenter EX FN, DS and PR deployed on AWS Cloud in IaaS mode on EC2
instances and the usage of the ancillary services described in this document, are fully supported according to the
General SISW Maintenance Services Terms.

Opcenter CN MOM support policies


For what concerns Opcenter CN MOM, as well as the Opcenter MOM portfolio products, the terms of support when
running on AWS in IaaS mode are reported in the software bulletin "Support of SISW MOM Products in Cloud
Environment" (cited below from https://support.sw.siemens.com/en-US/knowledge-base/PL8522238), unless
differently specified in their product documentation:
In case of deployment on a Customer Cloud infrastructure which is not described in the official Documentation for SISW
Products, the Customer is recommended to set up optimized configurations in terms of networking, performances and
security. For this reason, it is recommended that the Customer engages Siemens professional services or Solution
Engineering & Customer Success team to advise on Cloud best-practices and deployment considerations.
Documentation for SISW Products can be found on the Siemens Support Center Web site: https://support.sw.siemens.com.
For Incident Reports (IRs) in connection with the usage of SISW MOM Products in a Cloud hosted deployment not
acknowledged inside the corresponding Documentation, the responsible SISW support organization will support the
Customer to determine whether a problem reported by the Customer is a result of a Defect rather than in the
underlying Cloud infrastructure.
If SISW Support is not able to reproduce the problem, SISW Support will, at its own discretion, provide commercially
reasonable assistance troubleshooting the problem and may request the Customer replicate the issue in a supported
infrastructure in order to proceed with the investigation.

Other AWS services support policies


The same conditions reported in the software bulletin "Support of SISW MOM Products in Cloud Environment"
(https://support.sw.siemens.com/en-US/knowledge-base/PL8522238) apply also if the Customer uses other AWS
services, not specifically mentioned in this guide.

AWS infrastructure support


Since the deployment mode is IaaS, it is recommended that the Customer subscribes to AWS Support for the necessary AWS-related support, which is not included in the Siemens maintenance services contracts. More information about AWS Support can be found at https://aws.amazon.com/premiumsupport/.

Disclaimer: the statements in this Bulletin do not change the rights and obligations in the applicable SISW
maintenance agreement.

Support is strictly bound to the conditions mentioned above.

The performance of the cloud infrastructure can vary heavily depending on the features of the selected instances and storage; select them so as to ensure the performance levels required by the Customer.

3 Architecture
This section describes the different parts of the architecture hosting Opcenter EX FN-based solutions, deployed on premises vs. on AWS Cloud, and their roles.
Two example architectures are also described in terms of the required AWS services.

3.1 Overview
The full architecture of a system based on Opcenter EX FN is comprised of the following components:
• An on-premises part, including the layers to be integrated that are hosted on premises, i.e. typically the external servers to be integrated, like ERP servers, and the components located in each plant, like web clients running UIs, network devices such as printers and scales, and control system components such as Programmable Logical Controllers (PLCs) and CNC (Computerized Numerical Control) machines.
• An AWS Cloud part, hosting the EC2 instances running Opcenter EX FN, EX DS/EX PR and CN MOM, including ancillary services to enable system functioning and to maximize serviceability.
• Connectivity between the previous two parts, enabled by an Internet Service Provider (ISP).

In this section, each of these parts is described in more detail.

3.2 On-Premises Part


The On-Premises part of the proposed architecture hosts the external components Opcenter EX FN should be
integrated with.

It is comprised of:
• The ERP system, which is usually installed on premises. The requests coming from Opcenter Connect MOM (the Opcenter component providing interoperability, installed on the Cloud) are posted by the Internet Gateway located on the Cloud.
  • ERP integration can occur via web service. In this case, the HTTP requests are directly posted to the Load Balancer / Opcenter EX FN host via CN MOM Server (depending on the architecture).
  • The ERP integration can also occur via file exchange. In this case, the inbound messages (from the point of view of Opcenter Connect MOM) coming from ERP are stored by the ERP system into an FTP folder, browsable from the Cloud via the Internet Gateway. This requires the setup of an FTP service that provides secure communication. Consider that Opcenter CN MOM does not provide an out-of-the-box FTP adapter, so a custom implementation is required.
• The Shopfloor Tier: this is the part of the IT architecture that is hosted where the assembly or the production is carried out, by automated systems and operators. Therefore, it is placed on premises, locally to each plant. The IT infrastructure of the shopfloor tier depends on the interconnectivity use cases in scope for the project, and comprises:
  • User clients: client systems used by operators locally in the shopfloor in order to operate on the MOM system using the UIs, which consist of HTML5 web screens opened in the Internet browser. This category comprises PCs, laptops, tablets and mobile phones. If needed, local printers can be connected to the PCs. Scanners can also be connected to these terminals.
  • OPC UA Servers: they provide bi-directional communication between Opcenter EX FN and any kind of automation, like PLCs, CNC machines and DCSs. The Opcenter EX FN component enabling integration with the OPC UA Servers is named Automation Gateway. One or more OPC UA Servers (depending on the required scalability degree) must be located on premises in case of automation integration. As a complement for shopfloor integration in the process industry, SIMATIC BATCH integration can be used. In this case, a SIMATIC BATCH server must be placed on premises like the OPC UA Servers.
  • Shopfloor devices: scales, network label printers, etc.
• The Office Tier: this represents the part of the IT architecture located in offices and used by supervisors and managers. Therefore, it is placed on premises, locally to each plant. It is made up of user clients displaying UIs to connect to Opcenter EX FN and manage/monitor production via the Internet browser. Also in this case, user clients can be PCs, laptops, tablets and mobile phones, and local printers can be connected to them.

3.3 Cloud-Hosted Part


The Cloud-hosted part is comprised of the following layers:
• Access Tier (in the public network)
• Integration Tier (in the private network)
• Application Tier (in the private network)
• Database Tier (in the private network)
• Backup Storage

The Routing Gateway is the Cloud service that provides dynamic routing between the Cloud networks and the on-premises network. The Routing Gateway peers with the on-premises VPN gateway or router. Any topology changes automatically propagate between the Virtual Private Cloud (VPC) network and the on-premises network.

3.3.1 Tiers
This section describes the layers of the architecture deployed on AWS Cloud and their role:
• Access Tier
• Integration Tier
• Application Tier
• Database Tier
• Backup Storage

3.3.1.1 Access Tier


The Access Tier is the first layer inside the Cloud infrastructure.
It is located in the public network and is in charge of allowing access from on premises.
The Access Tier is made up of two cascading services:
• Amazon Route 53, i.e. the AWS managed service for Domain Name System (DNS) routing
• AWS Application Load Balancer, used to distribute the web requests among multiple Opcenter servers

Amazon Route 53 (DNS)

Amazon Route 53 (DNS) is the layer responsible for mapping the host names in the URLs invoked by the on-premises components of the architecture (e.g. the browsers) to the (private) IPs of the corresponding servers in the AWS Cloud, i.e. the load balancers or the Opcenter servers, depending on the architecture. This allows the MES solution URL to be reached by server name, and not only by IP address, increasing the security level.
As an alternative, the DNS role could be played by a dedicated EC2 instance.
For HTTPS communication, the host names that are in use must be part of the certificate (common name and subject alternative name) which is installed on the server (refer to Opcenter EX FN documentation).
Additional DNS routing can be configured in Amazon Route 53 among EC2 instances in the private network, if needed.
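The certificate requirement above is easy to get wrong once several plant URLs point at the same load balancer. The following check, added here as an example and not part of the Siemens guide or product, takes a constructed set of Route 53 records and the certificate each target presents (in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert()) and reports every published host name the target certificate does not cover; all host names, target labels and certificates are invented sample data.

```python
"""Check that every Opcenter host name published in Route 53 is covered by the
HTTPS certificate installed on the target it resolves to.

Added example, not part of the Siemens guide. The record set, the targets
and the certificates below are constructed sample data; a real deployment
would read the records from Route 53 and obtain each certificate with
ssl.SSLSocket.getpeercert() against the target.
"""

from typing import Dict, List, Tuple

# Constructed sample: Route 53 private-zone records, host name -> target label.
ROUTE53_RECORDS: Dict[str, str] = {
    "mes.plant1.example.internal": "alb-internal",
    "mes.plant2.example.internal": "alb-internal",
    "cnmom.example.internal": "ec2-cnmom",
    "agw.plant1.example.internal": "ec2-app-01",
}

# Constructed sample certificates in the getpeercert() dict layout, keyed by target.
TARGET_CERTS: Dict[str, dict] = {
    "alb-internal": {
        "subject": ((("commonName", "mes.plant1.example.internal"),),),
        "subjectAltName": (
            ("DNS", "mes.plant1.example.internal"),
            ("DNS", "*.plant2.example.internal"),
        ),
    },
    "ec2-cnmom": {
        "subject": ((("commonName", "cnmom.example.internal"),),),
        "subjectAltName": (("DNS", "cnmom.example.internal"),),
    },
    # Certificate issued for the machine name only: the agw.* alias is not covered.
    "ec2-app-01": {
        "subject": ((("commonName", "app-01.example.internal"),),),
        "subjectAltName": (("DNS", "app-01.example.internal"),),
    },
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard that replaces only the
    leftmost label (no partial-label and no multi-level wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # At least two labels must follow the wildcard, and label counts must agree.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> List[str]:
    """Return the DNS names a certificate is valid for. When a SAN extension
    is present browsers ignore the CN, so the CN is used only as a fallback."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def uncovered_hostnames(records: Dict[str, str], certs: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (hostname, target) pairs whose target certificate does not cover
    the hostname, or whose target has no certificate on record."""
    gaps = []
    for hostname, target in sorted(records.items()):
        cert = certs.get(target)
        if cert is None or not any(dns_name_matches(n, hostname) for n in cert_dns_names(cert)):
            gaps.append((hostname, target))
    return gaps


if __name__ == "__main__":
    for host, target in uncovered_hostnames(ROUTE53_RECORDS, TARGET_CERTS):
        print(f"{host} -> {target}: not covered by the target certificate")
```

Run against the sample data, only the agw.plant1 alias is reported, because the application server certificate carries just the machine name; that is exactly the gap that produces browser certificate warnings after a Route 53 alias is added.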

Application Load Balancers


The Application Load Balancer is part of AWS Elastic Load Balancing, which automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. For more information about AWS Elastic Load Balancing, refer to https://aws.amazon.com/elasticloadbalancing/

3.3.1.2 Integration Tier


The Integration Tier hosts the Opcenter component which provides interoperability mainly with the ERP system and with the other external systems, i.e. Opcenter Connect MOM (Opcenter CN MOM).
The Integration Tier is made up of the following SW applications:
• Opcenter CN MOM Server
• Opcenter CN MOM Channel Adapter Host
• Siemens License Server, to manage Siemens product licenses
• The Microsoft SQL Server DB it uses as a repository
The integration can be based on:
• File exchange
• HTTP(S) requests
Other protocols are possible, but they are not recommended for the AWS Cloud architecture, and therefore they are not described in this guideline. For the complete list, refer to the Opcenter CN MOM User Guide.
Opcenter CN MOM relies on a DB repository, which can be placed alternatively:
• In the Database Tier, like the repositories of the other Opcenter MOM products (but on a dedicated SQL Server instance)
• (Optionally) In the Integration Tier itself
The choice must be taken at the project level, considering that the additional EC2 instances used to host the Opcenter CN MOM DB servers imply additional license and maintenance costs, due to the configuration of additional machines. On the other hand, separating the Opcenter CN MOM DB servers from the ones related to Opcenter EX FN / EX DS / EX PR allows you to perform dedicated maintenance operations without affecting the operation of the MES layer.

3.3.1.3 Application Tier


The Application Tier hosts the MES application SW, i.e. either of the following:
• Opcenter EX PR, for process industry projects (including possible customizations);
• Opcenter EX DS, for discrete manufacturing projects (including possible customizations).

These applications must be installed and configured on EC2 instances.

In both cases, the EC2 instance(s) where the MOM applications are running also include prerequisites, such as:
• Opcenter EX FN, i.e. the platform on which they are based (including Automation Gateway Server, a.k.a. AGW, needed for shopfloor integration via OPC UA).
• Opcenter CN MOM Client Gateway, needed for communication with Opcenter CN MOM (Integration Tier).
• Siemens License Server, used to manage Siemens product licenses (if Opcenter CN MOM is not in scope; otherwise Siemens License Server should preferably be hosted by the Opcenter CN MOM host(s)).
• User Manager Component (UMC), required for handling users and authentication. In case of integration with Active Directory, the corresponding AWS Directory Service or EC2 instance should be placed on premises, on the Cloud, or in a hybrid solution, according to customer IT requirements.
The number of EC2 instances (i.e. Cloud virtual machines) that host them depends on the architecture (minimal vs. full, refer to Architecture).

3.3.1.4 Database Tier


The Database Tier hosts the DB servers (Cloud instances) on which Opcenter EX PR/DS (and Opcenter CN MOM,
unless its repository is hosted in the Integration tier) repositories are placed. The DB servers can be configured in
high availability depending on the requirement, as displayed in the figures at Minimal Architecture and Full
Architecture.
Multiple Microsoft SQL Server Always On replicas (a primary and its secondaries) must be installed, thus setting up a SQL Server Always On Availability Group (AG). In this way, the data stored in the secondary replicas is automatically aligned with the primary replica, which serves as the active repository for the MOM products installed in the AWS Cloud.
In this way, the system provides:
• a data backup;
• a stand-by Microsoft SQL Server, which can take over in case of failure of the currently active one.
Amazon Web Services (AWS) Relational Database Service (RDS) for SQL Server can be utilized as well. The database
tier can be leveraged in Platform as a Service (PaaS) mode. Therefore, the system can be configured not only to
deploy on a traditional database EC2 instance but also using the Amazon AWS RDS for Microsoft SQL Server service.
This allows you to benefit from the flexibility and lower total cost of ownership that Amazon AWS RDS service can
provide.

3.3.1.5 Backup Storage


For each Tier, a backup must be saved and kept aligned with the live system, according to the customer IT disaster recovery plan.
Generally speaking, it could be appropriate to use high-performance storage for the primary backup and object storage for the secondary backup.
For example, for the Database Tier, Microsoft SQL Server best practices recommend that you periodically back up the MOM product databases. For the other tiers, solution and configuration files should be periodically backed up according to project requirements.
In any case, refer to the backup guidelines provided by the Cloud vendor and to the Microsoft SQL Server documentation in order to determine the most appropriate backup policies and the recommended Cloud services.
Refer to the following link for more information about AWS: https://docs.aws.amazon.com/prescriptive-guidance/latest/sql-server-ec2-best-practices/sql-server-ec2-best-practices.pdf

3.3.2 Example Architectures


Two example architectures are described in the next paragraphs, in terms of the AWS Cloud services needed for the
deployment, as follows:
• Minimal architecture: applicable in case of small-medium business (less than 100 concurrent users, if the
recommended HW prerequisites are met) and aimed at minimizing the number of needed servers. This
architecture does not provide high availability.
• Full architecture: providing load balancing and high availability, and allowing you to fully exploit Cloud features.
Nevertheless, it should be considered that architecture variations, based on the product features documented in
the Opcenter EX FN, Opcenter EX DS, and Opcenter EX PR manuals, are supported.
These architectures are recommended for both pre-production and production environments. The pre-production
environment should closely replicate the production environment to enable reliable testing.
It is important to note that the pre-production and production environments should be entirely separated from a
network standpoint.

3.3.2.1 Minimal Architecture


The following figure illustrates the Minimal Architecture required to run an Opcenter EX FN-based solution on AWS,
equivalent to a Stand-Alone Scenario with a Separate Database.

From the AWS standpoint, three components are needed:


• The On-premises network (point 1) should be connected to the AWS Customer Gateway, which enables the
connection to the AWS Cloud via AWS Virtual Private Gateway (VPN Gateway).

• Network connectivity between the On-premises part and the AWS cloud (point 2) is via either AWS Direct Connect or
a VPN connection. The customer should combine both channels for redundancy and high availability.
• AWS Cloud hosts the Siemens Opcenter MOM products servers in terms of Amazon Elastic Compute Cloud (EC2)
instances. The servers are hosted on the same Availability Zone, since the minimal architecture is used when no
high availability is needed.
Go through the following sections that provide relevant insights.

Network connectivity
To maximize the reliability of the connection to the Opcenter MOM servers hosted on the AWS Cloud:
• A fast and dedicated network connection to the Cloud can be established through AWS Direct Connect (point 2),
providing a dedicated and the shortest path to AWS resources. This ensures that traffic stays within the AWS
global network and avoids touching the public internet. Consequently, this reduces the likelihood of
encountering bottlenecks or unexpected increases in latency. For more information, please refer to AWS Direct
Connect at https://aws.amazon.com/directconnect/
• A backup Virtual Private Network (VPN) path can be established through a redundant AWS Site-to-Site VPN,
which creates a secure connection between On-Premise and AWS resources using IP Security (IPSec) tunnels.
For more information, refer to the AWS Site-to-Site VPN URL: https://aws.amazon.com/vpn/site-to-site-vpn/.

Note: To ensure reliable shopfloor integration, the network connection between on-premise and the AWS Cloud
must be available nearly 100% of the time. This consideration should be included in the definition of the
SLA with the ISP. This is why a redundant connection is required, preventing data loss due to network
disconnection. Another critical factor in the SLA is network latency. High-latency periods could result in a
significant number of shopfloor data value changes that cannot be processed in the MOM layer due to the
absence of an out-of-the-box (OOTB) buffering mechanism. This holds true for all architectures.

AWS Cloud
The AWS Cloud, as represented in the proposed architecture, corresponds to a region in Cloud terminology – a
physical location worldwide where data centers are clustered and interconnected via a low-latency network.
Within the AWS Cloud, there is a set of devices for network traffic routing and an Amazon Virtual Private Cloud
(Amazon VPC) that logically isolates sections of the AWS Cloud. Users can launch AWS resources in a defined virtual
network. Similar to a traditional data center network, the Amazon VPC offers complete control over your network
environment. This includes assigning your private IP address space, creating subnets and route tables, and
configuring stateful firewalls, as described later in this document. Subsequent sections provide guidelines for
setting up the most appropriate configuration.

The entry point to the AWS Cloud is through the AWS Virtual Private Gateway (VPN Gateway), acting as a virtual
router that establishes a path for private traffic between the on-premise part of the architecture and the VPC region.
The VPC is structured with three subnets, a recommended best practice. One subnet (public) hosts the Bastion
Server (details below), while the others (private) host the Opcenter Application Servers and the DB Servers
(Microsoft SQL Server-based), maintained separately to enhance security.
Following the Gateway, Amazon Route 53 (point 5) can be incorporated to map server names used in URLs within
HTTP(s) requests to the IP addresses of the Opcenter EX FN Server or the Opcenter CN MOM, known within the VPC
network. The DNS is placed in the public network to enable resolving IPs traveling over the internet. While this DNS
is optional due to security implications, the decision to use it should align with project requirements. There is a
tradeoff between the convenience of using URLs with machine names and potential security threats, given the
placement of DNS in the public network.

The AWS Application Load Balancer (point 3) serves as a connection point to the Opcenter CN MOM/Opcenter EX FN
servers. This allows for potential modifications in a second phase, incorporating additional Opcenter CN MOM/
Opcenter EX FN servers for horizontal scalability. It is also introduced for security reasons.
In this proposed architecture, Opcenter EX FN, running in Availability Zone 1, is connected to a DB Server, which can
be a Microsoft SQL Server running on an AWS EC2 instance (point 4) or AWS Managed Relational Database Service
(RDS) for SQL.
If required, Opcenter EX FN users can be imported from Windows Active Directory to User Manager Components
(UMC), the Opcenter EX FN user management system. This enables authentication leveraging Windows Active
Directory users, using the passwords defined in Active Directory. A prerequisite for this configuration is that the
Opcenter EX FN/DS hosts, running UMC, must belong to the Windows domain, and Active Directory must be
reachable via LDAP(S).
Three alternative solutions are possible (refer to
https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services/directory-services-options-in-aws.html).
It is up to the customer IT to choose the most convenient one, according to customer requirements:
• AD Connector (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html):
  • This allows you to use your existing on-premise AD servers from the cloud.
  • This is a gateway or proxy that redirects requests from applications in the cloud to your on-premises AD
    servers.
  • It does not cache any information in the cloud and does not need any trust or synchronization of users.
  • This is a fully managed AWS service.
• AWS Managed Microsoft Directory Service
  (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html):
  • This creates a new AD domain and allows you to create trusts with existing on-premise domains.
  • This is a fully managed AWS service.
• Active Directory on EC2 instance:
  • This consists of running Active Directory on EC2 instances deployed and managed by the Customer.
  • The Customer manages AD on the EC2 instances.
  • This may be the most flexible option, but it is not a managed service and requires more operational effort
    on the Customer side.
The architecture tested for AWS Certification relies on the AWS Managed Microsoft Directory Service.
Depending on the selected solution, an additional set of ports should be opened in addition to the ones listed in the
Interconnectivity use cases in the Overview.
The public network hosts a Bastion Server, a Cloud instance that allows remote connections via Remote Desktop
Protocol (RDP) to other Cloud instances hosted by the private network. This is a typical Cloud concept utilized by
customer IT and, in accordance with customer security policies, by system integrators for remote access to servers
for maintenance and troubleshooting.
AWS Backup (point 6) serves as a comprehensive solution to centralize and automate data protection for EC2
instances and EBS volumes. Backups are stored in secured vaults, providing the capability to restore instances and
databases in the event of a disaster recovery.
Amazon S3 (point 7) is a file storage repository for Opcenter EX FN and Opcenter CN MOM.

3.3.2.2 Full Architecture


The following figure displays the Full Architecture recommended for running Siemens Opcenter EX FN-based
products on the AWS Cloud.

The Full Architecture enables the full utilization of load balancing and high availability features provided by
both Opcenter EX FN and the AWS Cloud. It can be achieved by enhancing the complexity of the minimal
architecture through:
• Distributing the load and eliminating single points of failure in terms of EC2 instances.
• Distributing instances across multiple AWS Availability Zones.
• Increasing the robustness of the network.
• Configuring required services for high availability.
To enhance the reliability of the connection with the AWS Cloud, it is typically recommended to leverage two
different ISPs with independent infrastructure, complementing AWS Direct Connect and VPN (point 2).
Amazon Route 53 (point 3) continues to be used to map server names in URLs within HTTP(s) requests to the IP
addresses of Opcenter EX FN Server or Opcenter CN MOM (for ERP interoperability) within the VPC network.
AWS Application Load Balancer (point 4) is crucial for automatically distributing incoming traffic across Opcenter EX
FN hosts (point 5) in one or more Availability Zones within the VPC. It also monitors the health of registered targets
and routes traffic only to healthy targets.
In the AWS Cloud virtual network, Cloud instances and services are organized into three subnets, each grouping EC2
instances belonging to the same Availability Zone.
From Opcenter EX FN's perspective, it is a distributed architecture providing load balancing and high availability.
Servers are distributed among different Availability Zones to fully leverage load balancing and AWS Cloud features.
Alternatively, if needed (e.g., in regions with only two Availability Zones), the third Opcenter EX FN host can be
hosted in Availability Zone 1 or Availability Zone 2.
RabbitMQ (on which the Opcenter EX FN Service Bus is based) needs to be configured in Active/Standby mode.

In case of a failure of any Opcenter EX FN runtime server, the other two will continue working. If the server hosting
the active RabbitMQ fails, it will be moved to one of the other two Opcenter EX FN Servers. In the event of an
unmanaged shutdown of the Opcenter EX FN runtime server where RabbitMQ is active, the messages already taken
in charge by it will be lost.
The three Opcenter EX FN Servers rely on Microsoft SQL Server DB Servers (point 6) configured for high availability
and placed in multiple Availability Zones. Opcenter EX FN Servers connect through the high availability (Availability
Group) listener. If a DB Server in one Availability Zone is down, the three Opcenter EX FN Servers can continue
working, leveraging the DB server in another AZ. The tested configuration consists of Microsoft SQL Server Always On
Availability Groups with one primary replica and two secondary replicas. High availability can also be achieved with a
total of two Microsoft SQL Server EC2 instances, by configuring a single Always On Availability Group secondary
replica or by leveraging Microsoft SQL Server Always On Failover Cluster Instances (FCI), although the latter is more
complex. If only two Microsoft SQL Server EC2 instances are present and the Availability Zone hosting one of them
becomes unavailable, at least one other Availability Zone must remain running to maintain system functionality.
Additionally, the database server can alternatively be hosted through AWS RDS, configured for high availability.

3.4 Connectivity
The connectivity between on-premises and the AWS Cloud is, of course, vital for the correct functioning of the
system.
This paragraph explores:
• Aspects related to the Internet Service Provider (ISP)
• Connectivity paths between on-premises and the AWS Cloud

Internet Service Provider (ISP)


The Internet Service Provider (ISP) plays a crucial role in the context of a Cloud-hosted system or solution, as it is
essential for reaching the servers hosted on the AWS Cloud. Therefore, establishing an appropriate Service Level
Agreement (SLA) is important, encompassing aspects such as speed and availability. Completing the infrastructure
with the necessary software connectivity services, provided by the AWS Cloud vendor, is equally vital. For more
information, please refer to the recommendations outlined in the sections on Minimal Architecture and Full
Architecture. Additional guidance on network sizing can be found in the section on Network sizing.

Connectivity paths among On-Premises and AWS Cloud


The Table below lists the interconnectivity use cases, grouped into four macro-categories that are:
• Shopfloor integration: integration with the bottom layer of the automation pyramid, in terms of
Programmable Logical Controllers (PLCs), Computerized Numerical Control (CNC) machines, and Distributed
Control Systems (DCSs). The integration of Opcenter EX FN-based solutions with them always occurs via OPC
Unified Architecture (OPC UA) protocol, through OPC UA server(s). Refer to https://opcfoundation.org/about/
opc-technologies/opc-ua/ for more details about OPC UA. The OPC UA Server(s) must be located on the
premises. As a complement, in the process industry, it is possible to interact with the automation via SIMATIC
Batch (leveraging Batch Integration Library, i.e. BIL).
• Device integration: integration with devices usually located on the shopfloor, but directly managed either by
their local drivers or by Opcenter EX FN label printing microservice. Examples are label printers and scales, or
CNC machines for discrete manufacturing. Scanners are managed as keyboard emulators by Opcenter EX FN.
Therefore, they are not explicitly mentioned, and interaction with them falls under the UI category.
• UI: interaction with the users via User Interfaces (UIs). Opcenter EX FN-based UIs are HTML-5 applications,
therefore they are displayed on one of the supported browsers (i.e. Chrome, Microsoft Edge; refer to the
Opcenter EX FN Installation Guide for supported versions).
• Level-4 integration: integration with the top layer of the automation pyramid, i.e. ERP systems like SAP or
middleware.

Category | Device/Application | Endpoint on Premises | HA Available | Application | Protocol | Default Ports
--- | --- | --- | --- | --- | --- | ---
Shopfloor Integration | PLCs, DCs, CNC machines, etc. | OPCUA Server | Y | OP EX FN / PR / DS | OPC:TCP | (*) 48010
Shopfloor Integration | SIMATIC BATCH | Batch Redundancy Connector |  | OP EX PR | SQL Server | (*) 1433
Device | Label printer / Ethernet printer | Laptop / PC / network printer | In case of network printer | OP EX FN / PR / DS | SMB | (*) 445, 139
Device | Serial Scale (local) (***) | Laptop / PC | In case of network scale | OP EX PR / CN MOM | Serial (local to PC, not through CN MOM service); HTTP (to get configuration from CN MOM) | (*) 80 / 443
UI | Browser on laptop / PC | Laptop / PC | Y | OP EX FN / PR / DS | HTTP(S) | (*) 80 / 443
UI | Browser on handheld | Handheld via WI-FI | Y | OP EX FN / PR / DS | HTTP(S) | (*) 80 / 443
Level-4 Integration | ERP / middleware | Folder on Server | Y (**) | OP CN MOM | FTP | (*) 21
Level-4 Integration | ERP / middleware | Web API | Y (**) | OP CN MOM | HTTP(S) | (*) 80 / 443

Legend:
• (*) Configurable. The list of ports on the Cloud side is described later in this document.
• (**) Depending on ERP / middleware.
• (***) Latency can introduce errors, so fast communication is needed; this is why serial communication is local only.

For each Category, the table lists:
• Device/Application: the device/application you can integrate with according to the category.
• Endpoint on premises: the endpoint able to provide the communication on the on-premises side.
• HA available: whether a high availability solution can be leveraged or not.
• Application: the Opcenter product, hosted on the Cloud, to which the on-premises device / application connects.
• Protocol: the protocol on which the communication is based.
• Default ports: the default ports through which the communication occurs. These ports are configurable and can
be modified if needed. They must be left open on both the on-premises and the Cloud side in order to allow for
communication.
As the table above shows, in most use cases both HTTP and HTTPS can be used for the connection between the Cloud
and on-premises. It is up to the customer IT to decide which one is used, keeping in mind that HTTP exposes the
system to possible security threats; HTTPS is therefore recommended.

4 Installation and Configuration


This section provides instructions and references for setting up the Cloud and the On-Premises infrastructure.
Here you can find the following topics:
• Security Considerations: providing security hints.
• Network Configuration: describing network infrastructure requirements and AWS network services
configuration.
• On Premises: providing references for installation and configuration of the on-premises part.
• AWS Cloud: providing instructions / references for installation and configuration of the AWS Cloud part and of
the Opcenter products described in this guide. AWS Cloud EC2 instances and services can be created by AWS
Cloudformation scripts or manually. Additional Cloud services can be added for specific project requirements,
according to the described Support Policies.

4.1 Security Considerations


Security is an essential requirement for a MOM solution hosted by the AWS Cloud. AWS emphasizes the Shared
Responsibility Model, where AWS is responsible for protecting the infrastructure that supports all services in the
AWS Cloud, encompassing hardware, software, networking, and facilities. Customer responsibility depends on the
AWS Cloud services selected, determining the configuration work required for their security responsibilities. For
detailed information about the Shared Responsibility Model, please refer to https://aws.amazon.com/compliance/
shared-responsibility-model/.
Different security levels are necessary based on customer requirements regarding geographical access to the MOM
Solution. Access options include:
• The MOM solution is available only from the plant(s) (preferred for security).
• The MOM solution is accessible from anywhere on the internet (providing flexibility). In this scenario, due to
inherent security risks, it is crucial to secure access to the MOM solution with appropriate controls (e.g., IP
filtering, Multi-Factor Authentication, etc.) to prevent misuse of MOM functionality.
Additional considerations involve the recommendation to use HTTPS instead of HTTP and configuring the network
as outlined in this guide.
Based on business and security requirements, the Customer IT can choose the networking solution that best suits
their needs.
For further information, please consult the Opcenter EX FN Security Concept.

4.2 Network Configuration


When Opcenter EX FN is deployed on the Cloud, reliable and high-performance connectivity with on-premises is
crucial for the correct functioning of the system.
This section describes these network aspects:
• Network Sizing: the network requirements to obtain reliable communication.
• Firewall Configuration: information about firewall configuration to obtain required connectivity.
• The AWS services needed to provide highly reliable communication with the AWS Cloud environment, thus
ensuring business continuity:
  • AWS Direct Connect, providing a fast network connection to the Cloud.
  • A backup redundant Virtual Private Network (VPN) path.

4.2.1 Network Sizing


To ensure a positive user experience in terms of latency, the network connection must meet the requirements
outlined in the table below. The critical factors are the latency and bandwidth provided by the network provider,
which depend on the anticipated payload. The table provides an estimation, but the actual values strongly depend
on the specific needs for exchanging documents.
In order to minimize the required bandwidth, you could evaluate the usage of Citrix (refer to Security
Considerations).

Item: Network Latency (RTT)
Description: It represents the time it takes for a packet of data to be captured, transmitted, processed through
multiple devices, then received at its destination and decoded, including the round-trip time (RTT) to return to the
source. It is calculated in milliseconds (ms).
Network Requirements:
• Among Opcenter Servers (including DB server), RTT <= 2 ms, due to the multi-tier nature of the application.
• Between clients (hosted on-premises) and servers (hosted on the AWS Cloud), the recommended latency depends
  on client type:
  • Web clients, hosting UIs on the browser: in this case the recommended latency is < 100 ms.
  • OPC UA Servers (relevant only in case of shopfloor integration):
    • Network Latency for stability: Latency must be <= 200 ms. This value should not be considered as an
      average value, but as the maximum threshold that the latency must not exceed. Note that this value is
      based on test results that were measured connecting to SIMATIC OPC UA S7-1500. Connection to different
      OPC Servers may result in a different maximum tolerated network latency value.
    • Network Latency for performance: When the shopfloor communication performance plays an important role,
      the recommended latency is <= 14 ms. This value is an indication based on internal tests performed by
      Siemens and on data collected from Siemens customers. As a general rule, the higher the performance
      required, the greater the demand for network speed and reliability.

Item: Network Bandwidth
Description: The volume of information that can be transmitted over a connection within a measured amount of
time. It is calculated in megabits per second (Mbps) or gigabits per second (Gbps).
Network Requirements:
• 30-50 Kbps/User (without document uploads)
• General recommendations:
  • 1 Gbps (Production Minimum)
  • 10+ Gbps (Production Optimal)
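The latency values above are maximum thresholds, not averages, so a connectivity check has to judge the worst sample. The following Python script is an added example, not part of this guide: it parses raw ping output (the sample is constructed inline; the 10.20.3.10 server address is an assumption) and evaluates the samples against the table's values for a given client type.

```python
import re
import statistics

# Thresholds (ms) taken from the Network Sizing table. The OPC UA and server-to-server
# values are maxima that must never be exceeded; the web-client value is a recommendation.
THRESHOLDS_MS = {
    "server_to_server": 2.0,    # among Opcenter servers, including the DB server
    "web_client": 100.0,        # browser-hosted UIs
    "opcua_stability": 200.0,   # OPC UA server, measured against SIMATIC S7-1500
    "opcua_performance": 14.0,  # OPC UA server when shopfloor performance matters
}

# Matches "time=12.3 ms" (Linux/macOS ping) and "time=12ms" / "time<1ms" (Windows ping).
# A "time<1ms" reply is recorded as 1 ms, i.e. as its upper bound.
_RTT_RE = re.compile(r"time[=<]\s*(\d+(?:\.\d+)?)\s*ms")


def parse_ping_rtts(ping_output):
    """Extract every round-trip time (ms) from raw ping output."""
    return [float(m.group(1)) for m in _RTT_RE.finditer(ping_output)]


def evaluate_latency(rtts_ms, client_type):
    """Judge RTT samples against the guide's limit for client_type.

    The verdict uses the worst sample, not the average: one high-latency period is
    enough to lose shopfloor value changes, since there is no OOTB buffering."""
    if not rtts_ms:
        raise ValueError("no RTT samples to evaluate")
    limit = THRESHOLDS_MS[client_type]
    worst = max(rtts_ms)
    return {
        "client_type": client_type,
        "limit_ms": limit,
        "max_ms": worst,
        "avg_ms": round(statistics.fmean(rtts_ms), 2),
        "samples": len(rtts_ms),
        "ok": worst <= limit,
    }


# Constructed sample: a Linux ping from an on-premises OPC UA host to an assumed
# Opcenter server address in the VPC, with one latency spike in the middle.
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.20.3.10: icmp_seq=1 ttl=126 time=11.8 ms
64 bytes from 10.20.3.10: icmp_seq=2 ttl=126 time=12.1 ms
64 bytes from 10.20.3.10: icmp_seq=3 ttl=126 time=230.4 ms
64 bytes from 10.20.3.10: icmp_seq=4 ttl=126 time=12.0 ms
"""


def check_sample():
    """Verdict per client type for the constructed sample (all fail because of the spike)."""
    rtts = parse_ping_rtts(SAMPLE_PING_OUTPUT)
    return {kind: evaluate_latency(rtts, kind)["ok"]
            for kind in ("web_client", "opcua_stability", "opcua_performance")}


if __name__ == "__main__":
    rtts = parse_ping_rtts(SAMPLE_PING_OUTPUT)
    for kind in ("web_client", "opcua_stability", "opcua_performance"):
        r = evaluate_latency(rtts, kind)
        print(f"{kind:18} max {r['max_ms']:6.1f} ms  avg {r['avg_ms']:6.1f} ms  "
              f"limit {r['limit_ms']:5.0f} ms  {'OK' if r['ok'] else 'FAIL'}")
```

On this sample the average (about 67 ms) would pass both the web-client and the OPC UA stability limits, while the single 230 ms spike fails all three; that is exactly why the verdict is taken on the maximum. Feed the script the output of a long-running ping (or of a scheduled probe) collected during production hours rather than a handful of packets.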

4.2.2 Firewall Configuration


For details about firewall configuration, refer to:
• Firewall Configuration in the Opcenter EX FN Installation Guide.
• The Ports used section in the Opcenter Connect MOM Installation Guide.
The referenced documentation includes both Cloud-to-Cloud and Cloud-to-On-Premises port configurations.
Additional ports may need to be opened depending on the specific environment (e.g. the port used by the label
printer).
In particular, the firewall ports to be opened between the Cloud and on premises depend on the business case.
Refer to the interconnectivity use cases at Connectivity for an overview of the ports to be opened depending on the
business case.
Finally, in case Active Directory integration is needed for user management, the required ports need to be opened.
This depends on Customer IT implementation of the domain.
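The ports in the interconnectivity table (Connectivity), the bastion-only RDP access described in Minimal Architecture and the HTTPS recommendation can all be checked against the security groups actually deployed. The following Python script is an added example, not part of this guide or of the Opcenter CloudFormation stacks: it audits rules in the shape returned by `aws ec2 describe-security-groups` (the sample groups are constructed inline; the group ids sg-app, sg-db, sg-bastion and the on-premises range 10.0.0.0/8 are assumptions) and flags ingress open to the internet, plaintext HTTP, RDP reachable from anything but the bastion group, and SQL Server reachable from groups other than the application tier.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (trimmed to the fields used here). Group ids and CIDRs are assumptions.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-app", "GroupName": "opcenter-app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "opcenter-db-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    ]},
]

ON_PREM_CIDRS = ("10.0.0.0/8",)   # assumed on-premises ranges reached over Direct Connect / VPN
BASTION_SG = "sg-bastion"         # assumed id of the bastion host's security group
APP_SG = "sg-app"                 # assumed id of the Opcenter application servers' group


def _covers(perm, port):
    """True if the rule allows TCP `port` (IpProtocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def _ports(perm):
    return "all" if perm["IpProtocol"] == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"


def audit_security_groups(groups, on_prem_cidrs=ON_PREM_CIDRS,
                          bastion_sg=BASTION_SG, app_sg=APP_SG):
    """Return a list of findings, each {'group', 'severity', 'message'}."""
    on_prem = [ipaddress.ip_network(c) for c in on_prem_cidrs]
    findings = []

    def add(group, severity, message):
        findings.append({"group": group, "severity": severity, "message": message})

    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sg_sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            ports = _ports(perm)
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    add(gid, "HIGH", f"ports {ports} open to the whole internet ({cidr})")
                elif not any(p.version == net.version and net.subnet_of(p) for p in on_prem):
                    add(gid, "MEDIUM", f"ports {ports} open to {cidr}, outside the on-premises ranges")
            if _covers(perm, 80):
                add(gid, "LOW", "plaintext HTTP (80) allowed; the guide recommends HTTPS (443)")
            if _covers(perm, 3389):
                bad = cidrs + [s for s in sg_sources if s != bastion_sg]
                if bad:
                    add(gid, "HIGH", f"RDP (3389) reachable from {bad}; only the bastion group should reach it")
            if _covers(perm, 1433):
                bad = [s for s in sg_sources if s != app_sg]   # CIDR sources were judged above
                if bad:
                    add(gid, "MEDIUM", f"SQL Server (1433) reachable from groups {bad} other than the app tier")
    return findings


def worst_severity(findings):
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((f["severity"] for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['severity']:6} {f['group']:8} {f['message']}")
```

The script only reads a list of dicts, so the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` can be passed in directly, without an AWS SDK. Its policy is deliberately narrow: extend ON_PREM_CIDRS and the port checks to the ports actually opened for the project's use cases (for example 48010 for OPC UA or 21 for FTP) so that the audit mirrors the firewall configuration rather than a generic baseline.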

4.2.3 AWS Direct Connect


A fast network connection to the AWS Cloud is highly recommended and can be achieved through AWS Direct
Connect, providing a dedicated network connection to AWS.
AWS Direct Connect offers the shortest path to your AWS resources, ensuring that your network traffic stays on the
AWS global network and avoids the public internet. This minimizes the risk of encountering bottlenecks or
unexpected increases in latency. For more information about AWS Direct Connect, refer to
https://aws.amazon.com/directconnect/.

4.2.4 Backup VPN path


A VPN is recommended as a redundant, lower-performance path, if an alternative is sought.
AWS Site-to-Site VPN is a fully-managed service that establishes a secure connection between on-premise and AWS
resources through IP Security (IPSec) tunnels. When using Site-to-Site VPN, you can connect to both your Amazon
Virtual Private Clouds (VPC) and AWS Transit Gateway, utilizing two tunnels per connection for increased
redundancy.
For globally distributed applications, the Accelerated Site-to-Site VPN option offers even greater performance. It
works in tandem with AWS Global Accelerator to intelligently route traffic to the nearest AWS network endpoint
with the best performance.

For more information about AWS Site-to-Site VPN, please refer here https://aws.amazon.com/vpn/site-to-site-vpn/.
Various VPN types should be implemented based on customer requirements regarding geographical access to the
MOM Solution:
If the MOM solution is available only from the plant, a Site-to-Site VPN Connection between the plant and the AWS
Cloud is necessary and must be appropriately configured.
If the MOM solution is accessible from anywhere on the internet, AWS Client VPN should be set up. Additional
security solutions must be adopted in comparison to the previous option (refer to Security Considerations).
Additionally, to enable some of the relevant use cases (e.g., shopfloor connectivity), the connection between the
on-premise and the AWS Cloud network needs to be server-to-server. This means that both a routing from on-
premise to AWS Cloud network and, vice versa, from AWS Cloud to on-premise network, must be configured.

4.3 On Premises
When installing the on-premises component of the architecture, please refer to the prerequisites for the web clients
described in the Prerequisites for Web Clients of the Opcenter EX FN Installation Guide, where both the HW and SW
prerequisites (i.e., the supported browsers) are listed.
Consider that no Opcenter EX FN product components need to be installed on premises and consequently any
guidelines for the installation and configuration of the on premises components are out of scope of the current
document.

4.4 AWS Cloud


In the next sections, you will find information about setting up the AWS Cloud infrastructure. The parts of the
architecture depicted in green (with a cloud icon) represent AWS managed services, while the blue rectangles
indicate EC2 instances. References for the installation of the Opcenter products mentioned in this guide are also
provided.

4.4.1 Prerequisites
This section lists the prerequisites for setting up the AWS Cloud infrastructure needed to host Opcenter EX FN.

Recommended skills
To fully understand the entire installation process and the terminology used in this guide, it is advisable to
complete the AWS Cloud Practitioner Essentials course as a prerequisite.

Region selection
According to the AWS Architecture Blog
(https://aws.amazon.com/blogs/architecture/what-to-consider-when-selecting-a-region-for-your-workloads/),
the region must be carefully selected based on the following factors:
1. Compliance - If your workload involves data subject to local regulations, selecting a Region compliant with the
regulation takes precedence over other evaluation factors. This is particularly applicable to workloads bound by
data residency laws, where opting for an AWS Region located in that specific country is mandatory.
2. Latency - A significant factor to consider for user experience is latency. Reduced network latency can have a
substantial impact on enhancing the user experience. Choosing an AWS Region in close proximity to your user
base location can achieve lower network latency, potentially improving communication quality, as network
packets have fewer exchange points to travel through.
3. Cost - AWS services are priced differently from one region to another. Some regions have lower costs than
others, potentially resulting in a cost reduction for the same deployment.
4. Services and features - Newer services and features are gradually deployed to AWS Regions. While all AWS
Regions have the same service level agreement (SLA), larger Regions are typically the first to offer newer
services, features, and software releases. Smaller Regions may not receive these services or features in time for
you to use them to support your workload.
Evaluating all these factors can complicate decision-making. This is where business priorities should influence the
final decision.
Given the low-latency requirement for the MOM system, it is highly recommended to select the region with the
lowest latency to the plant, provided that compliance is fulfilled.

EC2 instance types

To provide appropriate performance, Opcenter EX FN must be run on EC2 instances with adequate HW resources
(e.g., CPU, RAM, disk speed). For this reason, you must adhere at least to the minimum requirements described in
AWS EC2 Instance Types.

4.4.2 Setup Workflow


To set up a system based on Opcenter EX FN on AWS Cloud, two steps are needed:
1. Set up of AWS Cloud, in terms of EC2 instances and ancillary AWS managed services. AWS CloudFormation
scripts are available to perform this step automatically, minimizing the setup effort and human error risk.
Otherwise, some hints are provided if you prefer the manual setup.
2. Installation and configuration of the Opcenter products mentioned in this guide and related prerequisites on
the EC2 instances.

4.4.3 AWS CloudFormation


Introduction
AWS CloudFormation allows you to model, provision, and manage AWS and third-party resources by handling the
infrastructure as code (IaC). For more information about CloudFormation, refer to
https://aws.amazon.com/cloudformation/.
AWS CloudFormation scripts are organized into stacks, which are collections of AWS resources that you can manage
as a single unit. For Opcenter Execution Foundation, several separate stack templates that facilitate the
straightforward setup of the necessary infrastructure for the software can be found in the Support Center, in
the Opcenter Execution Foundation section, in the Downloads > Additional Downloads tab (see
https://support.sw.siemens.com/en-US/product/219646572/downloads/additional).
The available stack templates required to set up the AWS infrastructure running Opcenter EX FN are described in
this section. By creating the stacks based on them, you can deploy the AWS infrastructure.

Stacks
Dependencies
In Opcenter EX FN, the AWS CloudFormation stacks are split into the following scripts:
1. VPC
2. Backup (Optional)
3. Route 53 (Optional)
4. Active Directory (Optional)
5. Compute
6. ALB (Optional)
7. Client VPN (Optional)
Dependencies among the AWS CloudFormation stacks are shown in the following diagram:


Creation
The provided AWS CloudFormation scripts must be used as templates for stack creation, following the procedure shown
below:
1. Browse to AWS CloudFormation.
2. Choose Create stack.
3. In the Create stack window, in the Prepare template section, select Template is ready.
4. In the Specify template section, select Upload a template file.
Ensure that the order of stack creation follows the dependency diagram shown above. If a stack that the current
one depends on has not been created yet, the stack creation might fail.

4.4.3.1 VPC
You can use the VPC stack to create a virtual private cloud in AWS for Opcenter Execution Foundation.
The stack creates the following resources:
• A VPC dedicated to the AWS environment.
• An Internet Gateway.
• A public Route Table.
• 3 Public Subnets.
• 3 Network Address Translation (NAT) Gateways (Optional).
• 3 Private Route Tables.
• 3 Private Subnets.
• 3 Database Subnets.
• An S3 VPC Endpoint.
• An S3 Bucket.
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the VPC stack template.

Parameter | Description | Default Value
Stack Name (String) | Provide stack name for VPC. | --
Project Identifier (String) | The identifier used in resource names and tags. | opcenter
VPC CIDR Block (Number) | The IP range of the VPC in CIDR notation, x.x.x.x/16-28. | 10.0.0.0/16
VPC CIDR Count (Number) | The number of CIDRs to generate. Valid range is between 1 and 256. For Region deployment, the template would need 12 CIDRs in total. | 12
VPC CIDR Bits (Number) | The number of subnet bits for the CIDR. For example, specifying a value "8" for this parameter will create a CIDR with a mask of "/24". | 8
Creation of NAT Gateway for Private Subnet (String) | Should the Private Subnet creation come with Internet access? Please be aware that the creation of NAT Gateways would incur an hourly charge. | Y

At the end of the VPC stack creation, click the Outputs tab to retrieve the value of UniqueId. The UniqueId will be
used later in the subsequent stack creations.
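The three CIDR parameters above are consumed the way the CloudFormation Fn::Cidr intrinsic function works: the VPC CIDR Block is carved into VPC CIDR Count subnets, each keeping VPC CIDR Bits host bits (8 bits gives a /24 mask). The following is an added example, not code from the Siemens guide or its templates; it emulates that split so the values can be checked before the Create Stack wizard is run. The assignment of generated blocks to public, private and database subnets in plan_subnets is an assumption made here (the guide does not state the template's ordering), as are the function names.

```python
"""Added example (not part of the Siemens guide or its CloudFormation templates).

Emulates how the VPC stack consumes the VPC CIDR Block / Count / Bits parameters,
following the semantics of the CloudFormation Fn::Cidr intrinsic function. The
mapping of generated blocks onto subnet roles is an assumption made here.
"""
from __future__ import annotations

import ipaddress

# Subnet roles listed for the VPC stack (3 public, 3 private, 3 database); with the
# default CIDR Count of 12 the last three generated blocks are left unused.
SUBNET_ROLES = ["public"] * 3 + ["private"] * 3 + ["database"] * 3


def validate_vpc_cidr_block(cidr: str) -> ipaddress.IPv4Network:
    """Check the VPC CIDR Block parameter: an IPv4 range written as x.x.x.x/16-28."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("VPC CIDR Block must be an IPv4 range")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"VPC CIDR Block mask must be /16 to /28, got /{net.prefixlen}")
    return net


def fn_cidr(ip_block: str, count: int, cidr_bits: int) -> list[str]:
    """Mirror Fn::Cidr [ipBlock, count, cidrBits]: carve `count` subnets out of
    ip_block, each keeping `cidr_bits` host bits (cidr_bits=8 gives a /24 mask)."""
    net = validate_vpc_cidr_block(ip_block)
    if not 1 <= count <= 256:
        raise ValueError("VPC CIDR Count must be between 1 and 256")
    new_prefix = 32 - cidr_bits
    if new_prefix <= net.prefixlen:
        raise ValueError(f"/{new_prefix} subnets do not fit inside {ip_block}")
    available = 2 ** (new_prefix - net.prefixlen)
    if count > available:
        raise ValueError(f"only {available} /{new_prefix} subnets fit inside {ip_block}")
    subnets = net.subnets(new_prefix=new_prefix)
    return [str(next(subnets)) for _ in range(count)]


def plan_subnets(ip_block: str = "10.0.0.0/16", count: int = 12,
                 cidr_bits: int = 8) -> dict[str, list[str]]:
    """Map the generated CIDRs onto subnet roles (assumed order: public, private,
    database); anything beyond the nine known roles is reported as spare."""
    plan: dict[str, list[str]] = {"public": [], "private": [], "database": [], "spare": []}
    for index, cidr in enumerate(fn_cidr(ip_block, count, cidr_bits)):
        role = SUBNET_ROLES[index] if index < len(SUBNET_ROLES) else "spare"
        plan[role].append(cidr)
    return plan


def locate_ip(ip: str, plan: dict[str, list[str]]) -> tuple[str, str] | None:
    """Return (role, cidr) of the planned subnet containing ip, or None. Useful to
    confirm that the private IPs given to the Compute stack fall inside the VPC."""
    address = ipaddress.ip_address(ip)
    for role, cidrs in plan.items():
        for cidr in cidrs:
            if address in ipaddress.ip_network(cidr):
                return role, cidr
    return None


if __name__ == "__main__":
    default_plan = plan_subnets()
    for role, cidrs in default_plan.items():
        print(f"{role:9s} {', '.join(cidrs)}")
    # The Compute stack's default private IPs (10.0.3.137 and neighbours) only make
    # sense with the default VPC CIDR Block; a different block needs matching IPs.
    print(locate_ip("10.0.3.137", default_plan))
```

With the defaults (10.0.0.0/16, 12, 8) the script yields 10.0.0.0/24 through 10.0.11.0/24; changing the VPC CIDR Block therefore also requires changing the private IP address defaults in the Compute stack, which locate_ip makes visible.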

4.4.3.2 Backup
AWS Backup is used to centrally manage all backups and to automate the backup process.
The Backup stack creation is optional.
The stack creates the following resources:
• A Backup Vault
• An AWS Role
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Backup stack template.

Parameter | Description | Default
Stack Name (String) | Provide stack name for Backup. | --
Project Identifier (String) | The identifier used in resource names and tags. | opcenter
Unique ID (String) | Unique ID that was generated during VPC stack creation. | --


4.4.3.3 Route 53
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It connects user
requests to internet applications running on AWS or on-premises.
The creation of the Route 53 stack is optional. It is used to create a Route 53 Private Hosted Zone for Opcenter Execution
Foundation.
The stack creates the following resource:
• A Route 53 Private Zone
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Route 53 stack template.

Parameter | Description | Default
Stack Name (String) | Provide stack name for Route 53. | --
Project Identifier (String) | The identifier used in resource names and tags. | opcenter
Unique ID (String) | Unique ID that was generated during VPC stack creation. | --
Domain Name (String) | The name for the private hosted zone DNS domain. | --

4.4.3.4 Active Directory


AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables
directory-aware workloads and AWS resources to use a managed AD on AWS.
The creation of the Active Directory stack is optional. It is used to create a Windows AD for Opcenter Execution
Foundation when one is not already available.
The stack creates the following resources:
• A Secret Manager entry for the Administrator password in AD
• An Active Directory (AD)
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Active Directory stack template.

Parameter | Description | Default
Stack Name (String) | Provide stack name for Active Directory. | --
Project Identifier (String) | The identifier used in resource names and tags. | opcenter
Unique ID (String) | Unique ID that was generated during VPC stack creation. | --
Active Directory Edition (String) | The edition of Active Directory to use, either Standard or Enterprise. | Standard
Domain Name (String) | The fully qualified domain name for the directory. | --
Short Name (String) | Optional NetBIOS name for the domain. Leave blank to use the default, which is the first part of the domain name. | --
Enable SSO? (String) | Sets whether single sign-on will be enabled. This parameter allows users in your directory to access specific AWS services from a computer which is joined to the directory without having to enter their credentials separately. | N

4.4.3.5 Compute
The creation of the Compute stack is necessary as it generates templates for multiple EC2 instances and their
associated resources that are suitable and compatible with Opcenter Execution Foundation.
The stack creates the following resources:
• A Key Management Service (KMS) Key and an Alias for Session Manager to encrypt sessions
• An EC2 Instance Profile with Systems Manager and S3 Policies
• Security Groups and their Rules for:
  • Production Server
  • Database Server
  • Proxy Server
  • Application Load Balancer
• Network Interfaces for:
  • 3 Production Servers (Opcenter Execution Foundation)
  • 3 Interoperability Servers (Opcenter Connect MOM)
  • 1 IPL Server
  • 1 Proxy Server
• Launch Templates for:
  • 3 Production Servers (Opcenter Execution Foundation)
  • 3 Interoperability Servers (Opcenter Connect MOM)
  • 1 IPL Server
  • 3 Database Servers
  • 1 Proxy Server
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Compute stack template.


Parameter | Description | Default
Stack Name (String) | Provide stack name for Compute. | --
Project Identifier (String) | The identifier used in resource names and tags. | opcenter
Unique ID (String) | Unique ID that was generated during VPC stack creation. | --
EC2 Key Name (AWS::EC2::KeyPair::KeyName) | Name of an existing Amazon EC2 Key Pair to associate with the instances. | --
Existing Session Manager Key ARN (String) | Optional KMS key to be used to encrypt Session Manager sessions. The EC2 instances need access to the key. If an existing key is being used by Session Manager, enter the key's ARN here. Otherwise leave this blank and a new key will be created. | --
Enable Rotation of New Session Manager Key? (String) | Enables automatic rotation of the key material for the new key, if a new key is to be created. By default, automatic key rotation is not enabled. Only applies if the ARN of an existing Session Manager key is not supplied. | N
Pending Window Days for New Session Manager Key (Number) | The number of days before the new key is deleted after it has been marked for deletion, if a new key is to be created. The value must be between 7 and 30. It only applies if the ARN of an existing Session Manager key is not supplied. | 7
Allow Launch Template to Join Active Directory Domain Automatically? (String) | Enables automatic join of the Active Directory Domain based on the created AWS Directory Service (please ensure that the AWS Directory Service is created beforehand). | Y
Production Server Instance Type (String) | EC2 instance type for the production servers. | m5.2xlarge
Production Server 1 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create production server 1. If this is specified then the Production Server 1 AMI Prefix is ignored. To use the Production Server 1 AMI Prefix, leave this blank. | --

Production Server 1 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server 2 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create production server 2. If this is specified then the Production Server 2 AMI Prefix is ignored. To use the Production Server 2 AMI Prefix, leave this blank. | --
Production Server 2 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server 3 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create production server 3. If this is specified then the Production Server 3 AMI Prefix is ignored. To use the Production Server 3 AMI Prefix, leave this blank. | --
Production Server 3 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server Limit Threads Per Core? (String) | Sets whether hyperthreading will be turned off for the production servers, thus limiting the number of threads per core to 1. | Y
Production Server Storage Size (Number) | Amount of storage for the production servers in GB. | 100
Production Server Volume Type (String) | The EBS volume type for the production servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2

Production Server IOPS (Number) | If gp3, io1 or io2 are being used for the production servers, it indicates the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Production Server GP3 Throughput (Number) | If gp3 is being used for the production servers, it indicates the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Production Server 1 IP address (String) | Private IP address for production server 1. | 10.0.3.137
Production Server 2 IP address (String) | Private IP address for production server 2. | 10.0.3.138
Production Server 3 IP address (String) | Private IP address for production server 3. | 10.0.3.139
Interoperability Server Instance Type (String) | EC2 instance type for the interoperability servers. | c5.2xlarge
Interoperability Server 1 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create interoperability server 1. If this is specified, then the Interoperability Server 1 AMI Prefix is ignored. To use the Interoperability Server 1 AMI Prefix, leave this blank. | --
Interoperability Server 1 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server 2 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create interoperability server 2. If this is specified, then the Interoperability Server 2 AMI Prefix is ignored. To use the Interoperability Server 2 AMI Prefix, leave this blank. | --

Interoperability Server 2 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server 3 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create interoperability server 3. If this is specified, then the Interoperability Server 3 AMI Prefix is ignored. To use the Interoperability Server 3 AMI Prefix, leave this blank. | --
Interoperability Server 3 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server Limit Threads Per Core? (String) | Indicates whether hyperthreading will be turned off for the interoperability servers, thus limiting the number of threads per core to 1. | Y
Interoperability Server Storage Size (Number) | Amount of storage for the interoperability servers in GB. | 100
Interoperability Server Volume Type (String) | The EBS volume type for the interoperability servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Interoperability Server IOPS (Number) | If gp3, io1 or io2 are being used for the interoperability servers, it indicates the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Interoperability Server GP3 Throughput (Number) | If gp3 is being used for the interoperability servers, it indicates the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Private IP address for interoperability server 1 (String) | Private IP address for interoperability server 1. | 10.0.3.140

Private IP address for interoperability server 2 (String) | Private IP address for interoperability server 2. | 10.0.3.141
Private IP address for interoperability server 3 (String) | Private IP address for interoperability server 3. | 10.0.3.142
IPL Server Instance Type (String) | EC2 instance type for the IPL server. | m5.large
IPL Server Instance AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create the IPL server. If this is specified then the IPL Server AMI Prefix is ignored. To use the IPL Server AMI Prefix, leave this blank. | --
IPL Server AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
IPL Server Limit Threads Per Core? (String) | Sets whether hyperthreading will be turned off for the IPL server, thus limiting the number of threads per core to 1. | Y
IPL Server Storage Size (Number) | Amount of storage for the IPL server in GB. | 100
IPL Server Volume Type (String) | The EBS volume type for the IPL server. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
IPL Server IOPS (Number) | If gp3, io1 or io2 are being used for the IPL server, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
IPL Server GP3 Throughput (Number) | If gp3 is being used for the IPL server, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125

IPL Server IP Address (String) | Private IP address for the IPL server. | 10.0.3.143
Database Server Instance Type (String) | EC2 instance type for the database servers. | m5.2xlarge
Database Server 1 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create database server 1. If this is specified then the Database Server 1 AMI Prefix is ignored. To use the Database Server 1 AMI Prefix, leave this blank. | --
Database Server 1 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server 2 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create database server 2. If this is specified then the Database Server 2 AMI Prefix is ignored. To use the Database Server 2 AMI Prefix, leave this blank. | --
Database Server 2 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server 3 AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create database server 3. If this is specified then the Database Server 3 AMI Prefix is ignored. To use the Database Server 3 AMI Prefix, leave this blank. | --
Database Server 3 AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server Root Volume Size (Number) | Size of the root volume for the database servers in GB. | 250

Database Server Root Volume Type (String) | The volume type for the root volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Database Server Root Volume IOPS (Number) | If gp3, io1 or io2 are being used for the root volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Database Server Root Volume GP3 Throughput (Number) | If gp3 is being used for the root volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Database Server Extra Volume 1 Letter (String) | The drive letter for the first extra volume of the database servers. | D
Database Server Extra Volume 1 Label (String) | The volume label for the first extra volume of the database servers. | Data
Database Server Extra Volume 1 Size (Number) | Size of the first extra volume of the database servers in GB. | 10
Database Server Extra Volume 1 Type (String) | The volume type for the first extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Database Server Extra Volume 1 IOPS (Number) | If gp3, io1 or io2 are being used for the first extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Database Server Extra Volume 1 GP3 Throughput (Number) | If gp3 is being used for the first extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Database Server Extra Volume 2 Letter (String) | The drive letter for the second extra volume of the database servers. | L

Database Server Extra Volume 2 Label (String) | The volume label for the second extra volume of the database servers. | Logs
Database Server Extra Volume 2 Size (Number) | Size of the second extra volume of the database servers in GB. | 10
Database Server Extra Volume 2 Type (String) | The volume type for the second extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Database Server Extra Volume 2 IOPS (Number) | If gp3, io1 or io2 are being used for the second extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Database Server Extra Volume 2 GP3 Throughput (Number) | If gp3 is being used for the second extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Database Server Extra Volume 3 Letter (String) | The drive letter for the third extra volume of the database servers. | T
Database Server Extra Volume 3 Label (String) | The volume label for the third extra volume of the database servers. | TempDBs
Database Server Extra Volume 3 Size (Number) | Size of the third extra volume of the database servers in GB. | 10
Database Server Extra Volume 3 Type (String) | The volume type for the third extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Database Server Extra Volume 3 IOPS (Number) | If gp3, io1 or io2 are being used for the third extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000

Database Server Extra Volume 3 GP3 Throughput (Number) | If gp3 is being used for the third extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Proxy Server Instance Type (String) | EC2 instance type for the proxy server. | m5.large
Proxy Server Instance AMI ID (String) | Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI to use to create the proxy server. If this is specified then the Proxy Server AMI Prefix is ignored. To use the Proxy Server AMI Prefix, leave this blank. | --
Proxy Server AMI Prefix (String) | Either specify an AMI Prefix here, or an AMI ID above. This prefix will only be used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. | EC2LaunchV2-Windows_Server-2019-English-Full-Base
Proxy Server Storage Size (Number) | Amount of storage for the proxy server in GB. | 100
Proxy Server Volume Type (String) | The EBS volume type for the proxy server. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. | gp2
Proxy Server IOPS (Number) | If gp3, io1 or io2 are being used for the proxy server, the required IOPS. Between 3000 and 16000 for gp3 or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. | 3000
Proxy Server GP3 Throughput (Number) | If gp3 is being used for the proxy server, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. | 125
Proxy Server IP Address (String) | Private IP address for the proxy server. | 10.0.3.144

Amazon EC2 Key Pair


A key pair, consisting of a public key and a private key, is a set of security credentials used to prove the
user's identity when connecting to an Amazon EC2 instance.
Amazon EC2 stores the public key on the instance, and the user stores the private key. For Windows instances, the
private key is required to decrypt the administrator password. You then use the decrypted password to connect to
your instance. For more information about Amazon EC2 Key Pairs, refer to
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html.
In the AWS CloudFormation Compute stack, one of the compulsory entries in the stack template is the Amazon EC2
Key Pair. A key pair is required whenever a new EC2 instance is launched, whether manually or via a launch
template. This key pair is associated with the EC2 instances and is needed for the RDP connection.
The EC2 Key Pair can be created by following the AWS documentation on how to create an EC2 Key Pair.

EC2 Launch Template User Data


In the EC2 launch interface, additional commands or command scripts can be provided in the User Data section
to install software and perform additional configuration on the particular EC2 instance. The input is base64-encoded
automatically unless the User data has already been base64 encoded check box is selected.
In the CloudFormation Compute stack, some basic scripts are included in the launch templates of the different EC2
servers. The provided scripts can be safely removed from the User Data section of the launch template if they
are not needed.
Here are the scripts included for each EC2 instance's functionalities:
Production Server
1. Installation of AWS CLI
2. Installation of Chocolatey
3. Installation of Google Chrome web browser
4. Installation of DBeaver database browser
5. If the Allow Launch Template to Join Active Directory Domain Automatically parameter is set to Y, the AD created
via the Active Directory stack is joined automatically; otherwise, no AD is joined.
Interoperability Server
1. Installation of AWS CLI
2. Installation of Chocolatey
3. Installation of Google Chrome web browser
4. Installation of DBeaver database browser
5. If the Allow Launch Template to Join Active Directory Domain Automatically parameter is set to Y, the AD created
via the Active Directory stack is joined automatically; otherwise, no AD is joined.
IPL Server
1. Installation of AWS CLI
2. Installation of Chocolatey
3. Installation of Google Chrome web browser
4. Installation of DBeaver database browser
5. If the Allow Launch Template to Join Active Directory Domain Automatically parameter is set to Y, the AD created
via the Active Directory stack is joined automatically; otherwise, no AD is joined.
Database Server
1. Installation of AWS CLI
2. Map, initialize and name additional available EBS volumes
3. Installation of Chocolatey
4. Installation of Google Chrome web browser
5. Installation of DBeaver database browser
6. If the Allow Launch Template to Join Active Directory Domain Automatically parameter is set to Y, the AD created
via the Active Directory stack is joined automatically; otherwise, no AD is joined.
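Because the User Data of a launch template is stored base64-encoded, reviewing what a template will actually run at first boot means decoding it first. The following is an added example, not the guide's or the Compute stack's own script; it shows the encoding the console applies, the reverse decoding, and a heuristic inventory of the steps listed above that a reviewer can run over an exported template before launching. The PowerShell body is a constructed stand-in for those steps (the real scripts ship in the Compute stack templates), and the function names and check labels are assumptions made here.

```python
"""Added example (not the guide's or the Compute stack's own User Data script).

Encodes, decodes and audits launch template User Data. The PowerShell body is a
constructed stand-in for the steps the guide lists for a Production Server.
"""
from __future__ import annotations

import base64
import binascii
import re

# Constructed sample: the step list for a Production Server, not the shipped script.
SAMPLE_USER_DATA = """<powershell>
# constructed sample of the steps the guide lists for a Production Server
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi /qn
Set-ExecutionPolicy Bypass -Scope Process -Force
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install googlechrome -y
choco install dbeaver -y
Add-Computer -DomainName example.corp -Credential $domainCredential -Restart
</powershell>
"""

# Heuristic markers for the steps the guide lists, plus two review flags: a
# download-and-execute step (content fetched at boot should be pinned/verified)
# and a literal secret (user data is readable on the instance via the metadata
# service, so credentials belong in Secrets Manager or Parameter Store instead).
CHECKS = {
    "aws_cli": r"AWSCLIV2|awscli",
    "chocolatey": r"\bchoco\b|chocolatey",
    "chrome": r"googlechrome|chrome",
    "dbeaver": r"dbeaver",
    "domain_join": r"Add-Computer|-DomainName",
    "remote_script_execution": r"(iex|Invoke-Expression)[^\n]*DownloadString",
    "plaintext_secret": r"-AsPlainText|-Password\s+['\"]",
}


def encode_user_data(script: str) -> str:
    """What the console does unless 'User data has already been base64 encoded' is ticked."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


def decode_user_data(user_data: str) -> str:
    """Accept either form: a base64 blob is decoded, plain text is returned unchanged."""
    stripped = user_data.strip()
    if stripped.startswith("<"):          # <powershell> / <script> tags: already plain
        return user_data
    try:
        return base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return user_data


def audit_user_data(user_data: str) -> dict[str, bool]:
    """Inventory which of the known steps and review flags appear in the script.
    Heuristic only: a match says 'look here', not that the step is correct."""
    script = decode_user_data(user_data)
    return {name: re.search(pattern, script, re.IGNORECASE) is not None
            for name, pattern in CHECKS.items()}


if __name__ == "__main__":
    blob = encode_user_data(SAMPLE_USER_DATA)
    print(blob[:60] + "...")                    # what the launch template stores
    for name, present in audit_user_data(blob).items():
        print(f"{name:24s} {'yes' if present else 'no'}")
```

For a template already in the account, the base64 string from the launch template's User Data field is what you pass to audit_user_data; the "plaintext_secret" and "remote_script_execution" flags are the two findings worth acting on before the instance is launched.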


4.4.3.6 Application Load Balancer (ALB)


AWS Application Load Balancer (ALB) operates at the request level (layer 7), routing traffic to targets (EC2 instances,
containers, and IP addresses) based on the content of the request. It is ideal for HTTP and HTTPS traffic, which suits
the Opcenter Execution Foundation profile. Application Load Balancer simplifies and improves the security of your
application by ensuring that the latest SSL/TLS ciphers and protocols are used at all times.
The creation of an Application Load Balancer stack is optional. An alternative solution is to launch another AWS EC2
instance and set it up as a Microsoft Application Request Routing (ARR) proxy server. The launch
template for the proxy server is provided in the Compute stack.
The stack creates the following resources:
• Additional rules for Application Load Balancer Security Group
• Additional rules for Production Server Security Group
• An Application Load Balancer
• Target Groups necessary for Opcenter Execution Foundation
• Application Load Balancer's Listener
• Application Load Balancer Listener's Rules for Opcenter Execution Foundation
• A Web Application Firewall (WAF) Web ACL
The following table lists the parameters that are needed to complete the Create Stack wizard. Some of them are defined
in the Application Load Balancer stack template.

Parameter | Description | Default
Stack Name | (String) Provides the stack name for the ALB. | --
Project Identifier | (String) The identifier used in resource names and tags. | opcenter
Unique ID | (String) Unique identifier that was generated during the VPC stack creation. | --
Application Load Balancer ARN | (String) If the Application Load Balancer has already been created, provides the ARN of that Application Load Balancer. If not, leave it blank. | --
Load Balancer Scheme | (String) Sets whether the load balancer is internal or internet-facing. | internet-facing
Idle Timeout | (Number) The idle timeout in seconds. The valid range is 1-4000. Defaults to 60. | 60
Source IP CIDR | (String) The IP address range from which to allow connections. Use /32 to allow just one address. | --
Port | (Number) The TCP port on which the load balancer will listen. | 443
Load Balancer Protocol | (String) The protocol used to connect to the load balancer. | HTTPS
Target Group Protocol | (String) The protocol used to connect to the target groups. | HTTPS
Target Group Protocol Version | (String) The version of the protocol used to connect to the target groups. | HTTP1
SSL Certificate ARN | (String) The ARN of the SSL server certificate to use. | --
SSL Policy | (String) Optional. The security policy that defines which protocols and ciphers are supported. | --
Session Stickiness Enabled? | (String) Sets whether sticky sessions will be enabled (Y/N). | Y
Session Stickiness Duration | (Number) The time period, in seconds, during which requests from a client will be routed to the same target. The default value is the maximum, 7 days (604800 seconds). | 604800
Deregistration Delay | (Number) The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The default value is 300 seconds. | 300
Application Default Plant Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-svc/DefaultPlant/application/healthcheck
Application Default Plant Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Application Default Plant Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Application Default Plant Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Application Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-svc/application/healthcheck
Application Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Application Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Application Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Archiving Default Plant Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-arch/DefaultPlant/application/healthcheck
Archiving Default Plant Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Archiving Default Plant Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Archiving Default Plant Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Archiving Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-arch/application/healthcheck
Archiving Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Archiving Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Archiving Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Authorization Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-auth/healthcheck
Authorization Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Authorization Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Authorization Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Doc Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-svc/documentation/odata
Doc Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Doc Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Doc Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Platform Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /sit-svc/administration/healthcheck
Platform Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
Platform Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
Platform Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
UMC Svc Health Check Path | (String) The ping path that is the destination on the targets for health checks. | /umc-sso/GetHealthState
UMC Svc Healthy Threshold Count | (Number) The number of consecutive health check successes required before considering an unhealthy target healthy. | 5
UMC Svc Health Check Interval in Seconds | (Number) The approximate amount of time, in seconds, between health checks of an individual target. | 30
UMC Svc Health Check Matcher HTTP Code | (String) The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. | 200
Ping Path | (String) The URL path to be used for a ping test. Leave blank for no ping test. | /pingpingping
Enable Web Application Firewall? | (String) Sets whether a Web Application Firewall will be created (Y or N). | N

Existing Load Balancer Scenario

If an AWS Application Load Balancer already exists and you want to use it as the Opcenter Execution Foundation
endpoint, the Application Load Balancer ARN parameter must be filled in with the ARN of the existing Application Load
Balancer. In this case, also ensure that the existing ALB Security Group has both the inbound and the outbound rules
indicated for the Load Balancer Security Group in the Security Groups section of this deployment guide.
When the Application Load Balancer ARN is filled in, the ALB stack associates the additional listener and any necessary
target groups with the existing load balancer.

4.4.3.7 Client VPN


AWS Client VPN is a fully managed remote access VPN solution, used to securely access resources within both AWS
and on-premises networks. AWS Client VPN, including the software client, supports the OpenVPN protocol.
The creation of a Client VPN stack is optional. It is used to establish the connection to the AWS VPC from the
on-premises network. The Client VPN is not necessarily needed if:
• AWS Direct Connect or a Site-to-Site VPN is established
• An RDP bastion server exists for remote access to the VPC private subnet
The Client VPN stack requires the Active Directory setup beforehand to ensure its successful creation, as it depends on
the AWS Directory Service to retrieve the administrator password.
The stack creates the following resources:
• A Client VPN Security Group
• Security Group rules for the Production Server, Database Server and Proxy Server
• A Client VPN Endpoint
• 3 Client VPN Target Network Associations
• A Client VPN Authorization Rule
The following table lists the parameters that are needed to complete the Create Stack wizard. Some of them are defined
in the Client VPN template.

Parameter | Description | Default
Stack Name | (String) Provides the stack name for Active Directory. | --
Project Identifier | (String) The identifier used in resource names and tags. | opcenter
Unique ID | (String) Unique identifier that was generated during VPC stack creation. | --
ClientCidrBlock | (String) The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or with the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. The client CIDR range must have a size of at least /22 and must not be greater than /12. | 11.0.0.0/16
ServerCertificateArn | (String) The ARN of the server certificate in Certificate Manager. See the instructions for creating a certificate at https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html. | --
SessionTimeoutHours | (Number) The maximum VPN session duration in hours. 24 hours is the maximum. | 24
SplitTunnelEnabled | (String) Sets whether split tunnel is enabled for the Client VPN. With split tunnel, only the traffic that needs to cross the Client VPN is sent through it, and the client can continue to reach other resources. Without split tunnel, all of the client's traffic is pushed through the VPN, cutting the client off from everything else. | Y
TransportProtocol | (String) The transport protocol to be used by the VPN session. Either udp (default) or tcp. | tcp
VpnPort | (Number) The port number to be used to connect to the Client VPN endpoint for TCP and UDP traffic. Either 443 (default) or 1194. | 443

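The ClientCidrBlock constraints from the table above, encoded as a pre-flight check. This is an added example, not part of the guide or of its CloudFormation templates; it relies only on Python's standard ipaddress module, and the VPC CIDR and manual routes passed to it are constructed sample values.

```python
"""Pre-flight validation of the Client VPN ClientCidrBlock parameter.

Checks the constraints stated in the Client VPN parameter table:
  * the range must not overlap the VPC CIDR or any manually added route,
  * the prefix length must lie between /12 (largest) and /22 (smallest).
The value cannot be changed after the endpoint exists, so it is worth
checking before the stack is created.
"""
import ipaddress
from typing import Iterable, List

MIN_PREFIX = 12   # a range larger than /12 is rejected by the service
MAX_PREFIX = 22   # a range smaller than /22 is rejected by the service


def check_client_cidr(client_cidr: str, vpc_cidr: str,
                      manual_routes: Iterable[str] = ()) -> List[str]:
    """Return a list of violations; an empty list means the value is acceptable."""
    problems: List[str] = []
    try:
        # strict=True also rejects values with host bits set (e.g. 11.0.0.1/16)
        client = ipaddress.IPv4Network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"ClientCidrBlock {client_cidr!r} is not a valid IPv4 network: {exc}"]

    if client.prefixlen < MIN_PREFIX:
        problems.append(f"{client} is larger than /{MIN_PREFIX}")
    if client.prefixlen > MAX_PREFIX:
        problems.append(f"{client} is smaller than /{MAX_PREFIX}")

    # The VPC CIDR and every manually added route must be disjoint from the client range.
    candidates = [("VPC CIDR", vpc_cidr)] + [("manual route", r) for r in manual_routes]
    for label, cidr in candidates:
        other = ipaddress.IPv4Network(cidr, strict=False)
        if client.overlaps(other):
            problems.append(f"{client} overlaps {label} {other}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the table's default client range against a 10.0.0.0/16 VPC.
    for cidr in ("11.0.0.0/16", "10.0.0.0/16", "11.0.0.0/24", "11.0.0.0/8", "11.0.0.1/16"):
        result = check_client_cidr(cidr, "10.0.0.0/16", manual_routes=["192.168.10.0/24"])
        print(f"{cidr:14} -> {'OK' if not result else '; '.join(result)}")
```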
4.4.4 Hints for Setting up AWS Cloud Manually


If you prefer to set up the AWS instances and AWS services manually, go through the following sections, which provide
useful hints for the configuration of:
• AWS Application Load Balancer Configuration
• AWS EC2 Instance Types
• Security Groups
The configurations described in these sections are applied automatically when the AWS Cloud is set up via the AWS
CloudFormation scripts.
This section can therefore also be used as a reference for the details of the configuration that the AWS CloudFormation
scripts apply automatically.

4.4.4.1 AWS Application Load Balancer Configuration


This section describes the relevant AWS Application Load Balancer settings to provide proper system connectivity.

AWS Application Load Balancer Attributes

An AWS Application Load Balancer can be created in two different schemes, internet-facing or internal: internet-facing
allows access from the public internet, internal only from within the VPC. For this reason, strict security group
inbound rules must be adhered to for an internet-facing ALB.
Generally, the ALB IP address type should be IPv4.

AWS Application Load Balancer Listeners and Rules


Listeners and rules of an ALB work similarly to Microsoft Application Request Routing (ARR): the listener listens on a
specific port, and rules are then applied to route the traffic to specific target groups (the server farms of Microsoft
ARR).
For security reasons, it is recommended that the listener use the HTTPS protocol on port 443. A server certificate
must then be associated with the listener as well.
According to the Configuring Microsoft ARR Load Balancer section of the Opcenter Execution Foundation Installation
Guide, the AWS ALB listener rules must be configured based on the Microsoft ARR redirection rules.

Listener Item | Description
Rules | Provides the rule's name as preferred.
Priority | The order of the rules, as stated in Configuring the Redirection Rule Order.
Condition Type | Path
Condition | Condition of routing, as stated in "Conditions: Pattern" under "Configuring the Redirection Rules".
Target Group | The server farm to which traffic is routed, as stated in "Server farm" under "Configuring the Redirection Rules".
Group-Level Stickiness | Off

The table below represents a summary of required listener rules configuration for an Opcenter EX FN-based single-
plant system. Consider that the Target Groups described in the next section are a prerequisite for these Listener
Rules. For the Opcenter CN MOM related configuration, refer to Opcenter CN MOM User Guide.

Listener Rules | Priority | Condition Type | Condition | Target Group | Group-Level Stickiness
ARR_APPLICATION_DefaultPlant_SVC_loadBalance | 10 | Path | /sit-svc/DefaultPlant/application/* OR /sit-ui/DefaultPlant/* | APPLICATION-DEFAULTPLANT-SVC | Off
ARR_APPLICATION_SVC_loadBalance | 20 | Path | /sit-svc/application/* OR /sit-ui/runtime/* | APPLICATION-SVC | Off
ARR_AUTHORIZATION_SVC_loadBalance | 30 | Path | /sit-samadapter* OR /sit-auth/* | AUTHORIZATION-SVC | Off
ARR_ARCHIVING_DefaultPlant_SVC_loadBalance | 40 | Path | /sit-arch/DefaultPlant/application/* | ARCHIVING-DEFAULTPLANT-SVC | Off
ARR_ARCHIVING_SVC_loadBalance | 50 | Path | /sit-arch/application/* | ARCHIVING-SVC | Off
ARR_DOC_SVC_loadBalance | 60 | Path | /sit-svc/documentation/* | DOC-SVC | Off
ARR_UMC_SVC_loadBalance | 70 | Path | /IPSimatic-Logon* OR /UMC* OR /umc-idp* OR /umc-sso* | UMC-SVC | Off
ARR_UMC_SVC_loadBalance2 | 80 | Path | /ipsimatic-logon* OR /umc* | UMC-SVC | Off
ARR_PLATFORM_SVC_loadBalance | 90 | Path | /sit-svc* OR /sit-ui/system/* | PLATFORM-SVC | Off
Default | Last | Fixed Response | If no other rule applies | 503: Check AWS ALB Listener Rules | N/A

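The listener rules above, transcribed as data so they can be checked offline. This is an added example, not part of the guide or of its CloudFormation templates: it implements the ALB path-pattern semantics documented by AWS (`*` matches zero or more characters, `?` exactly one, matching is case-sensitive, lowest priority number wins), resolves sample request paths against the table, and shows why the catch-all `/sit-svc*` rule must keep the highest priority number, since moving it ahead of the specific rules silently shadows them. The target group assumed for ARR_UMC_SVC_loadBalance2 is UMC-SVC, as for the rule above it.

```python
"""Offline check of the ALB listener rules of the single-plant table above."""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ListenerRule:
    name: str
    priority: int
    patterns: Tuple[str, ...]   # path-pattern values; any one matching is enough (OR)
    target_group: str


# The listener rules of the table above, transcribed as data.
LISTENER_RULES: Tuple[ListenerRule, ...] = (
    ListenerRule("ARR_APPLICATION_DefaultPlant_SVC_loadBalance", 10,
                 ("/sit-svc/DefaultPlant/application/*", "/sit-ui/DefaultPlant/*"),
                 "APPLICATION-DEFAULTPLANT-SVC"),
    ListenerRule("ARR_APPLICATION_SVC_loadBalance", 20,
                 ("/sit-svc/application/*", "/sit-ui/runtime/*"), "APPLICATION-SVC"),
    ListenerRule("ARR_AUTHORIZATION_SVC_loadBalance", 30,
                 ("/sit-samadapter*", "/sit-auth/*"), "AUTHORIZATION-SVC"),
    ListenerRule("ARR_ARCHIVING_DefaultPlant_SVC_loadBalance", 40,
                 ("/sit-arch/DefaultPlant/application/*",), "ARCHIVING-DEFAULTPLANT-SVC"),
    ListenerRule("ARR_ARCHIVING_SVC_loadBalance", 50,
                 ("/sit-arch/application/*",), "ARCHIVING-SVC"),
    ListenerRule("ARR_DOC_SVC_loadBalance", 60,
                 ("/sit-svc/documentation/*",), "DOC-SVC"),
    ListenerRule("ARR_UMC_SVC_loadBalance", 70,
                 ("/IPSimatic-Logon*", "/UMC*", "/umc-idp*", "/umc-sso*"), "UMC-SVC"),
    # Assumed to route to UMC-SVC like the rule above (merged cell in the table).
    ListenerRule("ARR_UMC_SVC_loadBalance2", 80,
                 ("/ipsimatic-logon*", "/umc*"), "UMC-SVC"),
    ListenerRule("ARR_PLATFORM_SVC_loadBalance", 90,
                 ("/sit-svc*", "/sit-ui/system/*"), "PLATFORM-SVC"),
)
DEFAULT_ACTION = "503 fixed response"   # the listener's default action


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an ALB path pattern into a case-sensitive regex ('*' -> .*, '?' -> .)."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def resolve(path: str, rules: Sequence[ListenerRule] = LISTENER_RULES) -> str:
    """Return the target group chosen by the matching rule with the lowest priority number."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(pattern_to_regex(p).fullmatch(path) for p in rule.patterns):
            return rule.target_group
    return DEFAULT_ACTION


def shadowed_patterns(rules: Sequence[ListenerRule] = LISTENER_RULES) -> List[Tuple[str, str]]:
    """Find (rule name, pattern) pairs that can never win.

    A representative path is derived from each pattern by replacing the wildcards
    with a literal character; if that path is routed to a different target group,
    an earlier (lower-numbered) rule is capturing the traffic meant for this one.
    """
    shadowed = []
    for rule in rules:
        for pattern in rule.patterns:
            probe = pattern.replace("*", "x").replace("?", "x")
            if resolve(probe, rules) != rule.target_group:
                shadowed.append((rule.name, pattern))
    return shadowed


def with_priority(rules: Sequence[ListenerRule], name: str,
                  priority: int) -> Tuple[ListenerRule, ...]:
    """Copy of the rule set with one rule moved to a different priority."""
    return tuple(ListenerRule(r.name, priority if r.name == name else r.priority,
                              r.patterns, r.target_group) for r in rules)


if __name__ == "__main__":
    for p in ("/sit-svc/application/odata", "/sit-svc/documentation/odata",
              "/UMC/login", "/umc-sso/GetHealthState", "/SIT-SVC/x"):
        print(f"{p:40} -> {resolve(p)}")
    print("shadowed in documented order:", shadowed_patterns())
    # Misconfiguration: the catch-all /sit-svc* rule placed ahead of the specific ones.
    misordered = with_priority(LISTENER_RULES, "ARR_PLATFORM_SVC_loadBalance", 5)
    print("shadowed when the PLATFORM rule comes first:", shadowed_patterns(misordered))
```

Note that `/SIT-SVC/x` falls through to the 503 default because ALB path matching is case-sensitive, which is also why the UMC paths need two rules covering both spellings.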
AWS Application Load Balancer Target Groups


Target Groups are similar to the web farms of Microsoft ARR: groups of production servers in AWS are assigned to a
specific target group based on the Configuring Microsoft ARR Load Balancer section of the Opcenter Execution
Foundation Installation Guide.
You must specify a health check path to check the health of the Target Groups.
Stickiness must be enabled for Opcenter Execution Foundation to let the authentication layer work properly. In
Microsoft ARR terminology, stickiness is called Client Affinity, and its configuration is specified in the Opcenter
Execution Foundation Installation Guide.

Target Groups Item | Description
Target Groups | Provides the name as preferred.
Targets | Include the IPs of the servers to which traffic is routed in this particular target group. More information is in the Creating the Web Farms section.
Health Check Path | Provides the health check path as stated in the Configuring the Health Tests section.
Load Balancing Algorithm | Round Robin
Stickiness | On, as stated in Configuring the Client Affinity
Stickiness Duration | 7 days
Stickiness Type | Load balancer generated cookie

The table below represents a summary of the required Target Group configuration for an Opcenter EX FN-based
single-plant system. For Opcenter CN MOM related configuration, refer to Opcenter CN MOM User Guide.

Target Group | Protocol: Port | Protocol version | Targets | Health Checks Path | Load balancing algorithm | Stickiness | Stickiness Duration | Stickiness type
APPLICATION-DEFAULTPLANT-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-svc/DefaultPlant/application/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
APPLICATION-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-svc/application/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
ARCHIVING-DEFAULTPLANT-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-arch/DefaultPlant/application/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
ARCHIVING-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-arch/application/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
AUTHORIZATION-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-auth/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
DOC-SVC | HTTPS: 443 | HTTP1 | Only primary production server | /sit-svc/documentation/odata | Round robin | On | 7 days | Load balancer generated cookie
PLATFORM-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /sit-svc/administration/healthcheck | Round robin | On | 7 days | Load balancer generated cookie
UMC-SVC | HTTPS: 443 | HTTP1 | All 3 production servers in different AZ | /umc-sso/GetHealthState | Round robin | On | 7 days | Load balancer generated cookie

4.4.4.2 AWS EC2 Instance Types


This paragraph lists the minimum EC2 instance types that are required for hosting the architecture described in this
guide.
AWS CloudFormation scripts create EC2 instances according to the specifications listed below. Nevertheless, the
specifications of the instance type may need to be scaled up based on the project needs. For example, in case high
performance is required, it is recommended to use GP3 EBS volume type instead of GP2.

Minimum Requirements
Opcenter Execution Foundation Machine
• EC2 Instance Type: m5.2xlarge
• EBS Volume Type: GP2
• EBS Storage Size: up to 160 GB of available space, typical installations require 40/50 GB

Opcenter Connect MOM


• EC2 Instance Type: c5.2xlarge
• EBS Volume Type: GP2
• EBS Storage Size: Dependent on the data size

Database Server (Standalone)


• EC2 Instance Type: m5.2xlarge
• EBS Volume Type: GP2
• EBS Storage Size: Dependent on the data size

Database Server (High Availability)


• EC2 Instance Type: m5.8xlarge
• EBS Volume Type: GP2
• EBS Storage Size: Dependent on the data size

Reverse Proxy Server


• EC2 Instance Type: m5.large
• EBS Volume Type: GP2
• EBS Storage Size: 30 GB

4.4.4.3 Security Groups


The AWS Security Groups control the traffic that can reach and leave the AWS resources to which they are
associated (e.g. EC2 instances).
This section describes the configuration of the Security Groups, in terms of inbound and outbound rules that need
to be configured on the EC2 instances and on the AWS managed services to permit proper communication and
system functioning.
The settings reported below are automatically applied by the available AWS CloudFormation scripts.

Production Server Security Group


Inbound Rules

Source | Protocol | Port Range | Description
Production Server Security Group | All | All | Allows all connections from instances in the same security group.
Proxy Server Security Group | TCP | 80 | Allows port 80 connections from the proxy server security group.
Proxy Server Security Group | TCP | 443 | Allows port 443 connections from the proxy server security group.
Proxy Server Security Group | TCP | 4402 | Allows port 4402 connections from the proxy server security group for CN MOM.
Database Server Security Group | TCP | 445 | Allows SMB connections from the database security group.
Load Balancer Security Group | TCP | 80/443 | Allows connections from the application load balancer to the production servers.
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.

Database Server Security Group


Inbound Rules

Source | Protocol | Port Range | Description
Database Server Security Group | All | All | Allows all connections from the same database server security group.
Production Server Security Group | TCP | 5432 | Allows connections from instances in the production servers security group on TCP 5432 for PostgreSQL.
Production Server Security Group | TCP | 1433 | Allows connections from instances in the production servers security group on TCP 1433.
Production Server Security Group | UDP | 1434 | Allows connections from instances in the production servers security group on UDP 1434.
Production Server Security Group | TCP | 139 | Allows connections from instances in the production servers security group on TCP 139.
Production Server Security Group | TCP | 445 | Allows connections from instances in the production servers security group on TCP 445.
Production Server Security Group | ICMP | All | Allows ICMP connections from instances in the production servers security group.
Proxy Server Security Group | TCP | 139 | Allows connections from instances in the proxy servers security group on TCP 139.
Proxy Server Security Group | TCP | 445 | Allows connections from instances in the proxy servers security group on TCP 445.
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.

Proxy Server Security Group


Inbound Rules

Source | Protocol | Port Range | Description
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.

Load Balancer Security Group


Inbound Rules

Source | Protocol | Port Range | Description
Source IP CIDR | TCP | 80/443 | Allows connections from a specific IP address.

Outbound Rules

Destination | Protocol | Port Range | Description
Production Server Security Group | TCP | 80/443 | Allows outgoing traffic to the production servers security group.

Client VPN Security Group


Inbound Rules

Source | Protocol | Port Range | Description
Source IP CIDR | TCP | 80/443 | Allows connections from a specific IP address.

4.4.5 Installation and configuration of Opcenter on EC2 instances


In the next paragraphs you will find information about the installation and the configuration of the Opcenter
products described in this guide on the AWS EC2 instances. The number of Cloud instances depends on the
architecture (alternatives are described at Minimal Architecture and Full Architecture).
Explore the following contents:
• Integration Tier Installation
• Application Tier Installation
• Database Tier Installation
• Siemens License Server Configuration

4.4.5.1 Integration Tier Installation


The Integration Tier comprises:

• The Cloud instance(s) where Opcenter CN MOM is installed, including the required Opcenter CN MOM Channel
Adapter Host(s), depending on the project requirements.
• Optionally, the Cloud instances hosting the SQL Server installations (configured in AlwaysOn to obtain high
availability) for the Opcenter CN MOM repository, unless the repository is hosted by a dedicated SQL instance on the
Database Tier (see Database Tier).
For the installation and configuration of Opcenter CN MOM (and its Channel Adapter Host(s)) on the dedicated EC2
instance(s), so as to obtain successful interoperability with ERP, refer to the Opcenter CN MOM User Guide for the
relevant product version. Multiple EC2 instances (three is the minimum) must be installed if load balancing and high
availability of Opcenter CN MOM are needed. Should you decide to leverage the Opcenter CN MOM load balancing and
high availability features, refer to the Opcenter CN MOM User Guide for configuration details.
For the installation and configuration of Microsoft SQL Server in AlwaysOn on the dedicated instances (whether in
the Integration or in the DB Tier), refer to Database Tier.

4.4.5.2 Application Tier Installation


The Application Tier comprises the EC2 instances where Opcenter EX FN and DS / PR must be installed (depending
on the industry the customer is working in). The number of EC2 instances where Opcenter EX PR / DS must be
installed depends on the required architecture, mainly in terms of required availability levels and number of
concurrent users (see Minimal Architecture and Full Architecture).
For a detailed description of the installation process and required prerequisites, refer to Opcenter EX DS/PR
Installation Guides, related to the relevant product version.

Note: The Automation Gateway Channel address (the URL of the OPC UA server endpoint to be used for establishing
the connection) must be configured with an OPC.TCP connection. HTTP and HTTPS connections are not supported.
For example: opc.tcp://<OPCUAServerName>:48010.

4.4.5.3 Database Tier Installation


The Database Tier consists of the EC2 instances hosting the Microsoft SQL Server installations required for the
repositories of the relevant products (including Opcenter CN MOM, in case it is not decided to host its repository in
the Integration Tier itself, see Application Tier).
In order to set up the database servers in high availability, as proposed for both the proposed architectures (see
Minimal Architecture and Full Architecture), it is recommended to setup SQL Server in AlwaysOn mode. The SQL
Server AlwaysOn replicas (primary and secondary) should be configured setting up an SQL Server Availability Group
(AG).
SQL Server in AlwaysOn Failover Cluster Instances (FCI) mode is also supported by the Opcenter products in scope.
However, this configuration is difficult to achieve in the Cloud because of the limited offering of shared storage. For
this reason, only AlwaysOn Availability Groups were tested in the proposed architecture. More advanced solutions
that set up a system based on AlwaysOn Failover Cluster Instances may nevertheless be possible.
In order to know about the supported Microsoft SQL Server version and configurations, refer to Opcenter EX DS / PR
Installation Guides. For detailed instructions about Microsoft SQL Server configuration, refer to standard Microsoft
documentation.

4.4.5.4 Siemens License Server Configuration


Opcenter licenses are hosted and managed by the Siemens License Server, which should be preferentially installed
on the Opcenter CN MOM Server.

Each license is associated with the MAC address of a machine, on which the Opcenter products will run. For this
reason it is advisable to use a fixed MAC address.

5 Data Privacy
During the development of MOM Products and Solutions, Siemens DI SW MOM follows the "Data protection by
design" as foreseen in Article 25 of the General Data Protection Regulation (GDPR). This means that data protection
and privacy issues are taken into account, starting from the commencement of product development or solution
engineering.
In general, Siemens implements the following processes: Data Protection by Design approach and Threat and Risk
Analysis (TRA). In particular:
• Data Protection by Design approach is a part of the principles actively adopted by Siemens and integrated in the
secure lifecycle development of products.
• Threat and Risk Analysis (TRA), adopted by Siemens solutions, is a Siemens-wide standardized methodology
that is used for product, solution and service business during the product development, engineering or service
projects. This methodology is intended to support Siemens teams in identifying typical security weaknesses and
vulnerabilities, analyzing any threats that might exploit these weaknesses or vulnerabilities and evaluating any
resulting risks.
Specifically for MOM products and solutions, in all data collection and processing activities that potentially involve
personal data in the intended customer use case, Siemens DI SW MOM considers appropriate technical and/or
organizational measures, with the goal of adequately addressing the data protection principles and safeguarding
individual rights.
Siemens DI SW MOM, as product manufacturer, may be neither in the role of Controller nor Processor in accordance
with the E.U. General Data Protection Regulation Article 4(7) and Article 4(8).
According to the applicable data protection and privacy laws and regulations, such as the General Data Protection
Regulation ("GDPR") or the California Consumer Privacy Act (CCPA), the customer acts as the Controller and has the
responsibility to comply with, and demonstrate compliance with, all the data protection principles as well as the
other requirements in the Regulations for proper handling of personal data, including where you can store it and
who can access it, as well as how you may share it and whether you have obtained consent to do so.

6 Industrial Security Disclaimer


Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens' products and solutions
only form one element of such a concept.
The customer is responsible to prevent unauthorized access to its plants, systems, machines and networks.
Systems, machines and components should only be connected to the enterprise network or the internet if and to
the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in
place.
Additionally, Siemens' guidance on appropriate security measures should be taken into account. For more
information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends applying product updates as soon as they are available and always using the latest product versions.
Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the
customer's exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://
www.siemens.com/industrialsecurity.
